Sage Journals: Discover world-class research

Abstract

Internet of things (IoT) is a complex and massive wireless network, where millions of devices are connected together. These devices gather different types of data from different systems that transform human daily lives by modernizing home appliances, business, medicine, traveling, research, and so on. Security is a critical challenge for a stable IoT network, for instance, routing attacks, especially sinkhole attack is a severe attack which has the capability to direct network data toward the intruder, and it can also disrupt and disconnect the devices from their network. The IoT needs multi-facet security solutions where network communication is protected with integrity, confidentiality, and authentication verification services. Therefore, the IoT network should be secured against intrusions and disruptions; the data exchanged throughout the network should be an encrypted form. In this article, an intrusion detection system for the prevention of an active sinkhole routing attack (PASR) in IoT is presented. The proposed PASR solves the problem of the sinkhole attack; for this purpose, the whole network is divided into the clusters of IoT. All the IoT devices are connected to their respective gateways. The gateway devices are equipped with an intrusion detection system. The intrusion detection system activates intrusion analyzer to detect anomalies in the context of ad hoc on-demand distance vector protocol. The base station is the main device that is responsible to receive data from all devices. Therefore, it detects and prevents sinkhole attacks; the base station keeps the record of all active devices and their possible links. The PASR is implemented and compared with the existing intrusion detection techniques ad hoc on-demand distance vector, and dual attack detection for black and gray hole attack. It was observed from the simulation results that the PASR outperforms in terms of data packet delivery, energy consumption, the detection rate of sinkhole attack, and routing overhead.

Keywords

Security attacks prevention efficiency performance

Introduction

The Internet of things (IoT) integrates most of the things in the world, from a biosensor to cloud computing. It ubiquitously links devices, networks, and individuals for generating a complex distributed system. It advances daily life by accomplishing robust device-to-device communication and device-to-person communication. The foremost contributors to the IoT are sensors, radio-frequency identification (RFID), nanotechnologies, and smart technologies. The IoT is nothing without the use of sensors, which plays a major role to detect the physical status of the things and collect data. Advanced systems based on IoTs make use of nanotechnologies, which shows the potential impact to implement smart systems. The RFID enabled devices to use wireless microchips for automatic identification and tagging objects. These devices can detect the things without line-of-sight wireless links, with the use of a reading device called a reader and tags to identify the frequency and sense of the collections. Smart technology devices include a smart alarm system, smart fridge, smartphone, and other wearable wireless technologies. In this context, IoT is introducing smart cities, smart homes, smart grids, medical IoT, and so on. Due to its wide-ranging applications and various advanced technologies, the IoT has introduced many research opportunities in recent years. Even though the IoT network is highly used throughout the world, it also creates serious security and privacy issues. The series of vulnerabilities in IoTs increases in terms of networking, infrastructures, devices, and interfaces. As the network size and number of IoT devices make it challenging to implement per IoT device security. If a whole network makes secure then the network-based security can be implemented to perform as a protective shield by analyzing the data throughout the network. Furthermore, network-based security solutions can be useful for other IoT networks with minor changes. In the network, all devices need to be registered first to have network access. Therefore, thresholds should be defined to predict the abnormal behavior of network traffic.¹ The network authentication and privacy are important issues for IoT devices/sensors network. The traditional solutions like key encryption and distribution protocols are not directly applicable to reduce the communication overhead of the sensor networks. To reduce the authentication overhead, many IoT protocols consider high degree of trust throughout the network. That increases the risk of malicious devices in the network. The main types of attacks are sinkhole attacks, denial of service (DoS) attacks, wormholes, Sybil attacks, selective forwarding, spoofing, and altering of routing information.

