Skip to main content

FLSec-RPL: a fuzzy logic-based intrusion detection scheme for securing RPL-based IoT networks against DIO neighbor suppression attacks

Abstract

The Internet of Things (IoT) has gained popularity and is widely used in modern society. The growth in the sizes of IoT networks with more internet-connected devices has led to concerns regarding privacy and security. In particular, related to the routing protocol for low-power and lossy networks (RPL), which lacks robust security functions, many IoT devices in RPL networks are resource-constrained, with limited computing power, bandwidth, memory, and battery life. This causes them to face various vulnerabilities and potential attacks, such as DIO neighbor suppression attacks. This type of attack specifically targets neighboring nodes through DIO messages and poses a significant security threat to RPL-based IoT networks. Recent studies have proposed methods for detecting and mitigating this attack; however, they produce high false-positive and false-negative rates in detection tasks and cannot fully protect RPL networks against this attack type. In this paper, we propose a novel fuzzy logic-based intrusion detection scheme to secure the RPL protocol (FLSec-RPL) to protect against this attack. Our method is built of three key phases consecutively: (1) it tracks attack activity variables to determine potential malicious behaviors; (2) it performs fuzzy logic-based intrusion detection to identify malicious neighbor nodes; and (3) it provides a detection validation and blocking mechanism to ensure that both malicious and suspected malicious nodes are accurately detected and blocked. To evaluate the effectiveness of our method, we conduct comprehensive experiments across diverse scenarios, including Static-RPL and Mobile-RPL networks. We compare the performance of our proposed method with that of the state-of-the-art methods. The results demonstrate that our method outperforms existing methods in terms of the detection accuracy, F1 score, power consumption, end-to-end delay, and packet delivery ratio metrics.

Introduction

Internet of Things (IoT) technology refers to the interconnection of many types of physical devices, such as home appliances, vehicles, agricultural equipment, industrial equipment, and other devices embedded in software, sensors, and connectivity applications (Madakam et al. 2015). These devices can collect data, exchange data, and perform other special functions that can automatically control the entire environment around them. The IoT creates intelligent and efficient services that impact many sectors, including smart agriculture, smart cities, smart industry, housing, and healthcare (Al-Fuqaha et al. 2015). According to experts (statista.com), 11.28 billion active IoT devices were employed in 2021, and this number is expected to reach 29.42 billion by 2030. This figure shows that the degree of IoT technology usage is constantly increasing, demonstrating the significance of this technology in real life. With the advancement of IoT technology, many challenges are also encountered, such as security, privacy, standardization, integration and connectivity (Karie et al. 2020).

Sensor nodes are critical devices in IoT networks. Many IoT applications employ sensor nodes in different locations to collect data from the environment and communicate with other devices to transmit data to the border router via the internet or other forms of communication. Sensor nodes are designed for low-cost applications and devices with constrained resources, i.e., limited computing power, memory, battery life, bit rates, and short-distance communication capabilities (Pongle and Chavan 2015). Therefore, the connection of these devices heavily relies on low-power and lossy network standards (LLNs), which connect low-cost applications that require low power consumption and low data rates (Kushalnagar et al. 2007; Alexander et al. 2012). To support these constraints, the Internet Engineering Task Force (IETF) team developed IPv6 over Low-power Wireless Personal Area Networks (6LowPAN) for IPv6 packet transmission over LLNs and introduced the routing protocol for low-power and lossy networks (RPL) for managing routing on LLNs (Alexander et al. 2012).

RPL is a widely used protocol for 6LowPAN networks. RPL is responsible for building and maintaining network topologies by using the destination-oriented directed acyclic graph (DODAG) mechanism. A DODAG topology contains one root node/sink node acting as a border router connected to the internet and other child nodes connected to each other in the form of a tree topology that starts from the root node. Data are transmitted from the child nodes oriented toward the root node in a hop-by-hop manner. RPL also includes other mechanisms to maintain network topologies, such as loop avoidance and inconsistency detection, and it uses the Trickle algorithm to regulate ICMPv6 control messages with energy efficiency (Levis et al. 2011). RPL is an effective and flexible routing protocol that is resilient in both static and mobile networks.

To build and maintain a network topology, RPL employs four types of ICMPv6 control messages, including (1) DODAG information object (DIO) messages, which carry the RPL instance ID and other configuration parameters for child nodes to join the network; (2) DODAG information solicitation (DIS) messages, which are sent by child nodes requesting to join the network; (3) destination advertisement object (DAO) messages, which are unicasted by child nodes to propagate routing path information to the root node; and (4) destination advertisement object acknowledgment (DAO-Ack) messages, which are DAO reply messages sent by the root or parent to the recipient. The default RPL embeds several security features to secure RPL control messages, such as an unsecured mode, a preinstalled mode, an authenticated mode, and encryption protection, but the original author himself mentioned that those security features are optional (Alexander et al. 2012). They may not be sufficient for guaranteeing network security. Moreover, some studies have reported that RPL lacks security (Tsao et al. 2015; Medjek et al. 2018; Verma and Ranga 2020a). Hence, IoT devices on RPL networks are at risk, as attackers can exploit RPL control messages to launch a variety of attacks on these networks and harm IoT devices (Pongle and Chavan 2015; Raoof et al. 2019; Avila et al. 2020; Verma and Ranga 2020a; Bang et al. 2022).

The security threats faced by the RPL protocol are serious concerns because they can impact the proper function of RPL, which is a critical element of the IoT network that facilitates data transfer between devices. This research focuses on the detection and mitigation of attacks on neighboring nodes in an RPL network with DIO messages, named a DIO neighbor suppression attack. This type of attack severely damages the target RPL network. It manipulates nodes in the network to capture DIO messages and then broadcasts the unmodified DIO messages to the neighboring nodes at a fixed time replay interval (Le et al. 2013; Perazzo et al. 2017; Verma and Ranga 2021). The aim of this attack is to flood and replay the DIO messages, causing the victim to perform unnecessary routing that affects packet forwarding, introduces heavy interference, and increases delays and power consumption levels (Le et al. 2013; Verma and Ranga 2021). Alternatively, the attacker can trigger the victim node to believe that the DIO’s sender is within range, even if they are out of range, causing the victim to select that node as its preferred parent and change to an unoptimized routing path (Le et al. 2013). Moreover, when the victim node receives a redundant DIO message that contains the same information, it may suppress the transmission of DIO messages due to consistency. Some child nodes do not receive the DIO message, cannot join the network or remain in the network, which leads to network partitioning (Perazzo et al. 2017). This is a harmful attack. Efficient techniques are required to detect and mitigate this attack on an RPL network, increase the security of the RPL protocol, and enhance the quality of the RPL network.

In recent years, several studies have proposed various methods for defending RPL networks against DIO neighbor suppression attacks. These methods can be classified into two categories: rule-based and abnormality-based methods. The rule-based methods proposed in (Le et al. 2016) and (Thomas et al. 2018) check the specific signature of DIO traffic and perform packet pattern validation with predefined rules to identify malicious nodes, whereas the abnormality-based methods proposed in (Farzaneh et al. 2019) and (Verma and Ranga 2020b) identify malicious nodes by checking the DIO counter and DIO time interval to detect abnormal behaviors exhibited by malicious nodes. Most of these techniques were designed specifically for Static-RPL and have been tested with aggressive attackers, which are considered few in number in such networks. However, questions remain regarding their performance in some scenarios that may involve many malicious nodes attacking an RPL network with aggressive and nonaggressive behaviors under both Static-RPL and Mobile-RPL. In particular, some methods generate more data traffic overhead and require the implementation of special devices that need additional resource spending. In addition, they still have high false-positive and false-negative rates in detection tasks. Based on these limitations, a novel method that is more efficient and flexible for detecting and mitigating this type of attack in a variety of RPL network scenarios and meets the security requirements of emerging IoT technologies is needed.

Generally, identifying attacker nodes within an RPL network necessitates the differentiation of attack behaviors from the legitimate activities of nodes. Previous studies such as (Farzaneh et al. 2019; Verma and Ranga 2020b) examined the DIO counter and DIO time interval to detect this attack type. Relying only on these two variables, however, can result in confusion when detecting attacks due to the overlap between attackers and legitimate nodes in some cases. Considering multiple variables when detecting this attack can yield improved detection accuracy. Attackers intend to repeatedly multicast DIO messages at fixed replay intervals, whereas legitimate nodes utilize the Trickle algorithm to regulate those messages. Analyzing DIO time interval behaviors can help to accurately distinguish attackers from normal nodes. Furthermore, some legitimate nodes may reset the DIO timer and heavily transmit DIO messages, making them appear similar to attackers. Flagging these legitimate nodes can absolutely prevent them from being falsely blocked.

On the other hand, the consideration of multiple variables and conditions necessitates a powerful algorithm. This study adopts a fuzzy logic system (FLS) to simultaneously analyze the characteristic variables of a node’s activity to detect attackers. The FLS is an intelligence algorithm developed based on fuzzy logic theory that can simultaneously analyze many variables under multiple conditions and make intelligent decisions with high accuracy. The FLS is a suitable option for IoT devices due to its low complexity and power consumption (Iancu 2012). Additionally, we implement a detection validation and blocking mechanism, which is inspired by the Linux authentication security mechanism (namely, Fail2ban), to validate suspicious nodes before blocking them and to avoid falsely detecting and blocking legitimate nodes.

This article proposes a novel method, named FLSec-RPL, to protect the RPL protocol from DIO neighbor suppression attacks in 6LowPAN networks. FLSec-RPL is embedded with an FLS to consider four potential variables based on the characteristics of attackers for identifying malicious nodes; a detection validation and blocking mechanism is used to provide efficient validation and mitigate the impact of the attacker on the network. This method is designed to be distributed on each node and work independently, providing high levels of security and stability for RPL networks and supporting both Static-RPL and Mobile-RPL scenarios. An experiment demonstrates the superior performance of FLSec-RPL in a wide range of scenarios. This is a novel method for securing RPL networks, enabling legitimate nodes to protect themselves against attackers. The main contributions of this study are as follows.

  1. 1.

    A hybrid intrusion detection architecture is developed for securing the RPL protocol in 6LowPAN networks. This architecture combines a fuzzy logic-based intrusion detection mechanism with a detection validation and blocking mechanism to detect and mitigate DIO neighbor suppression attacks.

  2. 2.

    The tracking attack activity variables focus on accumulating data concerning the DIO counter, DIO time interval (DTI), statistical time interval analysis (STIA), and reset DIO timer flag (RDT_Flag) for identifying malicious attacks. STIA analyzes DIO time interval behavior, which helps yield improved detection accuracy. The reset DIO trimer (RDT) notification protocol is implemented to notify the nearby nodes, and RDT_Flag is flagged on heavy legitimate nodes to ensure that they are not blocked.

  3. 3.

    The fuzzy logic-based intrusion detection mechanism identifies malicious activities among neighboring nodes based on the tracked information.

  4. 4.

    The detection validation and blocking mechanism is used to validate suspicious malicious nodes and block attacker nodes.

