International Journal of Computer Applications (0975 - 8887) Volume 121 - No. 9, July 2015 Real Time Intrusion and Wormhole Attack Detection in Internet of Things Pavan Pongle Department of computer Engineering Sinhgad College of Engineering Pune, India Gurunath Chavan Department of computer Engineering Sinhgad College of Engineering Pune, India ABSTRACT There are currently more objects connected to the Internet than people in the world. This gap will continue to grow, as more ob- jects gain the ability to directly interface with the Internet. Pro- viding security in IoT is challenging as the devices are resource constrained, the communication links are lossy, and the devices use a set of novel IoT technologies such as RPL and 6LoWPAN. Due to this it is easy to attack in IoT network. The proposed system is a novel intrusion detection system for the IoT, which is capable of detecting Wormhole attack and attacker. The proposed methods uses the location information of node and neighbor information to identify the Wormhole attack and received signal strength to iden- tify attacker nodes. Design of such system will help in securing the IoT network and may prevents such attacks. This method is very energy efficient and only takes fixed number of UDP packets for attack detection, hence it is beneficial for resource constrained en- vironment. Keywords Intrusion Detection, Internet of Things, RPL, Wormhole, Packet Relay, Encapsulation, RSSI 1. INTRODUCTION Internet of Things (IoT) is a fast-growing innovation that will greatly change the way humans live. It can be thought of as the next big step in Internet technology. The changing operating environment associated with the Internet of Things represents considerable impact to the attack surface and threat environment of the Internet and Internet-connected systems. IoT is heterogeneous system consisting of various types of sensors nodes or devices with different kind of technology at each layer. However, due to the limited address space of IPv4, objects in the IoT uses IPv6 to accommodate space in Internet. Objects in the IoT can be devices with sensory capabilities, smart metering, health care sensor etc. RPL (Routing Protocol for low power and Lossy network) [1] is routing protocol used at the network layer in IoT. RPL topol- ogy contains one root/sink node directly connected to Internet using 6BR (IPv6 Border Router). RPL topology forms the DODAG (Des- tination Oriented Directed Acyclic Graph) tree, which contain only 1 root. Root node starts the formation of the topology by broad- casting the DIO (DODAG Information Object) messages. Nodes receiving the DIO message selects the parent to sender by reply- ing DAO (Destination Advertisement Object) message asking can I join you? Parent node gives the permission to join by sending DIO ACK message as yes you can join me. The rank value calcu- lated with respect to the parents rank value and other parameters. The rank value may be depend on the distance from the root node, energy of link etc. The network owner can decide the rank value calculation parameters. If new node want to join the network it first ask is there any DODAG here? By sending DIS (DODAG Info so- licitation) message. The nodes continue to broadcast the DIO mes- sage and form the tree topology. Fig. 1 shows the comparison of protocols used at traditional IP network and IoT. Fig. 1. Protocols used at traditional IP network and IoT The rest of the paper is organized as follows: Section II discuss the related work in Wormhole attack detection techniques and IDS systems designed for IoT. Section III gives discussion on architec- ture of system, modules and algorithm used for detecting attack. In section IV we have discussed the algorithms used to detect the attack and design of wormhole attacker node. Section V is on dis- cussion of how the attacks are detected using proposed system with example. Section VI on evaluation of system using various param- eter. Section VII gives the future work and extension for proposed system. Section VIII concludes the work done. 1