There are many different security solutions to protect computing systems and networks against malicious attacks. One of the solutions is an intrusion detection system (IDS), which monitors the network data traffic by continuously scanning it for suspicious activities and sends alerts in case such activities discovered. IDSs, which are positioned to scan the network data packets, called network intrusion detection system (NIDS). NIDSs are, in contrast to common firewalls, able to perform a detailed examination of incoming network packets.² NIDSs not only monitor the headers of the data packets but also examine the payload. This means that NIDSs are not only examining the headers of the packets but also use to monitor the payload. This is one of the key features, which presents NIDS as a powerful tool, especially when it is used for protecting networks and computing systems. IDSs are especially implemented for the laptops and desktops, but not for the devices having limited resources. IoTs have limited memory, and limited computational and processing power. Therefore, to make these devices secure, IDSs must be resource-efficient.³ Recent research has managed to deploy Snort (open-source IDS) in a Raspberry Pi, which is a single-board computer (SBC).⁴ However, current research reveals that it is possible to execute IDS on the resource-limited devices, and it also shows that IDS is resource-demanding and consumes resources.

The application domain for IoT is vast; it is being used in the equipment of transport, medical, education, surveillance cameras, and so on. However, with the invention of new functionalities, different security threats have arisen. One threat was exposed in 2016 when a malware named Mirai was discovered. Mirai focused on hijacking IoT devices in the form of video surveillance cameras like closed-circuit televisions (CCTVs). Within 2 weeks, Mirai succeeded to hijack over 200,000 devices which were used in botnets to perform distributed denial of service (DDoS) attack.¹ This is one case of what could occur if IoTs are not secured. The attack can be more critical if the medical equipment based on IoTs is not secure. Many researchers have implemented different solutions for wireless sensor network security, but these solutions are not appropriate for the medical IoTs due to the following reasons:⁵

Medical IoTs are having low memory storage, low energy storage, and minimum bandwidth.

Medical IoTs are small in size, and they can be lost.

Some medical IoTs are implanted; the resources can be consumed quickly if not used efficiently.

In a medical-IoT environment, multiple sensors would transmit monitored data to a base station or cloud devices for further processing. It is well-known, and in current experience, that such many-to-one device communications are extremely susceptible to the sinkhole attack, where an intruder attracts surrounding devices with false routing information and then executes selective forwarding or modifies the information passing through it. A sinkhole attack creates a serious threat to sensor networks, mostly considering that these networks are often positioned in open areas with low battery power and computation.

This article emphasizes creating an efficient IDS for IoT devices. An IDS has three components: observing, detection, and alarm. An IDS is selected because it has the ability to detect intrusions by observing the network and connected devices if an intrusion is detected, and it alerts the users before the intruder begins to attack. The proposed IDS is a anomaly-based detection which is suitable for use in IoT. It detects the routing attacks which have not been previously detected. According to the proposed prevention of an active sinkhole routing attack (PASR), IoT devices do not communicate directly, which consumes resources. It is also observed from the simulation results that the PASR achieves high detection accuracy for the routing attacks, and it also confirmed the effectiveness of the algorithm. The results also revealed that the computational overheads are reasonably decreased for the whole networks.

The rest of the article is organized as follows: in section “Background and related work,” the relevant background information introduces the reader to the intrusion detection techniques. Section “The proposed IDS for the PASR in IoT” presents the proposed technique. The simulation results and discussions are presented in section “Results and discussion,” and the performance of the proposed PASR is compared with related existing techniques. Finally, the article is concluded in section “Conclusion.”

Background and related work

The IDS is further categorized into three main sub-categories anomaly-based, signature-based, and stateful protocol analysis (SPA)-based.⁶ The characteristics of signature-based IDSs are also known as knowledge-based IDSs. The data consist of signatures, generally pattern or strings which can be found in the data packets’ payload of malicious attack. For identifying intrusion, an IDS uses a pattern matching algorithm that monitors the data packets looking for a specific signature. In order to mention the features of a predicted attack, Snort (signature-based NIDS) combines signatures with the rules. A rule specifies the type of a protocol the signature is found, and the source and the destination of the data packet, and it also specifies what type of action should be taken if a malicious packet is predicted.⁷ The key benefit of knowledge-based IDSs is their accuracy. It means if an alarm is raised up by the IDS, then it is actually an intrusion and not a false alarm. However, the problems of extracting key signatures from a known attack and the maintenance—always keeping the IDS up-to-date with the latest susceptibilities—are often considered their main weaknesses. As the knowledge-based IDSs are dependent on the key signatures and data information from already known attacks in order to determine an attack, they are unable to identify so-called zero-day attacks. This shows that they cannot detect an intrusion attack if the methodology of the attack is unpredicted and never been used already.