The remainder of this article is organized as follows: Section 2 provides a brief overview of recent studies related to this work. Section 3 then presents the network model, the DIO neighbor suppression attacker concept, and an energy model. In Sect. 4, we present our intrusion detection architecture and explain it in detail. Section 5 then describes the experimental setup and evaluation methods. Section “Simulation Results and analysis” presents the results of the experiment with a discussion, and the final section provides an overall conclusion of the study as well as suggestions for future research.

Related works

In this section, we provide a summary of the related works that investigated DIO neighbor suppression attacks to enhance the security of the RPL protocol. They can be classified into two categories: studies that focused on investigating the characteristics and analyzing the impact of this type of attack and studies that focused on the detection and mitigation of such attacks.

Le et al. (2013) conducted pioneering research that analyzed the characteristics and impacts of attacks, such as rank attacks, local repair attacks, DIS attacks, and DIO neighbor suppression attacks, on the RPL protocol. The author explained that a DIO neighbor suppression attack intends to duplicate the DIO messages that are received and broadcast that DIO repeatedly without modification. This study showed that a DIO neighbor suppression attack can affect RPL performance by degrading the quality of service, slightly increasing the end-to-end delay, and disrupting the network topology. The authors noted that this attack can be extremely harmful when combined with other attacks. Likewise, another study, Perazzo et al. (2017), investigated and found a gap in the RPL protocol that could be exploited by this type of attack. The authors explained that this attack can trigger victim nodes to suppress DIO transmission by repeatedly sending redundant DIO messages; as a result, it can reduce packet delivery, increase delays, increase power consumption, and partition networks. This result agrees with that of Verma and Ranga (2021), where the authors mentioned that an attacker can attack an RPL network with spoofed and nonspoofed identities. Both spoofing and nonspoofing attackers have significant impacts on RPL performance. These studies explained the characteristics of this type of attack and precisely analyzed its impact; nevertheless, they did not propose techniques for detecting or mitigating such attacks.

Consequently, Le et al. (2016) proposed a specification-based intrusion detection system (IDS) to detect and mitigate this attack. This method uses the extended finite state machine based on RPL profiling as a baseline for confirming nodes’ behaviors and detecting malicious nodes. This method requires a specific clustering topology in which each member node must periodically report its information to the cluster head node, and the cluster head node considers that information based on predefined rules to detect malicious nodes. The main drawback of this method is that it generates a massive amount of packet traffic overhead and consumes more power. In addition, it identifies malicious nodes, but it does not remove them from the network. Moreover, it is prone to false positives and false negatives in detection tasks because attackers can report fake information to the cluster nodes. This method was designed specifically for Static-RPL.

In addition, a location-based IDS, proposed by Thomas et al. (2018), was suggested to detect and mitigate this attack. This method uses the distance validation technique to detect malicious nodes. It measures the distance between the sender and receiver of DIO messages in two ways. The first distance is measured by using location information extracted from the DIO message sent from the sender, which uses a global positioning system (GPS). The second distance is measured by using received signal strength indicators (RSSIs). The sum of these two distances must be less than double the transmission range. If the sum is not validated with this rule, the sender is detected as a malicious node and is removed from the neighbor list. This IDS significantly requires special devices equipped with GPS for implementation, which are costly and reduce the battery life of the nodes (Han et al. 2013). Both Le et al. (2016) and Thomas et al. (2018) heavily depended on predefined rules that may not support dynamic networks or different network configurations.

In contrast to the work of Le et al. (2016) and Thomas et al. (2018), the Anomaly-Based IDS proposed in Farzaneh et al. (2019) does not need predefined rules. This method uses a dynamic threshold to detect abnormal DIO counters of malicious nodes. It counts DIO messages that are sent from each neighbor node, stores them in a list and then uses a dynamic threshold to determine abnormal DIO counters that are dedicated to malicious nodes. The dynamic threshold is calculated in association with the number of neighboring nodes and the mean and standard deviation of the DIO counters. This approach is fully distributed and works independently on Thomas et al. each node. It overcomes the drawbacks of the methods in Le et al. (2016) and (2018). However, this method is not robust. It still has high false-positive and false-negative rates in detection cases because it relies heavily on a single threshold to detect malicious nodes. In addition, this method was developed only to identify Static-RPL attacks.

Likewise, Verma and Ranga (2020b) proposed CoSec-RPL to detect this type of attack. This method counts DIO messages, measures the time intervals of the DIOs that are sent from neighboring nodes, and stores them in a list. The author proposed a dynamic threshold based on outlier detection (OD) techniques (Tukey and Hoaglin 2003) and a fixed threshold to determine DIO counters and DIO time intervals, respectively. If a neighbor node has an abnormal DIO counter and time interval, it is considered malicious and blocked in the blacklist. CoSec-RPL was evaluated by the author in both Static-RPL and Mobile-RPL with a small number of malicious nodes, i.e., 4 attacker nodes. However, the detection accuracy of this method decreased when the number of malicious nodes in the network increased because its solution depends on the percentage of detector nodes in the network. Additionally, this method considers only DIO counters and DIO time intervals for identifying malicious behaviors, which can lead to detection confusion due to the overlap between normal and malicious behaviors. For example, attackers can replay DIO messages with low frequency (nonaggressive), such as normal nodes, and in another case, normal nodes may heavily transmit DIO messages as a result of resetting the DIO timer in the Trickle algorithm, which causes detection confusion. Thus, this method still has high false-positive and false-negative rates in detection scenarios.

Each of the methods described above has made a significant contribution to improving the security of RPL networks. However, some drawbacks are still encountered when implementing these methods. Furthermore, most of these approaches were designed for Static-RPL and do not consider the Mobile-RPL scenario, which is important and necessary as its applications in real life, especially in healthcare, are increasing. Based on the gaps in previous studies, this study proposes a novel approach for ensuring the security of the RPL protocol against DIO neighbor suppression attacks.

System model

This section describes the networking and attacker, as well as the energy model employed in this study.

Network model

The network model and configuration parameters in this study are adopted from previous studies (Lamaazi et al. 2018; Farzaneh et al. 2019; Verma and Ranga 2020b). This network is organized into a DODAG topology using the RPL protocol, which consists of one sink node and child nodes, as shown in Fig. 1. All nodes are connected in the form of a tree structure that starts from the sink node. The sink node acts as a border router, which is responsible for broadcasting DIO messages to build and maintain the network and exchanging data between the child nodes and the internet, as well as between nodes in the DODAG. The child nodes sense the environment and transmit data to the sink node via the intermediate nodes. Each child node can be an intermediate node, which is responsible for forwarding the packet.

Fig. 1
figure 1

System model of the RPL network

Moreover, this study investigates the RPL network model in two primary use cases, Static-RPL and Mobile-RPL, similar to recent work on the security of the RPL protocol (Murali and Jamalipour 2020; Verma and Ranga 2020b; Sharma et al. 2023). In Static-RPL, all sensor nodes and the sink node are randomly placed in fixed locations with constraints to connect them to the network, and their routing information is not constantly updated. Static-RPL networks include industrial control systems, smart building systems, and agricultural monitoring systems. In contrast, Mobile-RPL involves sensor nodes that frequently change their locations and update their routing information to accommodate their new locations; the exception is the sink node, which acts as the border router and whose location remains constant. Typical examples of Mobile-RPL networks are vehicle networks, drone networks, and wearable device networks. The sink node and all sensor nodes are subject to the same configuration and share the same resources, as detailed below.

  • All sensor nodes are initialized with equal communication ranges (Le et al. 2016; Farzaneh et al. 2019; Murali and Jamalipour 2020).

  • All the sensor nodes are configured under the same NetStack setting (Farzaneh et al. 2019; Verma and Ranga 2020b).

  • In Static-RPL, the location of every sensor and attacker node is random (Lamaazi et al. 2018; Verma and Ranga 2020b).

  • In Mobile-RPL, the location of every sensor node and attacker node is shifted using the random waypoint model (Kabilan et al. 2018; Lamaazi et al. 2018; Mohammadi and Ghaffari 2019; Murali and Jamalipour 2020; Verma and Ranga 2020b).

Attacker model

The attacker model is adopted from previous studies (Le et al. 2016; Perazzo et al. 2017; Farzaneh et al. 2019; Verma and Ranga 2020b). Attacker nodes are programmed to capture the DIO messages that they receive and repeatedly broadcast the DIO messages without modification to the neighboring nodes at a fixed frequency, along with their own identities. This study focuses on the types of nonspoofed attackers, leaving spoofed attackers for further research. In Static-RPL, the attacker nodes have fixed locations, whereas in Mobile-RPL, they move freely in the network area using a random waypoint model (Kabilan et al. 2018).

In Fig. 1, node number 7 represents a DIO neighbor suppression attack. It listens to the DIO message sent from its neighbor and then replicates the DIO message and broadcasts it repeatedly to the neighbor nodes (i.e., nodes 3, 4, 6, 11, 12, and 8) without modification at a fixed frequency.

Energy model

The energy consumption of the nodes is crucial and needs to be accurately measured, as sensor nodes have limited battery life. According to Raza et al. (2013), energy consumption refers to the energy usage of a node in various states (CPU, LPM, Rx, Tx). CPU is the time when the MCU is on and the radio is off; LPM is the time when the MCU is off and the radio is off; Rx and Tx are the times when the CPU is on and the radio is listening or transmitting, respectively. Contiki Powertrace (Dunkels et al. 2011) is employed to measure the amount of energy consumed in each state. The result obtained from Contiki Powertrace is the number of rtimer_ticks that are consumed in each state. This study employs the Z1 mote as the 6LowPAN node and assumes that it uses a 3 V battery. The electrical characteristics of the Z1 mote are detailed in Zoliteria (2010). The total energy cost of the Z1 node is calculated by Eq. (1). We measure the power consumption of the node under normal conditions using the default ContikiMAC setting (Raza et al. 2013).

$$Energy\;({\text{mJ}}) = \left( {CPU \times 0.426\;{\text{mA}} + LPM \times 0.020\;{\text{mA}} + Rx \times 18.8\;{\text{mA}} + Tx \times 17.4\;{\text{mA}}} \right) \times \frac{3V}{{32,768}}$$
(1)

Fuzzy logic-based intrusion detection mechanism for securing the RPL protocol (FLSec-RPL)

This section explains the proposed method named FLSec-RPL in detail; it is designed to secure an RPL network against a DIO neighbor suppression attack. Figure 2 illustrates the architecture of FLSec-RPL, which contains three major phases: Phase I tracking attack activity variables, Phase II fuzzy logic-based attack detection mechanism and Phase III providing a detection validation and blocking mechanism. FLSec-RPL is completely distributed and operates independently on each legitimate node and sink node, allowing them to determine their neighbors for identifying attacker nodes while protecting themselves from the effects of attacks. Each phase of FLSec-RPL is explained below.

  • Attack activity variable tracking This phase accumulates data on neighbor nodes’ activities, including the number of DIO messages, the DIO time intervals, time interval analyses, and the flags of the DIO timer reset, and stores them in a table called the neighbor list. This information is important for identifying attackers.

