The Internet of things (IoT) is a worldwide network in which all heterogeneous objects around us (such as smart phones, laptops or smart sensors) can connect to the Internet by using a wide range of technologies. In other words, large number of smart interconnected devices in IoT results in valuable services to the society and individual citizens [1]. Moreover, IoT can be supported by satellite communication systems for the case of Internet of remote things (IoRT) in which Internet protocol version 6 (IPv6) should be supported over satellite [2]. The general architecture of IoT is shown in Fig. 1. As seen in Fig. 1, the IPv6 over low-power wireless personal area networks (6LoWPANs) [3] is a wireless sensor network (WSN) which allows the connection of resource-constrained devices, such as sensor nodes, to the Internet through the 6LoWPAN border router (6BR) [4, 5]. It is noted that the routing protocol for low power and lossy networks (RPL) [5] is a certain routing protocol for 6LoWPAN. The RPL, which is based on the construction of a destination-oriented directed acyclic graph (DODAG), is an IP-based distance vector and hop-by-hop routing protocol. RPL enables different operations such as the unidirectional traffic towards a DODAG root, bidirectional traffic between resource-constrained devices (i.e., 6LoWPAN nodes), and bidirectional traffic between resource-constrained devices and the DODAG root [5]. Along with the rapid growth of technology in computer networks such as IoT, security has become a critical challenge. The main security requirements for the IoT are as follows [6]: a) data confidentiality and authentication and b) privacy and trust among users and things. The communication in the IoT can be secured by using standard mechanisms such as cryptography and authentication techniques; however, these preventive mechanisms cannot detect all possible attacks, because of the nature of wireless communication. On the other hand, the resource-constrained devices are directly connected to unreliable Internet via IPv6 and 6LoWPAN networks in the IoT; so, they are vulnerable to intrusions (both from the Internet and WSNs) [4]. Therefore, an intrusion detection system (IDS) is required for detecting malicious activities in the IoT besides the standard security mechanisms. IDS is an effective mechanism which gathers system activities or network traffic as input data with the aim of analyzing them for identifying malicious behaviors. IDSs are classified into the following categories: a) misuse-based (as the best method for detecting known attacks); b) anomalybased (as the best method for detecting unknown attacks); and c) specification-based detection systems.