Anomaly-based IDSs also called behavior-based systems detect and record the regular and expected behavior of a system. It means, within a specific time period, the IDSs are trained to identify the behavior of a system. In order to recognize an intrusion, the IDS compares the differences between current and recorded behaviors. If anomalies are predicted, the IDS alerts the system by sending alarms. A major drawback with anomaly-based IDSs is a high rate of false alarms because it is possible that normal behavior changes over time. Stateful protocol analysis–based IDSs¹ are similar to anomaly-based IDS, and they predict the system’s behavior of a specific protocol instead of a whole system. The other difference is about the reference model that a system’s behavior is comparing is established by well-known vendors rather than a recorder system. As edge routers connect wireless sensor devices or IoT to the Internet, these are at risk against common attacks. The common wireless sensor network attacks are routing attacks. The routing attack targets routing information to disturb the network routing, for example, alteration of data, change the source or destination addresses, and creating topology loop.⁸

The most common routing attack is Sinkhole. It was mentioned in Intrusion detection of SiNkhole attacks on 6LoWPAN for the Internet of things (INIT)⁹ that the sinkhole attack is one of the critical attacks against wireless sensor networks, and it disrupts the communication between devices. A sinkhole attack disrupts the routing in a network by having one device broadcasting that it knows the shortest link to the destination device. In the network, the nearby devices receive maximum data through the attacking device. Then, the attacking device will not continue to transmit the data packets it collects to the other devices. The device will just receive the data packets and then drop them. INIT not only emphasizes the detection of the Sinkhole attack but also focuses on preventing the effects of the attacks. The proposed technique is also trying to decrease unfavorable effects on the system. The unwanted effects include resources’ slow performance, high cost, false negatives, false positives, and so on. For the prevention of sinkhole attack, different authors have proposed different techniques. First, a watchdog technique based on clustering is used to keep track of the network and then different techniques are used to detect attacks by monitoring the devices’ behavior. In order to coordinate between devices, it creates a self-organized network, where within a cluster, devices are assigned different roles. It is also self-repairing in order to identify suspicious attacks or devices and alleviate them from the network. The authors concluded that INIT can predict sinkhole attacks in 92% of all cases when the devices are not mobile and in 75% when they use mobile devices.

To detect and overcome sinkhole attack in mobile ad hoc network (MANET) (ad hoc on-demand distance vector (AODV)),³ an active sinkhole attack is initiated by updating the sequence number in the route request message (RRM). The higher sequence number shows that the routes are updated with new nodes. The active sinkhole attack starts by choosing a pair of source and destination devices. It gets the source’s sequence number and broadcasts a request for a route with a higher sequence number than the source’s sequence number. All the neighboring devices which receive the route request assume that the route is an efficient route. Now, the sinkhole attack starts and sending data through the selected source device. If the neighboring devices have to transmit data, they will transmit through the new route having a sinkhole. Suppose that, in Figure 1, the link having source device 8 and destination device 3 are transmitting the data between each other. The active sinkhole selected source device modifies the sequence number and broadcasts a route request to the neighboring devices. In this way, source device 8 having sinkhole diverts the local data traffic to itself and now it can perform any malicious action.^10,11

Figure 1.

Active sinkhole attack.

In MANETs, the devices have limited energy to establish the links to broadcast the data packets. Malicious devices transmit beacon messages periodically in MANETs, making a huge amount of useless data traffic to increase the routing overhead. Malicious devices should be disallowed in order to decrease the additional routing overhead. To handle this issue, the dual attack detection for black and gray hole attacks (DDBG) technique¹² combines two different algorithms, that is, connected dominating set (CDS) and IDS, to detect the malicious devices having a black hole and gray hole and to decrease the routing overhead in MANETs. A dominating set of devices is a subset of the network. All of the devices are not essentially connected within that subset, but at least one device should be a member of that subset of the network. The dominating set must be linked, called a CDS. A CDS has less connected devices to cover the maximum range.¹³