  • Fuzzy logic-based attack detection mechanism This phase identifies attacker nodes by checking the tracked information in the neighbor list. It is embedded with a fuzzy logic system that computes an aggressive weight for each neighboring node, and a fuzzy filter is employed to detect abnormal aggressive weights.

  • Detection validation and blocking This phase verifies whether the detected nodes are actual attackers and ensures that no legitimate nodes are blocked. It has two main tiers: Tier I quarantine and Tier II blocking processes. The quarantine validates the suspicious nodes, and the block process prevents attacker nodes from communicating.

Fig. 2
figure 2

Architecture of FLSec-RPL

Phase I: tracking attack activity variables

The first phase of FLSec-RPL is to collect activity data from the neighboring nodes to address the DIO neighbor suppression attack (see Fig. 2). Four potential variables are considered, including the number of received DIO messages, the DIO time interval, the time interval analysis results, and the flag of the DIO timer reset notification. Figure 3 illustrates the process timeline of FLSec-RPL in two stages: data observation and checking for malicious activity. During the observation window (\(\varphi\)), data for these four variables are collected from each neighbor node and recorded in the neighbor list. Table 1 shows a neighbor record as an example. In this study, \(\varphi\) is set to 30 s, which is an appropriate period for observation, as suggested in Verma and Ranga (2020b). In the second stage, the information in the neighbor list is analyzed to identify attack activity. Each stage is carried out sequentially throughout the timeline. The recorded data are crucial for detecting malicious activity in the second stage. Each variable is described in detail below.

Fig. 3
figure 3

Processing timeline of the proposed FLSec-RPL approach

Table 1 Example of a record in the neighbor list

DIO counter

This variable is critical for detecting this type of attack because its primary characteristic is to send many DIO messages to nearby nodes to cause damage. A DIO message is a specific RPL message, and it is transmitted from a node to its neighboring nodes to join them as a network. The attacker exploits this message to attack the RPL network by flooding and replaying this message without modification. Studies such as Farzaneh et al. (2019), Le et al. (2016) and Verma and Ranga (2020b) have suggested counting the number of received DIO messages to identify attacker nodes.

DIO time interval (DTI)

This variable refers to the time interval between receipt of the current DIO message and receipt of the previous DIO message. The RPL protocol uses a Trickle algorithm to handle the DIO message transmission time interval. Each interval's value steadily doubles until it reaches its maximum value. This method guarantees that networks are well maintained and make efficient use of energy. In contrast, the attacker uses a fixed replay interval for transmitting DIO messages to harm other devices on the network (Perazzo et al. 2017; Verma and Ranga 2020b, 2021). According to Verma and Ranga (2020b), the DIO time interval is calculated by the node that received DIO messages using Eq. (2).

$$DTI_{t} = T_{t} - T_{t - 1}$$
(2)

where \(DTI_{t}\) is the DIO time interval at time t, \(T_{t}\) is the time at which the current DIO message is received, and \(T_{t - 1}\) is the time at which the previous DIO message was received.

Statistical-based time interval analysis (STIA)

STIA measures the average error between the DIO time interval (DTI) and the predicted time interval (PTI) by using time series analysis and statistical methods. The basic variables, the DIO counter and the DTI, have limitations regarding identifying malicious nodes in some cases. For instance, when a legitimate node multicasts numerous DIO messages at the beginning of the DIO timer, RPL resets the DIO timer to increase the DIO transmission frequency in response to a communication failure or the receipt of DIS messages. Resetting the DIO timer multiple times causes the legitimate nodes to heavily transmit the DIO, exhibiting behavior similar to that of attackers. In another case, attackers can carry out attacks with low-frequency (nonaggressive) behaviors to pretend that they are normal nodes, and this can harm the network if a massive number of attackers are present in the network. The use of only the DIO counter and the DTI in these two cases leads to false detections due to the overlap between normal and malicious behaviors.

The standard RPL protocol uses the Trickle algorithm to manage the DIO time interval to regulate the DIO message. When the current time interval expires, this algorithm continuously doubles the interval until it reaches the maximum value. Hence, the current DIO time interval is much larger than the previous DIO time interval. The Trickle algorithm was analyzed in Levis et al. (2011). In contrast, attacker nodes may attempt to replay DIO messages at fixed DIO time intervals or randomly within a short range to increase the frequency of DIO transmission, which generates more network impacts (Verma and Ranga 2020b). Hence, the current DIO time interval and previous DIO time interval are slightly different. Analyzing DIO time interval errors can help to identify legitimate and malicious behaviors more accurately. Hence, we propose a novel statistical-based variable named statistical-based time interval analysis (STIA) to analyze the DIO time interval while helping to distinguish between normal and attack behaviors and yielding improved detection accuracy.

To analyze the characteristics of DIO time intervals, we use the exponential smoothing technique and root mean squared error calculation method. Exponential smoothing is a popular method in time series analysis that can be used to predict time series data, filter noise, and learn historical data (Brown and Robert 1956). In this study, exponential smoothing is used to predict the time interval (PTI) of DIO messages. According to Heckert and Filliben (2003), the PTI is calculated using Eq. (3).

$$\left\{ {\begin{array}{*{20}l} {PTI_{1} = DTI_{1} { };} \hfill & {for\;{ }t = 1} \hfill \\ {PTI_{t} = \alpha {*}DTI_{t} + \left( {1 - \alpha } \right){*}PTI_{t - 1} { };} \hfill & {for{ }\;t > 1} \hfill \\ \end{array} } \right.$$
(3)

where \(DTI_{t}\) is the actual time interval at time \(t\), \(PTI_{t}\) is the predicted time interval at time \(t\), \(PTI_{t - 1} { }\) is the previously predicted time interval at time \(t - 1\), and \(\alpha\) is the coefficient of smoothing, which is set to 0.1 to track actual changes (Brown and Robert 1956).

When the detector node receives a DIO message, it calculates \(DTI_{t}\) and \(PTI_{t}\) and then determines the error between \(DTI_{t}\) and \(PTI_{t}\) and the sum of the error (SoE) using Eq. (4).

$$SoE = \mathop \sum \limits_{t = 1}^{N} \left( {DTI_{t} - PTI_{t} } \right)^{2}$$
(4)

where \(N\) is the number of DIO messages received from a neighboring node within an observation window and \(DTI_{t}\) and \(PTI_{t}\) are the DIO time interval and predicted time interval, respectively, which are calculated when the DIO message is received at time \(t\).

At the end of the observation window, the detector node calculates the average error between \({\text{DTI}}\) and \({\text{PTI}}\) for each neighboring node using the root mean square error (RMSE), which is a popular method for measuring error (Armstrong and Collopy 1992). In this study, the root mean square error between \({\text{DTI}}\) and \({\text{PTI}}\) is called the statistical-based time interval analysis (STIA) value, which is expressed in Eq. (5).

$$STIA = \sqrt{\frac{SoE}{N}}$$
(5)

where \(N\) is the number of DIO messages received from a neighbor node within the current observation window.

The three variables, \(DIO\_Counter\), \(DTI\) and \(SoE\), are precomputed from the observation data, and the STIA is calculated after the observation window is completely ended. These three variables, \(DIO\_Counter\), \(DTI\), and \(STIA\), are input into a fuzzy logic system to calculate the aggressive weight for identifying the attacker.

Reset DIO timer (RDT)

This variable is a flag for the neighboring nodes, and its Trickle algorithm resets the DIO timer one or many times during the observation window. Resetting the DIO timer causes the legitimate node to send many DIO messages upon the initialization of the timer. This makes legitimate nodes look like attackers, making it confusing to detect or block legitimate nodes. To prevent this, we create a flag called RDT_Flag and a communication protocol called the RDT notification protocol to inform the neighboring nodes in the RPL network.

Figure 4 illustrates the communication process of the RDT notification protocol. This protocol is a part of FLSec-RPL. It is implemented on each legitimate node and the root node. When the Trickle algorithm of a legitimate node resets the DIO timer, FLSec-RPL generates an RDT-Msg message to inform the neighboring nodes. RDT-Msg has a packet size of 5 bytes. It is piggybacked on the ICMPv6 protocol and multicast when RPL resets the DIO timer. When neighbor nodes receive this message, they flag the IP address of the sender in their neighbor list and send back the RDT-Reply message.

Fig. 4
figure 4

RDT notification protocol

RDT_Flag represents important information for accurately validating suspicious nodes. It ensures that no heavy legitimate node is blocked if it is suspected of being an attacker due to its abnormal behavior in the current window. The flagged node is provided with special validation if it is detected as suspicious or malicious. This special validation is intended to enhance the tolerance of the verification process by increasing the testing threshold to the maximum value and delaying the blocking process, which provides heavy legitimate nodes with time-reduced DIO transmission frequencies, returning them to normal behavior and making the validation results more accurate. By using RDT_Flag and the RDT notification protocol, FLSec-RPL can ensure that no legitimate nodes are blocked, especially heavy legitimate nodes. Thus, this technique enhances the effectiveness of the validation process and prevents false blocking.

Phase II: fuzzy logic-based attack detection mechanism

After the possible variables are determined in the first phase, this phase cooperates with the mechanism designed to detect abnormal attacker node behaviors based on tracked information. To consider the information in the neighbor list, this technique is embedded in a fuzzy logic system (FLS) that can consider multiple variables and make intelligent decisions using fuzzy set theory (Iancu 2012). The FLS has the ability to evaluate imprecise data from multiple variables simultaneously to produce an optimal answer while requiring low computational power. This makes it suitable for use on sensor nodes that have constrained resources. The FLS evaluates the collected information in the neighbor list and calculates the aggressive weight for each neighboring node. The aggressive weight is a metric that measures the aggression of nodes in transmitted DIO messages that lead to the detection of abnormal activities performed by the attacker nodes.

Fuzzy logic-based computing aggressive weight

The FLS retrieves the tracked information of each neighboring node from the neighbor list and then analyzes and calculates the aggressive weight for each neighboring node. As illustrated in Fig. 5, the FLS model consists of four components, including a fuzzifier, rule bases, an inference engine and a defuzzifier. The details of each process are explained below.

Fig. 5
figure 5

Fuzzy logic process for computing aggressive weights

  • Fuzzifier This process involves mapping input data, i.e., DIO_Counter, the DTI, and the STIA, to their linguistic variables and then converting the input data to fuzzy input sets by using a fuzzy membership function (FMF). We evaluate the performance of different FMFs, and we find that the trapezoidal FMF is the most suitable function for this study. The trapezoidal FMF is defined by four points that represent the left shoulder, the left peak, the right peak, and the right shoulder. As shown in Fig. 6, the data of each input variable are mapped into three linguistic terms, low (L), medium (M), and high (H), which are represented by trapezoidal shapes. For instance, the relationship of each input variable and its linguistic term is defined based on expert knowledge, such as DIO_counter {L(0,0,2,5), M(1,5,7,11), H(7,11,30,30)}; DTI {L(0,0,3,10), M(3,10,13,20), H (13,20,30,30)} and STIA {L(0,0,3,9), M(3,9,13,20), H(13,20,30,30)}. The degree of membership for each input variable is calculated using Eq. (6).

    $$\mu_{Q} \left( x \right) = max\left( {min\left( {\frac{x - a}{{b - a}},1\frac{d - x}{{d - c}}} \right),0} \right)$$
    (6)

    where \(x\) denotes the input data; \(\mu_{Q} \left( x \right)\) is the degree of membership; Q is a set of linguistic terms that are represented by the trapezoid FMF; and \(a,b,c,{ }\) and \(d\) are the left shoulder, the left peak, the right peak, and the right shoulder, respectively (Iancu 2012).

