
Cross Layer-Based Intrusion Detection Based on Network Behavior for IoT


Amar Amouri, Vishwa T. Alaparthy and Salvatore D. Morgera
Department of Electrical Engineering, University of South Florida
Tampa, FL, USA
(email: aamouri@mail.usf.edu, vishwateja@mail.usf.edu and sdmorgera@usf.edu)

978-1-5386-1267-5/18/$31.00 ©2018 IEEE

Abstract—Intrusion detection systems have gained major significance in the Internet of Things (IoT), where the communicating entities can number in the thousands. An intrusion detection system (IDS) that uses a hybrid learning approach and consists of two stages of detection, local and global, is proposed. Data collection for classification at the local detection stage is intended to capture network behavior rather than node behavior, and to infer the state of a node from it. A scheme based on datasets of packet counts for normal and malicious cases, collected in promiscuous mode, is adopted in the network. Local detection is conducted by dedicated sniffers (DS), where each DS uses a supervised learning approach based on decision trees to generate correctly classified instances (CCIs). The global stage collects the CCIs sent from the DSs to the super node (SN) and applies an iterative linear regression to generate a time-based profile, the accumulated measure of fluctuation (AMoF), for malicious and normal nodes. Profiles of a malicious and a normal node are obtained, and an anomaly is detected after three iterations (processed samples).

Key words: Internet of things (IoT), Intrusion Detection Systems (IDS), Accumulated Measure of Fluctuation (AMoF), decision trees.

I. INTRODUCTION

The Internet of Things (IoT) is a term used to describe a network that connects different communicating entities, spanning from simple sensing devices like thermostats at home to healthcare devices, printers, smart phones and control systems in factories [1]. The IoT can be considered as an umbrella that takes advantage of the important aspects of wireless sensor networks (WSN) and mobile ad hoc networks (MANET) and forms an interface to the cloud or the Internet [2].

Intrusion detection systems (IDS) are the core of security maintenance in any communication network, wireless or wired. The vast application potential of IoT devices drives the need for an IDS that can deal with the threats faced by WSNs, MANETs, legacy networks and beyond, because of the massive range of communication activities involved in future IoT networks [3].

IPv6 over Low-power Wireless Personal Area Networks (6LoWPAN) facilitates the connection of resource-constrained devices to the global network. Many IDSs have dealt with security threats to 6LoWPAN routing, such as SVELTE [4], developed to detect routing attacks such as spoofing, sinkhole and selective forwarding. A denial-of-service (DoS) detection architecture for 6LoWPAN is presented in [5]: a packet matching technique is used to detect attacks that exceed a certain threshold, and the IDS is integrated into the network framework developed within the EU FP7 project ebbits.

A simple yet adaptive intrusion detection technique is a prerequisite for networks with low computational capability and limited power resources, as in some IoT applications. This issue was the major drive for the work presented in this paper. A time-evolving IDS is proposed, based on two layers of detection. During stage one, every DS deploys a classifier based on decision trees such as C4.5. These classifiers are chosen for their low computational complexity and low resource requirements, such as memory [6]. The packet collection module acquires the packet counts in promiscuous mode, collecting first-hand data from neighboring nodes within the radio range of the DS [7]. Every reporting time, each DS sends the calculated CCI to the SN. In stage two, the SN generates a variable called the AMoF, which is calculated from the variations of the collected CCIs using a sliding-window approach. In conjunction with this step, the SN performs linear regression fitting on those values to set a proper detection threshold, which helps in differentiating between malicious and normal nodes.

The rest of the paper is organized as follows. Section II presents a brief introduction to the black hole attack and the RPL protocol in the IoT. In Section III, the system architecture is described. The experimental setup is discussed in Section IV. Results and discussion are provided in Section V. Finally, Section VI presents the conclusions and thoughts about future work.

II. BLACK HOLE ATTACK AND RPL IN IOT

The IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) is the standardized routing protocol for the IoT [8]. The RPL topology forms a Destination Oriented Directed Acyclic Graph (DODAG), a tree with one root, or sink [9]. The control packets of RPL are:

a) DODAG Information Solicitation (DIS): solicits a DODAG Information Object from an RPL node.
b) DODAG Information Object (DIO): allows a node to discover an RPL Instance, learn its configuration parameters and select DODAG parents.
c) Destination Advertisement Object (DAO): used to propagate destination information upwards along the DODAG.

Due to global IP connectivity, 6LoWPAN networks are vulnerable to most of the existing attacks against WSNs [10]. A black hole attack is implemented to induce malicious activity in the network by manipulating the node's rank: the malicious node advertises a better rank than it is entitled to (in RPL, a numerically lower rank, i.e., closer to the root), which leads other nodes in the DODAG to forward their data packets through it, where they are dropped [11].
III. SYSTEM ARCHITECTURE

[Fig. 1: System architecture]

The system shown in Fig. 1 is a simplified version of the system in [12], adapted here to the IoT. The system avoids a feature selection module for two main reasons. First, the complexity and power restrictions in IoT-based systems, especially in our WSN-oriented experiment, are much tighter than in MANETs. Second, the total number of features used in the experiment is 6, a small-dimensionality problem that decision trees can handle directly.

The IDS consists of a two-stage detection process, local and global. Local detection is achieved via DSs located in two diagonally opposite quadrants of the field, similar to the scheme used in [13]. The packet counts from the MAC and network layers are the features used by the classifier to generate the CCI. Each DS calculates a CCI at every reporting time (Tr); the total number of reporting times is N, as shown in Fig. 1. The calculation of the CCIs depends on the packet counts (features) shown in Table I.

TABLE I. FEATURES USED BY STAGE 1 OF THE IDS
  MAC layer:      ACK  Tx / Rx
  Network layer:  DAO  Tx / Rx
                  DIO  Tx / Rx
(six features: the transmitted and received counts of each packet type)

The CCIs from the DSs are communicated to the SN, which performs an iterative linear regression process that establishes a detection threshold for the entire system, based on a certain detection criterion.

Using the variation of the CCIs collected from the different DSs to detect malicious nodes, with a sliding-window approach over the collected CCIs, is the core of the proposed IDS. A detailed mathematical model of the CCIs, along with a detailed algorithmic description of calculating the AMoF and the iterative linear regression that yields the detection threshold, is given in [12]; a simplified version of the algorithm is stated in this paper as Algorithm 1.

A simple linear regression process can be characterized as in equations (1) and (2), relating a dependent variable $Y$ to an independent variable $X$ [14],

$Y_i = \beta_0 + \beta_1 X_i + \epsilon_i$   (1)

where $\beta_0$ and $\beta_1$ are the model parameters and the errors $\epsilon_i$ are assumed to be independent $N(0, \sigma^2)$. The confidence interval for $\beta_1$ is

$b_1 \pm t\!\left(n-2,\, 1-\tfrac{\alpha}{2}\right) \, s \big/ \left\{\sum_i (x_i - \bar{x})^2\right\}^{1/2}$   (2)

where $t\!\left(n-2,\, 1-\tfrac{\alpha}{2}\right)$ is the $100\left(1-\tfrac{\alpha}{2}\right)$ percentage point of a t-distribution with $(n-2)$ degrees of freedom, $b_1$ is the least-squares estimate of $\beta_1$, and $s^2$ is the residual mean square (the residual sum of squares divided by $n-2$). From Algorithm 1, the threshold is calculated by first finding an initial threshold $\delta^*$ for the iteration: over the upper bounds (UB) of the slope confidence intervals of all NUTs, $\delta^* = \min(\mathrm{UB}) + \left(\max(\mathrm{UB}) - \min(\mathrm{UB})\right)/2$, i.e., the minimum upper bound plus half the spread of the upper bounds.

Algorithm 1: Calculating the AMoF, fitted slope and detection threshold for malicious and normal nodes
 1: Input: CCI(DS_m)_1, …, CCI(DS_m)_N, ∀ m ∈ {1, …, n}
 2: Output: AMoF, fitted slope (β), detection threshold (δ)
 3: At the super node:
 4: ∀ node ∈ NUT
 5:   for i = 1 to N do
 6:     for j = 1 to n do
 7:       calculate Temp(S_j)_i, NormTemp(S_j)_i
 8:     end for
 9:     AMoF(S_j)_i ← NormTemp(S_j)_i / n + AMoF(S_j)_{i−1}
10:   end for
11:   for k = 1 to N−1 do
12:     for j = 1 to l do, ∀ l ∈ NUT
13:       if k ≥ • then
14:         calculate β_k, C_k and δ*_k
15:         while δ*_k − δ*_{k−1} ≤ |Δ| do
16:           δ_k ← δ*_k
17:           if the node's fitted slope β_k ≥ δ_k then
18:             node is normal
19:           else
20:             node is malicious
21:           end if
22:         end while
23:       end if
24:     end for
25:   end for
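As an added example, not the authors' code, the following Python block shows what one DS does in stage 1 with the Table I features before the SN can run Algorithm 1: per-Ts packet-count instances labelled from the clean and the black-hole trace, a stratified k-fold cross-validation, and the CCI computed from the resulting TP/TN/FP/FN counts as Section IV defines it. C4.5 is not available without a dependency, so the block trains a one-level decision tree (a decision stump) with the information-gain criterion C4.5 applies at each split; that simplification, the feature names, the threshold rule and every packet count are assumptions or constructed values, not simulation output.

```python
"""Stage 1 at one dedicated sniffer (DS): Table I packet counts -> classifier -> CCI.

Added example, not the authors' code. The page's classifier is C4.5; to stay
dependency-free this block trains a one-level decision tree (a decision stump)
with the information-gain split criterion C4.5 applies at each node. That
simplification, the feature names and every packet count below are assumptions
or constructed values, not Cooja output.
"""
from math import log2

# Feature order follows Table I: ACK, DAO and DIO counts, transmitted and received.
FEATURES = ("ack_tx", "ack_rx", "dao_tx", "dao_rx", "dio_tx", "dio_rx")

# One Tr as seen by one DS: five Ts windows from the clean trace (label 0) and
# five from the black-hole trace (label 1). The last malicious window is built
# to look normal, as when the DS overheard nothing unusual in that Ts.
INSTANCES = [
    ((40, 38, 6, 5, 12, 11), 0), ((42, 41, 6, 6, 12, 12), 0),
    ((39, 37, 5, 5, 11, 11), 0), ((41, 40, 6, 5, 12, 12), 0),
    ((43, 42, 7, 6, 13, 12), 0),
    ((40, 20, 6, 2, 12, 30), 1), ((44, 22, 7, 2, 13, 32), 1),
    ((38, 19, 5, 1, 11, 28), 1), ((41, 21, 6, 2, 12, 31), 1),
    ((42, 39, 6, 5, 12, 12), 1),
]


def entropy(labels):
    """Shannon entropy in bits of a non-empty label list."""
    n = len(labels)
    return -sum(labels.count(c) / n * log2(labels.count(c) / n) for c in set(labels))


def majority(labels):
    """Majority label; ties resolve to 0 (normal)."""
    return 1 if labels.count(1) > labels.count(0) else 0


def train_stump(data):
    """Pick the (feature, threshold) pair with the highest information gain over
    all mid-points between adjacent distinct values. Returns
    (feature index, threshold, label if value <= threshold, label if value > threshold)."""
    parent = entropy([y for _, y in data])
    best_gain, best = -1.0, None
    for f in range(len(FEATURES)):
        values = sorted({x[f] for x, _ in data})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [y for x, y in data if x[f] <= thr]
            right = [y for x, y in data if x[f] > thr]
            gain = parent - (len(left) * entropy(left) + len(right) * entropy(right)) / len(data)
            if gain > best_gain:
                best_gain, best = gain, (f, thr, majority(left), majority(right))
    return best


def predict(stump, x):
    f, thr, below, above = stump
    return below if x[f] <= thr else above


def stratified_folds(data, k):
    """Index folds with the classes spread evenly: interleave the classes, then
    deal the instances round-robin into k folds (empty folds are dropped)."""
    queues = {c: [i for i, (_, y) in enumerate(data) if y == c] for c in (0, 1)}
    order = []
    while any(queues.values()):
        for c in (0, 1):
            if queues[c]:
                order.append(queues[c].pop(0))
    folds = [[] for _ in range(k)]
    for pos, i in enumerate(order):
        folds[pos % k].append(i)
    return [f for f in folds if f]


def cci(data, k=10):
    """Stratified k-fold cross-validation as in Section IV. Malicious (1) is the
    positive class. Returns (CCI, counts) with CCI = (TP + TN) / all instances."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for fold in stratified_folds(data, k):
        stump = train_stump([d for i, d in enumerate(data) if i not in fold])
        for i in fold:
            x, y = data[i]
            p = predict(stump, x)
            counts[("T" if p == y else "F") + ("P" if p == 1 else "N")] += 1
    return (counts["TP"] + counts["TN"]) / sum(counts.values()), counts


if __name__ == "__main__":
    value, counts = cci(INSTANCES)
    print("CCI for this Tr:", value, counts)   # the normal-looking black-hole Ts is missed
```

With ten instances per Tr, ten stratified folds reduce to leave-one-out; the constructed Tr yields a CCI of 0.9 because the one malicious window that looks normal is the one the stump cannot learn from the other nine. The CCI of each Tr, not the stump itself, is what the DS reports to the SN.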
IV. EXPERIMENTAL SETUP

The raw data was collected by simulating a network of thirty-five nodes using Cooja, the widely adopted discrete-event network simulator for IoT applications in the Contiki environment. Two of the nodes are designated as DSs; they collect data from the neighboring nodes promiscuously and generate CCIs, which in turn are sent to the SN. The SN runs the AMoF algorithm, including a linear regression on the AMoF, to detect the malicious nodes. The first level of detection is at the sniffer level, where each sniffer generates a CCI at each Tr using a simple yet effective supervised machine learning algorithm, the C4.5 decision tree.

The simulation parameters are shown in Table II. The NUTs are node 18 (malicious node) and node 22 (normal node). The DSs are node 8 and node 30, placed so that they cover most of the simulation area (Fig. 2). A static set of features collected from the MAC and network layers, shown in Table I, is used for detection with a C4.5 decision tree. Those features, which are packet counts, are fed to the C4.5 classifier mounted at the DS. The classification produces true positive (TP), true negative (TN), false positive (FP) and false negative (FN) instances. The CCI is the ratio of the TP and TN instances to the total number of instances classified, CCI = (TP + TN) / (TP + TN + FP + FN).

The tracing logs are obtained using Wireshark and processed using MATLAB. The simulation time is 10,000 sec, divided into ten reporting times (Tr) of 1000 sec each. Each reporting time is divided into five sampling times (Ts), or instances, of 200 sec. Traces of the network without malicious nodes are used to label a data set as normal; traces with malicious activity, three black holes deployed, are used to label a data set as malicious. This gives a total of ten instances per Tr, 5 normal and 5 malicious. A stratified ten-fold cross-validation process is used for training and testing: it divides the labeled data into ten equal folds and uses nine folds for training and one fold for testing.

TABLE II. SIMULATION PARAMETERS
  No. of nodes              35
  Field area                100 m × 100 m
  Transmission range        50 m
  Simulation time           10,000 sec
  Routing protocol          RPL
  Reporting time (Tr)       1000 sec
  Sampling time (Ts)        200 sec
  Nodes under test (NUT)    18, 22
  Transport layer protocol  UDP

V. RESULTS

Simulation results for the scenario with transmission range = 50 m, Tr = 1000 sec and Ts = 200 sec are presented. The detection threshold criterion |Δ|, the allowed difference between consecutive fitted slopes, is chosen after a number of iterations that achieve small fluctuation in the consecutive fitted slopes, showing stable behavior; |Δ| = 10^-3 was picked for this purpose.

The results shown in Fig. 3 represent the AMoF for the two types of node, normal and malicious. The AMoF of the normal node, node 22, shows higher variation than the AMoF of the malicious node, node 18.

The iteratively fitted slope (FS) and its confidence interval for nodes 18 and 22 are shown in Fig. 4. The confidence interval for each sample has an upper bound (UB) and a lower bound (LB). The detection threshold is met at the 3rd AMoF sample, as shown in Fig. 4, which translates to 3000 sec of simulation time. This appears to be a long time for detecting malicious activity, but it is highly dependent on the traffic types deployed in the network, such as client-server traffic at the application layer.
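As an added example, not the authors' code, the following Python block implements the super node side described in Section III and evaluated above: the AMoF accumulation of Algorithm 1, the slope fit of equation (1) with the t-based confidence interval of equation (2), the per-iteration threshold δ*, the stopping test |δ*_k − δ*_{k−1}| ≤ |Δ| and the classification of each NUT. Temp and NormTemp are defined in [12] rather than on this page, so the fluctuation measure used here (spread of a DS's CCI over a sliding window of W reporting times, divided by the window mean) is an assumption; so is the verdict rule read off Fig. 4 (a fitted slope at or above the threshold is normal, below it malicious). The t critical values are the standard two-sided 95% table, and all CCI series are constructed.

```python
"""Stage 2 at the super node (SN): AMoF, iterative slope fit with its t-based
confidence interval, the per-iteration threshold delta*, and the verdict.

Added example, not the authors' code. Temp and NormTemp come from [12] and are
not defined on this page, so the fluctuation measure below (spread of a DS's CCI
over a sliding window of W reporting times, divided by the window mean) is an
assumption; so is the verdict rule read off Fig. 4 (fitted slope at or above the
threshold = normal, below it = malicious). The CCI series are constructed.
"""
from math import sqrt

# Two-sided 95% Student-t critical values t(df, 0.975) for df = 1..12 (standard table).
T_975 = {1: 12.706, 2: 4.303, 3: 3.182, 4: 2.776, 5: 2.571, 6: 2.447,
         7: 2.365, 8: 2.306, 9: 2.262, 10: 2.228, 11: 2.201, 12: 2.179}

W = 2  # sliding-window width in reporting times (assumption)


def amof_series(cci_by_ds, w=W):
    """Algorithm 1, lines 5-10. cci_by_ds holds one CCI list per DS, indexed by
    reporting time. Returns AMoF_1..AMoF_N: the normalised fluctuation averaged
    over the n sniffers and accumulated over reporting times."""
    n_ds = len(cci_by_ds)
    amof, acc = [], 0.0
    for i in range(len(cci_by_ds[0])):
        norm_temp = 0.0
        for series in cci_by_ds:
            window = series[max(0, i - w + 1):i + 1]
            temp = max(window) - min(window)            # fluctuation inside the window
            mean = sum(window) / len(window)
            norm_temp += temp / mean if mean else 0.0   # NormTemp for this DS
        acc += norm_temp / n_ds                         # line 9
        amof.append(acc)
    return amof


def fit_slope_ci(y):
    """Least-squares slope of y against x = 1..k (eq. 1) with its confidence
    interval (eq. 2). Returns (b1, lower, upper); needs k >= 3 so that n - 2 >= 1."""
    k = len(y)
    x = range(1, k + 1)
    xbar, ybar = (k + 1) / 2, sum(y) / k
    sxx = sum((xi - xbar) ** 2 for xi in x)
    b1 = sum((xi - xbar) * (yi - ybar) for xi, yi in zip(x, y)) / sxx
    b0 = ybar - b1 * xbar
    rss = sum((yi - (b0 + b1 * xi)) ** 2 for xi, yi in zip(x, y))
    s = sqrt(rss / (k - 2))                             # residual mean square -> s
    half = T_975[k - 2] * s / sqrt(sxx)
    return b1, b1 - half, b1 + half


def detect(amof_by_node, delta_tol=1e-3):
    """Algorithm 1, lines 11-25. At each k the slope CI of every NUT is fitted on
    its first k AMoF samples and delta*_k = min(UB) + (max(UB) - min(UB)) / 2 over
    the NUTs. Once |delta*_k - delta*_(k-1)| <= delta_tol the threshold is frozen
    and each NUT is classified. Returns (k, threshold, {node: verdict}) or None."""
    nodes = list(amof_by_node)
    prev_star = None
    for k in range(3, len(amof_by_node[nodes[0]]) + 1):
        fits = {nd: fit_slope_ci(amof_by_node[nd][:k]) for nd in nodes}
        ubs = [ub for _, _, ub in fits.values()]
        star = min(ubs) + (max(ubs) - min(ubs)) / 2
        if prev_star is not None and abs(star - prev_star) <= delta_tol:
            return k, star, {nd: "normal" if fits[nd][0] >= star else "malicious"
                             for nd in nodes}
        prev_star = star
    return None


def run_demo():
    """Constructed CCI series (two DS, ten reporting times) for NUT 22 and NUT 18;
    following Fig. 3 the normal node's CCIs are made to fluctuate more."""
    cci = {
        22: [[0.70, 0.90, 0.65, 0.95, 0.60, 0.90, 0.70, 0.95, 0.65, 0.90],
             [0.80, 0.60, 0.90, 0.65, 0.85, 0.60, 0.90, 0.70, 0.85, 0.60]],
        18: [[0.90, 0.92, 0.95, 0.93, 0.96, 0.94, 0.97, 0.95, 0.96, 0.94],
             [0.88, 0.90, 0.91, 0.93, 0.92, 0.94, 0.93, 0.95, 0.94, 0.96]],
    }
    amof = {node: amof_series(series) for node, series in cci.items()}
    # 0.05 rather than the paper's 1e-3: a handful of synthetic samples will not
    # settle to three decimals.
    return detect(amof, delta_tol=0.05)


if __name__ == "__main__":
    print(run_demo())   # (k, threshold, verdicts); k is the processed-sample count
```

The threshold is derived from the slope confidence intervals, so it can only be computed once three AMoF samples exist (one degree of freedom) and only stabilises once the t critical value has shrunk, which is why detection takes a few processed samples regardless of how separated the two profiles are. On exactly linear AMoF profiles the residual variance is zero, the interval collapses onto the slope, and the criterion is met at the fourth sample.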

[Fig. 2: Layout of the nodes showing the transmission range of both DSs]

[Fig. 3: The AMoF for the two NUTs (AMoF18, AMoF22) against the number of processed CCI samples]


[Fig. 4: The fitted slope (FS) of each NUT with its confidence bounds (UB, LB) and the detection threshold, against the number of processed AMoF samples; range = 50 m, Tr = 1000 sec, Ts = 200 sec]

Such traffic types produce far larger packet counts than the ones used in this experiment. Richer packet counts would allow much smaller Tr and Ts, which would help in detecting at a faster rate.

VI. CONCLUSION AND FUTURE WORK

In this paper, a two-stage IDS based on data collection that functions in environments which prohibit direct access to data regarding certain nodes is proposed. The network behavior is used to infer the node's state in the network from the variations in the CCIs collected every Tr. The results show promise despite the lack of randomness compared to the MANET scenario. The results also show the ability to distinguish between normal and malicious nodes after the third processed AMoF sample; detection reaches 100% once the detection criterion is met.

Future work will concentrate on testing the IDS against different types of attacks, especially denial of service (DoS). Varying the simulation parameters of Table II is of great interest: different transmission ranges, numbers of NUTs and DSs, and random node deployment scenarios, compared to the linear model used in this work, will be employed and tested.

REFERENCES
[1] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari and M. Ayyash, "Internet of Things: A Survey on Enabling Technologies, Protocols, and Applications," IEEE Communications Surveys & Tutorials, vol. 17, no. 4, pp. 2347-2376, Fourth Quarter 2015.
[2] P. Bellavista, G. Cardone, A. Corradi and L. Foschini, "Convergence of MANET and WSN in IoT Urban Scenarios," IEEE Sensors Journal, vol. 13, no. 10, pp. 3558-3567, Oct. 2013.
[3] L. Atzori, A. Iera and G. Morabito, "The Internet of Things: A survey," Computer Networks, vol. 54, no. 15, pp. 2787-2805, 2010.
[4] S. Raza, L. Wallgren and T. Voigt, "SVELTE: Real-time intrusion detection in the Internet of Things," Ad Hoc Networks, vol. 11, no. 8, pp. 2661-2674, Nov. 2013.
[5] P. Kasinathan, C. Pastrone, M. A. Spirito and M. Vinkovits, "Denial-of-Service detection in 6LoWPAN based Internet of Things," 2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Lyon, 2013, pp. 600-607.
[6] T.-S. Lim, W.-Y. Loh and Y.-S. Shih, "A comparison of prediction accuracy, complexity, and training time of thirty-three old and new classification algorithms," Machine Learning, vol. 39, 2000.
[7] D. Sterne et al., "A general cooperative intrusion detection architecture for MANETs," Third IEEE International Workshop on Information Assurance (IWIA'05), 2005, pp. 57-70.
[8] L. Wallgren, S. Raza and T. Voigt, "Routing Attacks and Countermeasures in the RPL-based Internet of Things," International Journal of Distributed Sensor Networks, vol. 2013, 2013.
[9] P. Pongle and G. Chavan, "A survey: Attacks on RPL and 6LoWPAN in IoT," 2015 International Conference on Pervasive Computing (ICPC), Pune, 2015, pp. 1-6.
[10] C. Karlof and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures," Ad Hoc Networks, vol. 1, pp. 293-315, 2003.
[11] V. T. Alaparthy and S. D. Morgera, "Modelling an Intrusion Detection System based on Adaptive Immunology," to be published in Wireless Telecommunications Symposium, Chandler, 2018.
[12] A. Amouri, S. D. Morgera, M. A. Bencherif and R. Manthena, "A Cross-Layer, Anomaly-Based IDS for WSN and MANET," Sensors, vol. 18, no. 2, 2018.
[13] A. Amouri, L. G. Jaimes, R. Manthena, S. D. Morgera and I. J. Vergara-Laurens, "A simple scheme for pseudo clustering algorithm for cross layer intrusion detection in MANET," 2015 7th IEEE Latin-American Conference on Communications (LATINCOM), Arequipa, 2015, pp. 1-6.
[14] N. R. Draper and H. Smith, "Fitting a Straight Line by Least Squares," in Applied Regression Analysis, 3rd ed., John Wiley & Sons, Hoboken, NJ, USA, 1998.
