A Review on the Security of IoT Networks: From Network Layer’s Perspective

Internet of Things (IoT) has revolutionized the world in the last decade. Today millions of devices are connected to each other utilizing IoT technology in one way or the other. With the significant growth in IoT devices, the provision of IoT security is imperative. Routing protocol for low power and lossy networks (RPL) is a network layer protocol, specially designed for routing in IoT devices. RPL protocol faces many attacks such as selective forwarding attacks, blackhole attacks, sybil attacks, wormhole attacks, and sinkhole attacks. All these attacks pose great threats to IoT networks and can substantially affect the performance of the network. In this work, a comprehensive review of internal attacks on the network layer is presented. Specifically, we focus on the literature that considers presenting solutions for the detection and prevention of sinkhole attacks. We reviewed the state-of-the-art works and different performance parameters like energy consumption, scalability, threshold value, packet delivery ratio, and throughput. Moreover, we also present a detailed analysis of machine learning-based algorithms and techniques proposed for the security of RPL protocol against internal attacks.


I. INTRODUCTION
Kevin Ashton presented the concept of the Internet of Things (IoT) for the 1st time in 1999 [1]. IoT is basically an idea of interconnected devices that can communicate, collect data from the environment, process data, and share collected data to achieve a particular goal. Today, IoT has enabled automation in all aspects of life, such as Smart Homes in the form of air conditioning, security surveillance, lighting, and countless other services and devices. Moreover, other segments of human life have been impacted as well, which led to Smart Education Systems, Smart Health Care, Smart Farming, Smart Industries, etc. It is estimated that the IoT industry will grow by 22 billion smart devices by the end of 2025 [2]. Therefore, it is important to investigate the challenges faced by IoT networks. Security is one of the main stumbling blocks for internet-connected devices. Since the invention of the Internet, security attacks and threats have existed, and they are now expanding to IoT devices. Intruder activities can affect IoT devices in different ways [3]: sometimes they overload the traffic on the device with false consumers, from time to time they cause network segment failure, and sometimes they exploit the network with eavesdropping. As IoT networks gained fame and the number of IoT devices increased, attackers got busy challenging their security [4], [5]. Many security issues have appeared in the field of IoT. IoT is known as the heart of the 4th industrial revolution (4IR) [6], [7]. With this new trend, different technologies are introduced, such as virtualization, cloud computing, cyber-physical systems, and semantic web. These applications have also opened doors for attackers, who can potentially target the user and devices. The New York dam attack in 2013 is an important example where hackers got remote access to the dam system through a cellular modem and posed serious threats to the system [8]. Norwegian company Norsk Hydro stopped its online production operations as the system was affected by ransomware in 2019 [9].

The associate editor coordinating the review of this manuscript and approving it for publication was Amjad Mehmood.
IoT architecture is mainly composed of three layers known as the perception layer, network layer, and application layer [10], [11], [12], [13]. Each layer has its own security challenges and attacks. For example, the perception layer faces cyber-physical attacks, eavesdropping, and RFID tracking attacks. Common attacks on the network layer include the Distributed denial of service (DDoS) attack, where service is unavailable, the replay attack, where the attacker first manipulates the message and then reorders the message packet, and the Man in the middle (MITM) attack, while injection and malware are examples of application layer attacks [14].
Security of all the above-mentioned layers, which are presented in Figure 1, is very important for the efficient functioning of IoT technologies. However, this research targets network layer security issues, risks, and threats. Most IoT devices are connected to Wireless Sensor Network (WSN) and have low battery power and less processing capabilities [15]. Routing Protocol for Low Power Lossy Network (RPL) is a network layer routing protocol which is specially designed for IoT technologies, and nowadays it is highly utilized in IoT devices [16]. RPL is a routing protocol for IPV6 header and also works with the IEEE 802.15.4 standard. There are many attacks that RPL confronts internally and externally. Some of the attacks include selective forwarding attack, hello flooding attack, clone ID attack, sinkhole attack, black hole attack, rank attack, and many more. These attacks are presented in Figure 3. The security of RPL needs to be carefully considered. These attacks cause delays in data packets or complete loss of message packets, increased battery power consumption, and higher security risks for consumers and devices [17].
Taking into consideration the above discussion and realizing that network layer security is critical for IoT networks, this study investigates the current trends, and identifies the weakness of current schemes, while providing potential future directions for introducing more effective security techniques based on Machine Learning (ML) and otherwise.
The organization of the manuscript is as follows. Section II presents the detailed information on the IoT architecture, and security attacks on IoT devices. In section III relevant and recent literature is reviewed. Different performance parameters utilized for evaluating RPL security are discussed in section IV. In section V machine learning based solutions for securing IoT devices at the network layer are presented. In section VI future research directions are discussed and the conclusion is presented in Section VII.

II. IOT ARCHITECTURE, PROTOCOLS, AND ATTACKS
In this section, we provide details on different layers of the IoT architecture and discuss external attacks on this layered architecture. Moreover, protocols such as 6LoWPAN and RPL are discussed while providing details on different attacks on these protocols.

A. SECURITY ATTACKS ON THE LAYERED ARCHITECTURE OF IoT

1) ATTACKS ON THE PHYSICAL LAYER
The functionality of the physical layer is hampered by tampering, jamming, and spoofing. Attackers extract the information from sensors during the tampering attack using jamming techniques. Typically, a very high radio frequency is used to overpower the signals causing the SNR to decrease [18]. On the other hand, in spoofing attacks, forged identity information is embedded to destroy legitimate information. Spoofing is another threat to the physical layer that can occur during the transmission phase by introducing deceived signal [19], [20], [21].

2) ATTACKS ON THE NETWORK LAYER
The network layer is the target of many routing attacks due to the multi-hop environment. Sinkhole and selective forwarding are examples of routing attacks [22], [23]. These are discussed in detail in subsequent sections. DDoS occurs on this layer by spoofing and modifications in the routing path. Eavesdropping attacks are important to discuss as well since they put the security and privacy of the system at high risk. Important information about network nodes is obtained by the attacker through the eavesdropping method, which impacts the quality of service (QoS). Most of the time, the eavesdropper targets an insecure or weak network to access valuable or confidential data, which may result in identity theft and financial loss.

3) ATTACKS ON THE APPLICATION LAYER
The application layer is vulnerable to different attacks as the end users can access network services directly which opens the gate for unauthorized and malicious users. MQTT, XAMPP, and COAP are widely used application layer protocols that are designed to protect against attacks but they are also vulnerable to security attacks. These attacks have a direct impact on the working of applications. DDoS, sniffing, malicious node injection and phishing attacks are the most common examples [23], [24].

B. 6LoWPAN
Internet engineering task force (IETF) defined 6LoWPAN as a standard that enables the use of IPV6. Most small and low-powered IoT devices use wireless personal area networks (WPAN). 6LoWPAN is a network layer protocol. It permits internet connection using open standards. In the beginning, it was difficult to implement IPV6 on IoT devices due to low energy constraints, but 6LoWPAN overcame this issue and brought major changes in the use of this technology for IoT devices and networks. Mobility and scalability of the sensor network are increased by 6LoWPAN [25]. There are many attacks and security threats that 6LoWPAN faces. These attacks are mainly divided by whether they target the confidentiality, fragmentation, or authentication of data. Confidential data can be breached by man-in-the-middle attacks and eavesdropping. Different encryption mechanisms are used to secure the data for end-to-end communication by use of IPsec. When data is received in the form of fragments, there is a possibility that fragmented data is spoofed, and an attacker can embed his own fragment in the chain. Moreover, authentication attacks can occur as IoT devices become part of network topology without proper authorization mechanisms. An optimal node authorization/authentication mechanism can be used to protect the network topology against such attacks [26].

C. RPL PROTOCOL
Most IoT devices today have low power and lossy networks so traditional routing like RIP, DSR, OSPF cannot be applied. Smart devices have constraints like limited memory and energy and less processing power, therefore, use RPL protocol for routing purposes. Initially, the RPL protocol relied on the directed acyclic graph (DAG) that introduced the problem of the routing loop (algorithm not converging to outgoing links). Therefore, destination-oriented DAG (DODAG) was introduced to help achieve a loop-free network, converging to a single destination [27]. Point-to-multipoint (P2MP), Multipoint to point (MP2P), and Point to point (P2P) are three types of traffic that RPL supports [28], [29]. The rank number is used to identify the position of each and every node in the DODAG graph. The rank number is also used to measure the node distance from the root node and to the neighbor's node [30]. There are three ways to categorize nodes in the RPL, which are described in Table 2. The individual position of each node and its path from LBR is differentiated by rank for each node in the DODAG. Similar to node categorization, there are three types of main control messages [31], [32]. These messages are described below.

2) DODAG INFORMATION SOLICITATION (DIS) MESSAGE
It is known as the link-local multicast and only requests for DIO neighbor discovery in the RPL instance [34].

3) DESTINATION ADVERTISEMENT OBJECT (DAO)
As its name suggests, DAO messages help to cover the distance in a network for bi-direction communication by constructing the routes for message flows from child nodes to the parent node or to the root node.
A node joins an RPL instance as a host by a pre-shared authentication key. If any node wants to join the RPL as a router then it is mandatory to obtain a secondary key from the key authority [35].
For traffic management, there are two types of DODAG route formation which are discussed as follows.

4) UPWARD ROUTE
DIO and DIS use an upward route specifically for MP2P type of traffic. Significant information like version, Instance ID, timer, and Object Function (OF) are carried by grounded nodes to calculate rank to its relevant neighbor [36]. DIO message is shared among nodes that want to join DODAG. If any node is interested it adds its address to the already created OF and updates the DIO message and multicasts it to other nodes in the neighbor [37]. DIO message is discarded by the nodes which are already part of the DODAG. In the case of floating nodes, DIS message is multicast to the nearest nodes. After receiving the message, floating node selects the preferred parent or neighbor by sending back a unicast DIO message. The representation of the upward route is shown in Figure 2.

5) DOWNWARD ROUTE
DAO messages use downward routes specifically for P2MP and P2P traffic. Neighbor discovery protocol is used here for route formation [38]. To maintain a downward route there are two types of modes that the RPL protocol follows, defined below.
Storing mode: In storing mode routing information is maintained by every router node.
Non-storing mode: In non-storing mode routing information is maintained by only the sink node and the sink node shares traffic information with other nodes.
In case of loop generation or failure between two nodes, a local repair scheme is performed with the help of the repair parent. However, reaching the sink node requires an optimal path, which a local repair scheme does not provide. Therefore, a global repair scheme is used, in which the DODAG version number is incremented, which helps to construct a new DODAG with an optimal path. Figure 2 shows the concept of the RPL protocol.

D. ATTACKS ON RPL ROUTING PROTOCOL
There are many network attacks on RPL protocol because of the limitation of 6LoWPAN e.g. link failures, limited processing power, mobility, and change in network topology. Mainly Network layer attacks are classified as external attacks and internal attacks [39], [40]. A detailed discussion of these attacks is presented next and summarized in Figure 3.

1) HELLO FLOODING ATTACK
As the name represents, the ''Hello'' message is broadcast by the attacker initially. The attacker shows itself as a neighbor and has a strong routing metric. Generally, in RPL protocol DODAG information is advertised by DIO message. This attack impacts the network when selecting the link layer as the default route. This attack can be overcome by RPL local and global repair mechanisms, but if hello flooding attack is accompanied by other internal attacks then securely operating the network while maintaining its performance becomes extremely difficult [41].

2) CLONE ID ATTACK
An attacker can clone the identity of other nodes (also termed victim nodes). As a result, packets are misrouted by the attacker as they make multiple copies by acquiring the cryptographic secret and ID of the node. Typically, attacker nodes capture rank id and other related information of the nodes [42]. This attack is launched by selectively forwarding the packets, which causes great disruptions in the routing path. DDoS can be enabled by this attack. Attackers drop all the traffic and only forward control messages [43].

4) SYBIL ATTACK
Several identities are used by the malicious node to take control of the network completely. It is similar to a clone ID attack. In WSN, because of the distributed environment, such attacks can easily be executed. The nodes that keep up the masquerade are known as Sybil nodes S and other nodes are known as normal nodes N. Sybil nodes adopt a new identity; therefore they are considered misbehaving nodes, causing confusion and collision in the network. The Sybil attack is divided into two forms. 1) Direct attack, where the Sybil node communicates directly with the normal node. 2) Indirect attack, where a malicious node (an intermediate node) communicates with the normal node [44].

5) BLACKHOLE ATTACK
In a blackhole attack, all the data packets which contain actual messages are dropped or blocked by the attacker node and messages with false information are forwarded, which causes control overhead and packet delay. A node wanting to reach the destination is deceived by being lured into the shortest path toward the destination node. After receiving data packets, instead of transferring them to the right destination, denial of service occurs and the packet is dropped, and location exploitation can take place as well. This results in a lack of communication between real source and destination nodes. The blackhole node cannot be seen in the network; therefore it is required to observe the network traffic carefully. Blackhole attack causes network performance degradation such as reduced throughput and routing issues [45].

6) SINKHOLE ATTACK
The sinkhole attack occurs when fake or compromised routing information is shared among the nodes. Each sensor node tries to find the shortest route by evaluating the rank for sending packets to the sink node. Any malicious node can change the rank artificially and shows a better route and better link availability. A legitimate node gets deceived by the attacker node advertisement showing a better route. It focuses on routing patterns and is considered an active attack. Sinkhole is created on a compromised node (CN) which attracts other nodes towards it and has a higher routing metric by which it is on higher precedence [46]. Sinkhole attacks when combined with other attacks overwhelm a larger network. A sinkhole attack is demonstrated in Figure 4. In the figure below node 1 is the source node and node 4 is the destination. For this to take place, there are many routes possible depicted by black dotted lines. Node 5 which can be seen in Figure 4 is a sinkhole node that offers much better routing costs and therefore attracts other nodes [47].
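The rank manipulation described above can be reproduced on a toy DODAG. The following is an added example, not code from the paper or the works it cites: it builds a DODAG by rank-based parent selection, shows how many nodes route through one node before and after that node advertises a forged rank, and applies a simple rank-consistency check. The topology, the forged rank value 300, the uniform per-hop rank step, and the assumption that a monitor can see every node's advertised rank and chosen parent are all constructed for illustration.

```python
"""Toy RPL DODAG: rank-based parent selection, a sinkhole, and a rank check."""

MIN_HOP_RANK_INCREASE = 256        # RFC 6550 default rank step per hop
ROOT_RANK = MIN_HOP_RANK_INCREASE  # rank advertised by the DODAG root
INF = float("inf")

# Constructed radio-neighbour graph; node 0 is the root (border router).
LINKS = {
    0: [1, 2], 1: [0, 3, 4], 2: [0, 4, 5], 3: [1, 6], 4: [1, 2, 6, 7],
    5: [2, 7], 6: [3, 4, 8], 7: [4, 5, 8], 8: [6, 7],
}


def build_dodag(links, root=0, forged=None):
    """Return (advertised_rank, parent) once parent selection has converged.

    `forged` maps a node to the rank it advertises regardless of where it
    really sits in the topology (hypothetical model of a sinkhole).
    """
    forged = forged or {}
    rank = {node: INF for node in links}
    rank[root] = ROOT_RANK
    rank.update(forged)
    parent = {node: None for node in links}
    changed = True
    while changed:
        changed = False
        for node in sorted(links):
            if node == root:
                continue
            # Preferred parent: neighbour advertising the lowest rank.
            best = min(links[node], key=lambda n: (rank[n], n))
            if rank[best] == INF:
                continue  # no neighbour has joined the DODAG yet
            new_rank = forged.get(node, rank[best] + MIN_HOP_RANK_INCREASE)
            if (parent[node], rank[node]) != (best, new_rank):
                parent[node], rank[node] = best, new_rank
                changed = True
    return rank, parent


def captured_by(parent, root, suspect):
    """Nodes whose upward path to the root passes through `suspect`."""
    captured = []
    for node in parent:
        if node in (root, suspect):
            continue
        hop, seen = parent[node], set()
        while hop is not None and hop != root and hop not in seen:
            if hop == suspect:
                captured.append(node)
                break
            seen.add(hop)
            hop = parent[hop]
    return sorted(captured)


def rank_inconsistencies(rank, parent, root=0):
    """Flag nodes advertising a rank lower than their parent's rank plus one hop."""
    return sorted(
        node for node, par in parent.items()
        if node != root and par is not None
        and rank[node] < rank[par] + MIN_HOP_RANK_INCREASE
    )


if __name__ == "__main__":
    for label, forged in (("honest", None), ("node 4 forges rank 300", {4: 300})):
        rank, parent = build_dodag(LINKS, forged=forged)
        print(label)
        print("  traffic routed via node 4:", captured_by(parent, 0, 4))
        print("  rank check flags:", rank_inconsistencies(rank, parent))
```

In the honest run only node 7 routes through node 4; with the forged rank, nodes 6, 7 and 8 do, and the check flags node 4 because its advertised rank is lower than its own parent's rank allows.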

7) WORMHOLE ATTACK
Wormhole attacks can impact RPL protocol by creating disruption in traffic flow and network topology. In this attack, all the data packets and traffic are routed via a tunnel created by two attackers. There are two ways in which a wormhole occurs. Encapsulation process, where the packet is received to the associated/neighbor node in encapsulated form and it is a detached packet from the payload. Packet relay is another way, where a malicious node relays packets to distant nodes perceived as neighbors [48], [49].
Based on the first two sections, the authors believe that the following research question (RQ) needs to be addressed to present the current state of security protocols used for IoT networks.
RQ1: How can machine learning be used to secure IoT applications against different attacks? Is there any algorithm or technique of ML that is used on the Network layer to secure against internal attacks such as sinkhole attack? A mind map of the research can be seen in Figure 5.

III. LITERATURE REVIEW
IoT is a vast field of study. It represents billions of small interconnected devices. These devices have limited resources such as energy, memory, and computational capability. These devices communicate by a low-power wireless standard known as 6LoWPAN. It allows devices to connect to the IPV6 network. It has been subjected to numerous attacks; therefore a new protocol for routing in Low power and Lossy networks was introduced, known as RPL. RPL also faced many internal and external attacks which are discussed in the literature section. Figure 6 describes the criteria for selecting relevant and recent literature. First of all, selected keywords like IoT, machine learning, sinkhole attack, network layer, and RPL protocol are used to download recent papers between 2015-2022 for the research. All papers are from top Q1 journals and top-tier conferences. In total over one hundred articles were reviewed, out of which 83 references are cited in this manuscript, comprised of 66 journals and 17 conference papers. A pictorial representation of the total number of studies considered in this work can be seen in Figure 7. summarizes the research works selected from each year during the 2015-2022 period.

A. THE EXISTING APPROACH TO INTERNAL ATTACKS
In [50] the author discussed that IoT devices' security is different from traditional internet security therefore new and befitting encryption protocols and authentication processes are required. In the proposed method authors compare two encryption mechanisms AES (Advanced Encryption Standard with 128-bit) and PRESENT with 80-bit key. The authors believe that the PRESENT algorithm is lightweight and more suitable for RPL protocol.

1) CRYPTOGRAPHIC TOOLS FOR SECURITY
In [51] the author compared different solutions for the rank attack, which represents one of the most threatening cyber-attacks on RPL protocol. The rank attack causes energy consumption in nodes to increase and makes unnecessary topology changes. In RPL one particular node is selected as the parent node on the basis of its rank. This opens the door for the attacker to manipulate the ranks, which compromises the network performance. Its solution is to use a unidirectional hash function (cryptographic tools).

71078 VOLUME 11, 2023 Authorized licensed use limited to the terms of the applicable license agreement with IEEE. Restrictions apply.

In [52] authors worked on the detection of two internal attacks, namely DIS and neighbor attack. In this work, Cooja was used for simulations and the dynamic threshold value was utilized to detect the attack. The proposed model worked on a lightweight Intrusion Detection System (IDS) which was distributed and worked stand-alone, which means each node in the network monitors the neighbors and detects attacks. The performance of this detection system is evaluated by true positive rate (TPR) and false positive rate (FPR). The simulation results showed promising results for simulations running for short times, but long runs deteriorate the performance of the proposed solution.

3) TRUST PATH SELECTION FOR SECURITY
The authors in [53] presented a two-stage security solution for selective forwarding attack and black hole attack. The performance of the network was evaluated via energy consumption. Data packets were divided into distributed routes so that the lifespan of the node can be increased. Elliptic curve cryptography (ECC) was used to encrypt each data packet before transmission. Malicious nodes were eliminated as only a trusted route was selected. The proposed method was evaluated against various performance parameters such as throughput, network size, latency, energy consumption, and packet drop ratio.

4) MULTI-LAYER SECURITY SYSTEM
In [54] author discussed the selective forwarding attack in military applications. Sensor nodes can detect activities on battlefield such as tank movement but a malicious node can destroy transmission and stop the packet from being transmitted. Multilayer detection for selective forwarding is proposed, detection layers include the MAC pool IDs layer, rule-based processing layer, and anomaly detection layer. NS-2 simulator is used for simulations and results were collected on basis of scalability, reliability, and energy efficiency.

5) FBSD MODEL FOR SECURITY
In [55] a model is presented to detect and mitigate sinkhole attack. FBSD-based mechanism is proposed where the first step is to log the generated traffic and secondly identify the transition path by traffic pattern discovery. In the third step snapshot of the topology is captured by taking different time variant snapshots. This work tried to address network latency, overhead increases, and sudden throughput decrease. The authors in [56] presented IDS based solution to detect the hybrid attack (Sink + Clone ID). A comparative study is presented to analyze the impact of standalone as well as hybrid i.e. combination of several attacks. Simulations are taken in Contiki OS using Cooja simulator. 6Mapper and power tracker are the modules that are used for the simulations. Power consumption and memory consumption results are compared for standalone attacks as well for Sink-Clone attack. It is concluded that a hybrid attack can be more destructive than a standalone therefore a more secure method is required for prevention.

6) PASR BASED SOLUTION FOR SECURITY
In [57] sinkhole attacks are detected and prevented by introducing the prevention of an active sinkhole routing attack (PASR) based solution, in which IoT clusters are built by the network and connections are created between gateways and end devices. A sequence number is updated in the route request message (RRM) to activate the attack in ad hoc on-demand distance vector (AODV) protocol for testing purposes. The routing table is maintained by the gateways. An intrusion analyzer is used to detect anomalies in AODV protocol and broadcast messages to other gateways and base stations. This method performed well in terms of routing overhead, energy consumption, and packet delivery rate.

7) WATERMARKING FOR SECURITY
In [58] the sinkhole attack is detected on a prior basis, before its activation, by a watermarking technique and a homomorphic encryption algorithm. Threshold Sensitive Energy Efficient Sensor Network (TEEN) protocol is used for routing. A watermark is applied on each data packet for data authentication. Homomorphic encryption is used to ensure cluster node identity. For simulation purposes, OMNET++ is used.

8) IDS AND DIGITAL SIGNATURE BASED TECHNIQUE FOR SECURITY
In [59] authors proposed IDS and digital signature-based technique for detection and prevention of blackhole attack in MANETs. This research also developed a modified form of AODV protocol named as Detected blackhole AODV. According to this research, NS2 cannot detect AODV protocol if the protocol itself is attacked. Therefore, a modified version was introduced and different simulation runs were conducted with varying simulation time, packet size, and the number of nodes. Parameters like PDR, overhead, and delay were evaluated.

9) CROSS-LAYER DESIGN FRAMEWORK FOR SECURITY
In [60] the sinkhole attack in MANETs is detected by a cross-layer design solution. Cross layers basically refer to different layers in a mobile network for efficient availability of network resources. It is proposed that for efficient transmission of packets, both security and QoS improvement are required. The cross-layer framework enables layers to communicate directly, which eliminates the need for bandwidth optimization and helps in identifying fake routes. IDS is implemented with the optimized link state routing (OLSR) protocol. This work focused on improving the jitter, delay, and network throughput.

10) FUZZY RULE AND FEED FORWARD METHOD FOR SECURITY
In [61] the author proposed a method for five routing attacks, which are: Grayhole attack, Selective forwarding attack, Sinkhole attack, Blackhole, and Wormhole attacks. The purpose of this paper is to detect all the above attacks by one method, which is the fuzzy rule and feed-forward neural network. The authors also compared the proposed solution with traditional ML approaches such as RF, DT, and SVM. AODV protocol is used, and residual energy, packet delivery ratio and trip times are the selected features for performance analysis. Comparison is reported between the proposed method and other ML-based approaches e.g. SVM, RF, and DT. It is observed that the computational complexity is very high and requires substantial resources. Hence, further investigation is required to address this problem.
The literature review is summarized in Table 3 which highlights the simulation tools used and performance parameters considered by each study. The summary of each research work is provided in the table as well.

IV. PERFORMANCE PARAMETERS FOR RPL SECURITY EVALUATION

A. ENERGY CONSUMPTION
Many IoT applications have limited energy, so analysis of energy consumption is important. Network lifespan and the lifespan of a single node in a network depend on energy consumption. Sending data packets to the sink node for optimizing throughput causes increased energy consumption, which affects other parameters of the network [62]. While the size and frequency of data transmission impact energy consumption, network density also affects it. If data packets are lost, retransmission causes higher energy consumption as well [63]. Sinkhole attacks can be identified by analyzing energy consumption in the network, and improved security solutions can be provided by minimizing energy consumption in the network. Trickle timer is used to minimize energy consumption and control messages in RPL. A lot of work has already been done in this aspect. In [64] a comparative study has been presented and the following Eq. 1 is derived to calculate energy consumption in general.
(1)
where Enet = Network Energy, Eover = Overhead Energy, and Eids = Execution energy of IDS.

B. SCALABILITY
The level of scalability is determined by the increment in the number of sensors/nodes in the network. Factors such as range and nodes' power impact the scalability. The scalability of the network can be analyzed under normal circumstances as well as for sinkhole compromised network. In [65], the performance of the sensor network is analyzed with respect to stability, and different parameters like packet delivery ratio, throughput, and jitter are used to analyze the network. Simulation results show that the delivery ratio and throughput decrease when the size of the network is increased while undergoing a sinkhole attack.

C. THRESHOLD
The threshold value can also help in identifying the sinkhole attack. In [66] threshold value is used to detect different attacks on RPL. For every node in the network, a dynamic threshold value is assigned. To calculate the threshold value, the following formula is used.
In this equation µ is the average, k is the coefficient which determines the distance and σ is the standard deviation.

D. PACKET DELIVERY RATIO
Packet Delivery Ratio (PDR) is defined as the ratio of the number of packets received at the destination to the number of packets sent by the source. PDR is calculated in percentage. When a sinkhole attack occurs, the PDR of the network is decreased as the sinkhole holds the packets, affecting the overall network performance. In [67] a comparison is done to analyze the effect of sinkhole attacks. It is observed that the PDR is high in the absence of the sinkhole and decreases as the attack occurs, which indicates fluctuation in the network performance.
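The PDR definition above and the dynamic threshold of Section IV-C can be combined into a simple monitor. This is an added example, not code from the paper or the cited works: it computes PDR per observation window at the sink and flags windows that fall below a threshold derived from recent normal windows. The threshold formula is not reproduced on this page, so the form µ − kσ (a lower bound, because a sinkhole lowers PDR) is an assumption of this example, as are the function names, the parameter values, and the constructed window counts.

```python
"""PDR monitoring with a dynamic lower threshold (assumed form: mu - k*sigma)."""
from statistics import mean, pstdev

# Constructed sample: (packets sent by sources, packets received at the sink)
# per observation window. Windows 8-10 imitate a sinkhole holding packets.
WINDOWS = [
    (100, 97), (100, 95), (100, 96), (100, 98), (100, 94), (100, 96),
    (100, 95), (100, 97), (100, 71), (100, 64), (100, 60), (100, 95),
]


def pdr_percent(sent, received):
    """Packet delivery ratio in percent: received at destination / sent by source."""
    if sent <= 0:
        raise ValueError("a window with no sent packets has no defined PDR")
    return 100.0 * received / sent


def detect_pdr_drops(windows, k=3.0, warmup=5, history=10, min_sigma=0.5):
    """Return alerts for windows whose PDR is below mu - k*sigma.

    mu and sigma are computed over the last `history` windows that were not
    flagged, so a sustained attack cannot drag the baseline down with it.
    `min_sigma` keeps the threshold usable when the baseline is nearly constant.
    """
    baseline, alerts = [], []
    for index, (sent, received) in enumerate(windows):
        pdr = pdr_percent(sent, received)
        if len(baseline) >= warmup:
            mu = mean(baseline)
            sigma = max(pstdev(baseline), min_sigma)
            threshold = mu - k * sigma
            if pdr < threshold:
                alerts.append({"window": index, "pdr": pdr, "threshold": threshold})
                continue  # do not learn from a window that raised an alert
        baseline.append(pdr)
        baseline = baseline[-history:]
    return alerts


if __name__ == "__main__":
    for alert in detect_pdr_drops(WINDOWS):
        print("window {window}: PDR {pdr:.1f}% < threshold {threshold:.1f}%".format(**alert))
```

The coefficient k trades detection rate against false alarms: a smaller k flags milder drops but also more ordinary link loss.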

E. THROUGHPUT
The performance of a network is indicated by throughput because it measures the actual number of packets that are delivered per second. Mostly throughput is measured by the number of bits transferred per second. Low throughput creates many problems and it can be an indication of a sinkhole attack. During the sinkhole attack, many nodes select the same path which increases traffic and causes latency [68]. As a result, throughput is decreased. Therefore, we need mechanisms that can keep the throughput of the network above a given value even when the network is undergoing a sinkhole attack.

V. IoT SECURITY FROM THE MACHINE LEARNING PERSPECTIVE
Machine learning (ML) has revolutionized the field of IoT and can be a solution to its security problems. Different ML algorithms help industries and businesses to grow by identifying patterns. The task of ML is to learn from model behavior and utilize these models for either classification or future predictions. This is done independently without human intervention [69].
In [70] a systematic comprehensive survey of ML and deep learning (DL) is presented pertaining to IoT devices. In this survey, the authors discuss the applicability of ML to IoT devices. IoT devices are resource constrained as they have limited processing power and energy, so ML cannot be directly implemented into IoT devices. On the other hand, IoT devices generate heterogeneous data and pre-processing is required since ML may not be able to process this data directly. In this survey, it is also emphasized that a mechanism is required to ensure user authentication so that the right person acquires the right data. Different ML, DL, and Reinforcement learning (RL) based authentication and access control solutions are presented.
It can be observed from the literature [70], [71] that while ML offers unique security solutions for IoT networks, there are still many pending research problems that need to be investigated. A summary of recent literature utilizing ML for detecting internal attacks has been presented in Table 3.

A. MULTI-LEVEL FRAMEWORK
In [72] a multi-level framework is proposed for the mitigation of DDoS. These multi-levels consist of edge, fog, and cloud computing. Software Defined Networking (SDN) is used with gateways at the edge and then honeypots are used with SDN controller to collect data traffic at fog and this collected data is analyzed for mitigation of DDoS attack. In [73] the authors used an ML approach for the detection and avoidance of DDoS where four steps are followed for anomaly detection in the network. These four steps include traffic capturing, packet grouping by device and time, feature extraction, and binary classification. For testing purposes, the authors have collected consumer IoT devices and applied five ML classifiers namely KNN, SVM, Decision Trees (DT), Random Forest (RF), and Neural Networks (NN). Promising results are reported by this study.
The authors in [74] review different attacks like jamming, spoofing, eavesdropping, and denial of service. The ability of ML techniques to detect these attacks is discussed as well. From the literature, it can be observed that it is critical to identify the attack at the beginning but traditional ML schemes have not been able to do this even with the multilayer framework. Moreover, traditional ML techniques have high implementation cost in terms of communication and computation, therefore low-cost solutions need to be investigated for IoT security systems.

B. HOST/NETWORK BASED ML TECHNIQUE
The authors in [75] proposed a solution for IoT device security utilizing host and network-based ML techniques. Challenges while applying these techniques are discussed in detail. Limited hardware resources, connectivity, and heterogeneity are challenges of IoT devices. While applying a network-based defensive approach there are no restrictions on computational resources. By measuring the round trip time between incoming and outgoing packets, rerouted packets can be detected by the IDS. Malicious traffic can be identified by using KNN or SVM as they are resource efficient and can use the same model many times for the detection of attacks.
For host and network-based data collections, it should be noted that connectivity issues may result in missing data, therefore model accuracy can be affected. When IoT devices change state, they cannot be utilized with full potential. Malicious activity can be separated from normal ones by clustering in unsupervised learning. However, the computationally intensive nature of unsupervised learning algorithms makes it harder to analyze the data. In host-based supervised learning, spoofing attacks, malware, and intrusion attacks can be detected by ML (specifically utilizing SVM, and KNN). As the host interacts with other network devices, traffic classification can take place.

C. CHA-IDS BASED ML TECHNIQUE
The authors in [76] worked on the 6LoWPAN protocol and detected the combined and individual routing attacks with the Compression Header Analyzer - Intrusion Detection System (CHA-IDS). Raw data is collected and analyzed, and based on the analysis appropriate actions are taken, making a framework of a multi-agent system. For intrusion detection systems, correlation-based significant features are selected which are then used to differentiate normal and attack scenarios. The impact of wormhole, sinkhole, and hello flooding attacks is determined in terms of memory consumption, accuracy of detection, and energy consumption. In the first layer, which is a sensor agent, a Cooja traffic analyzer is used to collect packets. The second layer is the aggregator agent, which is responsible for finding significant features by using the Correlation-based Features Selection (CFS) algorithm. The third layer represents the analyzer agent, in which the WEKA tool is used to compare ML algorithms. The fourth layer is the actuator agent, in which a threshold value is compared and, if it is exceeded, an alert is given to the user. Tmote Sky is used as an IoT device to calculate memory and energy consumption.

D. CLUSTERING ALGORITHM DCA-SF AND NB-DPC
The authors in [77] and [78] proposed a data clustering algorithm (DCA) and a Noise-Based Density Peaks Clustering (NB-DPC) algorithm for detecting a selective forwarding attack (DCA-SF). In a cluster-based selective forwarding attack, a cluster head (CH) is compromised and disconnects from some or all of its cluster members. In this work, it is suggested that by clustering cumulative forwarding rates (CFRs) a malicious CH can be captured and isolated from the network. The detection mechanism consists of a cluster which has three kinds of nodes, namely the CH, the inspector node (IN), and the member nodes (MNs). The CH receives data packets from the MNs which consist of environmental information. This information is further transmitted to sink nodes (SN). The CFRs of the CH and MNs are calculated and, depending upon calculations of the highest residual energy from the IN, a particular MN becomes the new CH. Centralized and distributed are the two schemes that fall under the DCA-SF category. In the case of a centralized scheme, after receiving the CFRs of all the CHs, DP-DBSCAN is independently executed, while in the distributed detection scheme, to confirm if a particular CH is malicious, the IN performs DP-DBSCAN.
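The idea of clustering CFRs to isolate a malicious CH can be sketched as follows. This is an added example, not code from [77] or [78]: plain DBSCAN stands in for DP-DBSCAN, and the counters, `eps`, `min_pts`, and the assumption that most cluster heads are honest are all illustrative.

```python
# Added illustration (not code from [77]/[78]): cluster the cumulative forwarding
# rates (CFRs) of cluster heads and flag the ones that fall outside the dense group.
# Plain DBSCAN is used here in place of DP-DBSCAN; eps and min_pts are assumed values.

def cfr(forwarded, received):
    """Packets a CH forwarded to the sink divided by packets it received from members."""
    return forwarded / received if received else 0.0

def dbscan_1d(values, eps, min_pts):
    """Minimal DBSCAN over scalars: cluster id (>= 0) per value, or -1 for noise."""
    n = len(values)
    labels = [None] * n

    def neighbours(i):
        return [j for j in range(n) if abs(values[i] - values[j]) <= eps]

    cluster = -1
    for i in range(n):
        if labels[i] is not None:
            continue
        seeds = neighbours(i)
        if len(seeds) < min_pts:
            labels[i] = -1                 # provisional noise, may become a border point
            continue
        cluster += 1
        labels[i] = cluster
        queue = [j for j in seeds if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster        # noise reached from a core point: border
            if labels[j] is not None:
                continue
            labels[j] = cluster
            reach = neighbours(j)
            if len(reach) >= min_pts:      # j is itself a core point: keep expanding
                queue.extend(reach)
    return labels

def suspicious_heads(counters, eps=0.05, min_pts=3):
    """CH ids whose CFR is noise or lies outside the largest cluster.
    Assumes most cluster heads are honest, so the largest cluster is the benign one."""
    ids = sorted(counters)
    labels = dbscan_1d([cfr(*counters[i]) for i in ids], eps, min_pts)
    clustered = [l for l in labels if l >= 0]
    if not clustered:
        return []                          # no dense group to compare against
    benign = max(sorted(set(clustered)), key=clustered.count)
    return [i for i, l in zip(ids, labels) if l != benign]

# Constructed counters: CH id -> (packets forwarded to sink, packets received from MNs)
SAMPLE = {"CH1": (970, 1000), "CH2": (1180, 1200), "CH3": (855, 900),
          "CH4": (1045, 1100), "CH5": (430, 1000), "CH6": (940, 950)}
```

On the constructed counters, `suspicious_heads(SAMPLE)` isolates CH5, whose CFR of 0.43 sits far from the dense group around 0.95 to 0.99.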

E. E-PASH SYBILWATCH APPROACH
A novel algorithm known as SybilWatch based on BlueTits Detection (BTD) algorithm for Sybil attack detection is presented in [79]. This algorithm addresses the issues of tractability of nodes and revocation.
Another study pointed out that the attacks on social media can be categorized as Sybil attacks [80]. As is well known, Twitter is one of the largest and fastest growing social media platforms, with 317 million active users from all over the globe, and is therefore more prone to attacks. Traditional detection techniques are no longer applicable to protect against Sybil attacks owing to the scale of the network, as there are many organizations and individuals which can harm social media sites by increasing the fake number of followers. The research presented in [80] evaluated and analyzed user profiles on Twitter with a deep regression model and detected Sybil attacks. Three integrated modules are proposed in their work, described below.

1) DATA HARVESTING MODULE
Data harvesting module in which 5000 user IDs are utilized for gathering information like the number of posts, trending metrics, etc.

2) FEATURE EXTRACTING MECHANISM
Feature extracting mechanisms in which profile, content, and graph-based features of users are extracted by Twitter API, in total 80 online-offline features were extracted.

3) DEEP REGRESSION MODEL
A prediction system is introduced which recognizes activity patterns of Sybil profiles on the basis of user characteristics. The accounts of users who use the English language on Twitter are taken as the database, and the trustworthiness of a Sybil node is predicted. A malicious Sybil node sends a friend request to other nodes in the network; the purpose is to detect the colluded node by the regression model, not only in government agencies but also in private enterprises and for individual security.

F. GINI INDEX-BASED COUNTERMEASURE
It is important to observe the energy consumption of nodes, and special attention is paid if multiple devices/nodes lose energy at once. During the Sybil attack, multiple DIS messages are sent that can cause fast depletion in energy. In [81], the Sybil attack is detected and mitigated by a GINI index-based countermeasure. To measure the dispersity in the DIS messages, a GINI impurity is used. An excessive number of DIS messages points towards the abnormal range, which influences the identities of GINI impurity and confirms the Sybil attack. On the other hand, if there exists no attack, a stable distribution is maintained. After the detection of the Sybil attack, DIO messages are minimized and an adaptive replaying rate of DIO messages is determined. An alert packet is constructed and broadcast to the nearest nodes by the node which detects the Sybil attack.
The authors in [82] considered the Minimum Rank with Hysteresis Objective Function (MRHOF) to detect hybrid attacks and analyze vulnerabilities. To enhance security, RF and MLP-based machine learning approaches were used. For the creation of the dataset, different private and publicly available datasets were explored.
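A sketch of how the dispersity of DIS messages can be monitored with a Gini impurity. This is an added example, not the algorithm of [81]: the per-window grouping of DIS senders, the attack-free baseline windows, and the tolerance band are assumptions, and all identities are constructed.

```python
# Added illustration (not the algorithm of [81]): track the Gini impurity of DIS
# senders per observation window and flag windows that leave the benign band.
# Window contents, baseline length and tolerance are assumed values.
from collections import Counter

def gini_impurity(senders):
    """1 - sum(p_i^2), where p_i is the share of DIS messages from identity i."""
    total = len(senders)
    if total == 0:
        return 0.0
    return 1.0 - sum((c / total) ** 2 for c in Counter(senders).values())

def flag_windows(windows, baseline_n=3, tolerance=0.15):
    """Return (index, DIS count, impurity) for windows deviating from the baseline.
    The first baseline_n windows are assumed to be attack-free."""
    if baseline_n < 1 or len(windows) < baseline_n:
        raise ValueError("not enough windows to build a baseline")
    scores = [gini_impurity(w) for w in windows]
    base = sum(scores[:baseline_n]) / baseline_n
    return [(i, len(w), round(s, 3))
            for i, (w, s) in enumerate(zip(windows, scores))
            if i >= baseline_n and abs(s - base) > tolerance]

# Constructed DIS logs: one list of claimed sender identities per window.
BENIGN = [["n1", "n2", "n3", "n1"], ["n2", "n3", "n1", "n2"], ["n1", "n3", "n2", "n3"]]
QUIET = ["n1", "n2", "n3", "n2"]
SYBIL = ["n1", "n2"] + [f"s{k}" for k in range(20)]   # 20 fabricated identities
WINDOWS = BENIGN + [QUIET, SYBIL]
```

The benign windows hold a stable impurity of 0.625, while the window with 20 fabricated identities jumps to about 0.955 and is the only one flagged. Because the check uses the absolute deviation, a single identity flooding DIS messages, which lowers the impurity, is flagged as well.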

G. AI-BASED FRAMEWORK
The authors in [83] discussed the inability of conventional techniques to handle novel attacks like clone ID in RPL networks for IoT devices. A framework based on AI is proposed to cater to such kinds of attacks. The selection of the key characteristics from RPL is categorized by unsupervised pretraining technique.
Conventionally, IDS/IPS provided continuous network observation that leads to many problems like resource and time consumption. In a clone ID attack, identities are impersonated by legitimate nodes. An attacker can directly leak, alter, exfiltrate, and spoof the data coming from the clone root node.
To apply the new technique proposed in [83], real-time traffic data was gathered consisting of normal and malicious nodes. A supervised learning approach was used where a DNN model with one outer layer and two hidden layers was adopted. This DNN model helped in recognizing network communication with impersonated nodes.

VI. FUTURE RESEARCH DIRECTIONS
From the detailed literature review and the summary presented in Tables 3 and 4, it is evident that RPL security is of paramount importance. There are several works reported in this area, however, gaps can be identified that need researchers' attention.
Firstly, it is important to understand that different attacks on RPL can cause different network parameters to report faulty values. Therefore, to detect security attacks not only selected parameters rather most of the parameters need to be analyzed. This will give a better and bigger picture required to detect attacks.
Secondly, an extensive body of work can be found that utilizes ML for improving the performance of the network; however, when it comes to detecting security attacks, ML is still underutilized. Moreover, a unified approach to implementing ML for resource-constrained IoT devices needs to be investigated and designed. The recent literature suggests that ML approaches are yet to focus on detecting internal attacks. A mechanism is required where the RPL protocol can be secured not only from the sinkhole attack but also from other internal attacks. Most importantly, such mechanisms should ideally be distributed in nature and their implementation should not derail the performance of the IoT network.
Thirdly, more investigation is required to secure IoT devices at the network layer. It should be noted that on-device security solutions are very limited for IoT networks; therefore, devices such as routers, switches, and firewalls can be subjected to Spoofing and DDoS attacks and thus require new and improved security mechanisms. This is significant since hardware or device-level attacks can go undetected by the software.
To secure the network layer, attacks on RPL, or more generally, to secure the IoT network, a layered security approach is required. It represents designing layer-specific software by layer-specific specialists. Mostly, an IT specialist is given the role of handling network security aided by certain hardware and software tools. Rather, a distributed approach is required where each layer is dealt with by a specialist (i.e. a network layer specialist) using layer-specific tools.

VII. CONCLUSION
Technology advancement has brought the risk of cybercrimes for IoT networks. With the significant increase in the deployment of IoT networks, it has become necessary to understand the current state of security protocols for IoT networks. Keeping this in view, this manuscript presented a comprehensive review of the external and internal security attacks on IoT devices. Details on the layered structure of IoT are presented as well. Moreover, protocols especially designed for IoT devices are discussed in detail. It is found, to protect the network layer against internal attacks different performance parameters are required to be analyzed. Once the network security is breached it impacts various performance parameters such as energy consumption, throughput, packet delivery ratio, etc. It is believed that ML has made enough progress to present solutions for protecting IoT devices against security attacks. Currently, ML is more focused on detecting external attacks and a thorough investigation is required for internal attacks as well. It is observed that the nature of the IoT network is an obstacle when designing security protocols. IoT network is mostly comprised of sensors having limited capabilities therefore, it is challenging to implement robust and computationally complex algorithms. The RPL protocol does not have a pre-defined standard for its security operation, therefore researchers need to standardize the security implementation protocol.
SIBGHAT ULLAH BAZAI received the bachelor's and master's degrees in computer engineering from the Balochistan University of Information Technology, Engineering and Management Sciences (BUITEMS), Quetta, Pakistan, and the Ph.D. degree in information technology (cyber security) from Massey University, Auckland, New Zealand, in 2020. He is currently an Assistant Professor with the Department of Computer Engineering, BUITEMS. His research interests include applying cyber security to disease identification using deep learning, automating exams using natural language processing, and designing local language sentiment corpora and smart city planning. He was a recipient of the HEC HRDI-UESTP Faculty Ph.D. Scholarship. He is a guest editor and reviewer of several journals' special issues in MDPI, Hindawi, CMC, Plosone, and Frontier.
SAAD ASLAM received the Ph.D. degree in electrical and electronic engineering from Massey University, New Zealand. He is currently a Senior Lecturer with the School of Engineering and Technology, Sunway University, Malaysia. He has over 12 years of experience in academia blended with industry exposure. His current research interests include exploiting machine learning for optimizing wireless networks, D2D communication, clustering algorithms, distributed systems, and game theory optimization.
SHAH MARJAN received the B.S. and M.S. degrees (Hons.) from the Balochistan University of Information Technology, Engineering and Management Sciences (BUITEMS), and the Ph.D. degree from the School of Electronics and Information Engineering, Beihang University, Beijing, China, in 2020. He is currently the Chairperson with the Department of Software Engineering, BUITEMS. He is also engaged in different research groups of bachelor's and master's. His exposure, experience, and knowledge are aiding the unexposed young blood of Pakistan in general and Balochistan in particular. His research interests are broad and comprise security, encryption, wireless communication, the Internet of Things, blockchain usage, and machine learning algorithms. He was awarded the M.S. degree (Hons.), which led him to secure a fully funded scholarship for his journey in achieving exposure and Ph.D. degree.
MUHAMMAD ANAS received the B.S. degree from the Balochistan University of Information Technology, Engineering and Management Sciences (BUITEMS), where he is currently pursuing the M.S. degree. His research interests include the Internet of Things, cloud computing, and cyber security. He was awarded a fully funded scholarship during his B.S. degree.
SAYED HABIBULLAH HASHEMI received the dual B.S. degrees in mathematics and physics from Nangarhar University, in 2009, and the M.S. degree in physics (optics and laser) from Bu-Ali Sina University, Iran, in 2021. He is currently an Assistant Professor with the Department of Physics, Paktia University, Paktia, Afghanistan. His research interests include smart agriculture using IoT and AI-based efficient approaches for metal identification.