    Fig. 6
    figure 6

    Fuzzy membership functions

  • Fuzzy rule bases The fuzzy rule bases are collections of IF-THEN statements that store the human experience and expertise gained while working with a real process. It maps the relationships between the fuzzy input set and the fuzzy output set. According to Iancu (2012), the fuzzy rule model can be expressed as follows.

    $$R_{l} :IF\; x_{1} \;is\; A_{l} \;and \;x_{2} \;is \;B_{l} \;and \;x_{3} \;is \;C_{l} \;THEN\; \omega \;is \;D_{l}$$

    \(R_{l}\) is the \(l^{th}\) rule of the fuzzy rule bases. \(x_{1}\) is the input value of DIO_counter. \(x_{2}\) is the input DTI value. \(x_{3}\) is the input value of the STIA. \(\omega\) is the fuzzy output of the \(l^{th}\) rule that is set in the range [0, 1]. \(A\), \(B\), \(C\) and \(D\) are sets of linguistic terms for \(x_{1}\), \(x_{2}\), \(x_{3}\) and \(\omega\), respectively. In fuzzy rule bases, the linguistic terms of DIO_counter, the DTI, and the STIA are mapped to a single term in the output of \(\omega\), i.e., normal (0,0,0.5), quarantine (0,0.5,1), or malicious (0.5,1,1); see Fig. 6D. In Table 2, all 27 fuzzy rules that are defined based on an expert’s knowledge are listed.

    Table 2 Twenty-seven fuzzy rules with aggressive weights
  • Inference engine This method combines the fuzzy input sets of different variables based on a subset of fuzzy rules to determine the degrees of fuzzy output sets using fuzzy logic operators (Saeed 2013). This study applies a minimization operator to the fuzzy input sets and generates a fuzzy output set. The fuzzy output set contains the degree of truthfulness of each rule (ranging from 0 to 1). Equation (7) is used to calculate a fuzzy output set \(\mu_{{D_{l} }} \left( \omega \right)\) based on the \(l^{th}\) rule by using the minimization operator.

    $$\mu_{{D_{l} }} \left( \omega \right) = \min \left( {\mu_{{A_{l} }} \left( {x_{1} } \right),\mu_{{B_{l} }} \left( {x_{2} } \right),\mu_{{C_{l} }} \left( {x_{3} } \right)} \right)$$
    (7)

    where \(\mu_{{A_{l} }} \left( {x_{1} } \right),\mu_{{B_{l} }} \left( {x_{2} } \right),\mu_{{C_{l} }} \left( {x_{3} } \right)\) are the membership degrees of DIO_Counter, the DTI, and the STIA on linguistic terms \(A_{l} ,B_{l} ,C_{l}\), respectively.

  • Defuzzifier This method is the inverse of fuzzification. It converts the fuzzy output set to a crisp output (i.e., an aggressive weight) that can be used in the subsequent process. After the complete inference process, the defuzzifier combines the fuzzy outputs of all rules and then calculates the centroid of gravity to obtain a precise output value (Saeed 2013). In our study, we compare the defuzzification methods of different fuzzy inference systems, such as Takagi-Sugeno (Lohani et al. 2006) and Mamdani (Iancu 2012). We find that the Mamdani method using the centroid of gravity outperforms the average method. The centroid of gravity is calculated via Eq. (8).

    $$\omega_{o} = \frac{{\mathop \sum \nolimits_{l = 1}^{N} \overline{\omega }_{l} \times \mu_{{D_{l} }} \left( \omega \right)}}{{\mathop \sum \nolimits_{l = 1}^{N} \mu_{{D_{l} }} \left( \omega \right)}}$$
    (8)

    where \(\omega_{o}\) is the centroid of gravity, \(\overline{\omega }_{l}\) is the centroid value of the membership function \(D_{l}\), and \(\mu_{{D_{l} }} \left( \omega \right)\) is the fuzzy output set of the \(l^{th}\) rule.

Detecting abnormal activity

After deriving the aggressive weight (\(\omega_{o}\)) from the FLS, the activities of neighboring nodes enable them to be evaluated as normal or suspicious/malicious nodes. In Fig. 7, Algorithm 1 explains the process of detecting abnormal activity in the neighbor list with the detector node. In lines 2–3, the FLS retrieves information from the neighbor list and calculates \(\omega_{o}\) for each neighboring node. The behavior of each neighbor is interpreted based on the level of its aggressive weight. If the weight is high, it indicates that the node is heavily sending DIO messages and could be an attack activity. If the node's weight is low, it means that it is behaving normally. By comparing the weight value with the fuzzy filter threshold (\(\delta\)), we can find the neighboring nodes that intend to launch attacks on the network. The threshold \(\delta\) is the central point of the normal and malicious membership functions of the fuzzy output; see Fig. 6D. This threshold represents a weight boundary between normal and malicious membership functions. In lines 4–6, if the \(\omega_{o}\) of a node is greater than \(\delta\), then its behavior is suspected to be malicious and must be quarantined to verify and implement blocking mechanisms to limit its impact on the network. Otherwise, the nodes that have \(\omega_{o}\) values less than or equal to \(\delta\) values are considered normal nodes.

Fig. 7
figure 7

Algorithm of the fuzzy logic-based attack detection mechanism

Phase III: detection validation and blocking

Once possible attacks have been detected, the detection validation and blocking phase further validates the detection result as well as performing the blocking to stop attackers. A node detected by Algorithm 1 is suspected to be a malicious node, which means it could be an actual attacker or a legitimate node that sent DIO messages heavily because it reset the DIO timer many times. It is important to verify the suspicious node to ensure that it is an actual attacker, take action to limit its impact on the network, and prevent legitimate nodes from being falsely blocked.

We design and implement a detection validation and blocking mechanism to validate suspicious nodes before taking countermeasures against them. This technique is inspired by the Linux authentication security mechanism Fail2ban, which is widely utilized to prevent unauthorized access and disruptions in networks. Fail2ban is an effective tool that protects servers and other systems from attacks by banning IP addresses that exhibit malicious behavior, thereby preventing security breaches and defending against attackers (Korniyenko and Galata 2019; Muakhori and Sunardi 2020). The concept behind this tool is useful and well suited for protecting an RPL network from flooding and replaying attacks, such as DIO neighbor suppression attacks.

Based on the Fail2ban concept (Fail2ban.org 2017), a detection validation and blocking mechanism is developed. This mechanism consists of two distinct subphases: quarantining and blocking. The primary objective of the quarantining phase is to validate suspicious nodes and determine whether they are indeed attackers. During the quarantining phase, an exponential decay model is employed to adjust the parameter values. It is crucial to address the serious threat that attacker nodes pose to their neighboring nodes. Consequently, the blocking phase is implemented to effectively mitigate the malicious activities of attackers. This is achieved through the utilization of soft blocking and hard blocking techniques at different restriction levels. Soft blocking temporarily blocks malicious nodes in a blacklist, while hard blocking permanently blocks malicious nodes in the blacklist. The subsequent sections provide detailed explanations of these two subphases.

Tier I: quarantine

The quarantining phase serves the purpose of verifying whether a suspicious node is an actual attacker. During this phase, the behavior of the suspicious node is thoroughly tested multiple times. If it continues to be detected as malicious, the detection counter is incremented and compared to the maximum detection threshold. Once the detection counter reaches the maximum detection value, it confirms that the suspicious node is indeed an actual attacker, prompting the immediate initiation of the blocking phase.

Throughout the quarantine period, the suspicious node remains isolated for a specific duration. If the quarantine period concludes with the detection counter not surpassing the maximum detection threshold, it signifies that the suspected node is a legitimate node. As a result, it is deemed safe and removed from quarantine.

If a suspected node is flagged for receiving its RDT-Msg within the current observation window, it is placed in quarantine under a special condition. This condition incorporates tolerance into the validation process by setting the maximum detection threshold and quarantine period to their maximum values. This approach ensures that a thorough verification is performed by subjecting the suspected node to multiple checks. Essentially, the purpose of this special condition is to delay the initiation of the blocking phase, providing quarantined nodes with an opportunity to decrease their DIO transmission frequencies and return to their normal behavior.

Moreover, this special condition proves beneficial for legitimate nodes that have neighbor nodes facing connection issues with their parent node due to the depletion or failure of the parent node's battery. In such cases, the affected node seeks to rejoin the network by sending DIS messages, which prompts neighboring nodes to reset their DIO timer and transmit additional DIO messages. By setting the maximum detection threshold and quarantine time to their maximum values, the blocking process can be delayed, allowing the legitimate node to locate a new parent node to join the network and subsequently resume its normal behavior. The values of the maximum detection threshold and quarantine period directly impact the effectiveness of the validation process. The following explains how to set the optimal values for these parameters in detail.

Maximum detection adjustment

The maximum detection value is important and influential for properly performing the validation process. Choosing a maximum detection value involves a tradeoff. For example, if the value is too small, it can quickly block suspicious nodes, but it also makes the validation process less accurate and causes confusion when blocking legitimate nodes. If the value is too large, the corresponding node will be properly verified, but it may be too late to prevent the effect of the attack on the network. Therefore, the criteria for the maximum detection value should result in attackers being blocked as quickly as possible while preventing legitimate nodes from being falsely blocked.

To find the best maximum detection profile, we conduct experiments on Static-RPL and Mobile-RPL networks. The influence of aggressive weight is investigated, and an accuracy matrix is employed to assess the efficiency of the maximum detection value. The experimental findings are depicted in Fig. 8A. Suspicious nodes are classified into three categories: low-weight nodes, medium-weight nodes, and high-weight nodes. To conduct an accurate validation, low-weight nodes, which are nonaggressive attackers and may contain some legitimate heavy nodes, require at least 4–6 positive tests to conclude that they are real attackers. In contrast, medium-weight nodes require at least 2–4 positive tests to verify their results, while high-weight nodes are the most aggressive attackers and should be blocked immediately upon detection; one or two positive tests are sufficient for confirming that they are actual intruders.

Fig. 8
figure 8

A Adjusting the maximum detection values associated with the aggressive weight. B The influence of the maximum detection values on the detection accuracy

Figure 8B demonstrates that when maximum detection values are used, FLSec-RPL obtains average accuracies of 95%–0.99% in Static-RPL and 88%–98% in Mobile-RPL. This means that the max detection values are well defined, yielding improved validation effectiveness and detection accuracy.

