An intrusion detection mechanism for IPv6-based wireless sensor networks

With the advancement of IPv6 technology, many nodes in wireless sensor networks realize seamless connections with the Internet via IPv6 addresses. Security issues are a significant obstacle to the widespread adoption of IPv6 technology. Resource-constrained IPv6 nodes face dual attacks: local and Internet-based. Moreover, constructing an active cyber defense system for IPv6-based wireless sensor networks is difficult. In this article, we propose a K-nearest neighbor-based intrusion detection mechanism and design a secure network framework. This mechanism trains an intrusion detection algorithm using a feature data set to create a normal profile. The intrusion detection algorithm uses the normal profile to perform real-time detection of network traffic data to achieve rapid detections connecting many devices in a wireless sensor network. In addition, we develop a test platform to verify this mechanism. Experimental results show that this mechanism is appropriate for IPv6-based wireless sensor networks and achieves a low false-positive rate and good intrusion detection accuracy at an acceptable resource cost.


Introduction
In recent years, the scale of wireless sensor networks (WSNs) has grown rapidly. Internet of Things (IoT) systems have many types of networks connecting various system entities. Different networks need to be combined to provide the necessary network connectivity between the entities attached to each network. Entities must be interoperable to operate seamlessly in different networks. However, currently available heterogeneous network protocols in WSNs are typically applicationspecific. Network-level solutions are required among WSNs and between wired and wireless networks to provide seamless communications and interactions among different network types. IPv6 facilitates information exchange, peer-to-peer connectivity, and seamless communication between different IoT systems.
IPv6 technology can have a large number of address resources, automatic address configuration, and good mobility. The use of IPv6 technology in WSNs is inevitable, especially when nodes in WSNs are required to connect to the Internet using IPv6 technology seamlessly.
Numerous standardization work has been completed in Internet Engineering Task Force (IETF) to enable the use of IPv6 technology in WSNs. For IPv6 communication on IEEE 802.15.4 devices, IETF proposed IPv6 over low-power wireless personal area networks (6LoWPANs). These documents focus on the standardization of the IPv6 head compression, 1 neighbor discovery, 2 time-slotted channel hopping (TSCH), 3 and so on.
WSN features and frameworks have been significantly changed because of access to the Internet via IPv6 technology, which may lead to new network threats and attacks. Moreover, the WSN is in an unknown environment with limited resources and hidden attacks. 4 Therefore, it is necessary to study the security issues of IPv6-based WSNs.
Intrusion detection is a mechanism that detects network attacks by analyzing activities in a network or system. 5 Once an attack is detected, an intrusion detection system (IDS) records relevant information about the attack. However, current intrusion detection mechanisms against multiple attacks support multiple protocols but are still in development stages. Therefore, an intrusion detection mechanism, considering the overall security of IPv6-based WSNs, should be investigated further.
The contributions of this article are as follows:

A common intrusion detection framework for
IPv6-based WSNs is developed. Based on this framework, a security framework consisting of an intrusion detection console as the core, a traffic generation module, a traffic capture module, a feature processing module, and an intrusion detection module is proposed, and the coordination mechanism and workflow of each module are designed. 2. Methods of collecting and processing security feature data are described for IPv6-based Internet and IPv6-based wireless networks. The IPv6-based WSNs features for intrusion detection are specified in this article. A set of lightweight intrusion detection algorithms based on K-nearest neighbors (KNNs) is implemented for IPv6-based WSNs, and the algorithms are stable and can be used effectively in the intrusion detection console. 3. A test platform is developed to verify the proposed mechanism. The laboratory 6LoWPAN node and gateway are used to build an IPv6based WSN and verify the proposed mechanism's feasibility on the IPv6-based wireless. Compared with other schemes, the proposed mechanism can effectively reduce the false positive rate (FPR) of intrusion detection and achieves good detection efficiency and ACC.
This article is organized as follows. Section ''Related work'' reviews several existing works related to security and IDSs for WSNs. Section ''Intrusion detection framework'' describes the intrusion detection framework. Section ''Intrusion detection mechanism'' proposes a lightweight intrusion detection algorithm for IPv6-based WSNs based on KNN. Section ''Verification and result analysis'' develops a test platform to verify the proposed mechanism, and research results are analyzed and discussed. Finally, in section ''Verification and result analysis,'' we conclude the study with a summary.

