This study addresses the challenge of accurately detecting and distinguishing multiple attack types in RPL-based IoT networks. To this end, it introduces foundational models into RPL intrusion detection for the first time, proposing a fine-grained attack identification approach based on the MOMENT model. A network dataset encompassing normal traffic and four representative attacks—including Blackhole and DIS flooding—is generated using the Cooja simulation platform. The MOMENT model is then fine-tuned with RPL-specific traffic features to enable end-to-end multi-class attack classification. Experimental results demonstrate that the proposed method achieves detection performance comparable to state-of-the-art techniques while significantly improving the accuracy of attack-type identification, thereby validating the effectiveness and potential of foundational models in resource-constrained IoT security scenarios.

AI-based intrusion detection systems (IDS) have shown promise in detecting attacks on IoT systems. In this work, we explore the use of foundation models to detect and identify attacks, with a specific focus on RPL-based IoT networks. We study multiple attack types, attack variations, and network configurations, and provide insights into the performance of foundation models for attack identification. Specifically, we fine-tune the MOMENT foundation model for multi-class attack identification. Our evaluation is based on a dataset containing RPL-related statistics collected under normal operation and under Blackhole, DIS flooding, Worst Parent, and Local Repair attacks, generated in a Cooja simulation environment. The initial results are promising. The approach achieves attack-detection performance comparable to state-of-the-art methods, while also demonstrating strong performance in distinguishing between different attack types.