Wormhole Attack Detection System for IoT Network: A Hybrid Approach

Many errors in data communication lead to security attacks in the Internet of Things (IoT). Routing errors at the network layer are prominent errors in IoT which degrade the quality of data communication. Many attacks, such as the sinkhole attack, blackhole attack, selective forwarding attack and wormhole attack, enter the network through the network layer of the IoT. This paper emphasises the detection of the wormhole attack because it is one of the most uncompromising attacks at the network layer of the IoT protocol stack. The wormhole attack is the most disruptive of all the attacks mentioned above. The wormhole attack inserts incorrect route information into the network; it also alters the network information by causing location-dependent protocols to fail, thus defeating the purpose of the routing algorithms. This paper covers the design and implementation of an innovative intrusion detection system for the IoT that detects a wormhole attack and the attacker nodes. The presence of a wormhole attack is identified using the location information of any node and its neighbour, with the help of Received Signal Strength Indicator (RSSI) values and the hop-count. The proposed system is energy efficient, hence it is beneficial for the resource-constrained environment of IoT. It also reports precise true-positive (TPR) and false-positive (FPR) detection rates.


Introduction
IoT is an emerging technology nowadays, with a wireless interconnection of sensory devices in the existing infrastructure. Most researchers in this field claim that more than 30.9 billion devices are expected to be connected to the internet by 2022. Smart cities, smart homes, smart grids, smart medical treatment, smart agriculture, etc., are the demanding applications of IoT [1,2]. Sensory devices are uniquely identified by IP addresses, i.e., IPv4 or IPv6. IPv4 has limitations in providing IP addresses to a network with a large number of devices, whereas the IPv6 address space (2^128 addresses) is for practical purposes inexhaustible. The performance of all these smart devices can be affected by battery power, memory, communication range, size, etc. For optimal performance of the network, all the above constraints are considered by avoiding the use of bulky and battery-consuming encryption or security algorithms [3].
The IoT network is vulnerable to internal (within the network) and external (through the internet) attacks. Currently, few Intrusion Detection Systems (IDSs) have been reported that efficiently fulfil the security requirements of the resource-constrained IoT network. The existing IDSs are intended either for Wireless Sensor Networks (WSN) or for the conventional internet. The need for security in IoT, as well as various security attacks on the Routing Protocol for Low Power and Lossy Networks (RPL) and IPv6 over Low Power Wireless Personal Area Networks (6LoWPAN), is discussed in a few research papers [4][5][6].
To design a security solution for an IoT network is a challenging task due to the many protocols, such as DTLS [7], IPsec [8], IEEE 802.15.4 link-layer security [9], RPL [10], 6LoWPAN [11], etc., that are involved in IoT communication. Also, the links used in IoT are lossy, and the resource-constrained devices are connected to an insecure internet. Attacks like the wormhole attack, sinkhole attack, blackhole attack, selective forwarding attack, etc., adversely affect the performance of the IoT network [12,13]. Routing errors are a prominent factor affecting the security of data communication at the network layer of the IoT protocol stack. A wormhole attack causes routing errors which subsequently affect data communication in IoT. In the proposed work, an IDS is developed to detect and remove wormhole attacks from the IoT network.

Security Issues in IoT
Because of IoT, the world has become smarter. However, as it moves towards more intelligent applications, hackers and attackers get more chances to interfere, which adds life-threatening security issues in many forms. Though communication between all the devices without human intervention is the bright side of IoT, it also increases the threats to the security and privacy of the data that is generated, shared and stored in the network. For the IoT network to be implemented successfully, it is crucial that the IoT system provides safety and privacy for the user data.
Smart homes, smart cars or smart grids can be exploited by hackers and the data can be misused, which may severely affect everyone's lives. Hackers may use very sensitive personal, industrial or governmental data for a wrong purpose [14,15]. The security options of the traditional network are not applicable to the IoT network for the reasons discussed below:
• The IoT network is exceptionally heterogeneous and distributed.
• The devices used in IoT networks are resource-constrained in processing or computational capability, memory, battery life and bandwidth, which do not support conventional network security solutions that require more resources.
• The Internet Protocol (IP) is used to connect IoT devices to an insecure internet, where they face attacks from the internet.
• As the IoT network is formed by various heterogeneous technologies and protocols, security solutions must be compatible with all these protocols and standards, which again makes for a heavyweight solution that is not suitable for the constrained network.
• A considerable amount of data is generated and transmitted by IoT devices over wireless media with limited bandwidth. It is easy for attacker nodes to interrupt communication by destroying or modifying data packets.
• The IoT network is open and flexible to accept new protocols, standards or devices for scalability. This property also makes it easier for attackers to break the security and insert attacks to disturb communication.
• The IoT network uses decentralised wireless communication; any new device can easily be added to the existing network, which can further lead to attack insertion.
• Most of the time, IoT devices are placed in physically insecure areas, so attackers can readily attack these devices physically by replacing or reprogramming the nodes or changing their batteries [16,17].
Various kinds of errors arise in an IoT network that affect the quality of data communication in IoT.

Overview of Wormhole Attack
A wormhole attack affects network performance devastatingly. Because of a wormhole attack, routing information gets corrupted by the insertion of incorrect route information into the network. Also, localisation-dependent protocols fail in the presence of a wormhole attack. It damages data delivery, and the base stations of the network are affected as well. A wormhole attack allows other attacks like blackhole, DoS, sinkhole, grayhole, eavesdropping and Man-In-The-Middle attacks to be launched in the network. Because of a wormhole attack, unauthorised access can be gained and security keys can be cracked. Hence a wormhole attack is identified as a severe attack at the network layer of the IoT protocol stack and needs to be addressed.
In a wormhole attack, two colluding nodes that are physically far apart form a tunnel between themselves, thus pretending to be within one hop of each other. When any transmitted packet reaches either of the attacker nodes, it is relayed to the other, distant attacker node and replayed there. In the variant considered here the relay passes through the intermediate legitimate nodes (packet encapsulation), although in general the tunnel can equally be an out-of-band link such as a wired connection or a high-power directional radio. These intermediate nodes are not part of the said communication, but because of the wormhole attack they get involved in the transmission and drain their battery power. Removing a wormhole is not simple, because its existence is usually detected only after considerable loss has occurred. Hence it is necessary to design a strong IDS which will detect the presence of a wormhole attack and the attacker nodes at an early stage of its occurrence [18][19][20]. In the proposed research work, an IDS which can expose a wormhole attack at an early stage is designed.

Intrusion Detection System
Intrusion detection is a security mechanism that relies on analysing data collected in the network to identify symptoms of abnormal activity, discover an attack and trigger an alarm. To design an IDS for the 6LoWPAN-RPL based IoT network, one must consider its characteristics. IoT networks are infrastructure-less, ad-hoc and heterogeneous networks. Also, they are formed by devices with resource-constrained characteristics in terms of memory, processor, bandwidth, storage capacity and battery. Hence a suitable IDS for attack detection in the IoT network should be one that consumes few resources. This section discusses the classification of IDSs for IoT networks. There are two significant classifications of IDSs: (i) placement strategy and (ii) detection method [21][22][23][24].

Survey of Available IDSs for Wormhole Attack in IoT
As mentioned above, a wormhole attack is activated in the network by forming a tunnel between two distant nodes. The presence of a wormhole attack modifies the routing table and misguides the nodes in packet transmission. It adds unnecessary delay to the transmission and drains the batteries of resource-constrained devices. Researchers have developed IDSs for wormhole attacks in WSN and IoT networks. The proposed research work focuses on the IoT network, hence the existing IDSs for wormhole attack detection in IoT are discussed next. To design an IDS for a wormhole attack, one needs to know the symptoms of its existence. When a wormhole attack enters the network, path delays increase and the hop-count decreases abruptly. Data packets are received from far-away nodes in the network. In the presence of a wormhole attack, the number of neighbour requests increases, and a particular link is utilised more than the others. These symptoms are considered while designing the IDS for wormhole attack detection. Because of a wormhole attack, other attacks like eavesdropping and sinkhole attacks arrive in the network, which further disrupts data communication completely. Researchers have used various approaches for wormhole attack detection in WSN and IoT. A detailed survey is given below.
Gupta et al. [37] have developed a technique to detect wormhole attacks using a 'hound packet'. This technique is a software method of attack detection. In this method, a hound packet is transmitted from source to destination through every node along an already established path. Every node along this path stores the hound packet information. The source node keeps a count of the hop difference with the node one hop away. The destination node compares the hop difference between intermediate nodes with a threshold level. After studying this method, it is observed that it gives a high false-positive detection rate.
Also, the hound packet adds delay in processing the packet, and the processing overhead is increased. For wormhole attack detection, Khan et al. [38] have used the Merkle tree methodology for authentication of communication in the network. In this method, root-level nodes were chosen from which the Merkle tree originated, and authentication in dense and complex networks was handled by breaking the network into smaller pieces to identify the presence of a wormhole attack. The disadvantage of this method is that it adds communication and computational costs at the root level.
Ji et al. [39] have developed a distributed wormhole attack detection algorithm called DAWN which detects changes in the direction of packet flow caused by the wormhole attack. The DAWN algorithm gathers data from the steady network rather than relying on location-information middleware or global synchronisation. The limitations of this method are that it requires extra processing time and extra overhead for network monitoring. Arai [40], in his research work, has detected a wormhole attack using a location-aware methodology. In his method, the attacker node is identified using the hop-count and the location information of the neighbouring node. For performance analysis, the author has considered parameters like the number of affected nodes, the average hop-count reduction and a suspicion rate. The limitation of this method is that it cannot be used for complex networks. Also, the author has not provided true- and false-positive detection rates in his research work.
Acharjee et al. [41] have developed a hybrid algorithm for the detection and prevention of a wormhole attack. It is based on the High-Performance Ad hoc On-demand Distance Vector (AODV-HP) routing protocol. This algorithm uses a communication node between neighbours, a target hop-count and an anomaly value of all the nodes in the network. Using this algorithm, the wormhole link is effectively separated from the concerned network. The drawback of this method is that it has not been verified in real-time scenarios. Zheng et al. [42] have developed an IDS for wormhole attack detection. They have improved the localisation accuracy by using the nodes which were outside the range of a normal attack. This method is efficient for a distant attacker node with a larger communication radius, but it gives an inadequate response for attack detection in an isotropic sensor network.
Sharma et al. [43] have offered a detection method for the high-transmission-power type of wormhole attack. They have improved parameters like average delay, throughput, packet delivery, etc., by modifying routing protocols. The disadvantage of their approach is that it requires more transmission power. Lai et al. [44] have offered wormhole detection techniques for RPL-based IoT networks without using any extra hardware. In their method, the authors have used rank information for measuring the relative distance to the root node and the neighbour nodes. In their approach, the presence of a wormhole attack is detected when an unreasonable rank is identified. They have considered the 'rank' of the node as the attack detection parameter. In RPL the rank is a scalar computed by the objective function that increases monotonically from the root towards the leaves; with a hop-count objective function it corresponds to the number of hops from the node to the root, which is the interpretation used here. When nodes move away from the root, the rank increases. The authors have used geographic leashes to locate the attacker nodes. The limitation of this method is that it doesn't consider the integrity and confidentiality of the network.
Bendjima et al. [45] have proposed a neighbourhood-discovery-based energy-efficient IDS using the principle of sectors and mobile agent operation. In their research work, the information about the network is gathered using a mobile agent and sent to the sensor. By using the itinerary algorithm, the response time for lost packets is reduced, less energy is consumed and the resources of the nodes are preserved. The developed method detects the attack and the attacker node by improving the security schemes available for wormhole attack detection. The disadvantages of this method are a high packet drop ratio and higher energy consumption. Patel et al. [46] have used neighbourhood and connectivity information to detect a wormhole attack in the network. In their method, information regarding the neighbouring nodes and the connectivity of the sensor nodes is used as the detection feature to identify the wormholes. The drawback of their system is that the implemented approach is not applicable to non-stationary sensor networks.
Johnson et al. [47], in their research work, have used neighbour discovery and path verification mechanisms to detect a wormhole attack. They have removed the attack without adding any new hardware to the system. Their implementation is developed using the NS2 simulator with a modified AODV protocol. They have used neighbour information for identifying the attack: the validity of two-hop neighbours which have forwarded control or data packets is checked, and if a neighbour is found to be illegitimate, the attack detection alarm is raised. The authors have verified their results using delay, throughput and the packet delivery ratio. The limitation of their method is its low packet delivery ratio. Tiruvakadu et al. [48] have implemented a wormhole attack detection system using a honeypot to monitor the activities of the attacker in the network. The authors have used a wormhole attack tree to analyse network traffic. The honeypot uses three steps to detect the attack: (i) an attack tree model of all the observations that indicate a wormhole attack, (ii) an analysis model of the wormhole attack configuration and (iii) additional network observations for decision making. The authors have used the AODV protocol for attack detection. The disadvantage of this method is that it increases latency in communication.
Perazzo et al. [20] have implemented a wormhole attack, and studied its detection, by inserting attacker nodes as two endpoints deployed in different areas of the network. Their work operates at the MAC layer of the IoT protocol stack. For implementation, they have interfaced Python with the Cooja simulator, where the Python process runs on the CC2650 LaunchPad board and the Cooja simulator on a laptop. They have evaluated their results using packet loss and frame loss. They have used a proxy-acker technique to increase the impact of the attack. They have used three parameters, namely local packet loss, global packet loss and the wormhole nodes, for attack detection. Though they have not obtained optimum results for attack detection, they have concluded that wormhole attack detection can be improved if related attacks like traffic eavesdropping and selective packet dropping are detected.
Qazi et al. [49] have provided an extension of the DELPHI algorithm for wormhole attack detection. The original DELPHI assumes a fixed base wireless rate, and under this assumption its detection rate is higher than 80%. The original DELPHI algorithm has many drawbacks; for example, it is not able to protect the AODV protocol in a multi-rate transmission environment. Multirate-DELPHI improves the functionality by adding three factors, namely multi-channel operation, processing delay and neighbour supervision. The authors have used the round-trip delay, i.e., the time until confirmation of signal reception is received. With the help of this technique the detection rate of a wormhole attack is improved. The disadvantages of this method are that it consumes more energy and increases the processing time.
Luo et al. [50] have used the CREDND algorithm for wormhole attack detection in WSN. In their research work, the authors have proposed CREDND, a protocol for Credible Neighbour Discovery against wormholes in WSN. CREDND can detect both external and internal wormhole attacks: external ones through the hop difference between two neighbours, and internal ones by having common neighbour nodes monitor the authentication packets forwarded by attacker nodes. Their method does not perform well when different types of nodes with various transmission ranges are used, and for a more complex network it does not give good results. This concludes the survey of existing IDSs for wormhole attack detection. The next section discusses the limitations of the earlier research work and the necessity of designing a new attack detection system that will efficiently detect the presence of a wormhole attack, considering IoT characteristics.

Limitations of Earlier Wormhole Attack Detection Systems
From the survey of available wormhole attack detection systems, the following limitations are observed:
i. Very little work has been done on the design of IDSs for the IoT network as compared to WSN.
ii. No IDS has given optimum values for the true- and false-positive detection rates for wormhole attack detection in IoT.
iii. Power consumption is one of the most significant criteria for attack detection in resource-constrained networks such as IoT. Many IDSs consume high power to achieve attack detection.
iv. Many IDSs cannot justify optimum values of accuracy, F1 score and Matthews correlation coefficient.
After surveying the research work on wormhole attack detection, this research work focuses on RSSI and hop-count as the attack detection parameters. RSSI is the preferred tool for wormhole attack detection because it doesn't require any additional hardware: the radio already reports the received signal strength of every frame. However, it has been observed that if only RSSI is used for wormhole attack detection, it does not give optimum results for the false-positive rate (FPR). The FPR is the fraction of benign observations for which an attack alarm is nevertheless raised, i.e., an alarm when there is no attack. To reduce it, the hop-count is used along with the RSSI value, which improves the FPR in the proposed research work.
After discussing the limitations of the available methods for wormhole attack detection, a novel detection technique is developed for the said attack in the proposed research work. For the development of the IDS, a suitable simulation tool needs to be chosen. In the proposed system, Contiki OS with the Cooja simulator is used for simulation.

Wormhole Attack Detection System for IoT Network: A Hybrid Approach
The proposed system is an 'RSSI and Hop-Count Based Energy Efficient Wormhole Attack Detection System for IoT Network' (RHE2WADI). For attack detection in simulation, the proposed system uses two parameters, namely 'RSSI' from the range-based localisation method and 'hop-count' from the range-free localisation method. Thus, the developed system uses a 'hybrid' approach for attack detection. Because two different parameters are used, the proposed method is divided into two stages. Nodes that appear as suspicious in both stages are declared attacker nodes, and their entries are removed from the routing table by the border router. To obtain the simulation results for 'RHE2WADI', the Cooja simulator of the Contiki OS is used. The detection result is observed for a number of nodes ranging from 20 to 100. While designing the IDS for the wormhole attack, the different parameters were finalised after studying its symptoms. Symptoms such as the strength of the signal, the attractiveness of the path advertised by the attacker nodes, the difference between the actual path and the advertised path, and the delay in transmitting packets from the source to the destination are considered in designing the IDS. On this basis, the presence of the wormhole attack is detected with the 'RSSI' and 'hop-count' parameters.
When any node sends a neighbour request packet to nearby nodes, the distance between the two nodes is calculated from the RSSI value of the received packet. An alert is generated if this distance is larger than the transmission range of the existing nodes in the network. That particular link and the respective nodes are kept under observation by sending their IDs to suspect list 1. From the strength of the incoming signal, the distance between transmitter and receiver nodes is estimated using the standard Eq. (1) for distance calculation,
where the received power is the RSSI value and N is the path-loss exponent, a constant that depends on the environment and ranges from 2 to 4. In the current experimentation it is taken as 2 (free-space propagation). RSSI is expressed in dBm (decibels relative to 1 mW); 0 dBm corresponds to a received power of 1 mW, so for low-power radios the reported values are negative, and in practice they lie in the range of −30 dBm to −50 dBm near the transmitter. For the experimentation, a signal with an RSSI value above −30 dBm is considered a strong signal, whereas a signal with an RSSI value below −60 dBm is considered a weak signal.
The RSSI value alone detects the presence of the wormhole attack successfully; however, it increases the FPR, which is not desirable. The FPR is explained in detail in Sect. 4. Hence, to reduce the FPR, another parameter, the 'hop-count', is used along with RSSI; this gives a more precise FPR [51,52]. Its details are discussed in the next section.
In the presence of a wormhole attack, the attacker nodes, which are physically at a fair distance from each other, form a tunnel between themselves. This reduces the hop-count drastically. When suspicious nodes are under observation at the border router, the actual hop-count recorded in the database of the 6LoWPAN Border Router (6BR) and the advertised hop-count are compared. If the hop-count is below the threshold level, the node IDs of the suspicious nodes are sent to suspect list 2 of the second stage. If the same nodes are present in the suspect lists of both stages three times consecutively, then a wormhole attack is confirmed and the attacker nodes are disabled from the network.

The Architecture of 'RHE2WADI' Method
In this section the architecture of the IDS to detect the wormhole attack is discussed. It requires at least one node with extra battery power, processing power, etc., which is treated as the border router (6BR). General sensor nodes connected to the internet through a 6BR are shown in Fig. 1. 'RHE2WADI' monitors the behaviour of the nodes before and after the insertion of an attack in the network. In the implemented work, the 6BR acts as the root node, and the hop-count is calculated from it using the RPL protocol. The RSSI value plays a significant role in locating the attacker node. The RSSI value of each packet travelling from the source to the destination node is converted into a distance as per Eq. (1). When a large discrepancy between the RSSI-derived distance and the hop-count is observed, an attack and the attacker nodes are identified [53,54].
In the implemented method, the IDS module is placed at the 6BR as well as at each node. Initially, neighbour information is sent to the 6BR. If the requesting neighbour is within the transmission range of the original node, regular operation continues. If the requesting node is not within the transmission range of the original node, the 6BR sends a victim packet. The victim packet collects the RSSI value from the requesting node. The distance (d1) is calculated from the RSSI values received from the neighbouring nodes and verified against the actual distance calculated with the Euclidean distance formula of Eq. (2), where X and Y are the coordinates of the locations of the nodes.

Implementation of 'RHE2WADI' Method
The Cooja simulator is a suitable simulator for IoT applications as it meets all the requirements of 'RHE2WADI' related to routing and communication protocols [55,56]. Power consumption is measured using the Mica [57] and Sky mote platforms [58]. Cooja is GUI-based simulation software and also supports testing and debugging of IoT applications. For these reasons, the Cooja simulator is used in the current research work. Table 1 gives the parameters used for simulation in the 'RHE2WADI' method.
The design of the IDS for wormhole attack detection in the current research work is divided into two stages, as discussed below: Stage 1: implementation of an RSSI-based, hybrid-type IDS module at the 6BR and at each node; Stage 2: implementation of a hop-count-based, centralised-type IDS module at the 6BR. A detailed explanation of both stages is given in the next sections.

RSSI-Based, Hybrid Type IDS Module
In stage 1, to implement the IDS at the 6LoWPAN Border Router (6BR), the 6BR must be added to the network using Contiki OS 2.7 and the Cooja simulator. Sky mote nodes are used for the implementation of the 6BR and the other nodes. In IoT, the 6BR is equivalent to the sink node of a WSN, which connects the nodes of the network to the internet through the IPv6 protocol. As the IoT network is resource-constrained, the full IPv6 header is too heavy for IEEE 802.15.4 frames. Hence 6LoWPAN, an adaptation layer that compresses IPv6 headers and fragments packets so that IPv6 can be carried over IEEE 802.15.4, is used for communication. The 6BR works between the IPv6 of the internet and the 6LoWPAN of the local nodes, as shown in Fig. 1.
For the hybrid type of IDS implementation, heavy processing is done in centralised modules placed at the 6BR, whereas lightweight modules run at the sensor nodes to save energy. This section discusses the different modules used at the 6BR to discover the presence of an attack and the attacker nodes. It uses the RSSI value to detect the attack. The working hypothesis is that when a new neighbour request arrives, the 6BR validates the claim: it checks whether the new neighbour is within the transmission range of the original neighbour or not. If it is not, an attack is detected. More details about the IDS based on RSSI and hop-count are discussed in the following sections.
There are two modules in the RSSI-based hybrid-type IDS: the distributed module and the centralised module. Details of these modules are explained below.

Distributed Module
In the distributed module, the following four steps are proposed:

i. Neighbour Validation
Sensor nodes in the network contain the ID of the destination node and the ID of the neighbouring node. In the 'neighbour validation' step, this information is collected from all sensors to validate the original neighbours.
ii. Distance Calculation
Using Eq. (1), the distance between two nodes is calculated from the RSSI value. This distance is verified against the Euclidean distance of Eq. (2) between the coordinates of the two nodes. The X and Y coordinates of the nodes are obtained from the Cooja simulator.

iii. RSSI Collection
The RSSI collection module is activated after the detection of an attack in the network. It collects the RSSI values from the victim node and its neighbour node using victim packets. The 6BR maintains two RSSI values, one from the victim node and the other from its neighbour, which is within range of the attacker node. To avoid multiple RSSI values coming from the same node, the 6BR compares the node ID of the latest RSSI value with the node IDs already received.

iv. Attacker Node Detection
The working of this module is based on the RSSI values received from the nodes. This module converts the RSSI values into a distance 'd', as per Eq. (1), and finds the nodes within that distance. If the same nodes are found three times consecutively, they are considered suspicious nodes and sent to suspect list 1.

Centralised Module
In the centralised module the following three steps are proposed:

i. Send Neighbour Info
This module is placed in the regular nodes, and it saves the initial neighbours as the original neighbours at initialisation. If new neighbour information is received, this module sends it to the 6BR as a 'neighbour information packet'. The network uses UDP for data transmission, which does not guarantee packet delivery. For assured packet delivery, intermediate nodes forward the sender's packet both through their default route and by broadcasting. When intermediate nodes receive the 'victim forward packet' from the 6BR, they send it to the destination node by local unicast.

ii. Monitoring RSSI
After receiving the victim packet, either by broadcast or from the border router, the receiving node initialises the monitoring process. When the receiving node finds its own ID in the second position and the ID of the other victim in the third position, it interchanges the two IDs, i.e., it puts the node ID of the other victim in second place and its own ID in third place. These two nodes record each other's RSSI values. To locate the attacker node, the two victim nodes broadcast the end-victim packets.

iii. Send RSSI
The previous module collects the RSSI values from the nodes and their neighbours. These recorded RSSI values must be sent to the border router by broadcast, by unicast and through the default route. RSSI packets are forwarded after a pause of 2 s to avoid packet loss due to collisions and buffer overflow.
These steps are shown in Algorithms 1 and 2.
The process of wormhole attack detection is given in Algorithm 1. Algorithm 'A' is explained in Algorithm 2 which runs at the individual nodes.

Hop-Count Based, Centralized Type IDS Module
The AODV protocol is used for the hop-count metric. This module is placed at the 6BR; hence it is called the centralised module. It is used for broadcast as well as unicast routing, where sequence numbers are used to identify the routing messages. The destination sequence numbers are used to find the fresher path. AODV uses Route Request (RREQ) and Route Reply (RREP) as control messages. The source node broadcasts the RREQ message towards the destination node and an RREP message is unicast by the destination back to the source node.
The RREP message includes the information of the hop-count of the route traversed from the destination to the source. On receiving the RREP, the source node checks the signature and if the signature matches the specific signature, the source node sends the encapsulated data packet through the route where the destination address is mentioned.
If some malicious activities are found, the data packet is sent via a different safe route. The hop-count is calculated. If it does not match, the route may contain the wormhole node. Thus, that path is avoided. Hop-count information is also maintained in the routing table of each node for further cross verification.
As shown in Fig. 2, the normal count from source to destination is considered as 5 or 6. However, when a wormhole tunnel is formed, the hop-count goes down to 2. The lower hop-count value attracts other nodes to send their packets through the wormhole tunnel.
In the 'RHE2WADI' method, the hop-count of all the routes is examined initially. To avoid an attack, a lower threshold on the hop-count is set; if a route's hop-count is below the threshold value, that route is avoided and the nodes having the lowest hop-count are declared as attacker nodes. The minimum threshold hop-count value is 10% of the total number of nodes. In the AODV protocol, the RREQ packet is used as the route request that discovers the route and the RREP packet is used as the route reply. Figure 3 shows the packet format of an RREQ, where the verification flag (VF) is used, together with the RREQ ID, to distinguish a new RREQ packet from an old one. VF is also a part of the RREP packet. If VF = 0, the RREQ packet is treated as normal route discovery. When VF ≠ 0, the link is considered suspicious.

Route Establishment with RREQ and RREP
Initially, the source node sends RREQ packets for route discovery when communication is required. In the RREQ packet, it adds the source IP (IP_S), the destination IP (IP_D), and the RREQ ID (RREQ_ID). The hop-count is set to 0 and the expiration time of the RREQ packet is also set. This RREQ packet is broadcast in the network and received by the neighbouring nodes. Algorithm 3 demonstrates how a route is established with RREQ packets.

Route Establishment with RREP
An RREP packet is unicasted from the destination to the source node. In the reverse path,

Hop-Count Number Limit and Suspect List Broadcast
When a wormhole attack is activated in the network, the hop-count is reduced drastically. The attacker node broadcasts the RREQ packet with the lowest hop-count which is accepted by the surrounding nodes by dropping the RREQ packets of legitimate nodes. Thus, only the route through the wormhole nodes is established as shown in Fig. 4.
The solution for this situation is to set a lower limit on the hop-count in a Hop_Count_lim register. The hop-count limit is set to 10% of the total number of nodes. For the condition shown in Fig. 4, if Hop_Count_lim is set to 2 and the received hop-count is found to be less than or equal to Hop_Count_lim, then the presence of a wormhole attack is declared. The suspect list is broadcast by the 6BR to identify the attacker nodes. The source node of the modified value is alerted, and the suspect IP address is then sent to suspectlist2. These IP addresses are compared with the IP addresses in suspectlist1. If common IP addresses are found in suspectlist1 and suspectlist2, the 6BR removes those nodes from the routing table permanently.
Algorithm 5 gives a better understanding of attack detection using the hop-count.
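
The hop-count stage and the two-list confirmation described above, as an added example rather than the paper's Algorithms 3 to 5. It simulates AODV route discovery over a constructed 20-node chain: every radio link adds one hop, while the two attacker nodes replay the RREQ through their tunnel without incrementing the hop-count (an assumption that reproduces the drop from 6 hops to 2 shown in Fig. 2). The 6BR then applies Hop_Count_lim = 10% of the node count, places the intermediate nodes of a too-short route into suspectlist2 and intersects it with a constructed suspectlist1 from the RSSI stage. Topology, node ids and function names are assumptions.

```python
import heapq


def hop_count_limit(n_nodes):
    """Paper: the minimum threshold hop-count is 10% of the total number of nodes."""
    return max(1, n_nodes // 10)


def build_chain(n_nodes):
    """Constructed topology: nodes 0..n-1 in a line, each radio link counting one hop.
    links: {node: [(neighbour, hop_increment), ...]}"""
    links = {i: [] for i in range(n_nodes)}
    for i in range(n_nodes - 1):
        links[i].append((i + 1, 1))
        links[i + 1].append((i, 1))
    return links


def add_wormhole_tunnel(links, a, b):
    """Attacker nodes a and b forward RREQs over their out-of-band tunnel
    without incrementing the hop-count (assumed increment of 0)."""
    links[a].append((b, 0))
    links[b].append((a, 0))


def discover_route(links, src, dst):
    """Model AODV route discovery: the RREQ floods outward accumulating hop-count,
    and the destination replies (RREP) along the lowest-hop route it received.
    Returns (hop_count, route) or (None, []) when dst is unreachable."""
    best = {src: 0}
    prev = {}
    pq = [(0, src)]
    while pq:
        hops, u = heapq.heappop(pq)
        if hops > best.get(u, float("inf")):
            continue                      # stale RREQ copy, already beaten
        if u == dst:
            break
        for v, inc in links.get(u, []):
            nh = hops + inc
            if nh < best.get(v, float("inf")):
                best[v] = nh
                prev[v] = u
                heapq.heappush(pq, (nh, v))
    if dst not in best:
        return None, []
    route = [dst]
    while route[-1] != src:
        route.append(prev[route[-1]])
    route.reverse()
    return best[dst], route


def check_route(n_nodes, hop_count, route):
    """Stage 2 at the 6BR: a received hop-count <= Hop_Count_lim declares a wormhole;
    the intermediate nodes of that route become suspectlist2."""
    if hop_count <= hop_count_limit(n_nodes):
        return True, set(route[1:-1])
    return False, set()


def confirm_attackers(suspectlist1, suspectlist2):
    """Nodes present in both stages are removed from the routing table permanently."""
    return set(suspectlist1) & set(suspectlist2)


if __name__ == "__main__":
    n = 20
    links = build_chain(n)
    print("normal:", discover_route(links, 0, 6))       # (6, [0, 1, 2, 3, 4, 5, 6])
    add_wormhole_tunnel(links, 1, 7)                    # attackers sit at nodes 1 and 7
    hops, route = discover_route(links, 0, 6)
    print("with wormhole:", hops, route)                # (2, [0, 1, 7, 6])
    attacked, suspectlist2 = check_route(n, hops, route)
    suspectlist1 = {1, 7, 12}                           # constructed RSSI-stage output, 12 is noise
    print("attack:", attacked, "confirmed:", confirm_attackers(suspectlist1, suspectlist2))
```

The intersection is what keeps the false-positive rate down: node 12, flagged only by the RSSI stage, never reaches the routing-table removal, while nodes 1 and 7, flagged by both stages, do.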

Results and Discussions
In this section, the evaluation of the implemented system is presented. After the experimental setup is described, a quantitative assessment of the true- and false-positive detection rates for each experimental set-up is given. Initially, the network is simulated without inserting the attacker node. At this stage, the routing table is built and the 6BR collects the information of all nodes. The experimentation starts with 20 nodes and two attacker nodes. After 15 min of network settlement, attacker nodes are inserted in the network with a long-distance node as the destination address in their routing table.
As new nodes are added to the network, a request about their validity is sent to the 6BR. The 6BR node starts collecting the RSSI and hop-count information from all the nodes. After verifying the RSSI values and the hop-count, the attacker node is identified: the RSSI values show that the attacker nodes are not in the transmission range of the original node, and the attacker also reports fewer hop-counts than the actual hop-counts. These symptoms show the presence of an attack, and the attacker node is displayed on the output window of the Cooja simulator.
In the implementation of the 'RHE2WADI' method, the readings are taken for networks ranging from 20 nodes to 100 nodes in steps of 10. Up to 20 nodes the readings are constant; hence, for analysis, readings taken from 20 nodes onwards are considered. As the total number of nodes is increased, attacker nodes are inserted at the rate of 10% of the total nodes. For example, for 20 nodes, two attacker nodes are inserted; for 40 nodes, four attacker nodes are inserted, and so on. The IDS implemented in the current research work is evaluated using performance-based and security-based metrics. Attack detection rate, energy consumption and propagation delay are assessed under the performance-based metrics, and the obtained results are compared with the state-of-the-art results of Luo et al. [50]. Accuracy, F1 score and Matthews Correlation Coefficient (MCC) are evaluated under the security-based metrics, and the obtained results are compared with the state-of-the-art results of Johnson et al. [47], Perazzo et al. [20] and Luo et al. [50]. Their work is already discussed in Section 2.

Performance-Based Metrics
Performance-based metrics measure the system's performance under which the attack detection rate, energy consumption, and propagation delay are observed. These terms are explained next.

i. Detection Rate
The true-positive and false-positive detection rates of the wormhole attacks are observed in the performed experimentation. The True-Positive Detection Rate (TPR) is defined as how correctly the IDS identifies the presence of the attack and the attacker nodes. Ideally, the TPR must be close to 100%. The developed system detects a wormhole attack successfully when an attack is present in the system. The detection rate reduces as the complexity of the network increases. It is calculated using Eq. (3).
The False-Positive Detection Rate (FPR) is defined as how many times the IDS falsely raises an alarm for an attack when the network is not under attack. Ideally, this value must be close to zero. It is calculated using Eq. (4).

ii. Energy Consumption
Energy consumption for a sensor node is defined as the amount of energy required per second for data processing and transmission. In the IoT, nodes are battery-powered; therefore, energy efficiency is an essential aspect of IoT devices. Contiki's powertrace tool is used to measure the power consumption of the implemented IDS [59]. For the calculation, the working voltage is taken as 3 V. Energy consumption is calculated using the nominal values of the Tmote Sky, as shown in Table 2, and the standard equation (5) [60].

iii. Propagation Delay
Propagation delay is defined as the time taken by a packet to travel from source to destination in the wireless environment. In the implemented system, propagation delay is calculated using the standard equation (6). The parameter values used in Eq. (6) are given in Table 3.

Security-Based Metrics
Security based metrics measure the security related outcome of the given system. Under this, accuracy, the F1-score and MCC are measured. These terms are explained next.
i. Accuracy (Acc)
Accuracy represents the effectiveness of the given wormhole attack detection technique. Total accuracy is the proportion of accurately classified instances, either positive or negative. It states how effective the detection is, and is calculated as Eq. (7).

ii. F1-Score
In the statistical analysis of binary classification, the F1 score is a measure of a test's accuracy. It considers both the precision p and the recall r of the test to compute the score. Here p is the number of correct positive results divided by the number of all positive results returned by the classifier, and r is the number of correct positive results divided by the number of all relevant samples. The F1 score is the harmonic mean of precision and recall; it reaches its best value at 1 (perfect precision and recall) and its worst at 0. It is calculated as Eq. (8).

iii. Matthews Correlation Coefficient (MCC)
For binary classification, another approach is to treat the true class and the predicted class as two (binary) variables and compute their correlation coefficient. The higher the correlation between the true and predicted values, the better the prediction. Applied to classifiers, this is the MCC. MCC represents the degree of correlation between the actual wormhole nodes and the predicted wormhole nodes. MCC lies between −1 and 1, where a value close to 1 indicates higher effectiveness of the classifier. It is calculated as Eq. (9).
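
The five metrics defined in this section (TPR, FPR, accuracy, F1 score and MCC) computed from one experiment's confusion matrix, as an added example; Eqs. (3), (4) and (7) to (9) are not reproduced on this page, so the block uses the standard definitions of these quantities. Treating "positive" as "the IDS flagged this node as a wormhole node" lets the counts be derived directly from node sets, which is how the MCC paragraph describes the comparison of actual and predicted wormhole nodes. The node ids and the flagged set are constructed.

```python
import math


def confusion_counts(all_nodes, actual_attackers, flagged_nodes):
    """Derive (TP, FP, FN, TN) for one run. Positive = flagged as a wormhole node."""
    nodes, actual, flagged = set(all_nodes), set(actual_attackers), set(flagged_nodes)
    tp = len(flagged & actual)            # attackers correctly flagged
    fp = len(flagged - actual)            # benign nodes wrongly flagged
    fn = len(actual - flagged)            # attackers missed
    tn = len(nodes - actual - flagged)    # benign nodes left alone
    return tp, fp, fn, tn


def _ratio(num, den):
    """Guard every metric against an empty denominator (e.g. a run with no attackers)."""
    return num / den if den else 0.0


def tpr(tp, fp, fn, tn):
    """True-positive rate (recall): share of real attacker nodes the IDS caught."""
    return _ratio(tp, tp + fn)


def fpr(tp, fp, fn, tn):
    """False-positive rate: share of benign nodes the IDS wrongly alarmed on."""
    return _ratio(fp, fp + tn)


def accuracy(tp, fp, fn, tn):
    """Proportion of correctly classified nodes, positive or negative."""
    return _ratio(tp + tn, tp + fp + fn + tn)


def precision(tp, fp, fn, tn):
    """p: correct positives over all positives the classifier returned."""
    return _ratio(tp, tp + fp)


def f1_score(tp, fp, fn, tn):
    """Harmonic mean of precision p and recall r."""
    p, r = precision(tp, fp, fn, tn), tpr(tp, fp, fn, tn)
    return _ratio(2 * p * r, p + r)


def mcc(tp, fp, fn, tn):
    """Matthews correlation coefficient between actual and predicted classes, in [-1, 1]."""
    den = math.sqrt((tp + fp) * (tp + fn) * (tn + fp) * (tn + fn))
    return _ratio(tp * tn - fp * fn, den)


def evaluate(all_nodes, actual_attackers, flagged_nodes):
    """All five metrics for one run, keyed by the names used in the paper."""
    c = confusion_counts(all_nodes, actual_attackers, flagged_nodes)
    return {"TPR": tpr(*c), "FPR": fpr(*c), "Acc": accuracy(*c),
            "F1": f1_score(*c), "MCC": mcc(*c)}


if __name__ == "__main__":
    # constructed 20-node run: attackers at nodes 1 and 7, IDS flagged nodes 1 and 12
    for name, value in evaluate(range(20), {1, 7}, {1, 12}).items():
        print(f"{name}: {value:.4f}")
```

Note how the FPR in the constructed run stays small (one wrong alarm among eighteen benign nodes) while the MCC drops to 0.44: with only two attackers in twenty nodes, accuracy and FPR are dominated by the many true negatives, which is why the paper reports MCC and F1 alongside them.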

Attack Detection Rate
The TPR and FPR of a wormhole attack are compared with the results obtained by the recent research work of Luo et al. [50]. With attacker nodes making up 10% of the total nodes, the readings are taken as per Tables 4 and 5.
From Table 4, the average TPR values of the IDS developed by Luo et al. [50] and the IDS developed by the current research work are 90.24% and 95.01% respectively. Thus, the TPR value of the IDS using the 'RHE2WADI' method is 4.77% better than the most recent research work.
The average FPR for the research method of Luo et al. [50] is 18.07%. Whereas the FPR value for the proposed research work is 11.96% thus giving 6.11% better results than the earlier research work.

Energy Consumption
For energy consumption measurement, a comparison of the implemented IDS with a basic 'hello world' application is made using the powertrace tool. Energy consumption is calculated using Eq. (5) and the Tmote Sky operating conditions shown in Table 2. Energy consumption for networks ranging from 20 to 100 nodes in steps of 10 nodes is observed. The powertrace tool is applied to obtain the readings for the work of Luo et al. [50] and for the proposed work. The obtained results are shown in Table 6. For the 'hello world' application, the IDS developed by Luo et al. [50] and the IDS developed in the current research work, the average energy consumption readings are 261623 mJ, 2969401 mJ and 2575811 mJ respectively. It is observed that the IDS in 'RHE2WADI' requires less energy to run.

Propagation Delay
Propagation delay is computed as distance over wave propagation speed (d/s). Using the parameters shown in Table 3 and Eq. (6), propagation delay values are calculated for networks ranging from 20 to 100 nodes in steps of 10.
A test packet is transmitted by the border router to all the nodes and the average propagation delay is calculated using Eq. (6). Similarly, the delay is calculated after the attack. It is observed that for 20 nodes, when no attack is detected, the propagation delay is 0.22 ms. After activation of the wormhole attack, the propagation delay for the same packet is 0.62 ms. This happens because, in the presence of the wormhole attack, the attacker node misguides the valid nodes into transmitting the packet through the wrong route by changing the routing table. For the remaining node counts, the observations are taken as shown in Table 7.
The average propagation delay when no attack is detected is 0.3667 ms, and the average delay in the presence of an attack and without an IDS is 0.7522 ms. The average propagation delays with the IDS by Luo et al. [50] and the IDS in the 'RHE2WADI' method

Comparison of Security Based Metrics Results with State-of-the-Art Results
The evaluation and comparison of the security-based metrics are carried out by applying the latest techniques from earlier research work and the proposed method to networks of 20 to 100 nodes, although the method is not limited to this set. The primary metrics considered in the current research work are accuracy (Acc), F1 score, and MCC.

Accuracy
The results obtained with the 'RHE2WADI' method are compared with the results obtained from earlier research work. The latest research work by Johnson et al. [47], Perazzo et al. [20] and Luo et al. [50] is used as reference. For 20 nodes, when all systems have been run to detect the attack, the accuracy is calculated using Eq. (7). The same procedure is followed for networks of 30 to 100 nodes. In percentage, the average accuracies obtained by Johnson et al. [47], Perazzo et al. [20] and Luo et al. [50] are 83.10%, 83.19%, and 86.63% respectively, whereas the accuracy in the current research work is 94.51%, which is better than the earlier research work, as shown in Table 8.

F1 Score
The F1 score is used to measure the performance of the model. It is a weighted mean of precision and recall, where F1 attains its best value at 1 and its worst score at 0. The values of the F1 score are obtained using Eq. (8).

Matthews Correlation Coefficient (MCC)
MCC defines the degree of correlation between the predicted wormhole nodes and the actual wormhole nodes. MCC values lie between −1 and 1. It is given by Eq. (9). Table 10 gives a comparison of the MCC values obtained for the state-of-the-art implementations and the IDS of the current research work.
In terms of percentage, the average MCC values obtained by Johnson et al. [47], Perazzo et al. [20] and Luo et al. [50] are 72.61%, 73.66%, and 74.94% respectively. Whereas the
After comparing the results obtained with the 'RHE2WADI' method for performance-based and security-based metrics against state-of-the-art results, it is concluded that the IDS developed in the proposed method is better than all existing methods. The proposed method differs from the existing methods in terms of the number of stages used to confirm the presence of an attack. In the proposed 'RHE2WADI' method, two stages of attack detection are used. The first stage uses the RSSI parameter to identify the presence of an attack. The second stage, which uses the hop-count parameter, confirms the attack if the same nodes appear in both detection stages. This two-stage attack identification has improved the TPR and FPR values tremendously.

Conclusion
This paper has explained the design of an IDS for wormhole attack detection. The IDS of the proposed method is less complex and has less overhead; hence, it consumes less energy and gives a lower propagation delay. Under performance-based metrics, most of the IDSs proposed in the literature fail to obtain effective results for wormhole attack detection in the IoT. When the system in 'RHE2WADI' is implemented using the Cooja simulation software, it is observed that the TPR value is 95.01%, which is the highest TPR value for wormhole attack detection in an IoT-based network. The FPR value is reduced to 11.96%, which is the lowest value compared with all the existing IDSs developed for wormhole attack detection in the IoT. The energy consumption and propagation delay values of the 'RHE2WADI' method are also better than the state-of-the-art results.
The IDS in the 'RHE2WADI' method has been judged using performance-based and security-based metrics. Under the performance-based metrics, detection rates, energy consumption and propagation delay are measured; the obtained results are far better than those of the existing research methods. Under the security-based metrics, accuracy, F1 score and MCC are evaluated. The accuracy is 94.51%, which is 7.88% better than the latest research work. For the F1 score, the obtained result is 91.19%, which is 10% higher than the latest research work. The result for MCC is 87.33%, which is 12.39% higher than the latest existing research work. From the values obtained with the proposed method, it can be concluded that the system implemented in this paper gives superior results in terms of all the metrics that decide the quality of an IDS.
Authors' contributions SAB and SSS conceived of the presented idea. SAB developed the theory and performed the computations, verified the analytical methods. SSS encouraged SAB to investigate security aspect in IoT and supervised the findings of this work. Both the authors discussed the results and contributed to the final manuscript.
Funding NA.

Availability of data and material
The authors confirm that the data supporting the findings of this study are available within the article and its supplementary materials.

Dr. S. S. Sonavane
Pro-Vice Chancellor, Vijaybhoomi University, Karjat, Navi Mumbai, Maharashtra, India. He has 20 years of experience in the field of education and has served in many well-known organizations. He is a successful academician and has published 2 books internationally (Austria and Germany). He has more than 75 international and national publications to his name in reputed peer-reviewed journals. He has published more than 5 patents in his name. He is a registered Ph.D. guide at SPPU, Pune. He is also a reviewer for many international electronics journals, including IEEE Sensors Journal and IEEE Communications Letters. He has successfully completed two research projects funded by the University of Pune. His research areas are Wireless Sensor Networks and the Internet of Things.