Detection and Mitigation of RPL Protocol Attacks in 6LoWPAN Using Federated Hybrid Deep Learning


Publisher

ASTU

Abstract

The adoption of 6LoWPAN in IoT networks has made RPL a standard. Despite its widespread adoption, RPL is highly susceptible to routing attacks that threaten communication reliability, energy efficiency, and data integrity. Existing methods for detecting RPL attacks often rely on centralized learning, which raises privacy concerns, and typically use datasets limited to small or medium-size networks, limiting real-world applicability and generalization. Existing literature has not used more than one model at a time to handle the correlation between RPL network traffic and the change of this traffic over time. To address this gap, this thesis proposes a federated deep learning-based framework for the detection and classification of three impactful RPL attacks: Blackhole (BH), Hello flooding (HF), and Version number (VN) attacks. We collected a multiclass classification dataset from IRAD covering four network sizes: 10 nodes, 20 nodes, 100 nodes, and 1000 nodes. This dataset is used to ensure realistic and generalizable evaluation. Preprocessing involved outlier removal, deduplication, and a hybrid feature selection approach combining Random Forest and XGBoost to enhance model performance. The round-robin assignment technique was used to assign labels equally to all federated clients. A novel hybrid CNN-GRU model was developed to improve the detection rate. It was evaluated against CNN-LSTM, LSTM, and GRU baselines under a federated learning setup, where data remained decentralized across clients. The proposed CNN-GRU model achieved 99.50% accuracy, demonstrating superior detection performance and computational efficiency. A conceptual mitigation strategy is integrated into the study. Upon detection, specific actions are triggered based on the attack type. For BH attacks, malicious nodes are blacklisted by the root node and excluded from routing by all nodes. For VN attacks, the root node adds the attacker to a watchlist and instructs nodes to ignore its updates. For HF attacks, affected nodes rate-limit or block messages from the attacker.