Related work
Research on the security of Internet protocol (IP)-based WSNs has attracted much attention. In terms of standardization, IPv6 has supported Internet protocol security (IPsec) for WSNs. In 2020, RFC 5570 6 proposed an optional method for encoding packet sensitivity labels on IPv6 packets. The encoding provided multilevel network security services for network layer traffic in IPv6 environments. RFC 8750 7 updated an encapsulated security payload to generate a nonce using values provided in the encapsulating security payload sequence number to avoid sending initialization vector. RFC 4301 8 updated security architecture for IP. In 2019, RFC 8598 9 proposed two configuration payload attribute types for Internet key exchange protocol version 2 (IKEv2), adding support for private domain name system (DNS) domains.
Meanwhile, IP-based wireless sensor networks are usually resource-constrained mainly because nodes are attacked locally and on the Internet. Therefore, lightweight security mechanisms are necessary in this regard. Cao et al. 10 designed a lightweight security D2D (Device to Device) system using multiple sensors on mobile devices. In the research by Raza and Magnu´sson, 11 a lightweight IKE was proposed, and IKEv2 was adapted. An active defense system can monitor a network and respond to detected attacks in real-time. Therefore, it is necessary to develop an active defense system for IPv6based WSNs to deal with security issues and detect attacks in real-time.
There are several research studies on IDSs for specific attacks. In 2013, Shahid first proposed the IDS SVELTE 12 for routing attacks by changing routing information 13 against IPv6 WSNs, with intrusion detection using the widely used and accepted the opnet 14.5 simulators to simulate in turn WSN generation of data sets for normal flow and attack flow. Althubaity et al. 14 proposed a hybrid specification-based IDS to protect the RPL (IPv6 routing protocol for low-power and loss networks) topology in 6TiSCH networks from any manipulation on the rank value to establish rank attack or on the routing metric to perform rank attack based on the objective function. Amaran and Mohan 15 proposed Optimal Multilayer Perceptron (OMLP) with Dragonfly Algorithm (DA) for intrusion detection in WSN. The OMLP model has high accuracy and detection rate. Choudhary and Taruna 16 proposed a technique which is based on the frequency analysis onsite to find intrusion into the network; the data from these dedicated sensors are stored in a fuzzy analytical engine for inference. Jiang et al. 17 proposed SLGBM, an intrusion detection method for wireless sensor networks. A LightGBM algorithm is utilized to detect different network attacks. Sharma et al. 18 proposed a supervised machine learningbased IDS for RPL-based cyber-physical systems, that is capable of detecting several attacks.
Similarly, there are some research studies on IDSs for specific protocols. Moustafa et al. 19 proposed an integrated intrusion detection technology. Message queuing telemetry transport (MQTT) protocols are used in IoT systems, and the AdaBoost ensemble learning method was developed using decision tree (DT), naive Bayesian, and artificial neural networks (ANNs). Verma and Ranga 20 used an ensemble learning-based network IDS framework to detect routing attacks on the IPv6-based routing protocols for low-power and lossy networks. Shen et al. [21][22][23] proposed IDSs for malware, which can suppress malware diffusion in IoT network. Zhou et al. 24 proposed a malware detection model based on game theory in WSNs. Liu et al. [25][26][27][28] proposed a series of methods for virtual resource security detection in sensor edge cloud.
Existing research studies focus on specific protocols or attacks, and they can achieve effective intrusion detection. However, an intrusion detection mechanism, considering the overall security of IPv6-based WSNs, merits further investigation. Furthermore, the intrusion detection mechanism should be designed considering all IPv6-based WSN frameworks.