Then, this study aims to model the trend of the maximum detection profile, which is shown in Fig. 8A. As the attacker's aggressive weight increases, the maximum detection value decreases exponentially, and vice versa. This behavior can be accurately described by the exponential decay model. Utilizing this model, the maximum detection value is dynamically adjusted based on the aggressive weights of suspicious nodes. Exponential decay is a mathematical function that describes quantities whose values change rapidly over time or their related variables. A common formula for exponential decay is expressed in Eq. (9) (Strang and Herman 2022).

$$P = P_{0} e^{kt}$$
(9)

where \(P_{o}\) is the initial value, \(k\) is a constant of exponentiality, and \(t\) is the time series or related variable considered throughout the problem. According to Eq. (9), we can develop a maximum detection (\(MD\)) model based on the problem in this study, which is expressed in Eq. (10).

$$MD = MD_{0} \times e^{k \times \omega }$$
(10)

where \(MD_{o}\) is the initial maximum detection value, \(k\) is the constant of exponentiality, and \(\omega\) is the aggressive weight.

To adjust the \(MD\) value, we consider the aggressive weight (\(\omega\)) output from the FLS. Suppose that \(\omega\) is given in the range \(\left[ {\alpha ,{ }\beta } \right]\). We have a fuzzy filtering threshold \(\delta\). The \(\omega\) of the suspected node must be greater than \(\delta\) and less than or equal to the upper bound \(\beta\). Thus, this can be expressed as \({ }\delta { } < { }\omega { } \le { }\beta\). Let \(L\) and \(U\) denote the lower and upper bounds of the MD value, respectively. Referring to Fig. 8A, we observe that when \(\omega\) is at its minimum value (i.e., equal to \(\delta\)), MD attains its maximum value (i.e., equal to \(U\)). Conversely, when \(\omega\) is at its maximum value (i.e., equal to \(\beta\)), MD attains its minimum value (i.e., equal to \(L\)). Therefore, we obtain the following expressions:

$$MD_{min} = L = MD_{0} \times e^{k\beta }$$
(11)
$$MD_{max} = U = MD_{0} \times e^{k\delta }$$
(12)

From Eq. (12), \(U = MD_{0} \times e^{k\delta } { } \Rightarrow { }MD_{0} = U \times e^{ - k\delta }\).

Dividing Eq. (11) by Eq. (12) yields the following:

$$\frac{L}{U} = \frac{{MD_{0} \times e^{k\beta } }}{{MD_{0} \times e^{k\delta } }} \Leftrightarrow \frac{L}{U} = e^{{k\left( {\beta - \delta } \right)}} \Leftrightarrow \ln \left( \frac{L}{U} \right) = k\left( {\beta - \delta } \right) \Rightarrow k = \frac{{ln\left( \frac{L}{U} \right)}}{\beta - \delta }$$

Then, by inputting the expressions of \(MD_{o}\) and \(k\) from Eq. (10), we obtain:Therefore,

$$MD = MD_{0} \times e^{k\omega } = U \times e^{ - k\delta } \times e^{k\omega } = U \times e^{{k\left( {\omega - \delta } \right)}} = U \times e^{{\frac{{ln\left( \frac{L}{U} \right)}}{\beta - \delta }\left( {\omega - \delta } \right)}}$$
$$MD = U \times e^{{\frac{{ln\left( \frac{L}{U} \right)}}{\beta - \delta }\left( {\omega - \delta } \right)}}$$
(13)

Equation (13) is used to dynamically adjust the maximum detection value to adapt to the aggressive weight of the suspected node. Based on the experimental results shown in Fig. 8A, the lower bound and upper bound of the maximum detection are set as \(\left( {L = { }1,{ }U{ } = { }6} \right)\).

Quarantine period adjustment

Suspicious nodes are subjected to isolation during a period called the quarantine period. The duration of this period is stipulated based on the aggressive weight of each suspicious node. Low-weight nodes are quarantined for a prolonged period because they require many tests to verify them and ensure their detection. On the other hand, high-weight nodes must go through a short quarantine period because they require testing with a small maximum detection threshold. Medium-weight nodes are quarantined for a moderate period. The trend of the quarantine period reveals that as aggressive weight increases, the quarantine duration decreases, and vice versa. We develop a quarantine period adjustment model that leverages the benefits of the exponential decay model. Utilizing the exponential decay model in Eq. (9) with a proof similar to that presented in section “Tier I: Quarantine”. A, we derive the following model for the quarantine period (\(QP\)), as expressed in Eq. (14).

$$QP = U^{\prime} \times e^{{\frac{{\ln \left( {\frac{{L^{\prime}}}{{U^{\prime}}}} \right)}}{\beta - \delta } \times \left( {\omega - \delta } \right)}}$$
(14)

where \(\omega\) is the aggressive weight of the suspected node, \(\beta\) is the upper bound of the fuzzy output, and \(\delta\) is the fuzzy filtering threshold. \(L{^{\prime}}\) and \(U{^{\prime}}\) are the lower bound and upper bound of the quarantine period, respectively, and are set as \(\left( {L^{\prime} = L{*}\varphi ,{ }U^{\prime} = U{*}\varphi } \right)\).

The duration of the quarantine period is extended upon the repeated detection of a suspicious node. This subsequently leads to a recalculation of the quarantine period, which is then added to the previous duration. The total quarantine time for a suspected node is determined using Eq. (15).

$$QP_{Total} = \mathop \sum \limits_{t = 1}^{DC} QP_{t}$$
(15)

where DC is the number of times that a suspicious node is detected. \(QP_{t}\) is the quarantine period calculated at detection time \(t\) using Eq. (14).

Tier II: blocking

The blocking phase involves the prohibition of communication from attackers by adding the attackers to a blacklist and blocking their IP addresses. Once a detector node detects a malicious node in its neighbor list, it adds the malicious node to its blacklist and eliminates it from the neighbor list. An example of a record in the blacklist can be found in Table 3. By blocking the IP address of the attacker, legitimate nodes can effectively prevent the detrimental effects of the attacker by rejecting all DIO messages from the attacker or simply ignoring its communications. The use of soft blocking and hard blocking on a malicious node is a crucial technique in network security. In this study, we implement both strategies to mitigate attackers within the network, and each is described in detail below.

Table 3 Example of a record in the blacklist

Soft blocking is a temporary blocking mechanism that involves placing a malicious node in a blacklist for a limited period called the block period (BP). This blocking step prevents a malicious node from causing further damage to the network. Once BP has completely ended, the node is removed from the blacklist and permitted to resume regular operations. If this node is detected and blocked again, the blocked counter (BC) is increased by one, and the BP is increased using the geometry sequences (Aharoni 2021) as expressed in Eq. (16).

$$BP = BP_{0} \times q^{BC - 1}$$
(16)

In this equation, \(q\) is the incrementation factor and is set to \(q{ } = { }2\) to doubly increase the BP. In this study, the initialized block period is defined as \(BP_{o} = 10{*}\varphi\). This strategy conserves network resources and avoids system disruptions. The soft block also enables network managers to monitor a node's activity and evaluate whether it can be rehabilitated, reducing the probability of mistakenly blocking valid nodes.

However, if a node repeatedly engages in malicious behavior, hard blocking is implemented. Hard blocking is a permanent blocking step that permanently blocks the malicious node's IP address. This assures the network's continued security and protection against repeated attacks from the same node. We set the \(\lambda\) threshold to determine the block counter (BC). If the BC is less than or equal to the threshold value (\(\lambda\)), soft blocking is implemented; otherwise, hard blocking is executed. In this study, we reconsider a malicious node three times, i.e., \(\lambda = 3\), before performing permanent blocking. This strategy is essential for preventing unwarranted network disruptions and defending network resources against persistent malicious nodes. Each process of the proposed FLSec-RPL approach is fully illustrated in Fig. 9.

Fig. 9
figure 9

Flowchart of the proposed FLSec-RPL method

Performance evaluation

In this section, we describe the simulation setup and evaluation metrics used to assess the proposed method in detail.

Simulation setup

We conduct experiments using Contiki-OS/Cooja, which is an open-source operating system that includes a well-known environment for realistic IoT simulations (Dunkels et al. 2004). In this study, we use the Zolertia (Z1) mote as the 6LowPAN nodes for the sink node, sensor nodes, and attacker nodes. The Z1 mote is built with 8 KB of RAM and a 92-KB ROM, including a msp430 microcontroller and a CC2420 transceiver (Zoliteria 2010). This experiment employs the unit disk graph radio medium (UDGM): distance loss radio model that simulates lossy links and media collisions among 6LowPAN sensor nodes as in real-world tests (Farzaneh et al. 2019; Murali and Jamalipour 2020; Pu 2020; Wadhaj et al. 2020; Medjek et al. 2021). Contiki-MAC is used as the radio duty cycle protocol, and carrier sense multiple-access/collision avoidance (CSMA/CA) is used as the link layer protocol.

We consider two main network scenarios:

  • Scenario 1 consists of a single sink node and sixteen sensor nodes.

  • Scenario 2 consists of a single sink node and thirty-two sensor nodes.

Each main scenario is placed in a grid network area of 150 m × 150 m and simulated under two types of RPL models: Static-RPL and Mobile-RPL. In Static-RPL, the positions of the sink node and sensor nodes are randomly placed in fixed locations within the network area with constraints, and each node must connect to the network. In contrast, in Mobile-RPL, the positions of the sensor nodes are shifted by using the random waypoint model (Kabilan et al. 2018), and the sink node that acts as the border router has a constant position. We implement the Cooja-Mobile plugin to create a Mobile-RPL scenario in Contiki. All the sensor nodes are programmed to send a 30-byte packet every 1 min to the sink node (Verma and Ranga 2020b).

The implementation of DIO neighbor suppression attacks aims to target the RPL protocol utilized in IoT devices. Such attacks comprise an attacker node flooding the network with numerous DIO messages that are responsible for disseminating critical routing information to other nodes. As a result, these attacks can lead to service denials, energy depletion, and network partition. To generate attack data, this study employs realistic IoT scenarios and tools such as the Contiki OS, Cooja simulator, and Zolertia Z1 motes. To facilitate the DIO neighbor suppression attack, the Contiki OS Library was modified. The attacker node is programmed to capture DIO messages from any legitimate node and resend them at a fixed replay interval, along with their own IP addresses, without making any modifications (Le et al. 2016; Farzaneh et al. 2019; Verma and Ranga 2020b). We experiment with various attack scenarios by adjusting the percentage of attacker nodes (PANs) ranging from 10 to 50% of the nodes in the network area and varying attack replay intervals (ARIs) from 1 to 8 s, similar to recent works (Le et al. 2013; Verma and Ranga 2020b; Sharma et al. 2023). The factorial design (Lammers and Babbie 2005) is employed to manage the scenarios in the experiment. In Static-RPL, the attacker nodes are placed randomly in fixed locations, while in Mobile-RPL, they move freely in the network area by utilizing the random waypoint model (Kabilan et al. 2018).