The IDS set is also a model of the subset of the network. It is used to create a set of devices based on the devices’ sufficient energy within the whole network. The IDS set is also implemented to decrease the data congestion and routing overhead of the network. Initially, the DDBG technique divides the whole network into small groups of devices with the help of the CDS technique. Second, the DDBG chooses the IDS set of devices from each group of CDS devices that have sufficient energy and do not belong to the blacklist. In the third phase, an IDS device having the highest energy is selected. The IDS device must be a trusted device. Then, the IDS device transmits status packets periodically to detect the malicious device within the IDS set. If any device’s behavior is distrusted to be malicious, then the IDS device broadcasts a block message to notify all devices. All of the devices will then terminate communication with that specific malicious device. From the subset of the network, a small group of devices executes the IDS to broadcast the status and observe the energy level. In the DDBG technique, an IDS is used to design and implement in the network. The IDS device broadcasts a status packet to check the status of every device in the CDS. If any device’s behavior is suspected to be malicious, then the IDS device broadcasts a block message to notify all devices. All of the devices will then stop communication with that specific malicious device. The problem with DDBG technique is that it considered all sensor devices for data transmission, intrusion detection, and for making routes hop by hop to the base station. It means a single device performs many tasks at the same time. Therefore, this technique consumes more resources and creates overhead.

The proposed IDS for the PASR in IoT

The proposed PASR develops an IDS that can detect the routing attack (active sinkhole attack) in IoT where the devices are connected wirelessly. The PASR, focused on AODV protocol, is created for ad hoc networks. It was considered because it supports self-configuration, keeps the record only for the desired route, reduces data redundancy, has the ability to immediately update the current routes due to route failure, and is scalable to a large number of devices which is highly required for IoT.

The IoT network is considered with many gateway devices and a single base station. The IoT devices are randomly deployed within a specific area. The IoT devices constantly monitor and transmit gathered data to the base station. It was considered that the base station is positioned outside of the IoT area in a secure place for further processing. The base station keeps the record of all the devices and routes between them. If any device added, replaced, or routes are changed, the record is updated immediately. There are many IoT and gateway devices in the network, and all the IoT devices are connected to their respective gateways. The whole network is divided into clusters, where the gateway devices are considered as cluster heads. All the cluster head/gateway devices are connected to each other. In order to optimize the resources, there is no direct communication between the IoT devices. The IoT devices are only responsible to monitor the environment and transmit data.

The IoT devices transmit their data through gateway devices. Gateways are the computational devices; they link the IoT devices and other available gateways. Gateway devices maintain the routing tables. In a network, all the gateways are connected to each other to provide the routes between the devices throughout the network. Suppose an IoT device has to transmit the data, first, it has to send a request to the gateway device for the link establishment. If a route exists in the gateway’s routing table, it mentions the next gateway device on the link to the destination device. Otherwise, the gateway has to discover an efficient route. For this purpose, a gateway device broadcasts the RRM to all other connected gateways. If a neighboring gateway device has the route information to the destination (which is usually a base station), it sends back a route information message (RIM) to the source gateway device. Otherwise, it forwards RRM to the further connected gateways.

Figure 2 shows many IoT devices, gateway devices, and a base station. Suppose an IoT device connected to gateway10, which is its cluster head, transmits data to the base station; first, gateway10 checks in its own routing table, and if it has a route toward base station, it will transmit the data; otherwise, it will send RRM to its neighbors. In this case, gateway10 creates RRM and broadcasts to its neighbor gateways (8, 12). Let say gateway12 is in proximity and has the route information so it replies with RIM. The formats of RRM and RIM are shown in Figure 3. Once the links are defined between the devices, the base station generates a special hello packet for getting the route information. It broadcasts a special hello packet to its directly connected gateway devices, where they attach their device ID number and hop count from the base station. This information is updated and sent back to the base station from each gateway device. In the next step, the current gateway device forwards this hello packet to all connected neighboring gateway devices by increasing the hop count value. The process is repeated until the hello packet reaches the last gateway device and the base station receives all the route information in its record.

Figure 2.

Route discovery by AODV.

Figure 3.

Formats of RRM and RIM.

