Adaptive Intrusion Detection for Evolving RPL IoT Attacks Using Incremental Learning
Sumeyye Bas, Kiymet Kaya, Elif Ak, Sule Gunduz Oguducu
TL;DR
This paper tackles the challenge of evolving routing-layer attacks on RPL-based IoT networks by proposing a class-incremental learning (CIL) framework that incrementally integrates new attack classes without full retraining. Five model families (three tree-ensembles, a DNN, and a GNN) are evaluated under three training regimes to detect attacks such as hello flood, decreased rank, and version number, with a distillation-based incremental update and an exemplar memory buffer to preserve prior knowledge. Key findings show that CIL restores detection performance on unseen attacks, mitigates catastrophic forgetting, and significantly reduces update time (up to about $72\%$ faster) compared to retraining from scratch. This approach offers a practical, scalable path to resilient intrusion detection in evolving RPL IoT networks, with future work exploring concurrent attacks and agentic, self-adaptive IDS behavior.
Abstract
The routing protocol for low-power and lossy networks (RPL) has become the de facto routing standard for resource-constrained IoT systems, but its lightweight design exposes critical vulnerabilities to a wide range of routing-layer attacks such as hello flood, decreased rank, and version number manipulation. Traditional countermeasures, including protocol-level modifications and machine learning classifiers, can achieve high accuracy against known threats, yet they fail when confronted with novel or zero-day attacks unless fully retrained, an approach that is impractical for dynamic IoT environments. In this paper, we investigate incremental learning as a practical and adaptive strategy for intrusion detection in RPL-based networks. We systematically evaluate five model families, including ensemble models and deep learning models. Our analysis highlights that incremental learning not only restores detection performance on new attack classes but also mitigates catastrophic forgetting of previously learned threats, all while reducing training time compared to full retraining. By combining five diverse models with attack-specific analysis, forgetting behavior, and time efficiency, this study provides systematic evidence that incremental learning offers a scalable pathway to maintain resilient intrusion detection in evolving RPL-based IoT networks.
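The distillation-based incremental update with an exemplar memory buffer named in the TL;DR, shown as an added example that is not the paper's code. A small softmax classifier stands in for the paper's five model families, and the two synthetic features, the cluster centres, the buffer size of 10 per class and the distillation weight are assumptions chosen for illustration.

```python
import math, random

def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]

def logits(W, x):  # W holds one row [w_x, w_y, bias] per class
    return [w[0] * x[0] + w[1] * x[1] + w[2] for w in W]

def accuracy(W, data):
    scored = [(logits(W, x), y) for x, y in data]
    return sum(z.index(max(z)) == y for z, y in scored) / len(data)

def train(W, data, teacher=None, lam=1.0, epochs=400, lr=0.5):
    # Cross-entropy descent; a frozen teacher adds distillation on old-class outputs.
    for _ in range(epochs):
        G = [[0.0] * 3 for _ in W]
        for x, y in data:
            z = logits(W, x)
            g = [p - (k == y) for k, p in enumerate(softmax(z))]
            if teacher is not None:
                n = len(teacher)
                q, p_old = softmax(logits(teacher, x)), softmax(z[:n])
                for k in range(n):
                    g[k] += lam * (p_old[k] - q[k])
            for k, gk in enumerate(g):
                for j, v in enumerate((x[0], x[1], 1.0)):
                    G[k][j] += gk * v / len(data)
        for k in range(len(W)):
            for j in range(3):
                W[k][j] -= lr * G[k][j]
    return W

def blob(rng, centre, label, n=60):  # constructed samples, not real RPL traffic
    return [((rng.gauss(centre[0], 0.05), rng.gauss(centre[1], 0.05)), label) for _ in range(n)]

def experiment(seed=0):
    rng = random.Random(seed)
    centres = [(0, 0), (1, 0), (0, 1)]  # 0 benign, 1 hello flood, 2 version number
    tr = [blob(rng, c, k) for k, c in enumerate(centres)]
    te = [blob(rng, c, k) for k, c in enumerate(centres)]
    base = train([[0.0] * 3 for _ in range(2)], tr[0] + tr[1])  # knows classes 0 and 1
    grown = lambda: [row[:] for row in base] + [[0.0] * 3]      # add an output for class 2
    exemplars = tr[0][:10] + tr[1][:10]                         # memory buffer of old classes
    cil = train(grown(), tr[2] + exemplars, teacher=base)       # buffer + distillation
    naive = train(grown(), tr[2])                               # new class only
    return {"base_new": accuracy(base, te[2]), "cil_old": accuracy(cil, te[0] + te[1]),
            "cil_new": accuracy(cil, te[2]), "naive_old": accuracy(naive, te[0] + te[1]),
            "naive_new": accuracy(naive, te[2])}
```

`experiment()` returns held-out accuracy for each regime, so the forgetting of old classes under the naive update can be compared directly with the buffered, distilled update.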