The attacker nodes are programmed to start attacking 90 s after the network starts up, i.e., after the RPL network is already stable. The proposed method is enabled to check for malicious nodes 30 s after the malicious nodes start attacking. Each scenario is simulated for 30 min, and the experiment is conducted five times to obtain statistical results. The results of the experimental runs are averaged. The results of the proposed FLSec-RPL approach are compared with those of two state-of-the-art methods, Anomaly-Based IDS (Farzaneh et al. 2019) and CoSec-RPL (Verma and Ranga 2020b). These three methods undergo experiments in the same scenarios and under the same conditions. A summary of the experimental setup is described in Table 4.

Table 4 Summary of the simulation setup

Evaluation metrics

The effectiveness of various methods is evaluated using the following metrics.

  • Detection accuracy and F1 score These metrics evaluate the effectiveness of an intrusion detection algorithm in terms of detecting attackers. Both metrics are calculated based on the confusion matrix. This matrix has four classes: true positives (TP), false negatives (FN), false positives (FP), and true negatives (TN), which represent the different conditions of correctly identifying attack activity, incorrectly predicting an attack as normal, incorrectly predicting normal activity as an attack, and correctly predicting normal activity, respectively. The detection accuracy and F1 score are calculated using Eq. (17) and Eq. (20), respectively (Akosa 2017).

    $$Accuracy = { }\frac{TP + TN}{{TP + TN + FP + FN}}$$
    (17)
    $$Specificity = \frac{TP}{{TP + FN}}$$
    (18)
    $$Precision = \frac{TP}{{TP + FP}}$$
    (19)
    $$F1 - Score = 2\left( {\frac{Specificity \times Precision}{{Specificity + Precision}}} \right)$$
    (20)
  • Average power consumption (APC) This metric measures the average power consumption per node that is under attack with various intrusion detection algorithms. It is a critical metric because sensor nodes have limited battery life. The power consumption is calculated using Eq. (21); then, by dividing it by the number of nodes that are under the attacker’s effect, we obtain the average power consumption per node.

    $$Power\left( {mW} \right) = \frac{{TotalEnergy\left( {mJ} \right)}}{SimulationDuration\left( s \right)}$$
    (21)

    where the total energy is the energy consumed by the nodes under attack effects and is calculated using Eq. (1).

  • Average end-to-end delay (AEED) This metric measures the average delay per packet that is sent from a sensor node to the sink node. The total delay in the whole network is calculated by Eq. (22), and the AEED is calculated via Eq. (23).

    $$TotalDelay = \mathop \sum \limits_{i = 1}^{N} (TimeReceivedPacket_{i} - TimeSentPacket_{i} )$$
    (22)
    $$AEED = \frac{TotalDelay}{N}$$
    (23)

    where \(N\) is the number of packets that are successfully received by the sink node.

  • Packet delivery ratio (PDR) The PDR is the percentage of packets successfully received at the sink node compared out of the total number of packets sent from the sensor nodes. The PDR is a significant metric for low-power, lossy networks. It can be affected by many factors, such as link quality, interference, routing, and congestion. The PDR is calculated via Eq. (24).

    $$PDR = \frac{\sum Packets Received}{{\sum Packets Sent}}$$
    (24)
  • First-time detection (FTD) This metric measures the duration that an attacker node starts attacking the network until it is detected by the intrusion detection algorithm for the first time. FTD evaluates how fast the tested intrusion detection algorithm detects attackers. According to Verma and Ranga (2020b), FTD is calculated via Eq. (25). FTD is measured on each attacker node that is detected, and then the average is calculated.

    $$FTD = Time_{detected} - Time_{start}$$
    (25)

Simulation results and analysis

Simulation results of scenario 1

FLSec-RPL, CoSec-RPL, and Anomaly-Based IDS are simulated under the same settings in scenario 1, which contains one sink and sixteen sensor nodes in a \(150\;{\text{m}} \times 150\;{\text{m}}\) grid under Static-RPL and Mobile-RPL networks, with varying percentages of attacker nodes (10–50%) and varying attack replay intervals (1–8 s). The experimental results are presented below.

Detection accuracy

Figure 10 illustrates the comparison between FLSec-RPL and the other two methods, CoSec-RPL and Anomaly-Based IDS, in terms of their detection accuracies under varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs) in both Static-RPL and Mobile-RPL scenarios. The results demonstrate that as the percentage of attacker nodes or the attack replay interval increases, the detection accuracies of all three methods decrease. However, FLSec-RPL consistently maintains a higher level of detection accuracy than the other two methods in both scenarios. Specifically, in Static-RPL, FLSec-RPL achieves a detection accuracy of 97–100%, while CoSec-RPL and Anomaly-Based IDS only achieve 49–66% and 49–64% accuracy rates, respectively, as depicted in Fig. 10A. In Mobile-RPL, FLSec-RPL achieves a detection accuracy of 75–100%, while CoSec-RPL and Anomaly-Based IDS achieve 61–98% and 58–94% accuracy rates, respectively, as shown in Fig. 10B.

Fig. 10
figure 10

Detection accuracy vs. PANs and ARIs in Static-RPL and Mobile-RPL networks in scenario 1. A Detection accuracy achieved in Static-RPL. B Detection accuracy achieved in Mobile-RPL

The superior performance of FLSec-RPL can be attributed to its consideration of multiple variables concerning attackers’ characteristics, such as DIO_Counter, the DTI, and the STIA, which it utilizes through the fuzzy logic system and fuzzy filter to identify malicious nodes. Additionally, FLSec-RPL employs the detection validation and blocking mechanism that further improves its detection accuracy. However, the other two methods only consider two variables, DIO_Counter and the DTI, which can cause confusion during the detection process, and their solutions highly depend on their dynamic thresholds, which become less sensitive when the percentage of attacker nodes increases or the attack replay interval decreases; this limits their malicious node identification accuracy.

Notably, CoSec-RPL and Anomaly-Based IDS exhibit greater detection accuracy improvements in Mobile-RPL than in Static-RPL due to their ability to reach more legitimate neighbor nodes in the mobile scenario. Furthermore, FLSec-RPL's detection accuracy in Mobile-RPL is slightly decreased because some attacker nodes move far from the detector nodes and cannot provide the needed information to detect them. Nevertheless, FLSec-RPL still maintains a higher level of accuracy in all scenarios than the other two methods. Thus, FLSec-RPL is the most suitable method for detecting such attacks.

F1-score measure

The F1 score metric is used to compare FLSec-RPL with Anomaly-Based IDS and CoSec-RPL in both Static-RPL and Mobile-RPL under varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs), as depicted in Fig. 11. The F1 scores of all three methods decline as the percentage of attacker nodes or the attack replay interval increases, with FLSec-RPL consistently demonstrating higher F1 scores than the other two methods. In Static-RPL, FLSec-RPL attains F1 scores ranging between 91 and 100%, while Anomaly-Based IDS achieves F1 scores between 21 and 51% and CoSec-RPL obtains F1 scores between 1 and 27%, as shown in Fig. 11A. In Mobile-RPL, FLSec-RPL exhibits F1 scores ranging between 60 and 100%, while CoSec-RPL attains F1 scores between 14 and 97% and Anomaly-Based IDS achieves F1 scores between 9 and 83%, as illustrated in Fig. 11B.

Fig. 11
figure 11

F1-Score versus PANs and ARIs in Static-RPL and Mobile-RPL networks in scenario 1. A F1 scores achieved in Static-RPL. B F1 scores achieved in Mobile-RPL

FLSec-RPL achieves the best F1 scores because it uses a hybrid intrusion detection mechanism that considers multiple variables concerning attacker characteristics to detect malicious nodes and a detection validation and blocking mechanism to ensure the accuracy of the detection results by verifying suspicious nodes before blocking them. CoSec-RPL and Anomaly-Based IDS achieve decreased F1 scores because they consider only two variables (i.e., DIO counter and the DIO timer interval) and heavily depend on dynamic thresholds to detect malicious nodes, causing more confusion during detection. In Mobile-RPL, Anomaly-Based IDS and CoSec-RPL are likely to increase their F1 scores because they can reach more nearby nodes, which benefits their methods for detecting malicious nodes more accurately. The mobility of attacker nodes slightly diminishes the F1 scores of FLSec-RPL because the attacker nodes move far from the detector node and cannot provide the needed information to detect them. Nevertheless, FLSec-RPL still maintains the highest F1 scores compared to those of the other methods. Therefore, FLSec-RPL is the most effective method for accurately detecting this type of attack while minimizing the induced false-positive and false-negative rates.

Average power consumption

Figure 12 presents a comparative analysis of the average power consumption levels per node required by FLSec-RPL, CoSec-RPL, and Anomaly-Based IDS at different percentages of attacker nodes (PAN) and attack replay intervals (ARI) in Static-RPL and Mobile-RPL. It is observed that the power consumption levels of all three methods increase as the percentage of attacker nodes increases or the attack replay interval decreases. This is because attackers aim to flood and replay DIO messages, which causes neighboring nodes to listen to and process unnecessary routing information, which consumes more CPU power, eventually leading to increased power consumption. FLSec-RPL provides a promising solution compared to other methods with the lowest power consumption because it is capable of accurately detecting attackers and rejecting all disruptive packets from attacker nodes, limiting their impact on the network. In Static-RPL, the average power consumption of FLSec-RPL varies between 0.49 and 1.38 mW, whereas Anomaly-Based IDS and CoSec-RPL record average power consumption values ranging from 0.61 to 2.74 mW and 0.61 to 3.09 mW, respectively, as shown in Fig. 12A. In Mobile-RPL, the mobility of nodes leads to additional power consumption due to the need for transmitting and receiving more control messages to maintain the network topology. FLSec-RPL still maintains the lowest power consumption, with an average power consumption ranging from 1.89 to 2.72 mW, compared to 2.09–3.82 mW for CoSec-RPL and 2.06–3.87 mW for Anomaly-Based IDS, as shown in Fig. 12B. These findings demonstrate that FLSec-RPL is a more effective method than the other two approaches in terms of mitigating the impacts of attacks on power consumption in both Static-RPL and Mobile-RPL scenarios due to its high accuracy in detecting and mitigating attacker nodes.

Fig. 12
figure 12

Average power consumption vs. PANs and ARIs in Static-RPL and Mobile-RPL networks in scenario 1. A Average power consumption achieved in Static-RPL. B Average power consumption achieved in Mobile-RPL

End-to-end delay

Figure 13 compares the AEEDs of FLSec-RPL, CoSec-RPL, and Anomaly-Based IDS in a network under attack with varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs) in both Static-RPL and Mobile-RPL. As the percentage of attacker nodes increases or the attack replay interval decreases, the AEEDs of all three methods increase due to disruptive packets from attackers triggering legitimate nodes to process unnecessary routing information, consuming more CPU power and resulting in packet forwarding delays. Nevertheless, FLSec-RPL maintains the lowest AEED compared to the other two methods. This is because it can accurately detect attackers and prevent unnecessary routing processes from being performed in the CPU by rejecting all disruptive packets from the attacker nodes. In Static-RPL, FLSec-RPL maintains an AEED range of 130–670 ms, while CoSec-RPL and Anomaly-Based IDS maintain AEED ranges of 150–1160 ms and 145–1170 ms, respectively, as shown in Fig. 13A. In Mobile-RPL, FLSec-RPL still outperforms the other two methods despite the additional processing of control messages required to maintain the network topology by achieving an AEED range of 590–1700 ms, while CoSec-RPL and Anomaly-Based IDS maintain AEED ranges of 690–2300 ms and 680–2460 ms, respectively, as shown in Fig. 13B. Therefore, based on these findings, FLSec-RPL is the superior method for detecting and mitigating attacks' impacts on the AEED, as it maintains the lowest AEED compared to the other two methods.