Intrusion detection framework
Traditional WSNs are typically stand-alone, not connected to any other external networks. They are usually composed of low-power, lossy networks, and many resource-constrained nodes, forming a closed wireless mesh network. To use IPv6 technology in WSNs, IETF proposed a 6LoWPAN protocol stack based on IEEE 802.15.4. The protocol stack has six layers, where its bottom layer adopts the IEEE 802.15.4 standards of the PHY and MAC layers. For implementing a seamless connection between the MAC and network layers, an adaption layer is added between the MAC and network layers to handle header compression, fragmentation, reassembly, and mesh route forwarding. 6LoWPAN nodes and gateways form an IPv6-based WSN through the 6LoWPAN protocol stack. When one or more gateways of the IPv6-based WSN access the Internet, an extended IPv6-based WSN forms. The network is connected to the intrusion detection console to form an intrusion detection framework. Figure 1 shows the IPv6-based WSN intrusion detection framework, including the intrusion detection console, the IPv6-based Internet side, and the IPv6-based wireless side.
For the IPv6-based Internet side, a normal server and a malicious server can generate an original packet, and the traffic generated by the servers constitutes normal and abnormal activities. The traffic sent by the servers is forwarded to a PC or a portable device via a router.
For the IPv6-based wireless network side, each IPv6-based node forwards a packet to an IPv6-based border router through the IPv6-based route node, and finally, the IPv6-based border router uploads it to the gateway. Each node is configured with the CoAP/ MQTT protocol and is connected to the gateway via the CoAP/MQTT proxy. An intrusion detection device is a tool for constructing and collecting security feature data for the intrusion detection mechanism. It can sniff packets from its neighbors and construct security feature packets.
The intrusion detection console logically includes five functional modules: a traffic generation module, traffic capture module, feature processing module, intrusion detection module, and intrusion response module. Their specific functions are as follows: 1. Traffic generation module: the traffic generation module includes a server on the IPv6-based Internet side and a sensor node on the IPv6based wireless network side. These devices are responsible for generating original packets for intrusion detection. 2. Traffic capture module: the traffic capture module includes packet capture tools in the intrusion detection console and intrusion detection devices. The IPv6-based Internet side captures the traffic of an ingress router, and the IPv6based wireless network side captures the security feature packets forwarded by the gateway to the Internet. 3. Feature processing module: the feature processing module is a feature extraction tool in the intrusion detection console. After capturing the original traffic, it is stored in a local database in the intrusion detection console. Feature extraction tools and feature processing algorithms help realize feature statistics and selection. 4. Intrusion detection module: the intrusion detection module stores processed feature data in a CSV (comma-separated values) file in the intrusion detection console, using it as an input to the intrusion detection module. This module trains the intrusion detection mechanism to form the normal profile (NP) of the intrusion detection model. The NP is used to detect and classify the real-time flow data into normal flow or abnormal flow in real-time. 5. Intrusion response module: the intrusion response module prevents organizational attacks by managing the network, such as taking malicious nodes offline or restoring normal network behaviors.

Intrusion detection mechanism
In this section, an intrusion detection mechanism is proposed for an IPv6-based WSN based on KNN. Figure 2 shows its specific workflow. Three steps are involved in the proposed intrusion detection mechanism: 1. Security feature data collection and processing: on the IPv6-based Internet side, original packets generated by the gateway are collected and stored in the database. On the IPv6-based wireless network side, the intrusion detection device constructs a security feature message and eventually forwards it to the gateway. The packet capturing tool captures the packet from the gateway and stores it in the database. The feature processing module will perform feature extraction on packets stored in the local database to generate traffic features and generate security feature data after performing statistics on the traffic features. 2. Data standardization and feature selection: the feature processing module standardizes security feature data and uses feature selection algorithms to screen appropriate security features. Finally, the feature processing module creates a security feature data set for training the intrusion detection algorithms. 3. Algorithm training and intrusion detection: the intrusion detection module trains the algorithm, generating an intrusion detection model. In addition, the intrusion detection module needs to be regularly updated to adapt to network changes. The intrusion detection module also detects new security feature data. When the detected traffic flow is abnormal, the intrusion response module is responsible for processing the abnormal node.

Security feature data collection and processing
The network traffic on the IPv6-based Internet side uses a packet capturing tool to capture original packets of the entry router to form a packet capture (pcap) file. The pcap file needs to be processed to generate a record for each message sent and received. Implicit information related to normal and abnormal activities is recorded. Those records are further processed and transformed into security feature data for online analysis by the intrusion detection algorithm. IPv6based Internet side security features are divided into HTTP-based features, traffic-based features, and transaction-based features. Table 1 shows the HTTPbased features, Table 2 shows the traffic-based features, and Table 3 shows the IPv6-based Internet side transaction-based features. The IPv6-based wireless network side security features include RPL-based features, application layerbased features, 6top-based features, transaction-based   The number of commands in the FTP session ct_srv_src The number of connections containing the same service and source address in 100 connections ct_srv_dst The number of connections containing the same service and destination address in 100 connections ct_dst_ltm The number of connections with the same destination address among 100 connections ct_src_ltm The number of connections with the same source address among 100 connections ct_src_dport_ltm The number of connections with the same source address and destination port in 100 connections ct_dst_sport_ltm The number of connections with the same destination address and source port in 100 connections ct_dst_src_ltm In 100 connections, the number of connections with the same source and destination features, and TSCH-based features. Table 4 shows the RPL-based features, Table 5 shows the application layer-based features, Table 6 shows the TSCH-based features, Table 7 shows the 6top-based features, and Table 8 shows the transaction-based features. Application layer-based features include IP address and the port numbers of a source and destination and protocol. Transaction-based features are generated based on the interaction of flow identifiers created in a time window to maintain online detection of malicious activities. This includes traffic statistics, such as the number of connections in a fixed period. A flow identifier and session time are sequentially stored by the packet capturing tool after obtaining the header information of the original packet. According to the timestamp of the captured packets, the packets are grouped and processed in a fixed collection cycle to generate traffic features in the collection cycle.

