Towards Intrusion Detection Systems for RPL-based IoT Networks using Foundation Models
2026-06-02 • Cryptography and Security
Cryptography and SecurityNetworking and Internet Architecture
AI summaryⓘ
The authors studied how large AI models, called foundation models, can help detect attacks on specific Internet of Things (IoT) networks using the RPL protocol. They fine-tuned a model named MOMENT to identify different types of attacks like Blackhole and DIS flooding from data collected in simulations. Their results show the model works about as well as current top methods and can also tell the attack types apart effectively. This suggests foundation models could be useful for keeping IoT networks safe.
Intrusion Detection System (IDS)Internet of Things (IoT)RPL protocolFoundation modelsMOMENT modelBlackhole attackDIS flooding attackCooja simulationMulti-class attack identification
Authors
Elias Lunderbye, Sourasekhar Banerjee, Christian Rohner, Andreas Johnsson
Abstract
AI-based intrusion detection systems (IDS) have shown promise in detecting attacks on IoT systems. In this work, we explore the use of foundation models to detect and identify attacks, with a specific focus on RPL-based IoT networks. We study multiple attack types, attack variations, and network configurations, and provide insights into the performance of foundation models for attack identification. Specifically, we fine-tune the MOMENT foundation model for multi-class attack identification. Our evaluation is based on a dataset containing RPL-related statistics collected under normal operation and under Blackhole, DIS flooding, Worst Parent, and Local Repair attacks, generated in a Cooja simulation environment. The initial results are promising. The approach achieves attack-detection performance comparable to state-of-the-art methods, while also demonstrating strong performance in distinguishing between different attack types.