The proposed PASR creates an IDS that can predict an active sinkhole routing attack on the AODV protocol in IoT devices. The purpose of an active sinkhole attack is to forward the data traffic to the intruder, where first it takes over the control of a device and then broadcasts an RRM to all neighboring devices. During the active sinkhole attack, in the proposed network, the intruder takeovers the control of one of the gateway devices, because these are the main device that consists of the routing tables and are capable to transmit the RRMs and RIMs. After getting the control of a gateway device, it broadcasts the RRM to all neighboring gateways to get the route information to the base station. The neighboring gateway devices reply back with RIMs to the compromised gateway device. Now, the compromised gateway device broadcasts the RIM with the updated route toward the base station. Intruder gateway device also broadcasts to its neighbors that it has the optimum path toward the base station. Finally, all the neighboring gateway devices update their tables and transmit data through a new route where all the data packets are bound to pass by the compromised gateway device.

In order to detect and prevent the attack, all the gateway devices are equipped with IDS. Therefore, all the gateway devices are capable to detect the intrusion by analyzing the data they receive. It is also assumed that all the gateway devices are equipped with enough resources to execute the intrusion detection process. All gateway devices are equipped with a special module named intrusion analyzer. The function of the intrusion analyzer is to detect the irregularities/anomalies and broadcast intrusion alerts to the other gateway devices and base station. The PASR divides the whole network into the clusters of IoT devices, where gateway devices are cluster heads. This technique is applicable for the event-driven applications; whenever an event is detected, a control message is broadcasted to the base station and all connected gateway devices. The control message contains the control message number, control message source device, and message identifier and message size. To detect the intrusion, it is assumed that all the IoT devices are in the range of their relevant gateway devices and all the gateway devices are in range and connected with each other. They have same transmission and reception signal strength. Two-ray propagation model is used to calculate the static signal strength that can be used for both the direct path and ground reflection path. The received power at distance D is calculated through the following formula¹⁴

$R_{\Pr} (D) = \frac{({T_{\Pr}}^{*} {GT}^{*} {GR}^{*} {HT}^{2^{*}} {HR}^{2})}{D^{4} L}$ (1)

where R_pr is fixed received power, D is distance, and HT and HR are the heights of transmitting and receiving antennas, respectively.

After establishing the whole network and links between devices, the devices start communication. The base station is a main device and destination for all the devices, it receives data. Therefore, the base station keeps the record of all the active devices and their links. The base station keeps the record of every possible link coming from each device. Each gateway device maintains its routing table; depending on the routing table, gateways transmit data toward base station through intermediate gateway devices. During data transmission, if suspicious activity is detected, the devices have sinkhole in order to intruder gateway devices. When data packets are received at the base station appropriately, each time base station conforms and compares the accuracy of links and control messages. If there is no difference, it means that the data are received correctly. If data are changed by an intruder device and transmitted to the base station, the base station can identify the change in data by comparing the control messages with the original control messages.

In case if an intruder gateway device does not transmit the data to the base station, when the base station accepts the control messages and has not received within the specified time, the base station announces the detection of an intruder gateway device and sends alerts to all gateway devices not to transmit the data through the intruder gateway device. After detecting the intruder device, the base station sends alert messages to all gateway devices. In case if a new intruder device enters the network and sends a route request to the base station, the base station immediately checks the device ID and compares it in the database. If the database does not have the information about the new ID, it sends alerts to all gateway devices about the attack. It is a possibility that an intruder gateway device drops the reply packet as devices can transmit the data traffic towards BS through many different routes. Specially, they can forward reply packets to N neighbor gateways, where N ≥ 1. Suppose N be the number of neighbor gateways through which a data packet is transmitted, H be the number of intermediate gateway devices from farthest gateway device to the BS, P is the probability of sinkhole attack, and level L has T^L devices, where 1 ≤ L ≤ H

$R_{msg} [a response packet from a device at L can deliver to BS] = (1 - P) {(1 - P^{N})}^{L - 1}$ (2)

The number of response packets delivering the BS is calculated as given below

$Number of response packets = \sum_{L = 1}^{H} (1 - P) (1 - P^{N})^{L - 1} T^{L}$ (3)

The PASR overcomes the sinkhole attack by activating the intrusion analyzer at each gateway device and by keeping the record of all devices and their link in the base station. After receiving a new route request or data, the base station monitors and compares the route source to the sinkhole attack in the IoT network.