Feature data standardization and feature selection
The generated security feature data set is denoted by X with n feature data. The dimension of each feature data is denoted by q. Equations (1) and (2) represent the security feature data set X and the sample x i in the data set, respectively Standardization Box-Cox transformation. Correlation analysis and machine learning algorithms have a default requirement that data follow the normal distribution. However, in reality, data seldom follow the normal distribution.  The number of relayed packets Table 6. TSCH-based features.

Feature Description numSharedCells
The number of shared cells NumTxCells The number of transported cells NumRxCells The number of received cells numDedicatedCells The number of dedicated cells TschRxEB The number of received beacon TschTxEB The number of transported beacon Times for received response to delete a time cell 6topRxDelReq Times for received request to delete a time cell 6topTxDelResp Times for transported response to delete a time cell 6topTxAddReq Times for transported request to add a time cell 6topRxAddReq Times for received request to add a time cell 6topRxReCells Received cell relocated command 6topTxDelReq Times for transported request to delete a time cell 6topTxReBund Transported bund relocated request 6topTxReCells Transported cell relocated request 6topTxAddResp Transported response to add a time cell The data queue is full NumTx The number of transported packets Box-Cox transformation can reduce unobservable errors and predict the correlation of variables to a certain extent. Therefore, before performing the feature correlation analysis, we use the Box-Cox transformation to bring the data as close to the normal distribution as possible It can be seen from equation (3) that the final form of Box-Cox transformation is determined by l: 1. When l = 0, Box-Cox transformation is a logarithmic transformation. 2. When l = À 1, it is equivalent to a reciprocal transformation. 3. When l = 0:5, it is equivalent to a square transformation.
Kolmogorov-Smirnov test. Kolmogorov-Smirnov test 29 is used to determine the normal distribution of features. It involves the degree of consistency between the eigenvalue distribution and the completely theoretical continuous distribution.
Equation (4) is the cumulative distribution function F n (x) Equation (5) is the Kolmogorov distribution func- Feature correlation analysis. Correlation analysis is a statistical evaluation technique used to determine the relationship between features. This technique is used to study the relationship between the features of the training set and test set.
Pearson's correlation coefficient. Pearson's correlation coefficient (PCC) is used to study feature correlation between the training set and test set, without considering labels or categories. PCC is a measure of the strength and direction of the linear correlation between two features.
Equation (6) is the PCC between features f 1 and f 2 In equation (6), x if1 and x if2 are the values of features f 1 and f 2 , respectively.
The calculated value of PCC can vary from + 1 to 0 to 21. A positive value of PCC indicates that two features are positively related, whereas a negative value of PCC indicates that two features are negatively related.
Gain ratio. The gain ratio is used to classify the correlation between features, and it considers the corresponding instance labels. The analysis aims to find features that distinguish between normal traffic instances and attack traffic instances.
Splitting information is the potential information generated by splitting the security feature data set X into m blocks. Equation (7) is used to calculate the splitting information In equation (7), X represents the security feature data set with n instances, and m represents the number of results corresponding to the feature f.
The average information entropy required to classify an instance is expressed in equation (8 In equation (8), p i represents the probability that an instance in the data set belongs to the class i. k represents the number of label categories in the data set.
Based on the feature f, X is divided into i different groups, and the expected information gain E(f) is defined in equation (9) Therefore, the information gain before and after splitting can be calculated using equation (10) The gain ratio is defined as the ratio between the information gain and split information Intrusion detection algorithm The proposed intrusion detection algorithm proposed is an anomaly detection method for a single classification problem. It is a variant of the KNN algorithm, which aims to solve the shortcomings of the KNN algorithm with high computation and lazy learning. In IPv6-based WSN intrusion detection, the intrusion detection algorithm needs to distinguish between normal traffic and abnormal traffic. The key assumption of the proposed intrusion detection algorithm is that normal data points appear in dense neighborhoods and abnormal data points are far from neighbors.
Quantification method of grid structure. Each data object is quantified into a q-dimensional space. The q-dimensional space is divided into a continuous hypercube grid space composed of a fixed size. Assume the diagonal of the hypercube grid to be d/2. For the data dimension q = 2 in the data set, quantify each data object into a two-dimensional (2D) space. The 2D space is divided into a continuous square grid space composed of a fixed size; the grid structure diagram is shown in Figure 3. Cube(u 1 ,u 2 ) represents the grid at the intersection of row u 1 and column u 2 . The grid set of the nearest neighbors of the grid is represented in equation (12) Neighbor In 2D space, the length of the grid is L, and L = d=2 ffiffi ffi 2 p In the q-dimensional space, the diagonal length of the hypercube is ffiffi ffi q p L, so in the q-dimensional space, L = d=2 ffiffi ffi q p , and the hypercube is represented as Cube (u1, u2,..., uq) , representing the grid at coordinate (u 1 , u 2 ,..., u q ). Equation (13) represents the neighbors of the hypercube The grid structure has the following geometric properties: 1. The distance between any data objects in a grid is at most d/2. (u1,u2,..., uq) , q 2 Cube (v1,v2,..., vq) , where the distance between any data object p and q is at most d. (u1,u2,..., uq) , and detection area DR(x) be a hypercube with data x as the center and d as the diagonal length. Cube (u1, u2,..., uq) can cover the detection area, as shown in Figure 3.