Fig. 13
figure 13

Average end-to-end delays vs. PANs and ARIs in Static-RPL and Mobile-RPL networks in scenario 1. A Average end-to-end delays achieved in Static-RPL. B Average end-to-end delays achieved in Mobile-RPL

Packet delivery ratio

Figure 14 depicts a comparative analysis of the packet delivery ratios (PDRs) produced by FLSec-RPL and two competing methods under varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs) in both Static-RPL and Mobile-RPL. The results demonstrate that as the percentage of attacker nodes increases or the attack replay interval decreases, the PDRs of all three methods decrease because attackers flood and replay numerous disruptive packets, which occupy and overwhelm the processor; in this way, legitimate nodes are unable to receive the remaining data packets. Nevertheless, FLSec-RPL sustains a higher PDR level than CoSec-RPL and Anomaly-Based IDS due to its superior accuracy in terms of identifying attackers that lead legitimate nodes to reject all disruptive packets from them. Conversely, the other two methods suffer from packet losses due to attackers overloading the processor with DIO messages. In Static-RPL, FLSec-RPL obtains a PDR range of 91–99%, whereas CoSec-RPL and Anomaly-Based IDS have lower PDR ranges of 86–99% and 86–98%, respectively, as illustrated in Fig. 14A. Similarly, in Mobile-RPL, all three methods display significant PDR reductions due to the additional impact derived from the mobility of the nodes that disrupt the network topology. FLSec-RPL can prevent attackers from affecting the PDR by consistently maintaining a higher PDR than the other two methods. In Mobile-RPL, FLSec-RPL maintains a PDR range of 41–51%, while CoSec-RPL and Anomaly-Based IDS have lower PDR ranges of 31–43% and 32–42%, respectively, as depicted in Fig. 14B. Thus, FLSec-RPL outperforms CoSec-RPL and Anomaly-Based IDS in maintaining higher PDRs, regardless of the number of attacker nodes and the attack replay interval.

Fig. 14
figure 14

Packet delivery ratio versus PANs and ARIs in Static-RPL and Mobile-RPL networks in scenario 1. A Packet delivery ratio achieved in Static-RPL. B Packet delivery ratio achieved in Mobile-RPL

First-time detection

In Fig. 15, the performance of FLSec-RPL is compared with that of other methods in terms of the first-time detection (FTD) metric under varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs) for both Static-RPL and Mobile-RPL. A low FTD number for an intrusion detection method illustrates fast detection and good performance, while a high FTD value indicates slow detection and poor performance. As the percentage of attacker nodes or the attack replay interval increases, the FTDs of all three methods increase. CoSec-RPL and Anomaly-Based IDS show an exponential increase in their FTDs as the number of attacker nodes or the attack replay interval increases, particularly at 30%, 40%, and 50% attacker nodes and 4 s, 6 s, and 8 s for the attack replay interval, because the dynamic thresholds in these methods become less sensitive. In contrast, FLSec-RPL maintains a much lower FTD than the other two methods because it employs an FLS to consider the tracked information in the neighbor list when identifying malicious nodes, regardless of the percentage of attacker nodes or the replay interval.

Fig. 15
figure 15

Average first-time detection versus PANs and ARIs in Static-RPL and Mobile-RPL networks. A Average first-time detection achieved in Static-RPL. B Average first-time detection achieved in Mobile-RPL

In Static-RPL, FLSec-RPL maintains FTDs between 27 and 45 s, while CoSec-RPL and Anomaly-Based IDS have higher FTDs between 27 and 612 s and 27 s and 698 s, respectively, as shown in Fig. 15A. In Mobile-RPL, the FTD of FLSec-RPL slightly increases due to the mobility of attacker nodes requiring more time to be spent collecting enough data using the method to detect them. However, it still maintains a lower FTD than the other two methods in most scenarios. Comparing the FTD results obtained in Mobile-RPL, FLSec-RPL achieves FTDs between 31 and 110 s, while CoSec-RPL and Anomaly-Based IDS have higher FTDs between 28 and 348 s and 28 s and 631 s, respectively, as shown in Fig. 15B. Although FLSec-RPL has a slightly higher FTDmin than the other two methods, its FTDmax is much lower, indicating that it is a more stable method in terms of FTD regardless of the percentage of attacker nodes and the attack replay interval. These findings demonstrate that FLSec-RPL is an effective and stable method that detects attackers faster than competing methods, thereby protecting RPL networks against this attack type.

Simulation results of scenario 2

Scenario 2 involves the deployment of a network that consists of 32 sensor nodes and one sink node within a 150 m × 150 m area. The FLSec-RPL, CoSec-RPL, and Anomaly-Based IDS protocols are subjected to simulations with varying percentages of attacker nodes between 10 and 50% and attack replay intervals ranging from 1 to 8 s. The simulations are conducted using both Static-RPL and Mobile-RPL. The subsequent section below presents the outcomes of the experiment.

Detection accuracy

Figure 16 compares FLSec-RPL to two other methods, CoSec-RPL and Anomaly-Based IDS, in terms of their detection accuracies under varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs). The findings reveal that the detection accuracy declines for all three methods as the percentage of attacker nodes or the attack replay interval increases. FLSec-RPL outperforms the other methods in terms of detecting malicious nodes due to its comprehensive consideration of multiple attacker characteristics, including DIO_Counter, the DTI, the STIA, and RDT_Flag. These variables are effectively utilized through the implementation of a fuzzy logic system and a fuzzy filter. Moreover, FLSec-RPL incorporates a detection validation and blocking mechanism, further enhancing its accuracy. FLSec-RPL achieves accuracies of 96–99% in Static-RPL and 70–99% in Mobile-RPL. However, the other two methods only consider two variables, the DIO Counter and the DIO time interval, which can lead to detection confusion. Additionally, these methods heavily rely on dynamic thresholds, which become less effective when the number of attacker nodes increases or the attack replay interval decreases. As a result, their malicious node identification accuracies are limited. In Static-RPL, CoSec-RPL achieves accuracies of 66–95%, and Anomaly-Based IDS achieves accuracies of 61–72% (see Fig. 16A); in Mobile-RPL, CoSec-RPL achieves accuracies of 65–98%, and Anomaly-Based IDS achieves accuracies of 66–95% (as shown in Fig. 16B).

Fig. 16
figure 16

Detection accuracy versus PANs and ARIs in the Static-RPL and Mobile-RPL networks in scenario 2. A Detection accuracy achieved in Static-RPL. B Detection accuracy achieved in Mobile-RPL

Interestingly, Mobile-RPL, CoSec-RPL and Anomaly-Based IDS demonstrate higher detection accuracies than Static-RPL because they can reach more legitimate neighbor nodes in the mobile environment. On the other hand, FLSec-RPL exhibits slightly decreased detection accuracy in Mobile-RPL due to some attacker nodes moving out of range of the detector nodes, resulting in a lack of necessary information for detection. Nevertheless, FLSec-RPL still maintains superior accuracy across all scenarios compared to the other two methods. Thus, FLSec-RPL is the most suitable method for effectively detecting such attacks.

F1-score measure

The F1 score metric is employed to compare the performance of FLSec-RPL with that of Anomaly-Based IDS and CoSec-RPL in both Static-RPL and Mobile-RPL under varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs), as illustrated in Fig. 17. As the number of attacker nodes and the attack frequency increase, the F1 scores of all three methods decrease.

Fig. 17
figure 17

F1 scores vs. PANs and ARIs in the Static-RPL and Mobile-RPL networks in scenario 2. A F1 scores achieved in Static-RPL. B F1 scores achieved in Mobile-RPL

FLSec-RPL maintains the best F1 score compared to the other two methods because it uses a hybrid intrusion detection mechanism that considers multiple variables concerning attacker characteristics for detecting malicious nodes. Additionally, it employs a detection validation and blocking mechanism to verify suspicious nodes before blocking them, which further improves the resulting F1 score. Conversely, CoSec-RPL and Anomaly-Based IDS achieve lower F1 scores because they rely only on two variables (the DIO counter and DIO timer interval) and heavily depend on dynamic thresholds to detect malicious nodes, leading to confusion during detection. In Static-RPL, FLSec-RPL achieves F1 scores of 93–99%, while CoSec-RPL and Anomaly-Based IDS achieve F1 scores of 14–70% and 13–31%, respectively, as shown in Fig. 17A. In Mobile-RPL, FLSec-RPL achieves F1 scores of 25–99%, while CoSec-RPL and Anomaly-Based IDS achieve F1 scores of 10–94% and 16–86%, respectively, as depicted in Fig. 17B.

In Mobile-RPL, Anomaly-Based IDS and CoSec-RPL are more likely to exhibit F1 score increases due to their ability to reach nearby nodes, thereby enhancing their ability to detect malicious nodes more accurately. The mobility of attacker nodes slightly affects the F1 score of FLSec-RPL as attacker nodes move further away from the detector nodes, thereby reducing the data required for detection. Nonetheless, FLSec-RPL still maintains the highest F1 scores compared to the other methods. Therefore, FLSec-RPL is the most effective technique for accurately detecting attacks while minimizing the rates of false-positive and false-negative results.

Average power consumption

Figure 18 presents a comparison of the average power consumption levels required per node by FLSec-RPL, CoSec-RPL, and Anomaly-Based IDS under attack effects in both Static-RPL and Mobile-RPL at varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs). As the percentage of attacker nodes increases or the attack replay interval decreases, the average power consumption level also increases. This happens due to attackers flooding and replaying multiple DIO messages, which cause the neighboring nodes to listen and process unnecessary routing information, leading to increased energy consumption in the CPU. In almost all scenarios, FLSec-RPL maintains the lowest power consumption compared to its competitors. This is due to its ability to accurately detect attackers and reject all disruptive packets from the attacker nodes, limiting their impacts on the network. In Static-RPL, FLSec-RPL consumes between 0.58 and 2.5 mW average power, while CoSec-RPL consumes 0.80–3.59 mW, and Anomaly-Based IDS consumes 0.79–3.72 mW, as shown in Fig. 18A. In Mobile-RPL, the mobility of the nodes causes additional power consumption due to the sensor nodes frequently transmitting and listening to control messages for maintaining the network topology. Nevertheless, FLSec-RPL maintains lower power consumption than the other two methods in most scenarios. FLSec-RPL reduces the power consumption to between 3.17 and 4.09 mW, while CoSec-RPL consumes 3.22–4.65 mW, and Anomaly-Based IDS consumes 3.28–4.75 mW, as shown in Fig. 18B. Based on these results, FLSec-RPL can better limit the impacts of attacks on power consumption than the other two methods.