Results and discussion

The performance of the proposed PASR is evaluated through Network Simulator (NS-2). The simulation parameters are shown in Table 1. The simulation is carried out over the 100 m × 100 m area. The gateway devices and IoT were placed randomly. A total of 150 devices including intruder devices (with wireless channel type) which communicate with each other in AODV routing protocol are used. The two-ray ground propagation model is used for radio waves propagation. The constant bit rates (CBR) data type and packet size of 100 bytes are used.

Table 1.

Simulation parameters.

Parameters	Values
Simulation area	100 × 100 m²
Number of devices	150
Channel type	Wireless
Radio propagation model	Two-ray ground wave
Data type	CBR
Routing protocol	AODV
Type of attack	Sinkhole attack
Simulation time	850 s
Packet size	512 bytes
Control packet size	32 bits
MAC protocol	IEEE 802.11

CBR: constant bit rates; AODV: ad hoc on-demand distance vector; MAC: media access control.

The performance of the proposed PASR is compared with DDBG and AODV techniques.³ We have selected the above-mentioned two techniques because these are similar to the PASR in terms of gathering data from devices, sending route requests and route replies,^15–19 and so on. Furthermore, the evaluation results are based on data packet delivery ratio, network throughput, intrusion detection rate, routing overhead, and end-to-end delay.

The packet delivery percentage is monitored in three situations with different protocols. We have selected AODV protocol with sinkhole attack, DDBG protocol and the PASR with sinkhole detection and prevention. In the AODV protocol, all the devices are connected with each other and transmitting data without clustering. As shown in Figure 4, the value of data packet delivery percentage in AODV and DDBG with routing attacks is lower than the proposed PASR. The packet delivery percentage in the PASR is higher because it has implemented IDS in each device and in the base station. When a base station receives data, each time it compares the device and route information. If it predicts that the data are coming from an intruder device, it blacklists the intruder device and informs the whole network about it. Therefore, all the connected gateway devices disconnect from that intruder gateway device and continue their data transmission through other routes. As each device has IDS, if there is anomaly predicted between the gateways devices, the neighboring gateway devices inform base station, where it compares the device information in its database; if it predicts it as an intruder device, the base station broadcasts alert messages. The PASR data packet delivery percentage is higher as compared to the AODV and DDBG because after the detection of intruder devices having sinkhole attacks, it prevents intrusion and continues data transmission to the base station through normal routes. During the simulation, it was observed that data packet delivery percentage increases with the increase in the number of devices

$Dr = (\frac{\sum_{i = 1}^{n} R_{p}}{\sum_{i = 1}^{n} T_{p}}) \times 100$ (4)

where Dr represents data packet delivery percentage, R_p represents a number of received packets, and T_p represents the number of transmitted packets.

Figure 4.

Data packet delivery versus the number of devices.

The energy consumption of all devices for intrusion detection is monitored. Figure 5 shows the average energy consumption of all the gateway devices as a hop counts to the base station. As IoT devices are small devices having limited resources like energy, we are using IoT only for data gathering and data transmission, and these are not used for intrusion detection and routes. That’s why we are presenting the average energy consumption for only gateway devices. During the simulation, it was observed that the gateway devices which are located closer to the base station consumed more energy, this is because all the gateway devices transmit data through these devices. Gateway devices farther from the base station are only transmitting data through their routes hop by hop, and all data are not passing by from each gateway device, but the gateway devices near to the base station are receiving data from different gateway devices and transmitting to the base station. These closer gateway devices are not consuming too much energy for their own data transmission, these consume more energy because of other devices for sending and receiving a greater amount of messages compared to other gateway devices. It was observed from Figure 5 that the energy consumption of the PASR is less than the previous techniques, as AODV and DDBG considered all sensor devices for all-purpose like for data transmission, intrusion detection, and for making routes hop by hop to the base station. Therefore, a single device performs many tasks and consumes more energy. In the proposed PASR, IoT is only used for data gathering and transmission to the respective gateway device. The gateway devices are responsible for intrusion detection and making routes hop by hop toward the base station.