x 2 Cube
Algorithm training. The training process of the intrusion detection algorithm involves using the generated security feature data set to adjust the parameters of the algorithm (a KNN classifier) to meet the requirements of intrusion detection. The proposed intrusion detection algorithm analyzes the relationship between the data and the label in the security feature data set. Thus, the algorithm can learn to infer the affiliation of new data. In the training process, the security feature data are projected into the grid structure. The maximum and minimum values of the ith feature are max i and min i . In this case, the ith dimension boundary of the grid structure is limited by max i and min i .
If the training data remain unchanged, the boundary can be fixed. However, the IDS needs to update the training data regularly while retraining the model. Therefore, it is necessary to set aside appropriate redundant space and leave a margin at the current boundary for the online update, the grid structure can then capture data outside the current boundary.
In addition, the coefficient c is introduced to translate the data, where c . |min|, min = {min i |i = 1,2,..., q}; the entire feature space is transferred to the positive coordinate space to avoid negative component values in the security data set.
For the hypercube position in which the data x i is located as u i b c, where u i = (x i + c)/l, the binary code 2 b is used to represent the hypercube, with the hypercube position encoded as pos = u i ( (q 2 i) b|pos. The binary code must be able to cover the hypercube position. The maximum hypercube position is (max + c)/l, where max = {max i |i = 1,2,...,q}. Therefore, (max + c)/l ł 2 b .
Intrusion detection. Equation (14) is defined as the alternative detection area of test data. The alternative detection area is shown in Figure 3 DR In equation (14) Figure 3. The intrusion detection hypercube grid structure.
The intrusion detection rules are described as follows: If there are at least k data points in the grid, the test data falling into the grid are always normal.
If the data points in the grid are less than k, determine the number of data points in the detection area DR to determine whether the number of data points in the replacement DR is greater than k. If it is greater, the test data are normal. If the data in DR are less than k, continue to analyze the data in the Neighbor(Cube); if the number of data points in Neighbor(Cube) is greater than k, the test data are normal; if the number of data points in Neighbor(Cube) is less than k, the test data are abnormal.

Verification and result analysis
This section describes the test platform for verifying and analyzing the intrusion detection mechanism. Figure 4 shows the test platform, which is built with an IPv6-based WSN platform independently developed by our laboratory. The platform has obtained the IPv6 Ready Phase-2 Logo, which designates the consistency of the IPv6 protocol and device interoperability. The platform includes one PC, one 6LoWPAN gateway, and fifteen 2.4 GHz band 6LoWPAN nodes. The UNSW-NB15 30 data set is used as the feature data set of the IPv6-based Internet side. The raw network packets of the UNSW-NB15 data set were created using the IXIA PerfectStorm tool in the Cyber Range Lab of the Australian Centre for Cyber Security for generating a hybrid of real modern normal activities and synthetic contemporary attack behaviors.
The 6TiSCH Simulator 31 is used to simulate normal activities and attack behaviors of IPv6-based nodes.
After the simulation, a DAT file is generated as the feature data set of the IPv6-based wireless network side. The simulation has 50 nodes, 5k slot frames, a slot frame length of 101 cells, and a cell duration is 10 ms.