Fig. 18
figure 18

Average power consumption versus PANs and ARIs in the Static-RPL and Mobile-RPL networks in scenario 2. A Average power consumption in Mobile-RPL. B Average power consumption in Mobile-RPL

End-to-end delay

Figure 19 depicts a comparison of the average end-to-end delays (AEEDs) exhibited by networks that are subjected to attack effects. The comparison is made between FLSec-RPL, CoSec-RPL, and Anomaly-Based IDS in both Static-RPL and Mobile-RPL scenarios at varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs). As the percentage of attacker nodes increases or the attack replay interval decreases, the AEEDs of the three methods increase because numerous disruptive packets from attackers trigger legitimate nodes, occupying them with unnecessary routing processes that consume more CPU power, resulting in packet forwarding delays.

Fig. 19
figure 19

Average end-to-end delays versus PANs and ARIs in Static-RPL and Mobile-RPL networks in scenario 2. A Average end-to-end delays achieved in Static-RPL. B Average end-to-end delays achieved in Mobile-RPL

FLSec-RPL, however, exhibits promising results by maintaining the lowest AEEDs compared to its competitors. This is because it can detect attacker nodes with high accuracy; in this way, legitimate nodes can reject all disruptive packets from attackers, which limits the impacts of attacks on the AEED. In Static-RPL, FLSec-RPL maintains AEEDs between 190 and 3770 ms, while that of CoSec-RPL ranges from 310 to 4910 ms and that of Anomaly-Based IDS ranges from 290 to 5450 ms, as shown in Fig. 19A. In Mobile-RPL, the AEEDs of the three methods increase because the nodes in the network perform additional processing to maintain the network topology due to network disruptions caused by node mobility. Nonetheless, FLSec-RPL still reduces the AEED more than the other two methods. In Mobile-RPL, FLSec-RPL maintains AEEDs between 3760 and 5490 ms, while that of CoSec-RPL ranges from 3770 to 5990 ms and that of Anomaly-Based IDS ranges from 3770 to 6810 ms, as shown in Fig. 19B. Thus, FLSec-RPL is shown to be more effective than CoSec-RPL and Anomaly-Based IDS in terms of mitigating the impacts of attacks on the AEED, regardless of the number of attack nodes and the attack replay interval.

Packet delivery ratio

Figure 20 illustrates a comparative analysis of the packet delivery ratios (PDRs) of FLSec-RPL, CoSec-RPL, and Anomaly-Based IDS in Static-RPL and Mobile-RPL networks, accounting for varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs). As the number of attacker nodes or attack replay intervals increases, the PDRs of all three methods decrease because the attackers flood and replay numerous disruptive packets, which occupy and overwhelm the processor, ultimately rendering legitimate nodes unable to receive the remaining data packets.

Fig. 20
figure 20

Packet delivery ratios vs. PANs and ARIs in the Static-RPL and Mobile-RPL networks in scenario 2. A Packet delivery ratios in Static-RPL. B Packet delivery ratios in Mobile-RPL

However, the findings demonstrate that FLSec-RPL maintains the highest PDRs in almost all scenarios compared to its competitors due to its superior accuracy in identifying attackers, which leads legitimate nodes to reject all disruptive packets from them. Conversely, the other two methods suffer from packet losses due to the attackers overloading the processor with DIO messages. In Static-RPL, FLSec-RPL maintains PDRs between 42 and 97%, while CoSec-RPL and Anomaly-Based IDS maintain PDRs between 37 and 95% and 36% and 95%, respectively, as illustrated in Fig. 20A. In Mobile-RPL, the PDRs of all three methods decrease compared to those attained in Static-RPL because of the network disruption frequency, and the nodes in the network perform additional processing to maintain the network topology. Nevertheless, FLSec-RPL shows promising results in terms of mitigating the impacts of attacks on the resulting PDRs by maintaining higher PDRs than the other two methods. In Mobile-RPL, FLSec-RPL maintains PDRs of 13–40%, while CoSec-RPL and Anomaly-Based IDS maintain PDRs of 9–28% and 8–27%, respectively, as shown in Fig. 20B. Hence, FLSec-RPL is indicated to be more efficient than CoSec-RPL and Anomaly-Based IDS in mitigating the impacts of attackers on the PDRs, regardless of the number of attacker nodes or the attack frequency.

First-time detection

In Fig. 21, a comparison is made between the performance of FLSec-RPL and the other methods in the context of the first-time detection (FTD) metric, accounting for varying percentages of attacker nodes (PANs) and attack replay intervals (ARIs) for both Static-RPL and Mobile-RPL. A low FTD number is indicative of an intrusion detection method that can quickly detect attackers and demonstrate good performance, whereas a high FTD value suggests that the detection process is slow and that the performance is poor. As the percentage of attacker nodes or the attack replay interval increases, the FTDs of all three methods increase.

Fig. 21
figure 21

First-time detection versus PANs and ARIs in the Static-RPL and Mobile-RPL networks in scenario 2. A Average first-time detection achieved in Static-RPL. B Average first-time detection achieved in Mobile-RPL

In Static-RPL, CoSec-RPL and Anomaly-Based IDS exhibit exponential increases in their FTDs as the number of attacker nodes or the attack replay interval increases, particularly at 30%, 40%, and 50% attacker nodes and 4 s, 6 s, and 8 s attack replay intervals, because the dynamic thresholds in their methods become less sensitive. In contrast, FLSec-RPL demonstrates much lower FTDs than the other two methods because it employs an FLS to consider the tracked information in the neighbor list to identify malicious nodes, regardless of the percentage of attacker nodes or the replay interval. As depicted in Fig. 21A, FLSec-RPL has FTDs between 27 and 69 s, while CoSec-RPL has FTDs between 27 and 470 s, and Anomaly-Based IDS has FTDs between 27 and 564 s.

On the other hand, in Mobile-RPL, the FTDs of all three methods increase compared to those obtained in Static-RPL due to the mobility of the attacker nodes. Nevertheless, FLSec-RPL still maintains the lowest FTDs compared to its competitors by achieving FTDs between 53 and 490 s, while CoSec-RPL achieves FTDs between 28 and 690 s and Anomaly-Based IDS achieves FTDs between 33 and 710 s, as shown in Fig. 21B. Notably, the FTDs of FLSec-RPL slightly increase above those of CoSec-RPL and Anomaly-Based IDS at 10% and 20% attack nodes, but the proposed approach still maintains lower FTDs than the other two methods at 30%, 40%, and 50% attacker nodes. This observation implies that FLSec-RPL produces more stable detection results in terms of FTD than its competitors, regardless of the number of attack nodes and the attack replay interval. Thus, FLSec-RPL emerges as a faster and more stable method for detecting attackers in both Static-RPL and Mobile-RPL scenarios in comparison with its competitors.

Conclusion

The increasing popularity and widespread use of the IoT have raised significant privacy and security concerns, particularly regarding attacks on the RPL protocol. To address this issue, this research introduces FLSec-RPL, a novel method designed to secure the RPL protocol in 6LowPAN networks against DIO neighbor suppression attacks. FLSec-RPL consists of three key phases: (1) an attack activity variable tracking mechanism, including the DIO counter, the DIO timer interval, time interval analysis, and RDT_Flag, which gather data from neighboring nodes; (2) a fuzzy logic-based intrusion detection mechanism to detect attack activities based on the collected information; and (3) a detection validation and blocking, which utilizes quarantine mechanisms to validate malicious nodes and suspicious nodes, as well blocking techniques to mitigate the impacts of attacks on the network. An experiment is conducted in both Static-RPL and Mobile-RPL networks while considering varying numbers of attacker nodes, attack frequencies, and network sizes. The experimental results show that FLSec-RPL yields significant detection accuracy improvements, F1 score increases, power consumption reductions, end-to-end delay reductions, PDR increases, and FTD decreases averaging 32.40%, 50%, 26%, 25.32%, 26.20%, and 38.97% compared to Anomaly-Based IDS and 32.30%, 42.73%, 26.74%, 26.39%, 28%, and 12% compared to CoSec-RPL, respectively. These findings highlight the potential of FLSec-RPL as a promising solution for enhancing the security of RPL protocol-based IoT networks when compared to state-of-the-art methods such as Anomaly-Based IDS and CoSec-RPL.

Future work will involve testing and implementing FLSec-RPL to defend against DIO neighbor suppression attacks in a real testbed, as well as exploring its applicability for detecting other similar attacks executed on RPL networks.

Availability of data and materials

Data is unavailable due to privacy.

Abbreviations

6LoWPAN:

IPv6 over Low-Power Wireless Personal Area Networks

ARI:

Attack Replay Intervals

BC:

Block Counter

BP:

Block Period

DC:

Detection Counter

DODAG:

Destination-Oriented Directed Acyclic Graph

DIO:

DODAG Information Objects

DIS:

DODAG Information Solicitations

DTI:

DIO Time Interval

FLS:

Fuzzy Logic System

ICMPv6:

Internet Control Message Protocol Version 6

IDS:

Intrusion Detection System

IoT:

Internet of Things

MD:

Maximum Detection

MRHOF:

Minimum Rank with Hysteresis Objective Function

PAN:

Percentage of Attacker Nodes

PTI:

Predict Time Interval

QP:

Quarantine Period

RDT:

Reset DIO Timer

RPL:

Routing Protocol for Low-Power and Lossy Networks

SoE:

Sum of Error

STIA:

Statical-Based Time Interval Analysis

References

Download references

Acknowledgements

The author expresses gratitude to Prof. Dr. Chakchai So-in, Dr. Phet Aimthongkham, and Dr. Yanika Kongsorot for their valuable guidance and motivation in this research. They acknowledge the Royal Scholarship Projects and Khon Kaen University for financial support, and faculty of College of Computing, Khon Kaen University for administrative assistance.

Funding

The research is funded by a Royal Scholarship from Her Royal Highness Princess Maha Chakri Sirindhorn Education Project to Cambodia for 2020; faculty of College of Computing, Khon Kaen University.

Author information

Authors and Affiliations

Authors

Contributions

Conceptualization; methodology; software; validation; formal analysis; investigation; resources; data curation; writing—original draft preparation visualization, project administration; funding acquisition, CK; Conceptualization; writing—review and editing; supervision, CS-I, and PA; Conceptualization, writing—review and editing, YK. All authors have read and agreed to the published version of the manuscript.

Corresponding author

Correspondence to Phet Aimtongkham.

Ethics declarations

Competing interests

The authors declare that there is no competing interest regarding the publication of this manuscript.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Kim, C., So-In, C., Kongsorot, Y. et al. FLSec-RPL: a fuzzy logic-based intrusion detection scheme for securing RPL-based IoT networks against DIO neighbor suppression attacks. Cybersecurity 7, 27 (2024). https://doi.org/10.1186/s42400-024-00223-x

Download citation

  • Received:

  • Accepted:

  • Published:

  • DOI: https://doi.org/10.1186/s42400-024-00223-x

Keywords