Figure 5.

Average energy consumption versus the number of gateway devices.

The prediction of the detection rate of the sinkhole attack in the network is highly required to show the accuracy of the PASR. The purpose of selecting this metric is to show the ability of the PASR to detect the sinkhole attack in the gateway devices. The detection rate of the PASR is compared with the previous AODV and DDBG protocols. The x-axis shows the number of devices and the y-axis shows the detection rate of intruder devices. We have mentioned the devices as intruder devices because in the AODV and DDBG consider all the devices, whereas in the PASR considered only gateway device because sinkhole attack enters in the devices that can broadcast messages. In the PASR, gateway devices are main devices that broadcast messages, whereas the AODV and DDBG considered all the devices. It is observed from Figure 6 that the detection rate of intruder devices in PASR is higher than the previous techniques because when an intruder attacks, it tries to broadcast an RRM from the gateway device, and immediately the IDS of gateway device investigates and predicts the anomaly and discards the message broadcast. While AODV and DDBG the intruder devices could not detect their irregularity and let the device to broadcast messages. Hence, the PASR detects the intruder devices more quickly as compared to the other techniques. Therefore, the detection percentage is increasing with the increase in the number of devices.

Figure 6.

Detection rate of intruder devices.

The greater routing overhead percentage shows the worse performance of the routing protocol. The routing overhead is measured as the total amount of packets are transmitted against the actual data packets. During the simulation, with the same number of devices, the routing overhead of the PASR, AODV, and DDBG protocols are analyzed. The experimental results in Figure 7 show that the overall performance of the PASR in terms of the overhead is superior compared to AODV and DDBG. When the number of devices increased, the routing overhead also increased due to a large number of different data packets. The main reason is that the devices having IDS broadcast packets periodically. It is observed that the routing overhead of PASR is less than AODV and DDBG because the PASR divides all the IoT into clusters where each cluster is assigned a specific gateway device that is responsible to receive the data and forwards to the base station. As not all the IoT devices are not involved in routing decisions, finding intrusion, and so on, in the PASR, all the devices are not transmitting all types of message (return receipt requested, RIM, control messages, etc.) and only gateway devices broadcast messages to the other connected devices for making routes, detecting intrusion, and intrusion alerts. Therefore, the percentage of routing overhead of AODV and DDBG is high because these techniques include all the devices for making routes, intrusion detection, and so on.

Figure 7.

The routing overhead versus the number of devices.

Conclusion

One of the critical issues in the IoT network is how to detect and prevent routing attacks in an efficient manner. In this article, the detection and prevention of a sinkhole routing attack are presented. The PASR divides the whole IoT network into the clusters where each cluster is served by a gateway device known as cluster head. In the network, each gateway device is equipped with a special module (intrusion analyzer) of an IDS that predicts sinkhole attack and sends alerts to other connected devices. The base station is the main device that receives the data from all devices. It keeps the record of all connected devices and their links. If an intruder tries to enter the network or tries to transmit RRMs, the base station immediately monitors and compares the whole record and broadcasts alerts to a whole network about the attack. In particular, it was found that the PASR was highly effective at detecting and preventing active sinkhole attacks. The key advantage of the PASR is to predict the sinkhole attack at the same time and it requires no communication between the IoT devices, which is a significant factor in minimizing the resources.

In the future work, an IDS technique which will detect and prevent the sinkhole and Sybil attacks (fake identities) in all connected medical sensors will be implemented. It will enhance the performance and security of the whole network.

Footnotes

The authors,therefore,acknowledge with thanks Deanship of Scientific Research (DSR) for technical and financial support.

Handling Editor: Iftikhar Ahmad

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: This project was funded by the DSR,at King Abdulaziz University,Jeddah,under grant no. D1437-53-612.

ORCID iDs

Sabeen Tahir

Sheikh Tahir Bakhsh

References

Kolias

Kambourakis

Stavrou

, et al. DDoS in the IoT: Mirai and other botnets. Computer 2017; 50(7): 80–84.