Data set analysis
The security feature data set is divided into training data set and test data set. The skewness, kurtosis, and PCC of the data set are analyzed. Figure 5 shows the skewness of IPv6-based wireless network side data set. In the training data set, features 20,23,25,33,39,40, and 42 are positively skewed, and features 39 and 41 are negatively skewed. The training data set and the test data set have almost equal skewness, and it can be inferred that they have similar distributions. Figure 6 shows the kurtosis of IPv6-based wireless network side data set. Most of the features of the training data set and the test data set have flat kurtosis.    kurtosis. The training data set and the test data set have similar kurtosis.
The PCC of IPv6-based wireless network side data set is shown in Figure 7, most of the correlations between the features remain balanced, there is no excessive correlation, and no correlation, such features are acceptable features. Acceptable-related features account for more than 70%, and the data set has good correlation.

Overhead analysis
The intrusion detection algorithm should be as light as possible to ensure that it can maintain optimal network performance when used in a resource-constrained environment such as IPv6-based WSNs. Therefore, the overhead of the intrusion detection algorithm is evaluated. Assume that retraining the algorithm necessitates n 1 feature data, q feature dimension of the data, and NP size. The number of non-zero hypercubes is S. The overhead of the proposed algorithm is discussed in this section.
Computational complexity. Computational complexity determines the detection efficiency of an algorithm. The intrusion detection algorithms mainly include training the algorithm and intrusion detection, both of which are completed in the intrusion detection console.
The computational complexity of projecting each training data to the hypercube is O(n 1 ) and of counting and sorting data in the hypercube is O(n 1 log(n 1 )). Address encoding requires O(n 1 ). Therefore, the total computational complexity of the learning process is O(n 1 log(n 1 )).
In the detection process, each data will generate computational complexity from n 1 log(n 1 ) + 1 to n 1 log(n 1 ) + 2 q 2 1; therefore, the computational complexity of the detection process is O(n 1 log(n 1 )).
The results show that the computational complexity of each function varies linearly or logarithmically with the number of data n 1 . This indicates that the training and detection efficiency of the algorithm is stable, and it can run effectively on the intrusion detection console.
Communication overhead. The communication overhead generated during the detection process mainly includes the feature data collected by the intrusion detection device and sent to the gateway and the intrusion response.
A packet payload sent by the intrusion detection device to the gateway is 4 bytes. The feature data sending period is T. The number of nodes is N, the node data message payload is 4 bytes, and the data sending period is 60 s. Intrusion detection devices need to send n 1 feature data to retrain the algorithm.
During the intrusion response process, the offline command message length is 14 bytes, and the broadcast offline message length is 12 bytes. In a training cycle, the communication overhead of the feature data is 4 n 1 bytes. Without considering packet forwarding, the total overhead in the network is at least 4NT (n 1 =N )=60 + 4n 1 = n 1 T =15 + 4n 1 bytes. This result shows that the communication overhead of feature data accounts for 60/(T + 60) of the total network communication overhead during the training process. T is typically much larger than the node data transmitting period, so the communication overhead is acceptable.
Storage overhead. Since feature data of the IPv6-based WSN changes constantly, the NP of the intrusion detection model changes accordingly, and the NP is updated online. Therefore, the intrusion detection console stores only the NP, the length of the position-coding unit is bp bits, and the amount of data in the hypercube is log(n 1 ) bits at most. Therefore, the total storage overhead is (bp + log(n 1 ))|S|.

