Exploring and Enhancing Placement of IDS in RPL: A Federated Learning-based Approach

Selim Yilmaz, Sevil Sen, Emre Aydogan

TL;DR

This work addresses where to place intrusion detection in RPL-based LLNs and how to balance effectiveness with resource constraints. By evaluating three architectures (CIDwL, CIDwG, DCID) across attacker locations and introducing a federated intrusion detection framework (FedID), the study demonstrates that distributed or federated approaches improve detection under varying insider threats while mitigating data transfer costs. FedID, trained with local XGBoost models and aggregated via FedAvg, achieves strong detection performance with limited data sharing and reduced testing overhead, outperforming centralized CID-based designs in many scenarios. The results highlight FedID’s potential as a scalable, privacy-preserving IDS solution for lossy IoT networks, with practical implications for LLN security and IDS deployment guidance.

Abstract

In RPL security, intrusion detection (ID) plays a vital role, especially given its susceptibility to attacks, particularly those carried out by insider threats. While numerous studies in the literature have proposed intrusion detection systems (IDS) utilizing diverse techniques, the placement of such systems within RPL topology remains largely unexplored. This study aims to address this gap by rigorously evaluating three intrusion detection architectures, considering central and distributed placement, across multiple criteria including effectiveness, cost, privacy, and security. The findings underscore the significant impact of attacker position and the proximity of IDS to attackers on detection outcomes. Hence, alongside the evaluation of traditional intrusion detection architectures, this study explores the use of federated learning (FL) for improving intrusion detection within RPL networks. FL's decentralized model training approach effectively addresses the impact of attacker position on IDS performance by ensuring the collection of relevant information from nodes regardless of their proximity to potential attackers. Moreover, this approach not only mitigates security concerns but also minimizes communication overhead among ID nodes. Consequently, FL reduces the need for extensive data transfer, thus mitigating the impact of packet loss and latency inherent in lossy networks. Additionally, the study investigates the effect of local data sharing on FL performance, clarifying the balance between effectiveness and security.

Paper Structure

This paper contains 19 sections, 2 equations, 7 figures, 11 tables.

Figures (7)

  • Figure 1: The network topology
  • Figure 2: A scenario with nine collaborators for CIDwG and DCID architectures
  • Figure 3: The detection accuracy of IDSs with respect to the attacker location in the CIDwL architecture. The x- and y-axes represent, respectively, the locations of the attacker and the IDS nodes (given in order of distance from root to leaf).
  • Figure 4: The comparison of the overall accuracy obtained by CIDwL and CIDwG architectures
  • Figure 5: The comparison of the overall accuracy as a function of varying number of nodes in DCID architecture (50% voting scheme)
  • ...and 2 more figures