Mudzingwa

Agrawal

A study of methodologies used in intrusion detection and prevention systems (IDPS). In: Proceedings of IEEE Southeastcon, Orlando, FL, 15–18 March 2012. New York: IEEE.

Tabrizi

Pattabiraman

. Flexible intrusion detection systems for memory constrained embedded systems. In: 11th European dependable computing conference (EDCC), Paris, 7–11 September 2015, pp.1–12. New York: IEEE.

Sforzin

Mármol

Conti

, et al. RPiDS: Raspberry Pi IDS—a fruitful intrusion detection system for IoT. In: International IEEE conferences on ubiquitous intelligence computing, advanced and trusted computing, scalable computing and communications, cloud and big data computing, internet of people, and smart world congress, Toulouse, 18–21 July 2016, pp.440–448. New York: IEEE.

Reddy

MPK

Babu

. An energy aware end-to-end trust mechanism for IoT healthcare applications. Biomed Res 2017; 28(8): 3456–3464.

Liao

Lin

CHR

Lin

, et al. Intrusion detection system: a comprehensive review. J Network Comp Appl 2013; 36: 16–24.

Tahir

Bakhsh

Abulkhair

, et al. An energy-efficient fog-to-cloud Internet of Medical Things architecture. IJDSN 2019; 15(5): 1–13.

Kasinathan

Pastrone

Spirito

, et al. Denial-of-service detection in 6LoWPAN based Internet of Things. In: IEEE 9th international conference wireless and mobile computing, networking and communications (WiMob), Lyon, 7–9 October 2013, pp.600–607. New York: IEEE.

Cervantes

Poplade

Nogueira

, et al. Detection of sinkhole attacks for supporting secure routing on 6LoWPAN for Internet of Things. In: IFIP/IEEE international symposium on integrated network management (IM), Ottawa, ON, Canada, 11–15 May 2015, pp.606–611. New York: IEEE.

10.

Tank

Lathigara

To detect and overcome sinkhole attack in mobile ad hoc network. Comm Appl Electr 2015; 2, https://pdfs.semanticscholar.org/d66c/c313186f5b16a77e47ebd1198a2dc18a9427.pdf

11.

Kumar

Doohan

. A modified approach for recognition and eradication of extenuation of gray-hole attack in MANET using AODV routing protocol. In: Proceedings of the 2016 symposium on colossal data analysis and networking (CDAN), Indore, India, 18–19 March 2016, pp.1–5. New York: IEEE.

12.

Zardari

Zhu

, et al. A dual attack detection technique to identify black and gray hole attacks using an intrusion detection system and a connected dominating set in MANETs. Fut Internet 2019; 3(11): 61.

13.

Chu

. An efficient algorithm for finding an almost connected dominating set of small size on wireless ad hoc networks. In: Proceedings of the 2006 IEEE international conference on mobile ad hoc and sensor systems, Vancouver, BC, Canada, 9–12 October 2006. New York: IEEE.

14.

Bakhsh

ST.

Multi-tier mobile healthcare system using heterogeneous wireless sensor networks. J Med Imag Health Informat 2017; 7: 1372–1379.

15.

Baskar

Kishore Raja

Komara

, et al. Sinkhole attack detection in hierarchical sensor networks. Int J Sci Eng Res 2014; 5(9): 322–326.

16.

Patel

NJ.

Detection & prevention techniques of sinkhole attack in mobile adhoc network: a survey. Int J Latest Res Eng Tech 2016; 2(4): 50–54.

17.

Mohammad

Das

Kumari

, et al. Design of sinkhole node detection mechanism for hierarchical wireless sensor networks. Security Comm Networks 2016; 9: 4596–4614.

18.

Bhanbhro

Hassan

Nizamani

, et al. Enhanced textual password scheme for better security and memorability. Int J Adv Comp Sci Appl 2018; 9: 209–215.

19.

Al-Turjman

Imran

Bakhsh

, et al. Energy efficiency perspectives of femtocells in IoT. IEEE Access 2018; 5: 26808–26818.