Performance analysis
First, the feasibility of the intrusion detection mechanism is verified. When an attacking node is detected, the intrusion detection console records the device address of the attacking node in an offline command message. Then, it sends a message to the gateway to take the attacking node offline and then broadcasts the node's offline information to other nodes to update the network topology.
The algorithm's intrusion detection performance and efficiency were evaluated in terms of ACC, the FPR, receiver operating characteristic (ROC) curve, and CPU running time. ACC is the percentage of all normal and abnormal records that are correctly detected. FPR is the percentage of incorrectly identified abnormal records. The ROC curve represents the relationship between the true positive rate (TPR) and FPR, reflecting the algorithm's overall performance. scikit-learn 32 is a Python module comprising a wide range of state-of-the-art machine learning algorithms for medium-scale supervised and unsupervised problems. We compared the proposed model's performance to intrusion detection models trained on this study's feature data using DT, 33 ANN, 34 random forest (RF), 35 KNN, 36 AdaBoost, 37 logistic regression (LR), and Bayesian algorithms; 38 these algorithms are from scikit-learn.
Two experiments were conducted to verify the intrusion mechanism's performance further. In both experiments, the security feature dimension was q = 10. These 10 security features are drawn from the top four and top six features in descending order of the gain ratios of the IPv6-based Internet side and the IPv6based wireless network side, respectively. Experiment 1 was conducted for preliminary verification of intrusion detection performance. The coefficient L is set to a fixed value, and ROC is tested to observe the algorithm's overall performance. In Experiment 1, the algorithm ran 100 times independently, and the experimental results in terms of Area Under Curve (AUC), as shown in Figure 8(a). AUC = 0.87, which indicates that the classifier learning effect is good. Figure 8(b) shows the detection time of a single sample, which is 0.12-0.14 ms. It can meet the requirement of real-time detection. The floating of detection time is caused by judgment conditions in the intrusion detection process. Experiment 2 tests the robustness of intrusion detection capability and compares and analyzes it with other algorithms. The length of the grid L is set in [0.86, 1.02]; ACC, FPR, and detection time are calculated in each algorithm run. Figure 9 shows the experimental results in terms of ACC except for the sixth experiment. The results show that ACC is stable at approximately 90%, which shows the algorithm's effectiveness. The ACC of the proposed algorithm proposed close to DT, AdaBoost, and RF and better than most of the comparison algorithms. Figure 10 shows the experimental results in terms of FPR. The proposed algorithm results are close to those of DT, AdaBoost, and RF. It does not exceed 25% and can even achieve 6% FPR, which is better than most comparison algorithms. The FPR indicates that the NP has well expressed the behaviors of nodes in the network, and the algorithm is robust.
The experimental results in terms of detection time are shown in Figure 11. The results of the proposed algorithm proposed are close to those of the LR, DT, and RF algorithms. It can achieve timely detection within 2 ms. Experiment 1 and Experiment 2 results show that the proposed intrusion detection algorithm's AUC is 0.87 and ACC is stable around 0.9, which indicates that the classifier has a good learning effect and effective intrusion detection. The proposed algorithm's FPR is less than 0.25, which indicates that the NP well expressed the behaviors of nodes in the WSN. The algorithm's detection time of a single sample is stable within 0.12-0.14 ms. The overall detection time of the algorithm is stable within 2 ms, indicating that the algorithm is highly efficient. In addition, the detection time of the intrusion detection mechanism meets the requirement of timely detection.
Analysis and experimental results show that the algorithm proposed in this research can effectively reduce the FPR of intrusion detection, achieving good detection efficiency and ACC. In addition, the inexpensiveness of the intrusion detection mechanism allows for the realization of the real-time detection of malicious attacks in IPv6-based WSNs. The proposed intrusion detection algorithm can achieve better detection performance than other comparison algorithms.

Conclusion and future work
This research proposed an intrusion detection framework and mechanism for an IPv6-based WSN. The mechanism is lightweight and efficient, and the NP of the intrusion detection model is trained using the feature data set. The intrusion detection algorithm uses the NP to perform real-time detection of traffic data to achieve rapid detection after a significant number of  devices are connected in the network. In addition, a test platform was developed to verify the effectiveness and performance of the intrusion detection mechanism. Experimental results have shown that implementing the proposed intrusion detection mechanism is reasonable and can be used in IPv6-based WSNs.
The intrusion detection mechanism can only detect active threats; it cannot detect threats in advance. Furthermore, in the face of fake malicious behavior, the attack (threat) source cannot be traced, resulting in some false positives. In the future, we will build the 6TiSCH platform to further verify the proposed intrusion detection mechanism. The intrusion detection algorithm will need to collaborate with expert systems to analyze security situations and prevent attacks in advance. Furthermore, more in-depth research on the nature of networks and attack mechanisms will be critical for developing a comprehensive intrusion detection mechanism.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.