Abstract

We present a hybrid internal anomaly detection system that shares detection tasks between the router and the nodes. It allows nodes to react on their own against an anomalous node by enforcing a temporary communication ban on it. Each node monitors its own neighbors and, if abnormal behavior is detected, blocks the packets of the anomalous node at the link layer and reports the incident to its parent node. A novel RPL control message, the Distress Propagation Object (DPO), is formulated and used for reporting the anomaly and network activities to the parent node and subsequently to the router. The system has configurable profile settings and is able to learn and differentiate between nodes' normal and suspicious activities without any need for prior knowledge. It has different subsystems and operation phases, distributed across both the nodes and the router, which act on the data link and network layers. The system uses network fingerprinting to be aware of changes in network topology and to approximate threat locations without any assistance from a positioning subsystem. The developed system was evaluated using a test-bed consisting of Zolertia nodes and an in-house developed PandaBoard-based gateway, as well as the Cooja emulation environment. The evaluation revealed that the system has low energy consumption overhead and fast response. The system occupies 3.3 KB of ROM and 0.86 KB of RAM for its operations. Security analysis confirms the nodes' reaction against abnormal nodes and successful detection of packet flooding, selective forwarding, and clone attacks. A false positive rate evaluation shows that the proposed system exhibited a 5% to 10% lower false positive rate than a simple detection system.

Highlights

  • Internet-of-Things (IoT), where intelligent “things” are interconnected to monitor and exchange information, is becoming increasingly prevalent across different application areas

  • The detection system is configured to monitor up to 8 neighbors; the memory required for maintaining neighbor statuses and monitoring logs is allocated and released at runtime

  • For monitoring 8 nodes, a total of 416 bytes of RAM were required during runtime
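To make the node-side behaviour described in the abstract concrete (neighbor monitoring, a learned baseline rather than prior knowledge, a temporary link-layer ban, and a report sent towards the parent), the following is an added illustration written for this page in C, the language such constrained nodes are typically programmed in. It is not the paper's code: the 8-neighbor table size comes from the highlights above, but the window length, the flooding and selective-forwarding thresholds, the ban duration, the field layout of the report and the evidence counters are all assumptions for illustration, and the real DPO encoding is not given on this page.

```c
/*
 * Added example (not the paper's implementation): a node-side neighbor
 * monitor. Each node keeps a fixed table of up to 8 neighbors, learns a
 * per-neighbor frame-rate baseline from its first windows, and when a
 * neighbor later floods or drops frames it should have relayed, the node
 * bans it at the link layer for a few windows and emits a DPO-style report
 * for its parent. All thresholds and the report layout are assumed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NEIGHBORS 8     /* configured limit from the highlights */
#define LEARN_WINDOWS 4     /* windows used to learn a baseline (assumed) */
#define BAN_WINDOWS   3     /* length of the temporary ban (assumed) */
#define FLOOD_MARGIN  8     /* absolute slack on the rate threshold (assumed) */
#define MIN_RELAYS    10    /* minimum relay sample before judging forwarding */

enum { REASON_NONE = 0, REASON_FLOOD = 1, REASON_SELFWD = 2 };

typedef struct {
    bool     used;
    uint16_t id;           /* neighbor's short link-layer address */
    uint16_t rx;           /* frames heard from it in this window */
    uint16_t relay_in;     /* frames we saw handed to it for forwarding */
    uint16_t relay_out;    /* frames we later saw it forward */
    uint16_t windows;      /* benign windows folded into the baseline */
    uint32_t rate_sum;     /* sum of rx over those windows */
    uint8_t  ban_left;     /* windows of link-layer ban remaining, 0 = none */
} neighbor_t;

/* Report sent to the parent; the real DPO format is not on this page. */
typedef struct {
    uint16_t reporter;
    uint16_t suspect;
    uint8_t  reason;
    uint16_t evidence;     /* rx count (flood) or dropped relays (sel. fwd) */
} dpo_report_t;

static neighbor_t table[MAX_NEIGHBORS];

void nb_reset(void) { memset(table, 0, sizeof table); }

/* Find a neighbor slot; optionally claim a free one for an unknown id. */
static neighbor_t *nb_lookup(uint16_t id, bool create) {
    neighbor_t *free_slot = NULL;
    for (int i = 0; i < MAX_NEIGHBORS; i++) {
        if (table[i].used && table[i].id == id) return &table[i];
        if (!table[i].used && !free_slot) free_slot = &table[i];
    }
    if (create && free_slot) {
        memset(free_slot, 0, sizeof *free_slot);
        free_slot->used = true;
        free_slot->id = id;
    }
    return create ? free_slot : NULL;
}

/* Link-layer filter: true if a frame from src may be passed up the stack. */
bool nb_accept_frame(uint16_t src) {
    neighbor_t *n = nb_lookup(src, true);
    if (!n) return false;                 /* table full: drop unknown sender */
    if (n->ban_left) return false;        /* banned: drop silently */
    n->rx++;
    return true;
}

/* Record one relay opportunity overheard for neighbor id. */
void nb_on_relay(uint16_t id, bool forwarded) {
    neighbor_t *n = nb_lookup(id, true);
    if (!n || n->ban_left) return;
    n->relay_in++;
    if (forwarded) n->relay_out++;
}

bool nb_is_banned(uint16_t id) {
    neighbor_t *n = nb_lookup(id, false);
    return n && n->ban_left > 0;
}

/* Close the window: judge each neighbor, ban offenders, write reports.
 * Returns the number of reports written to out (at most max). */
int nb_close_window(uint16_t self, dpo_report_t *out, int max) {
    int count = 0;
    for (int i = 0; i < MAX_NEIGHBORS; i++) {
        neighbor_t *n = &table[i];
        if (!n->used) continue;
        if (n->ban_left) { n->ban_left--; continue; }   /* serve the ban */

        uint8_t reason = REASON_NONE;
        uint16_t evidence = 0;
        if (n->windows >= LEARN_WINDOWS) {       /* no judgement while learning */
            uint32_t baseline = n->rate_sum / n->windows;
            if (n->rx > 2 * baseline + FLOOD_MARGIN) {
                reason = REASON_FLOOD; evidence = n->rx;
            } else if (n->relay_in >= MIN_RELAYS && 2 * n->relay_out < n->relay_in) {
                reason = REASON_SELFWD; evidence = n->relay_in - n->relay_out;
            }
        }
        if (reason != REASON_NONE) {
            n->ban_left = BAN_WINDOWS;
            if (count < max)
                out[count++] = (dpo_report_t){ self, n->id, reason, evidence };
        } else {                                 /* only benign windows train */
            n->rate_sum += n->rx;
            n->windows++;
        }
        n->rx = n->relay_in = n->relay_out = 0;
    }
    return count;
}

int main(void) {
    dpo_report_t r[MAX_NEIGHBORS];
    nb_reset();
    for (int w = 0; w < LEARN_WINDOWS; w++) {      /* constructed benign traffic */
        for (int k = 0; k < 20; k++) nb_accept_frame(0x0001);
        nb_close_window(0x00AA, r, MAX_NEIGHBORS);
    }
    for (int k = 0; k < 100; k++) nb_accept_frame(0x0001);   /* constructed flood */
    int n = nb_close_window(0x00AA, r, MAX_NEIGHBORS);
    printf("reports=%d suspect=0x%04x reason=%u evidence=%u banned=%d\n",
           n, r[0].suspect, r[0].reason, r[0].evidence, nb_is_banned(0x0001));
    return 0;
}
```

Two design points worth noting. Offending windows are excluded from the baseline, so a neighbor cannot slowly drag its own threshold upwards once detection is active; the cost is that nothing is judged during the first LEARN_WINDOWS windows, so an attacker active from the start would have to be caught by the router-side part of the system instead. The ban is enforced in the link-layer filter, so frames from a banned neighbor never reach the network layer and do not consume routing or forwarding effort while the report travels towards the root.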


Summary

Introduction

Internet-of-Things (IoT), where intelligent “things” are interconnected to monitor and exchange information, is becoming increasingly prevalent across different application areas. As with other similar technologies, security has been an afterthought in IoT and is becoming a main barrier to the wider adoption of IoT-based services [14,15,16]. To address this issue, a number of security solutions for IoT have been proposed [17,18,19,20]. If some of the nodes are compromised and become internal attackers, cryptographic techniques cannot detect these malicious nodes, since the adversary may hold a valid key or the information needed to perform activities within the network. Experiments showed that an intruder could effectively interpose itself in low-power networks within five minutes, and almost all attackers exploit

