February 17, 2020
Title: Towards Detecting Routing-based Internal Attacks in 6TiSCH Architecture
Student: Areej Althubaity
Major Advisor: Prof. Song Han
Associate Advisors: Prof. Reda Ammar and Prof. Sanguthevar Rajasekaran
Date/Time: Monday, Feb 17, 2020, 12:30pm
Location: HBL Instruction 2119A (formerly Video Theater 2)
The Routing Protocol for Low-Power and Lossy Networks (RPL) was proposed in 2012 by the IETF ROLL working group to support the routing requirements of Low-power and Lossy Networks (LLNs). It has been adapted by the IPv6 over the Time-Slotted Channel Hopping mode of IEEE 802.15.4e (6TiSCH) architecture, which has brought deterministic and time-critical industrial networks to the Internet. 6TiSCH devices, however, are not tamper-resistant sensors, and some of the protocols in the architecture (for example, its routing protocol) are vulnerable to a number of internal attacks or intrusions. Protecting the 6TiSCH network and securing the low-capability devices from any intrusion is a goal that must be fulfilled.
We aim in this thesis to tackle internal attacks that are unique to the RPL protocol by proposing Intrusion Detection Systems (IDSs) with high detection accuracy and low processing power and storage consumption to suit the 6TiSCH architecture. In the first part of the thesis, we propose a lightweight centralized specification-based IDS, namely ARM (Authenticated Rank and routing Metric), to detect two forms of RPL-based attacks that manipulate the mote's location in the routing graph relative to the root of the topology, which the RPL specification expresses as the Rank value. ARM is composed of centralized and distributed modules installed on the root mote and all RPL motes, respectively. The root is responsible for making the detection decisions, while the motes periodically share their routing information with the root. Unfortunately, ARM lacks the ability to detect most of the Rank-related attacks; thus, in the second part, we enhance our centralized IDS and rename it ARM-Pro, in which most of the modules are augmented with new capabilities. ARM-Pro relies on the sink to detect malicious motes in the topology, which limits its application to small-scale networks only. Thus, in the third part, we introduce a fully distributed IDS named FORCE (FOrged Rank and routing metriC dEtector), in which each mote locally analyzes any received RPL control messages and raises alerts upon discovering suspicious or malicious behavior.