Page 1: A Specification-based Distributed Intrusion Detection ...prr.hec.gov.pk › jspui › bitstream › 123456789 › 9805 › 1...titled A Specification-based Distributed Intrusion Detection

A Specification-based Distributed Intrusion Detection Framework for Wireless Sensor Networks

Ashfaq Hussain Farooqi
PhD (CS) Scholar

A thesis submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy to the National University of Computer & Emerging Sciences

Department of Computer Sciences
National University of Computer and Emerging Sciences
(2017)


Author’s Declaration

I, Ashfaq Hussain Farooqi, hereby state that my Ph.D. thesis titled A Specification-based Distributed Intrusion Detection Framework for Wireless Sensor Networks is my own work and it has not been previously submitted by me for taking partial or full credit for the award of any degree at this University or anywhere else in the world. If my statement is found to be incorrect, at any time even after my graduation, the University has the right to revoke my Ph.D. degree.

Ashfaq Hussain Farooqi

Date: _______________


Plagiarism Undertaking

I take full responsibility for the research work conducted during the Ph.D. thesis titled A Specification-based Distributed Intrusion Detection Framework for Wireless Sensor Networks. I solemnly declare that the research work presented in the thesis is done solely by me with no significant help from any other person; however, small help wherever taken is duly acknowledged. I have also written the complete thesis by myself. Moreover, I have not presented this thesis (or substantially similar research work) or any part of the thesis previously to any other degree awarding institution within Pakistan or abroad.

I understand that the management of the National University of Computer and Emerging Sciences has a zero-tolerance policy towards plagiarism. Therefore, I, as an author of the above-mentioned thesis, solemnly declare that no portion of my thesis has been plagiarized and any material used in the thesis from other sources is properly referenced. Moreover, the thesis does not contain any literal citing of more than 70 words (total) even by giving a reference unless I have the written permission of the publisher to do so. Furthermore, the work presented in the thesis is my own original work and I have positively cited the related work of other researchers by clearly differentiating my work from their relevant work.

I further understand that if I am found guilty of any form of plagiarism in my thesis work even after my graduation, the University reserves the right to revoke my Ph.D. degree. Moreover, the University will also have the right to publish my name on its website that keeps a record of the students who plagiarized in their thesis work.

Ashfaq Hussain Farooqi

Date: ______________


Certificate of Approval

It is certified that the research work presented in this thesis, entitled A Specification-based Distributed Intrusion Detection Framework for Wireless Sensor Networks, was conducted by Ashfaq Hussain Farooqi under the supervision of Dr. Farrukh Aslam Khan. No part of this thesis has been submitted anywhere else for any other degree. This thesis is submitted to the Department of Computer Sciences in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science at the National University of Computer and Emerging Sciences, Islamabad, PAKISTAN, 2017.

Candidate Name: Ashfaq Hussain Farooqi
Signature:

Examination Committee:
a) Name: _______________ Signature: ______________________
b) Name: _______________ Signature: ______________________
c) Name: _______________ Signature: ______________________

___________________________________________________
Director, National University of Computer and Emerging Sciences, Islamabad

____________________________________________________
Dean of Computer Science, National University of Computer and Emerging Sciences


Abstract

Wireless Sensor Networks (WSNs) have great potential to assist in storing and processing data collected from tiny sensors placed in various environments such as smart homes, vehicles, hospitals, enemy surveillance areas, volcanoes, oceans, etc. The sensors may be implanted to inspect physical aspects of the external environment such as temperature, moisture, humidity, pressure, motion, magnetic fields, light, sound, gravity, vibration, electrical fields, and others, or to inspect physical aspects of internal environments such as the motion of an organism, glucose level, oxygen level, and others. The data recorded by these sensors can further be used for several applications and services. Here, the data is acquired from the sensors through the wireless medium. Recent studies show that WSNs are vulnerable to various kinds of security threats, and a security solution is required that can safeguard them from lethal attacks.

Several security schemes have been proposed in the recent past to counter attacks launched at different layers of WSNs. Intrusion detection systems (IDS) focus on the detection of malicious activity at the network layer. Most of the proposed IDS-based security approaches for WSNs lack completeness with respect to data acquisition, detection policy, and the actions to be taken once malicious behavior is detected. Further, they lack proper testing of the proposed schemes with respect to performance metrics such as energy consumption, throughput, false positive rate, intrusion detection rate, and accuracy. Hence, a purely distributed security scheme is required that works independently and communicates the anomalous behavior of sensor nodes to the base station (BS). The scheme should be lightweight and able to perform efficiently with respect to energy consumption and throughput. Moreover, it should achieve a low false positive rate and a high detection rate.

In this thesis, a novel intrusion detection framework is proposed for securing WSNs from routing attacks. The proposed system works in a distributed environment and detects intrusions by collaborating with neighboring nodes. It works in two modes: online prevention guards against abnormal nodes that have already been declared malicious, while offline detection finds nodes that are compromised by an adversary during the next epoch of time. The proposed framework is a specification-based detection framework for a flat WSN scenario. To test its performance, a simulator is implemented and results are produced. The results show that a centralized distributed approach cannot properly determine the actual condition of the network; therefore, a purely distributed security system is more appropriate for WSNs. The results also show that the specification-based detection scheme achieves a higher detection rate and a low false positive rate. They further indicate that each node should be treated independently in WSNs, and that centralized distributed detection schemes may fail to determine whether the network is behaving normally or is under attack.

As a second contribution, the low-energy adaptive clustering hierarchy (LEACH) protocol for WSNs is modified by adding the functionality of the proposed intrusion detection framework to secure it from sink-hole, black-hole, and selective forwarding attacks. The modified protocol is called LEACH++. We performed two types of analyses: (1) numerical analysis to check the effect on throughput and energy, and (2) simulations in Network Simulator-2 (NS-2) to confirm the results of the numerical analysis. The results are quite promising and favor LEACH++ over LEACH under attack with respect to throughput and energy consumption.

The third contribution is a security analysis of the LEACH++ protocol to validate the proposed specification-based detection scheme with respect to accuracy, false positive rate, and detection rate. For this purpose, we simulate LEACH++ while launching various numbers of attacks in different patterns for different configurations. The experiments are carried out against the LEACH++ protocol for black-hole and sink-hole attacks in different patterns. The results show that the proposed scheme achieves high accuracy and a high detection rate for LEACH++ with a very low false positive rate.


This work is dedicated to my mother and loving wife.


Acknowledgements

At the outset, I would like to pay my gratitude to almighty ALLAH, the Most Gracious and the Most Merciful, for bestowing upon me His blessings and providing me with the opportunity to work under the supervision of the most talented and caring teachers, which enabled me to undertake and carry out this research work.

I am deeply indebted to my thesis supervisor, Dr. Farrukh Aslam Khan, for his informed guidance, understanding, support, and encouragement throughout the years. His in-depth knowledge and vision in this area are truly admirable and have been a source of inspiration to me. His patience and willingness to discuss the details of the different obstacles I encountered while working on this thesis were valuable and unique.

I could not have reached this goal without the prayers, moral support, and love of my mother. I would also like to thank my wife and all other well-wishers. Here, I would like to share all my achievements with them. I would like to extend my gratitude to my friends and PhD colleagues for their discussions, contributions, and support.

Last but not least, I would like to thank the Higher Education Commission (HEC) of Pakistan for financing my PhD studies.


Table of Contents

Chapter 1 Introduction ... 1
  1.1 Motivation ... 1
  1.2 Problem Statement ... 2
  1.3 Research Methodology ... 3
  1.4 Dissertation Contributions ... 4
  1.5 Thesis Organization ... 5
Chapter 2 Background ... 7
  2.1 Introduction ... 7
  2.2 Security Issues in Flat Wireless Sensor Networks ... 11
  2.3 Security Issues in Hierarchical Wireless Sensor Networks ... 13
  2.4 Other Security Issues ... 15
  2.5 Summary ... 16
Chapter 3 Intrusion Detection Systems for Wireless Sensor Networks ... 18
  3.1 Introduction ... 18
  3.2 Intrusion Detection System ... 20
    3.2.1 IDS Agent Installation ... 20
    3.2.2 Detection Policy ... 21
  3.3 IDS-based Security Mechanisms for Wireless Sensor Networks ... 21
    3.3.1 Purely Distributed Approach ... 23
    3.3.2 Purely Centralized Approach ... 30
    3.3.3 Distributed-Centralized Approach ... 32
  3.4 IDS-based Security Schemes for the LEACH Protocol ... 35
    3.4.1 Intrusion Detection and Prevention ... 36
    3.4.2 Specification-based Centralized Distributed Detection Scheme ... 37
    3.4.3 Adaptive Correctness Monitoring ... 37
    3.4.4 LEACH-S ... 37
    3.4.5 Stable Election Protocol ... 37
    3.4.6 Artificial Neural Network ... 38
    3.4.7 SSLEACH ... 38
    3.4.8 Anomaly Detection System ... 38
  3.5 Summary ... 38
Chapter 4 Proposed Intrusion Detection Framework for WSNs ... 40
  4.1 Introduction ... 40
  4.2 Online Prevention ... 41
    4.2.1 Data Repository ... 42
    4.2.2 Local Auditing ... 42
  4.3 Offline Detection ... 43
    4.3.1 Data Collection ... 44
    4.3.2 Content Suppression ... 44
    4.3.3 Intrusion Detection ... 45
    4.3.4 Cognition ... 47
    4.3.5 Collaborative Inquiry ... 48
    4.3.6 Consolation ... 50
  4.4 Experiments and Analysis ... 50
    4.4.1 Trace List ... 50
    4.4.2 Attack Scenario (AS) ... 51
    4.4.3 Discussion ... 54
  4.5 Summary ... 55
Chapter 5 Securing the LEACH Protocol against Routing Attacks ... 56
  5.1 Introduction ... 56
  5.2 Proposed Security Solution for the LEACH Protocol ... 58
    5.2.1 Online Prevention ... 58
    5.2.2 Offline Detection ... 58
  5.3 Numerical Analysis of LEACH++ ... 61
    5.3.1 Normal Execution ... 61
    5.3.2 Attack Launched by Adversary ... 63
    5.3.3 LEACH++ ... 64
    5.3.4 Experiments and Discussion ... 66
  5.4 Simulation and Analysis of LEACH++ Using NS-2 ... 70
    5.4.1 Attack Implementation and LEACH Modification ... 70
    5.4.2 NS-2 Simulation Results and Discussion ... 72
  5.5 Summary ... 76
Chapter 6 Comprehensive Security Analysis of the LEACH++ Clustering Protocol ... 77
  6.1 Introduction ... 77
  6.2 False Positive Rate, Intrusion Detection Rate, and Accuracy ... 78
    6.2.1 False Positive Rate (FPR) ... 78
    6.2.2 Intrusion Detection Rate (IDR) ... 78
    6.2.3 Accuracy Rate ... 79
  6.3 Simulation Parameters and Experiment Details ... 79
  6.4 Detection Rate Analysis for the Black-hole Attack ... 80
    6.4.1 FPR Analysis ... 81
    6.4.2 IDR Analysis ... 81
    6.4.3 Accuracy Rate ... 83
  6.5 Detection Rate Analysis for the Sink-hole Attack ... 84
    6.5.1 FPR Analysis ... 84
    6.5.2 IDR Analysis ... 85
    6.5.3 Accuracy Rate ... 85
  6.6 Summary ... 86
Chapter 7 Conclusion ... 87
  7.1 Summary of the Contributions ... 87
  7.2 Future Work ... 88
References ... 89


List of Publications

The following research publications were produced as a result of the research carried out for this PhD thesis:

Patent

1. Sungyoung Lee, Farrukh Aslam Khan, Ashfaq Hussain Farooqi, "Intrusion Detection Apparatus and Method for Securing Wireless Sensor Networks", Patent No. KR101262992B1, May 2013.

Journal Publications

1. Ashfaq Hussain Farooqi, Farrukh Aslam Khan, “A survey of Intrusion Detection Systems for Wireless Sensor Networks,” International Journal of Ad Hoc and Ubiquitous Computing, Volume 9, Issue 2, 2012, Pages 69-83. [Impact Factor: 0.489]
2. Ashfaq Hussain Farooqi, Farrukh Aslam Khan, Jin Wang, Sungyoung Lee, “A novel intrusion detection framework for wireless sensor networks,” Personal and Ubiquitous Computing, Volume 17, Issue 5, 2013, Pages 907-919. [Impact Factor: 2.395]
3. Ashfaq Hussain Farooqi, Farrukh Aslam Khan, “Securing wireless sensor networks for improved performance in cloud-based environments,” Annals of Telecommunications, Volume 72, Issue 5-6, 2017, Pages 265-282. [Impact Factor: 1.412]
4. Ashfaq Hussain Farooqi, Farrukh Aslam Khan, “A Comprehensive Security Analysis of LEACH++ Clustering Protocol for Wireless Sensor Networks,” (Under Review).

Conference Publications

1. Ashfaq Hussain Farooqi, Farrukh Aslam Khan, “Intrusion Detection Systems for Wireless Sensor Networks: A Survey,” International Conference on Future Generation Communication and Networking (FGCN), CCIS (Springer), Volume 56, pp. 234-241, Jeju, South Korea, December 2009.
2. Ashfaq Hussain Farooqi, Farrukh Aslam Khan, Jin Wang, and Sungyoung Lee, “Specification based Intrusion detection scheme for Wireless Sensor Networks,” FTRA International Symposium on Advances in Cryptography, Security and Applications for Future Computing (ACSA), Jeju, South Korea, December 2011.
3. Ashfaq Hussain Farooqi, Jin Wang, Farrukh Aslam Khan and Sungyoung Lee, “Security requirements for Cyber Physical community systems - A Case Study,” Invited Paper, 4th ACM International Symposium on Applied Sciences in Biomedical and Communication Technologies, pp. 1-5, Barcelona, Spain, October 2011.


List of Figures

Figure 1: Data transmission from a sensor network to the cloud for processing and analysis ... 2
Figure 2: LEACH vs. multi-hop routing protocol ... 10
Figure 3: 24 sensor nodes communicating with the sink in a sensor network ... 12
Figure 4: (a) Node J sending data through node C, which is compromised; (b) a scenario for the sink-hole attack where node D is compromised ... 13
Figure 5: Workflow of the normal LEACH protocol ... 14
Figure 6: Common neighbors of node C and node I ... 24
Figure 7: Major components of the IDS agent in cooperative local auditing ... 24
Figure 8: Negative selection for generating the non-self string. Input: randomly generated string; output: non-self string ... 27
Figure 9: Two nodes work in a pair to check the behavior of each other ... 29
Figure 10: Monitor node ... 32
Figure 11: Proposed intrusion detection framework ... 41
Figure 12: Online prevention ... 41
Figure 13: Sending rate analysis ... 51
Figure 14: Receiving rate analysis ... 52
Figure 15: Forwarding rate analysis ... 53
Figure 16: Retransmission rate analysis ... 54
Figure 17: Workflow of the proposed LEACH++ protocol ... 57
Figure 18: Impact of sink-hole, black-hole, and selective forwarding attacks on normal LEACH with respect to throughput by varying the CHs ... 67
Figure 19: Average energy and throughput utilization by the LEACH protocol for a different number of CHs ... 68
Figure 20: Comparison of energy consumption between LEACH and LEACH++ ... 69
Figure 21: Throughput analysis. LEACH++ performs better in the attacked scenario ... 70
Figure 22: Sensor network having 101 nodes with 5 CHs and 1 BS ... 73
Figure 23: Varying cluster size as LEACH supports heterogeneous cluster formation ... 74
Figure 24: Comparison between LEACH++ and normal LEACH with respect to energy utilization ... 75
Figure 25: Throughput comparison of LEACH, attacked LEACH, and LEACH++ ... 76


List of Tables

Table 1: Parametric vs. non-parametric ... 19
Table 2: IDS-based security mechanisms for WSNs ... 22
Table 3: Data acquisition in CUSUM ... 34
Table 4: IDS-based security schemes for the LEACH protocol ... 36
Table 5: Neighborhood List (N_List) ... 42
Table 6: Malicious Node List (M_List) ... 42
Table 7: Audit Data List (A_List) at node J ... 44
Table 8: Flag List (F_List) ... 45
Table 9: Threshold List (T_List) ... 46
Table 10: Maliciousness Level List (ML_List) ... 48
Table 11: Initial Status List (S_List) of MED level malicious nodes ... 49
Table 12: Trace List ... 50
Table 13: An example of the Audit List (A_List) for normal occurrences of cluster heads ... 59
Table 14: An example of the Audit List (A_List) during SBS-F attacks ... 59
Table 15: S_List at node X ... 60
Table 16: Updated S_List ... 60
Table 17: Notations used in the numerical analysis ... 61
Table 18: Simulation parameters for the numerical analysis ... 66
Table 19: Simulation parameters for NS-2 ... 72
Table 20: Simulation parameters for the detection rate analysis ... 79
Table 21: FPR for the black-hole attack ... 81
Table 22: Example illustrating the IDR calculation ... 82
Table 23: IDR for the purely random attack pattern for the black-hole attack ... 82
Table 24: IDR for different attack patterns for the black-hole attack with 2 and 3 attackers ... 83
Table 25: Average IDR for the black-hole attack ... 83
Table 26: Accuracy rate for the purely random attack pattern for the black-hole attack ... 83
Table 27: FPR for the sink-hole attack ... 84
Table 28: IDR for the purely random attack pattern for the sink-hole attack ... 85
Table 29: Accuracy rate for the purely random attack pattern for the sink-hole attack ... 85


Nomenclature

Symbol     Description
th         Threshold
T_Rnd      Randomized number
N_List     Neighborhood list
M_List     Malicious node list
A_List     Audit data list
A_snt      Number of packets sent by a node
A_rec      Number of packets received by a node
A_fwd      Number of packets forwarded by a node
A_rtm      Number of packets retransmitted by a node
F_List     Flag list
T_List     Threshold list
ML_List    Maliciousness level list
N_Claim    Number of claims
C_List     Claim list
S_List     Initial status list
nA         Number of attacker nodes
AS         Attack scenario
CH         Cluster head
ADV_CH     Advertisement packet sent by a node to become CH for that round
JOIN_REQ   Packet to join a cluster
E1         Energy used by a node when sending a message to its CH, and vice versa
E2         Energy used when a CH sends a message to the BS, and vice versa
E_Setup    Total energy used by the sensor nodes during the setup phase
E_Steady   Total energy used by the sensor nodes during the steady phase
T_Nodes    Total number of sensor nodes in the sensor field
T_CHeads   Total number of CHs
C_CHeads   Number of compromised sensor nodes
N_Data     Number of data messages sent by each node to its CH in 1 s
C_Data     Number of data messages sent by a CH to the BS in 1 s
R_Sec      Length of a round in seconds (rounds are assumed to have a fixed length)
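The two operating modes summarized in the abstract and the per-node lists named above (N_List, M_List, A_List, F_List, ML_List, C_List) can be sketched as one node's IDS agent. The following Python model is an added illustration and not code from the thesis: the specification rules, the T_List threshold values, the maliciousness-level mapping and the N_Claim count it uses are assumed for the illustration, and the FPR, IDR and accuracy functions use the standard confusion-matrix definitions rather than the thesis's own formulas.

```python
# Added illustration, not the thesis's own code: one node's IDS agent following
# the workflow outlined in the abstract (online prevention, offline detection)
# and the lists of the nomenclature. ASSUMED here: the specification rules, the
# T_List values, the level mapping and the claim count N_CLAIM for M_List entry.
from dataclasses import dataclass


@dataclass
class AuditRecord:
    """One A_List row: what this node observed about one neighbour in an epoch."""
    a_snt: int = 0  # packets the neighbour originated
    a_rec: int = 0  # packets handed to the neighbour for forwarding
    a_fwd: int = 0  # packets the neighbour actually forwarded
    a_rtm: int = 0  # packets the neighbour retransmitted


T_LIST = {"min_fwd_ratio": 0.8, "max_rtm_ratio": 0.5}  # T_List (assumed values)
N_CLAIM = 2  # assumed: distinct neighbour claims needed before declaring a node malicious


class NodeAgent:
    def __init__(self, node_id, neighbours):
        self.node_id = node_id
        self.n_list = set(neighbours)  # N_List
        self.m_list = set()            # M_List
        self.a_list = {}               # A_List: neighbour -> AuditRecord
        self.f_list = {}               # F_List: neighbour -> violated specifications
        self.ml_list = {}              # ML_List: neighbour -> maliciousness level

    # ---- online prevention: consulted on every packet on the data path ----
    def accept_packet(self, src):
        """Accept only traffic from known neighbours that are not in M_List."""
        return src in self.n_list and src not in self.m_list

    # ---- offline detection: run once per epoch ----
    def collect(self, neighbour, **counts):
        """Data collection: add observed counters to the neighbour's A_List row."""
        rec = self.a_list.setdefault(neighbour, AuditRecord())
        for name, value in counts.items():
            setattr(rec, name, getattr(rec, name) + value)

    def detect(self):
        """Intrusion detection: compare each A_List row with T_List, fill F_List."""
        self.f_list = {}
        for n, rec in self.a_list.items():
            flags = []
            # a relay that forwards far less than it receives (black-hole-like)
            if rec.a_rec and rec.a_fwd / rec.a_rec < T_LIST["min_fwd_ratio"]:
                flags.append("low_forwarding")
            # a node that retransmits most of its own traffic (lossy or misbehaving)
            if rec.a_snt and rec.a_rtm / rec.a_snt > T_LIST["max_rtm_ratio"]:
                flags.append("high_retransmission")
            if flags:
                self.f_list[n] = flags
        return self.f_list

    def cognition(self):
        """Cognition: map the number of violated specifications to a level (assumed)."""
        self.ml_list = {n: "HIGH" if len(f) >= 2 else "MED"
                        for n, f in self.f_list.items()}
        return self.ml_list

    def collaborative_inquiry(self, suspect, claims):
        """Collaborative inquiry: `claims` is the C_List of neighbours that also
        flagged `suspect`. Only a locally suspected node backed by N_CLAIM distinct
        claims enters M_List; a lone local flag (e.g. a lossy link) is not enough."""
        if suspect in self.ml_list and len(set(claims)) >= N_CLAIM:
            self.m_list.add(suspect)
        return suspect in self.m_list


def detection_metrics(all_nodes, declared, truth):
    """FPR, IDR and accuracy (the Chapter 6 metrics) from declared vs. real attackers."""
    tp = len(declared & truth)
    fp = len(declared - truth)
    fn = len(truth - declared)
    tn = len(all_nodes - declared - truth)
    return {
        "FPR": fp / (fp + tn) if fp + tn else 0.0,
        "IDR": tp / (tp + fn) if tp + fn else 0.0,
        "accuracy": (tp + tn) / len(all_nodes),
    }


def run_epoch():
    """Constructed scenario: node J audits neighbours A-D; C silently drops
    relayed traffic, D merely sits on a lossy link and retransmits a lot."""
    j = NodeAgent("J", ["A", "B", "C", "D"])
    j.collect("A", a_snt=40, a_rec=30, a_fwd=29, a_rtm=3)
    j.collect("B", a_snt=35, a_rec=20, a_fwd=19, a_rtm=2)
    j.collect("C", a_snt=10, a_rec=50, a_fwd=4, a_rtm=1)    # black-hole-like
    j.collect("D", a_snt=38, a_rec=25, a_fwd=25, a_rtm=30)  # many retransmissions
    j.detect()
    j.cognition()
    j.collaborative_inquiry("C", claims=["A", "B"])  # A and B flagged C as well
    j.collaborative_inquiry("D", claims=[])          # nobody else flagged D
    return j
```

Comparing `detection_metrics` over the local F_List with the same metrics over the final M_List shows why the inquiry step matters: D is a local false positive that corroboration filters out.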


Chapter 1

Introduction

1.1 Motivation

In a few years, many businesses will shift toward the use of cloud computing because of its decentralized processing and storage of data and its online access to computing services. Cloud computing will play a major role in providing healthcare services to smart homes, healthcare institutes, e-healthcare systems, and people at remote locations. Wireless medical sensor networks (MSNs) are the building blocks of remote health monitoring systems. To minimize the limitations of MSNs (computational power, data storage, and communication range/bandwidth) as standalone systems, these networks have been integrated with cloud computing environments.

Smart hospitals are equipped with many sensor devices that send critical information to the base station (BS) for monitoring the activities of patients. The data collected from patients may be transferred to the cloud for high-performance computation, and this data would be accessible to doctors from remote locations. This increases data utilization and also helps healthcare experts provide a prompt response. Similarly, cloud computing will make it easier for healthcare institutes to perform their tasks online.

The vehicular cloud computing model combines different networking paradigms, such as mobile ad hoc networks (MANETs), wireless sensor networks (WSNs), vehicular ad hoc networks (VANETs), and cloud computing, to facilitate new trends in traffic management, road safety and intelligent transportation systems (ITS). The model provides a framework for future transportation systems that protect vehicles from accidents on the road, determine the condition of vehicles or drivers using sensors, supply better assistance in case of emergency, provide healthcare services to passengers while traveling, discover the shortest reliable routes to the destination, and provide entertainment.

Cloud computing offers the capability to access shared resources and common infrastructure in a ubiquitous and pervasive manner. The computation and analysis performed in the cloud depend on the accuracy of the data received from the sensor nodes. Healthcare-based cloud products offer services in all three layers of the cloud. They may be used for recording health-related data, examining patients, and managing diseases. They enable easy collaboration and communication with peers and help in the analysis of the gathered data. Healthcare organizations, ITS, smart home users, and others may use the cloud to analyze data and better serve the end user, as shown in Figure 1. The sensors collect data from the devices (whether medical or other appliances) and send that data to a central location for storage and processing. These central locations are maintained in the cloud, which stores and processes all the data received from the sensors. Hence, the user may also diagnose or analyze records from a remote location and assist the patient accordingly.

Figure 1: Data transmission from a sensor network to the cloud for processing and analysis

It is also observed that a patient's health could be seriously threatened by a malicious adversary, and traditional security techniques may not be suitable in such a case. To provide cloud services to smart homes, vehicle passengers, mobile users, healthcare institutes, etc., a reliable network is required that ensures zero tolerance toward the loss of sensor data. WSNs use a wireless medium and provide ad hoc access to resources; therefore, they are more vulnerable to security threats than wired networks. Sensor nodes are self-controlled and an easy target for attacks by adversaries.

Mostly, security is not considered during the design of routing protocols for WSNs. Therefore, most routing protocols are vulnerable to security threats. Different models have been presented to counter this problem, but these approaches show limitations. Hence, a security model is required that can be added to insecure routing protocols to make them resilient against routing attacks.

1.2 Problem statement

The fundamental purpose of this work is to propose a novel framework that, once added to an insecure routing protocol, makes it resilient against routing attacks. Security is a major concern for all types of network paradigms, whether wired or wireless. The vision for the security of a network is secure transmission and reliable delivery of packets from a source to the destination. In WSNs, key management, authentication and secure routing protocols provide secure transmission but lack reliable delivery of messages. In other words, these mechanisms can protect the network from outside attacks but fail against inside attacks. These mechanisms aim to provide data confidentiality, data authentication and data integrity. In an outside attack, when an intruder tries to gain access to the data, these mechanisms protect the secret information. During an inside attack, a sensor node that is part of the sensor network starts behaving maliciously without trying to access the data in the message. These attacks aim to affect the throughput of the network (i.e., by dropping received packets without forwarding them). Hence, critical information that is important for making decisions regarding the sensor field will not reach the sink or BS.

An intrusion detection system (IDS) provides a mechanism to detect anomalous behavior that deviates from the normal. Several IDS-based security mechanisms have been proposed that analyze the working of sensor nodes and detect abnormal activities. They differ from each other in two ways: the installation of the IDS agent and the detection policy. It is important to note that most of the proposed approaches focus on the detection policy only. They provide anomaly-based detection, which uses more power and computation. Secondly, there are purely centralized or centralized-distributed solutions that show limitations with respect to the scalable nature of sensor networks and self-controlled sensor nodes, respectively. Thirdly, there are IDS-based solutions, but they are not thoroughly evaluated with respect to throughput and energy consumption. They also lack the detection rate analysis that shows their false positive and intrusion detection rates. The majority of these approaches target a specific application rather than providing a complete, efficiently tested solution.

The above-mentioned challenges form a set of objectives, summarized as follows:

• To propose a novel technique based on an intrusion detection system, which is complete with respect to data acquisition, detection policy and the actions to be taken once malicious behavior is detected.

• To propose a purely distributed security scheme that works independently and communicates the anomalous behavior to the BS.

• To propose a lightweight solution that performs efficiently with respect to energy efficiency and throughput.

• To propose a solution that achieves a low false positive rate and a high detection rate.

1.3 Research Methodology

In this dissertation, the following research methodology is adopted to design a generic framework for an intrusion detection system.

1. In the first step, a comprehensive survey of related work is carried out, with a special focus on highlighting the weaknesses of existing intrusion detection systems.

2. In the second step, a novel detection framework is proposed and discussed thoroughly with respect to data acquisition, detection policy and the actions to be taken once malicious behavior is detected.

3. In the third step, experiments are performed to show that a purely distributed detection policy suits WSNs better than a centralized-distributed detection scheme.

4. In the fourth step, the effectiveness of the proposed solution is validated by numerical experimentation and NS2 simulation after modifying the well-known clustering routing algorithm LEACH.

5. Lastly, detection rate analysis is done to show that the proposed scheme achieves a low false positive rate and a high detection rate.

1.4 Dissertation Contributions

In this research work, a novel intrusion detection system is proposed to safeguard WSNs from inside attacks. It is further thoroughly tested by adding its features to the clustering routing protocol LEACH. To achieve the above objectives, the following contributions are made:

• A detailed discussion and analysis of the existing IDS-based solutions for WSNs is presented. These solutions are categorized into three categories: purely centralized, purely distributed and distributed-centralized. In the first approach, the IDS is installed only at the sink or BS, whereas in the second approach an IDS agent is present in every sensor node. In the third approach, only monitor nodes are used for intrusion detection. Purely centralized IDS approaches are power-efficient because the most powerful part of the network (the sink or BS) detects intrusions. However, these techniques are complex and require a specialized routing protocol that gathers data from each sensor node to the BS or sink for anomaly detection. On the other hand, purely distributed IDS techniques are not energy-efficient because an IDS agent is installed in every node, which adds computation and power consumption at the node level. The distributed-centralized IDS approach suits WSNs in terms of energy consumption and complexity, but it has its own constraints.

Ashfaq Hussain Farooqi, Farrukh Aslam Khan, “A survey of Intrusion Detection Systems for Wireless Sensor Networks,” International Journal of Ad Hoc and Ubiquitous Computing, Volume 9, Issue 2, 2012, Pages 69-83. [Impact Factor: 0.489].

• A novel intrusion detection framework to secure wireless sensor networks from routing attacks. The proposed approach is explained thoroughly using a flat wireless sensor network scenario. We test the specification-based detection scheme proposed for the presented example. The results show that the specification-based detection scheme achieves a higher detection rate and a low false positive rate. These results also indicate that each node should be treated independently in WSNs, and that centralized-distributed detection schemes may fail to identify whether the network behavior is normal or under attack. Therefore, a purely distributed security system is more appropriate for WSNs.

Ashfaq Hussain Farooqi, Farrukh Aslam Khan, Jin Wang, Sungyoung Lee, “A novel intrusion detection framework for wireless sensor networks,” Personal and Ubiquitous Computing, Volume 17, Issue 5, 2013, Pages 907-919. [Impact Factor: 2.395].

Sungyoung Lee, Farrukh Aslam Khan, Ashfaq Hussain Farooqi, “Intrusion Detection Apparatus and Method for Securing Wireless Sensor Networks”, Patent No. KR20130020406 (A), 2011.

• Modified the low-energy adaptive clustering hierarchy (LEACH) protocol for WSNs and added intrusion detection functionality to secure WSNs from sinkhole, blackhole, and selective forwarding attacks. We analyzed the energy consumption and throughput of the proposed LEACH++ protocol both numerically and using the NS-2 simulator. The results show that LEACH++ achieves more throughput than LEACH during an attack, while it does not affect the overall energy consumption of the system. The proposed intrusion detection framework (IDF) is lightweight and does not put much burden on the LEACH protocol with respect to memory utilization and computation. The proposed protocol can be effectively used for cloud-based WSN environments.

Ashfaq Hussain Farooqi, Farrukh Aslam Khan, “Securing wireless sensor networks for improved performance in cloud-based environments,” Annals of Telecommunications, Volume 72, Issue 5-6, 2017, Pages 265–282. [Impact Factor: 1.412]

• An IDS monitors the activities of the sensor field and interprets whether these activities are normal or malicious. There is a chance that the IDS considers a normal activity abnormal and raises an alarm about the maliciousness of the node, and vice versa: there is an abnormal activity, but the IDS cannot judge it as malicious. Hence, proposed IDS schemes need to be tested against detection rates. Commonly, proposed schemes are tested for false positive rates and intrusion detection rates. In this work, we performed the detection rate analysis for the proposed LEACH++, which uses a specification-based detection scheme to detect malicious nodes.

Ashfaq Hussain Farooqi, Farrukh Aslam Khan, “A Comprehensive Security Analysis of LEACH++ Clustering Protocol for Wireless Sensor Networks,” Submitted.

1.5 Thesis Organization

Chapter 2 explains the requirement of a security solution for cloud-based WSN environments. In this chapter, we discuss the security issues of wireless sensor networks and the LEACH routing protocol. Various types of attacks are briefly discussed, along with the way they occur and how they might be countered.

Chapter 3 contains a comprehensive survey of security schemes previously proposed for wireless sensor networks. These approaches are classified into three categories based on IDS agent installation. A survey of IDS-based solutions for the LEACH protocol is also presented here.

Chapter 4 covers the proposed intrusion detection framework and details its working. The proposed framework works in two modes: offline detection and online prevention. The working of these modes is explained thoroughly by considering an example of a flat sensor network. Further, the adoption of a distributed detection scheme over a centralized one is tested by simulation.

Chapter 5 focuses on the inclusion of the intrusion detection framework in the LEACH routing protocol to make it resilient against inside attacks. We also explain how our proposed security framework may be added to the actual LEACH protocol. The chapter also presents the experiments carried out on the actual LEACH, attacked LEACH and modified LEACH. Experiments are carried out both numerically and by simulation in NS-2. Results show that the performance of the LEACH protocol degrades under attack and that the modification improves the performance even when an attack is launched.

Chapter 6 presents the detection rate analysis of the proposed intrusion detection framework. We simulate LEACH++ by launching various numbers of attacks (1, 2, and 3) in different patterns (PR, OL, and ST) for different configurations (CR-2, CR-3, and CR-4) to determine the intrusion detection, false positive, and accuracy rates.

Chapter 7 provides a detailed summary of the contributions made in this thesis. It further elaborates the future work that can add significant improvements to the given area of research.


Chapter 2

Background

2.1 Introduction

Cloud computing has great potential to assist in storing and processing data collected from sensors placed in any environment, such as smart homes, vehicles, hospitals, enemy surveillance areas, volcanoes, oceans, etc. The sensors may be deployed or implanted to inspect physical aspects of the external environment, such as temperature, moisture, humidity, pressure, motion, magnetic fields, light, sound, gravity, vibration, electrical fields, and others, or to inspect physical aspects of the internal environment, such as the motion of an organism, glucose level, oxygen level and others. The data recorded by these sensors can further be used for several applications implemented in the cloud as well as other services. Recently, many businesses have shifted toward the use of cloud computing because of its decentralized processing and storage of data and online access to computing services. Cloud computing will play a major role in providing healthcare services to smart homes, healthcare institutes (Rolim, et al. 2010) (Doukas and Maglogiannis 2011), e-healthcare systems (J. Zhou, et al. 2015), and people at remote locations. Wireless medical sensor networks (MSNs) are the building blocks of remote health monitoring systems. To minimize the limitations of MSNs (computational power, data storage, and communication range/bandwidth) as standalone systems, these networks have been integrated with cloud computing environments (Hayajneh, et al. March 2016). Smart hospitals are equipped with different types of sensor devices that send critical information to the base station (BS) for monitoring the activities of patients. The data collected from patients may be transferred to the cloud for high-performance computation, and this data would be accessible to doctors from remote locations. This increases data utilization and also helps healthcare experts provide a prompt response. Similarly, cloud computing will make it easier for healthcare institutes to perform their tasks online.

The vehicular cloud computing model combines different networking paradigms, such as mobile ad hoc networks (MANETs), wireless sensor networks (WSNs), vehicular ad hoc networks (VANETs), and cloud computing, to facilitate new trends in traffic management, road safety, and intelligent transportation systems (ITS) (Farooqi, Khan and Wang, et al. 2013). The model provides a framework for future transportation systems that protect vehicles from accidents on the road, determine the condition of vehicles or drivers using sensors, supply better assistance in case of emergency, provide healthcare services to passengers while traveling, discover the shortest reliable routes to the destination, and provide entertainment.


Research in RFID (radio frequency identification) has given birth to radio frequency identification sensor networks (RSNs) (Buettner, et al. 2009), which bind together the advantages of RFID and WSNs. These networks will become visible in our daily life as a lot of research is in progress on their various applications. On the other hand, a WSN deployed to track the movement of an enemy can provide very critical information for making a strategy to defeat the enemy in that area.

Current research trends show that the WSN-based Internet of Things (IoT) is a hot research topic. In one recent work, an environmental monitoring model is proposed that uses WSNs based on IoT (Jaladi, et al. 2017), while in (Shinde and Prasad 2017) a system is presented that assists in animal health care and benefits farmers by using WSN technology and IoT applications. Research is also in progress to integrate cloud computing with IoT to enable a large number of application scenarios. A novel paradigm, called CloudIoT, is proposed to merge cloud computing and IoT (Botta, et al. 2016); its authors discuss several challenges and open research areas related to the integration of these two technologies. According to (Aazam, et al. 2015), a lot of data is generated by WSNs and IoT; hence, there will be a need for the integration of IoT and cloud computing, termed the Cloud of Things (CoT). These research works show that WSNs will play a major role in future technologies in the development of the cyber-physical society.

Cloud computing offers the capability to access shared resources and common infrastructure in a ubiquitous and pervasive manner (Siqi, David and X. 2016). The computation and analysis performed in the cloud depend on the accuracy of the data received from the sensor nodes. Healthcare-based cloud products offer services in all three layers of the cloud (Zhang and Liu 2010) (Tan and Wang 2010) (Sultan 2014). They may be used for recording health-related data, examining patients, and managing diseases. They enable easy collaboration and communication with peers and help in the analysis of the gathered data. Healthcare organizations, ITS, smart home users, and others may use the cloud to analyze data and better serve the end user. The sensors collect data from the devices (whether medical or other appliances) and send that data to a central location for storage and processing. These central locations are maintained in the cloud, which stores and processes all the data received from the sensors. Hence, the user may also diagnose or analyze records from a remote location and assist the patient accordingly.

It is also observed that a patient's health could be seriously threatened by a malicious adversary, and traditional security techniques may not be suitable in such a case (Camara, Peris-Lopez and Tapiador 2015). To provide cloud services to smart homes, vehicle passengers, mobile users, healthcare institutes, etc., a reliable network is required that ensures zero tolerance toward the loss of sensor data (Haque and Aziz 2015). WSNs are distributed, infrastructure-less, fault tolerant, scalable and dynamic in nature (Akyildiz, Su, et al. 2002). These networks are low cost and easy to install in an area. They are built upon small, low-power and self-controlled nodes called sensor nodes. These nodes have small memory, little computation capacity and a short lifetime. They gather useful information from their surroundings and transmit it to the user-controlled system, BS or sink for analysis. Sensor nodes are densely deployed in the sensor field. They maintain a topology and start sensing the environment. Data gathered from the surroundings is processed and transmitted to the BS or sink using a routing protocol. Their topology is dynamic and changes frequently due to the limitations of the sensor nodes. Sensor nodes may get damaged due to heavy wind, rain, sunshine, animals, etc., or their battery may be exhausted. Here, the routing protocol plays an important role because nodes leave or join the sensor network at irregular intervals. Many routing protocols have been proposed for WSNs (Akkaya and Younis 2005), including multi-hop, hierarchical and location-based routing protocols.

Security is a major concern for all types of network paradigms (Tellez, El-Tawab and Heydari 2016), whether they are wired networks, mobile ad hoc networks (Swain, Pattanayak and Pati 2017), cloud-based networks (Raj and Bhaskaran 2017), IoT (J. Zhou, et al. 2017), or others. The vision for the security of a network is secure transmission and reliable delivery of packets from a source to the destination. In WSNs, key management, authentication (Liu, et al. 2005) and secure routing protocols provide secure transmission but lack reliable delivery of messages. In other words, these mechanisms can protect the network from outside attacks but fail against inside attacks. These mechanisms aim to provide data confidentiality, data authentication and data integrity. In an outside attack, when an intruder tries to gain access to the data, these mechanisms protect the secret information. During an inside attack, a sensor node that is part of the sensor network starts behaving maliciously without trying to access the data in the message. These attacks aim to affect the throughput of the network (i.e., by dropping received packets without forwarding them). Hence, critical information that is important for making decisions regarding the sensor field will not reach the sink or BS.

WSNs are vulnerable to several types of security threats that can degrade the overall performance of these networks (Ghosal and Halder 2017). According to (Wood and Stankovic 2002), various attacks are possible on different layers of the sensor node that may cause denial of service (DoS) in WSNs. In (Karlof and Wagner 2003), the authors discuss various routing protocol attacks that affect the throughput of the sensor network. The possibility of the Sybil attack in WSNs is briefly discussed in (Newsome, et al. 2004), where some countermeasures for these attacks are also presented. In another work, the authors cover several possible attacks that can be launched with malicious intent (Roosta, Shieh and Sastry 2006); this paper provides a comprehensive taxonomy of security threats on sensor networks. In (Bojkovic, Bakmaz and Bakmaz 2008), the authors conduct a survey on security issues of WSNs. They focus on various attack scenarios in WSNs and key distribution mechanisms. According to them, the intrusion detection system is an underdeveloped service for sensor networks that should be explored. In (Nayak, Bhiwani and Lvanaya 2015), the authors discuss the impact of black-hole and sink-hole attacks on routing protocols for WSNs.

In this dissertation, we performed experiments first considering an example of a flat WSN and later using a hierarchical routing protocol known as low energy adaptive clustering hierarchy (LEACH). A flat WSN uses multi-hop communication, while in hierarchical sensor networks the communication is performed in two ways: node to cluster head (CH) and CH to BS, as shown in Figure 2.


Figure 2: LEACH vs. Multi-hop routing protocol

The LEACH protocol is energy-efficient compared to multi-hop routing protocols. In LEACH, cluster nodes sense and send the sensed data to the CH in their allocated TDMA slots. The CH aggregates the data received from all cluster nodes and transmits it to the BS. In a multi-hop routing protocol, by contrast, a sensor node finds a route to the BS and then uses it for communication whenever it senses anything. Thus, this process utilizes energy at each node, and the overall energy consumption is more than that of a clustering routing protocol.

In (Yassen, Aljawaerneh and Abdulraziq 2016), the authors surveyed various security solutions proposed for the LEACH protocol that aim to provide resilience against outside attacks by securing the data. These schemes enable the LEACH protocol to deal with secure transmission but fail to handle reliable transmission. In (Masdari, Bazarchi and Bidaki 2013), the authors discussed the security issues faced by the LEACH protocol and the schemes proposed to handle them. They presented a comparison between different cryptography-based solutions for LEACH and trust-based clustering schemes in WSNs. They concluded that these approaches put more burden on the working of the LEACH protocol and affect the energy utilization and lifetime of the sensor nodes. They also highlighted the requirement of an energy-efficient security solution for WSNs. In (Farooqi and Khan 2017), we presented the numerical analysis and NS2 simulations to establish the energy efficiency of LEACH++. Results showed that LEACH++ achieves higher throughput than LEACH under attack and puts less burden on the LEACH protocol with respect to energy consumption. Sundararajan et al. propose a centralized intrusion detection system where the BS is responsible for calculating the intrusion percentage or maliciousness level of the sensor nodes (Sundararajan and Arumugam 2015). Here, the intrusion percentage is calculated based on the number of messages sent or received by the CHs. In (Farooqi, Khan and Wang, et al. 2013), we have argued against the use of a purely centralized approach for securing WSNs with results obtained from simulations. It is also discussed that such a scheme does not suit WSNs, which are infrastructure-less and where nodes are self-organized. Various security threats that may degrade the performance of WSNs are discussed in the following sub-sections.

2.2 Security Issues in Flat Wireless Sensor Networks

Security is one of the major challenges for wireless networks, particularly wireless ad hoc and sensor networks. These networks are more vulnerable to attacks than wired networks because they are infrastructure-less and dynamic in nature. According to (Cordeiro and Agrawal 2006), “WSNs can be considered as a special case of ad hoc networks with reduced or no mobility”. Ad hoc networks have several similarities with sensor networks, such as no infrastructure, distributed nodes and dynamic topology, while sensor networks differ in various aspects.

Sometimes, a legitimate user cannot communicate with other users in the network or with the server, even though rights have been granted by the network administrator. This might be due to a DoS attack. In these attacks, legitimate users are not able to communicate properly with the server or other nodes. They affect various layers of the protocol stack of the node, whether it is a laptop, mobile host or any other device. Security mechanisms are modelled for different networks keeping in view the possibility of these attacks.

Our discussion of security issues is incomplete without a proper definition of a compromised node, because these attacks are launched by the adversary by attacking the sensor node. When an adversary gains control over a node after its deployment, it becomes a compromised node. The adversary can launch various types of attacks by altering the node's configuration, i.e., adding malicious data to messages, selective forwarding, black-hole attack, etc. The node still appears normal and performs the activities of a legitimate node. DoS attacks may be launched in many ways in WSNs. IDS-based security mechanisms have mainly focused on network or routing protocol attacks. In (Karlof and Wagner 2003), the authors provide detailed information about various routing attacks. In this section, we discuss several attacks that target the routing protocol or network layer, such as selective forwarding, black-hole, sink-hole, worm-hole, homing and HELLO flood attacks.

HELLO Flood Attack

It is a common attack in networks, whether wired or wireless. In WSNs, it is launched by a compromised node that sends HELLO messages to its neighbors to exhaust their batteries and create congestion, so that they do not work properly. A sensor node that malfunctions due to physical damage may cause this attack too.

Homing Attack

A compromised node can be configured so that when it receives rebroadcast messages, it does not forward them, because it treats these messages as destined for itself.

Selective Forwarding

In this type of attack, the compromised node selectively forwards messages to other nodes and drops a fraction of them. The fraction of dropped packets depends on the configuration chosen by the adversary, and sometimes it is even configured which nodes' messages should be forwarded or dropped. Consider the sensor network shown in Figure 3. Let node C selectively forward the received packets: it drops a fraction t of the packets and forwards the others. This attack is difficult to detect because the node still forwards packets.

Figure 3: 24 sensor nodes communicating with sink in a sensor network.

Black-hole Attack

A compromised node sends wrong routing information to its neighbors, claiming that it has a low-cost route to the sink or BS. Neighbor nodes may start sending packets through this node. Whether it drops all the packets or does something else depends on its configuration.

Suppose node C is compromised by an adversary and starts sending wrong routing information to its neighbors A, D, F, I and J, as shown in Figure 4(a). A and D will not change their routes because they are very near the sink, but node J will start sending data to node C to route to the sink, because C appears to offer the shortest route. Here the target node J lies in the main stream of data flowing to the BS, so now more than half of the network nodes send data through node C. As a result, the sink receives far fewer updates about the sensor field.

Sink-hole Attack

In the sink-hole attack, the compromised node tries to attract more attention from its surroundings and to become the parent node of its neighbors (Jahandous and Ghassemi 2017). In the MintRoute routing protocol, the compromised node sends wrong information in its route update message and becomes the parent (Giannetsos, Krontiris and Dimitriou 2008). If it succeeds, more traffic moves to that node, namely messages from its neighbors and the neighbors' children. It usually drops all the packets it receives, so the BS receives less information from the sensor network.


Consider the topology in Figure 4 and suppose node D is compromised by an adversary. It sends messages to its neighbors and tries to become the parent (in the case of MintRoute) or to appear as the sink. The neighbors of node D update their routes; the affected nodes are C, E and J, as shown in Figure 4(b). These nodes start communicating with D, where their packets might be dropped. Node D receives the majority of the data packets that should be routed to the sink, so the sink or BS gets incomplete information about the sensor field.

Figure 4: (a) Node J sending data through node C which is compromised (b) A scenario

for the sink-hole attack where node D is compromised

Worm-hole Attack

A compromised node tunnels messages received in one part of the network over a low-latency link and replays them in a different part (Tun and Maw 2008). This attack works in a cooperative manner: two or more compromised nodes degrade performance by tunneling as many messages as possible between each other. Sensor nodes can overhear messages in promiscuous mode even when they are not destined for them. In WSNs, this attack can easily be launched in different ways, for example by high-powered transmission. Nodes think that by using the tunnel they can route their messages in fewer hops, because the two end points of the tunnel appear to be near each other. An attacker can disrupt the normal operation of the routing protocol through this tunneling and can control various routes.

2.3 Security Issues in a Hierarchical Wireless Sensor Networks

Routing protocols allow sensor nodes to communicate with the BS and vice versa. (Heinzelman, Chandrakasan and Balakrishnan 2000) presented an energy-efficient hierarchical routing protocol for WSNs called low-energy adaptive clustering hierarchy (LEACH). The LEACH protocol works in rounds, and each round is composed of two phases, a setup phase and a steady phase, as shown in Figure 5. The setup phase takes less time, while the steady phase lasts for a longer period. In the setup phase, sensor nodes form clusters and a cluster head (CH) is set for each cluster (Heinzelman, Balakrishnan and Chandrakasan 2002). Different clusters use different timings to avoid collisions among the cluster nodes. Sensor nodes send data messages to their CHs in the steady phase, and these CHs deliver the aggregated message to the BS.

• Setup phase: When the sensor nodes are deployed in a sensor field, they first elect CHs to form a hierarchy for sending data messages to the BS. The CHs broadcast an ADV_CH message telling other nodes to join their cluster. Each sensor node calculates the minimum distance towards the BS for each choice of CH, selects the CH through which it has the minimum distance to the BS, and sends a JOIN_REQ message to it. The CH then makes a schedule that allows the sensors to share data with it in slotted time. Different clusters use different timings to avoid collisions among the cluster nodes.

• Steady phase: Once the sensor nodes have selected an appropriate CH and become part of a cluster, they sense the environment and send data messages to their CHs in their TDMA slots. The CHs are responsible for delivering the aggregated data message to the BS. Hence, LEACH avoids extra usage of energy.

Figure 5: Workflow of normal LEACH protocol
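The following is an added toy model of one LEACH round written for this section; it is not code from the thesis or the original LEACH implementation. The node coordinates, the BS position, the cluster heads elected for the round and the sensor readings are constructed sample values, and the join rule follows the description above (a node joins the CH through which its distance to the BS is smallest).

```python
import math
from collections import defaultdict

# Constructed sample field: node id -> (x, y) position; the BS sits at (50, 100).
BS = (50.0, 100.0)
NODES = {
    "A": (10.0, 10.0), "B": (30.0, 20.0), "C": (20.0, 40.0), "D": (60.0, 20.0),
    "E": (90.0, 30.0), "F": (10.0, 70.0), "G": (80.0, 60.0), "H": (60.0, 80.0),
}
# Constructed: the nodes elected as CH for this round (LEACH elects them randomly).
CLUSTER_HEADS = {"C", "G"}


def dist(p, q):
    """Euclidean distance between two points."""
    return math.hypot(p[0] - q[0], p[1] - q[1])


def setup_phase(nodes, cluster_heads, bs=BS):
    """Setup phase of one LEACH round.

    Each CH broadcasts ADV_CH. Every other node computes, for each CH, the
    distance to the BS via that CH (node->CH + CH->BS), picks the CH giving
    the minimum and sends it a JOIN_REQ. Each CH then builds a TDMA schedule
    for its members. Returns (clusters, schedule):
      clusters: CH -> list of member node ids (in join order)
      schedule: CH -> {member: slot index}
    """
    clusters = defaultdict(list)
    for nid, pos in nodes.items():
        if nid in cluster_heads:
            continue
        best_ch = min(
            cluster_heads,
            key=lambda ch: dist(pos, nodes[ch]) + dist(nodes[ch], bs),
        )
        clusters[best_ch].append(nid)  # JOIN_REQ to the chosen CH
    # One slot per member. Distinct clusters would additionally use distinct
    # timings so that neighbouring clusters do not collide (not modelled here).
    schedule = {
        ch: {member: slot for slot, member in enumerate(members)}
        for ch, members in clusters.items()
    }
    return dict(clusters), schedule


def steady_phase(clusters, readings):
    """Steady phase: each member sends one reading in its TDMA slot, the CH
    aggregates (mean, including its own reading) and delivers a single
    message per cluster to the BS. Returns CH -> aggregated value."""
    delivered = {}
    for ch, members in clusters.items():
        values = [readings[m] for m in members] + [readings[ch]]
        delivered[ch] = sum(values) / len(values)
    return delivered


def run_round(nodes=NODES, cluster_heads=CLUSTER_HEADS, readings=None):
    """One complete LEACH round; returns (clusters, schedule, delivered)."""
    if readings is None:
        # Constructed sample readings, one per node: A=1.0, B=2.0, ...
        readings = {nid: float(i + 1) for i, nid in enumerate(nodes)}
    clusters, schedule = setup_phase(nodes, cluster_heads)
    delivered = steady_phase(clusters, readings)
    return clusters, schedule, delivered


if __name__ == "__main__":
    clusters, schedule, delivered = run_round()
    for ch in clusters:
        print(f"CH {ch}: members={clusters[ch]} slots={schedule[ch]} "
              f"aggregate sent to BS={delivered[ch]:.2f}")
```

With the constructed field, nodes A, B and F join CH C and nodes D, E and H join CH G, so the BS receives two aggregated messages per round instead of eight individual ones.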

LEACH avoids extra usage of energy, but it is considered vulnerable to different types of attacks (Tripathi and Laxmi 2013) (Karlof and Wagner 2003) (Ferreira, et al. 2005) (Zhang, Wang and Wang 2008) (Wu, Hu and Ni 2008) (Su, et al. 2005). The literature review shows that most work has been done on providing privacy and authentication for the data, while few papers address the reliable transmission of data (Sundararajan and Arumugam 2015). To ensure reliable delivery of data to the BS, from where it is further transferred to the cloud, a secure and reliable routing protocol is required. Most routing protocols are designed without considering security as a key feature and focus more on energy efficiency and throughput. Hence, they are vulnerable to routing attacks that may have a fatal effect on their performance. In this work, we consider three attacks that launch their impact in a similar way during the setup phase of LEACH: the sink-hole, black-hole and selective forwarding (SBS-F) attacks. Here, a compromised node tries to become a CH in order to behave maliciously.

Black-hole attack

This is one of the most serious security problems for WSNs. A compromised node uses the routing protocol to advertise wrong information to its neighbors in order to intercept more packets from the neighborhood, and then drops all of them (Deng, Li and Agrawal 2002) (Al-Shurman, Yoo and Park 2004). In LEACH, a compromised node advertises ADV_CH in each round so as to become CH in every round. Once it becomes the CH of some n nodes, it starts dropping all the packets that it should send to the base station.

Selectively forwarding attack

This attack is more effective because the compromised node drops sensitive packets, such as a packet that reports the movement of the enemy at a specific time. In LEACH, the node that communicates with the BS is the CH. Hence, the compromised node first tries to become the CH and then selectively forwards packets while dropping a fraction of the incoming ones.

Sink-hole attack

This is among the more intelligent attacks in WSNs. The compromised node makes itself more attractive to the neighboring nodes with respect to the routing metric and thereby attracts as much traffic as possible (Karlof and Wagner 2003) (Giannetsos, Krontiris and Dimitriou 2008). Hence, the compromised node receives many data messages, which allows the adversary to launch severe attacks such as dropping all or a fraction of the packets, or modifying them.

In LEACH, a compromised node advertises ADV_CH together with wrong distance information in each round so as to become the CH of as many nodes as possible. Once it becomes the CH, it behaves according to the configuration set by the adversary.

2.4 Miscellaneous Other security issues

A sensor network works in a wireless environment using self-controlling sensor nodes. A few other security issues and countermeasures are discussed in (Roosta, Shieh and Sastry 2006) and (Bojkovic, Bakmaz and Bakmaz 2008). We just highlight them here to provide an overall picture of the security requirements for WSNs. These are:

• Traffic Analysis attacks
• Key management protocols
• Attacks on Reputation Assignment schemes
• Attacks on In-Network Processing
• Target location problem
• Security in Group Communication
• Software Updating in WSNs

There are several possible attacks on the protocol stack, i.e. on the different layers of a sensor node, that may cause DoS (Wood and Stankovic 2002). These are discussed below:

• Physical layer: Jamming and tampering attacks are possible. Nodes should change their mode of transmission or hide information, respectively, in response to these attacks.
• Link layer: Collisions may cause exhaustion or unfairness. Error-correcting codes or other mechanisms might be used to counter such attacks.
• Network or routing layer: Black-hole, misdirection etc. can be launched at the network layer. Intelligent mechanisms are required to stop these attacks.
• Transport layer: The attacks that can be launched at this layer are flooding and de-synchronization. These relate to the actual data packet flow and can be minimized by client puzzle mechanisms or authorization.

A Sybil attack is caused by a Sybil node placed within range of the wireless network. In (Newsome, et al. 2004), the authors explain its occurrence in sensor networks. According to them, it can affect different protocols and can play a major role in degrading the performance of the wireless network. The Sybil node appears in the network with multiple identities, acting as if multiple nodes were functioning. Once it gets into the network, it can overhear the communications of neighbor nodes or act maliciously (e.g. causing DoS). It may control network activities and damage network performance, and it can play a major role in injecting malicious information by attacking different protocols of WSNs.

2.5 Summary

Cloud computing will play a major role in providing healthcare services to smart homes, healthcare institutes, e-healthcare systems and people at remote locations. Cloud computing offers the capability to access shared resources and common infrastructure in a ubiquitous and pervasive manner. The computation and analysis performed in the cloud depend on the accuracy of the data received from the sensor nodes. WSNs are vulnerable to various types of security threats. In this chapter we discussed the nature of different kinds of attacks and the way they affect performance by reducing the throughput of the network. We described these attacks for two kinds of network communication, multi-hop and cluster-based.

An example of 24 nodes is depicted for a flat WSN that uses multi-hop communication, to illustrate the routing attacks most commonly used for evaluating security schemes. Here we discussed the way black-hole, sink-hole, selective forwarding, worm-hole and HELLO flood attacks are launched in the multi-hop routing scheme.

The LEACH protocol is a well-known hierarchical routing protocol. It is used to explain the effect of routing attacks in clustering routing algorithms. Here we explained the launching pattern of the selective forwarding, black-hole and sink-hole attacks in a hierarchical routing scheme. This shows that these attacks may reduce the throughput and degrade the overall performance of the network, which may lead to wrong output.


Chapter 3

Intrusion Detection Systems for

Wireless Sensor Networks

3.1 Introduction

Security is considered in terms of secure transmission and reliable delivery of data (Sedjelmaci and Senouci 2014). Secure transmission means that the data received at the destination is exactly the same as sent by the source and is not altered or copied in transit. Reliable delivery deals with the throughput of the system: it keeps track of the data sent and received at the destination, i.e. whether it arrived or was dropped on the way. In this dissertation, our work focuses on the reliable delivery of data by detecting inside attackers and preventing their further impact on the network. The solution is an intrusion detection framework.

An intrusion detection system (IDS) (Innella and McMillan 2001) is a security mechanism used to detect the abnormal behavior of mobile nodes in ad hoc networks (Wang 2006) and of clients in IMS (Farooqi and Munir 2008). Earlier, it was thought that “IDS is not fit” for securing WSNs. This seemed true because IDS approaches are computationally expensive. But technology changes rapidly and, with future perspectives in mind, the capabilities of a sensor node will increase. Sensors will have more memory and a longer survival time and might be used for transmitting multimedia information (Akyildiz, Melodia and Chowdhury 2007). Furthermore, these devices will be used for underwater applications in the future (Heidemann, et al. 2006). Hence, there is a requirement for a secure WSN that ensures secure transmission and reliable delivery of packets in the network.

IDS-based mechanisms can be very effective. They can detect abnormal behavior of the sensor nodes such as sink-hole, black-hole, selective forwarding, HELLO flood and other DoS attacks. In an IDS, the unit that analyzes the network and detects the abnormal behavior of node(s) is called an IDS agent. It works in three phases: collection, processing and action. Initially, network data is collected for a specified interval of time. Processing depends on the detection mechanism. There are three types of detection technique: misuse detection, anomaly-based detection and specification-based detection. In misuse detection, the system searches for specific patterns or signatures to detect the intruder; in anomaly-based detection, the system learns the normal behavior of the network and then declares anything that deviates from the learnt pattern as abnormal. In specification-based detection, rules are defined for attacks and used to analyze the behavior of the nodes; if a node violates n rules, it is declared abnormal. After detection, an alert is generated so that some appropriate action can be taken. Misuse detection is also known as signature-based detection. It only detects known attacks and does not perform well against unknown attacks. On the other hand, both anomaly-based and specification-based techniques detect known and unknown attacks efficiently and achieve a low false positive rate. That is why researchers are focusing on improving the existing mechanisms or coming up with innovations in these two kinds of detection technique.

A survey of anomaly detection mechanisms is conducted in (Rajasegarar, Leckie and Palansiwami 2008), which classifies them into two categories according to their model: parametric and non-parametric techniques (see Table 1). Their work focuses only on anomaly-based techniques, and they discuss and compare five different approaches. The paper does not provide a complete picture of the IDS approaches that have been proposed for WSNs.

Table 1: Parametric Vs Non-Parametric

| | Parametric | Non-Parametric |
|---|---|---|
| Data distribution | Known | Not known |
| Usage | App. dependent | Resource constrained |
| Data changes | Not frequently | Frequently |
| Sensor nodes | Static | Static or mobile |
| Approach | Multivariate | Rule or density based, Clustering, CUSUM |

Several attacks that influence the overall working of WSNs are briefly discussed in (Bojkovic, Bakmaz and Bakmaz 2008). According to them, “IDS is an interesting, underdeveloped service, useful for scenarios where there is a possibility for a node being subverted and controlled by an adversary”. Recently, researchers have proposed several IDS-based security mechanisms that analyze the working of sensor node(s) and efficiently detect abnormal activities. They mostly focus on routing protocol attacks when explaining their detection methodologies. Their work differs in two ways: the installation of the IDS agent and the detection policy. There are three possibilities for installing an IDS agent: purely centralized, purely distributed and distributed-centralized. In the first approach, it is installed only at the sink or BS; in the second, an IDS agent is present in every sensor node; in the third, only monitor nodes perform intrusion detection.

Intrusion detection is a mature research field in wired networks as well as in ad hoc networks. In sensor networks, it is still a new area that can be explored further. Researchers have proposed many IDS-based methodologies for wired or ad hoc networks, but these cannot be applied directly to WSNs due to the limitations of sensor networks (traffic directed towards the sink or BS) and the capabilities of sensor nodes (Butun, Morgera and Sankar 2013). Standard intrusion detection that works well for wired networks is not appropriate for WSNs because it is computationally expensive for the sensor nodes. An energy-efficient intrusion detection system is more favorable for these networks (Techateerawat and Jennings 2006). In this chapter, we provide a brief introduction to IDS and the IDS-based security schemes for WSNs. Further, we discuss the various IDS-based schemes that targeted the LEACH routing protocol for their analysis and testing.


3.2 Intrusion detection system

An intrusion detection system (IDS) is a system that checks the network behavior and finds the nodes that are not working normally. IDS-based security mechanisms have been proposed for other network paradigms too (Iqbal and Calix 2016). It is a mature research field for wired networks and ad hoc networks, while it is an emerging area of research for cloud-integrated WSNs. An IDS is an additional unit installed at the clients, the server or both. This unit is called the IDS agent. The IDS agent works in three essential sequential steps (Innella and McMillan 2001): monitor network behavior, detect the intrusion, and respond to the abnormal activity. In other words, the IDS agent works in three phases and each phase has a unit:

• Collection unit: It collects the network data.
• Detection unit: It applies the detection policy to find intrusions.
• Response unit: It generates an alert in case an abnormal node is detected.

Various approaches are used to develop these systems depending on the nature of the network architecture. In this section, we explain the various ways of installing the IDS agent and define the various detection policies.

3.2.1 IDS Agent Installation

The IDS agent performs the important task of securing the network from intrusive attacks. Researchers use three different ways of installing the IDS agent in WSNs: purely centralized, purely distributed and distributed-centralized.

Purely Centralized IDS Agent Installation Mechanism

In WSNs, sensor nodes sense the environment and transmit processed information to the sink or BS. All the sensor nodes scattered in the sensor area communicate with the sink, and the analysis of the field is done by human users. In the purely centralized IDS approach, the IDS agent is installed at the sink or BS. It requires an additional special routing protocol that gathers information from the nodes in order to analyze the behavior of the sensor nodes collectively.

Purely Distributed IDS Agent Installation Mechanism

Sensor nodes work in a distributed manner. In the purely distributed IDS approach, an IDS agent is installed in every node. It checks for abnormal behavior of neighboring nodes locally, analyzing the data it receives from nodes in its radio range. Sensor nodes audit that data and generate alerts for abnormal activity. There are two ways of deciding whether a node is compromised. In individualized decision making, the node that detects the anomalous behavior of another node sends that information to the sink or BS. In cooperative decision making, the node that detects the anomalous behavior of another node communicates with other nodes, and that node is finally declared compromised after voting. If the majority of the nodes confirm it, then proper action is taken to secure the network according to the configuration.

Distributed-Centralized IDS Agent Installation Mechanism

The cluster-head approach lowers power consumption and efficiently reduces control overhead. It is used in hierarchical routing protocols, where cluster heads have more capabilities than ordinary nodes. The concept of the monitor node is derived from this philosophy. In the distributed-centralized approach, the IDS agent is installed in monitor nodes only. Such a node performs two types of function simultaneously: first, it performs the activities of a normal node and, second, it checks for intrusions. The logic behind this approach is to minimize the detection overhead incurred by purely distributed approaches.

3.2.2 Detection Policy

In an intrusion detection system, the detection of intrusions is the major phase. There are three different detection policies: misuse detection, anomaly-based detection and specification-based detection.

Misuse Detection System

Various attacks follow the same sequence of steps to launch their effect. In a misuse detection system, these sequences of steps are used to detect those attacks. This detection mechanism is also called signature-based detection. It is like pattern matching and works well only for known attacks; it cannot handle unknown attacks.

In this approach, abnormal behavior is defined for the network, e.g. by making a log file of the signatures of known attacks. The network is then simulated to evaluate the performance of the designed technique. Every instance is matched against the entries of the log file to detect the attack scenario. That is why this approach is quite expensive, especially for sensor nodes.

Anomaly-based Detection System

The signature-based approach cannot detect attacks for which no signature (known pattern) is present. Several attacks change their signatures frequently, and these are hard to detect using such mechanisms. Anomaly-based systems provide a security environment in which anything that deviates from the normal behavior is declared anomalous or malicious.

In this approach, the normal behavior of the network is defined, and any other behavior is declared intrusive. An anomaly detection algorithm learns the normal behavior of the targeted network during a normal simulation of the network, setting thresholds etc. during this period. These then help in detecting intrusions in attack scenarios.

Specification-based Detection System

A specification-based detection system works by defining rules for attacks. A sensor node's behavior is checked against each rule sequentially. There is a failure bit (a counter) associated with each node: if the sensor node violates any rule, its failure count is incremented. If the number of failures of a node exceeds a threshold (adjusted for the normal situation) after an interval of time ‘t’, an alert about that node is generated.
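The failure-counter mechanism described above, combined with the majority vote of cooperative decision making from Section 3.2.1, as an added worked example; this is not code from the thesis. The single forwarding rule (a node that receives a packet bound for the sink must retransmit it within t), the values of t and the threshold, the neighbour verdicts and the overheard-packet log are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed parameters of the specification-based detector.
T = 5.0        # a received packet must be retransmitted within t = 5 s
THRESHOLD = 2  # failures tolerated per node per observation interval

# Constructed log overheard by an IDS agent in promiscuous mode:
# (time, sender, receiver, packet id). Packets travel hop by hop towards the
# sink, so a forwarding node must retransmit each packet it receives.
OVERHEARD = [
    (0.0, "I", "C", 1), (1.0, "C", "A", 1),     # C forwards packet 1 in time
    (2.0, "J", "C", 2), (3.0, "C", "A", 2),     # C forwards packet 2 in time
    (4.0, "I", "C", 3),                         # packet 3 never forwarded
    (6.0, "J", "C", 4),                         # packet 4 never forwarded
    (8.0, "I", "C", 5), (13.5, "C", "A", 5),    # packet 5 forwarded too late
    (9.0, "I", "D", 6), (9.5, "D", "A", 6),     # D forwards in time
    (10.0, "J", "D", 7), (14.0, "D", "A", 7),   # D is late but within t
    (12.0, "J", "D", 8),                        # deadline not yet expired
]


def forwarding_failures(log, monitored, t=T, end_time=None):
    """Rule R1 (constructed): a monitored node that receives a packet must
    retransmit it within t. Returns node -> failure count over the interval.

    A packet whose deadline has not yet expired at end_time is not counted,
    so the detector does not raise false alarms at the edge of the window.
    """
    received = {}      # (node, packet) -> time first received
    forwarded = set()  # (node, packet) retransmitted within t
    for time, src, dst, pkt in sorted(log):
        if dst in monitored:
            received.setdefault((dst, pkt), time)
        key = (src, pkt)
        if src in monitored and key in received and time - received[key] <= t:
            forwarded.add(key)
    if end_time is None:
        end_time = max(entry[0] for entry in log)
    failures = defaultdict(int)
    for key, rtime in received.items():
        if key not in forwarded and end_time - rtime >= t:
            failures[key[0]] += 1  # the node's failure bit is incremented
    return dict(failures)


def local_verdicts(failures, monitored, threshold=THRESHOLD):
    """Local detection: a node whose failure count exceeds the threshold after
    the interval is flagged. Returns node -> True/False for each monitored node."""
    return {n: failures.get(n, 0) > threshold for n in monitored}


def cooperative_decision(verdicts):
    """Cooperative decision making: neighbouring IDS agents exchange their local
    verdicts about a suspect, which is declared compromised only by majority."""
    return 2 * sum(1 for v in verdicts if v) > len(verdicts)


def detect(log=OVERHEARD, monitored=("C", "D"), neighbour_verdicts=None):
    """Run the local rule check, then confirm each locally flagged node with
    the verdicts received from neighbouring agents. Returns
    (failures, local verdicts, nodes confirmed compromised after voting)."""
    failures = forwarding_failures(log, set(monitored))
    local = local_verdicts(failures, monitored)
    if neighbour_verdicts is None:
        # Constructed: one neighbour agrees about C, one disagrees.
        neighbour_verdicts = {"C": [True, False], "D": [False, False]}
    confirmed = {}
    for node, flagged in local.items():
        if flagged:
            votes = [flagged] + neighbour_verdicts.get(node, [])
            confirmed[node] = cooperative_decision(votes)
    return failures, local, confirmed


if __name__ == "__main__":
    failures, local, confirmed = detect()
    print("failure counts:", failures)          # C has 3 failures, D none
    print("local verdicts:", local)             # only C exceeds the threshold
    print("confirmed after voting:", confirmed)  # C confirmed by 2 votes to 1
```

Node C is flagged locally because three packets missed the deadline, while node D's late-but-in-time forward of packet 7 and the still-open deadline of packet 8 are correctly not counted.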

3.3 IDS-based security mechanisms for Wireless Sensor Networks

Recently, various intrusion detection systems have been proposed for detecting compromised nodes in WSNs (Gunasekaran and Periakaruppan 2017). We categorize these methodologies into three major classes depending on the way they install the IDS agent in the network. Table 2 categorizes the IDS-based security mechanisms by detection policy, decision making and attacks encountered. It indicates that researchers have mostly targeted routing protocol attacks. In the detection policy column, “Any” means that the authors do not specify a policy, while “Both” means that the proposed approach combines the benefits of signature-based and anomaly-based detection techniques.

Table 2: IDS-based security mechanisms for WSNs

| Proposed Approach | IDS Agent Installation | Detection Policy | Decision Making | Attacks |
|---|---|---|---|---|
| Spontaneous Watchdog (Roman, Zhou and Lopez 2006) | Purely distributed | Any | Sensor node after Cooperating | ------- |
| Cooperative local auditing (Krontiris and Dimitriou 2007) | Purely distributed | Specification-based | Sensor node after Cooperating | Routing |
| Neighbour Trust based Intrusion Detection (Sajjad and Yousaf 2015) | Purely distributed | Anomaly-based | Individually | Routing |
| Fixed-width clustering (Loo, et al. 2006) | Purely distributed | Anomaly-based | Sensor node by its Individual knowledge | Routing |
| Artificial Immune System (Drozda, Schaust and Szczerbicka 2007) | Purely distributed | Anomaly-based | Sensor node by its Individual knowledge | MAC/Routing |
| Intrusion aware validation algorithm (Shaikh, et al. 2008) | Purely distributed | Anomaly-based | Sensor node after Cooperating | ------- |
| Pair-based approach (Ahmed, et al. 2008) | Purely distributed | Both | Pairing node | ------- |
| Group Based Detection scheme (Li, He and Fu 2008) | Purely distributed | Anomaly-based | Root node | Routing |
| ANDES algorithm (Gupta, Zheng and Cheng 2007) | Purely Centralized | Anomaly-based | BS | Phys./Routing |
| Application Independent Framework (Zhang, Yu and Ning 2008) | Purely Centralized | Anomaly-based | Sink or BS | ------- |
| Decentralized intrusion detection Model (Da Silva, et al. 2005) | Distributed-Centralized | Specification-based | Monitor node | Trans./Routing |
| Hybrid intrusion detection system (Hai, Khan and Huh 2007) | Distributed-Centralized | Both | Cluster Head | Routing |
| Cumulative Summation (Phuong, et al. 2006) | Distributed-Centralized | Anomaly-based | Monitor node | Trans./Routing |
| Matrix based detection (Pandey, et al. 2016) | Distributed-Centralized | Anomaly-based | IDS agent | Routing |
| Multi-agent trust-based intrusion detection scheme (Jin, et al. 2017) | Distributed-Centralized | Anomaly-based | Cluster Head | Routing |
| Signaling game-based strategy (Shen and Cao 2011) | Distributed-Centralized | Anomaly-based | Cluster Head | Routing |
| Hybrid trust-based intrusion detection (Ozcelik, Irmak and Ozdemir 2017) | Distributed-Centralized | Specification-based | Cluster Head | Routing |

3.3.1 Purely Distributed Approach

A sensor node has its own memory unit, processing unit, sensing unit and

communication unit. It senses the environment using its sensing unit. It stores that data

in the memory unit for some interval of time. It processes data with the help of the

processing unit. Finally, it communicates this data to the sink in a hop-by-hop manner.

Hence, the sensor node works independently. In purely distributed mechanisms, IDS

agent is installed in each sensor node to analyze the working of the other node(s). In this

section, we discuss several approaches that focus on this idea.

Spontaneous Watchdog Approach

In (Roman, Zhou and Lopez 2006), the authors claim to be the first to propose an IDS architecture for WSNs. They introduce a neighbor monitoring technique known as the spontaneous watchdog. According to them, an IDS agent is installed in every sensor node. It has a data structure containing two types of information: knowledge about previously declared malicious nodes and a list of legitimate neighbors.

The IDS agent also has two detection bodies, a local agent and a global agent. The local agent audits data that comes from nodes that lie inside its radio range, i.e. its neighbors. It generates an alert if any node behaves abnormally, for example by flooding, or if it receives a message from a node that is not present in the neighbor list. On the other hand, a node activates its global agent if it overhears, in promiscuous mode, any communication concerning one of its neighboring nodes. Here the global agent acts like a spontaneous watchdog. This agent then discovers how many neighboring nodes have activated their global agent; if there are n global agents in the same situation, the node acts as the spontaneous watchdog with probability 1/n. It checks whether nodes rebroadcast the received message(s) or not.

Consider the sensor network shown in Figure 6. Suppose node I senses some movement and, after processing, broadcasts to node C for further rebroadcast. According to the proposed methodology, one of the common neighbors of nodes C and I, such as node F or J in Figure 6, activates its global agent. It senses the network in promiscuous mode until it receives the rebroadcast message from node C within the time interval ‘t’. If it does not receive it, it generates an alert about the abnormality of node C. In this approach, the activation of the global agent is an important issue that should be handled carefully because sensor nodes are independent.


Figure 6: Common neighbors of node C and node I

Cooperative Local Auditing

Key management protocols, authentication protocols and secure routing protect WSNs

against outside attackers but fail to stop strong attacks launched from inside, i.e., by

compromised nodes. A specification-based cooperative local auditing mechanism for the

detection of selective forwarding and black-hole attacks is proposed in (Krontiris and

Dimitriou 2007). The authors further extend their work to the sink-hole attack in

(Krontiris, Dimitriou and Giannetsos, et al. 2007). In their approach, an IDS agent is

installed in each sensor node. The agent is composed of five main components, as shown

in Figure 7: local packet monitoring, local detection engine, cooperative detection

engine, communication, and local response.

Figure 7: Major components of IDS agent in cooperative local auditing

The local packet monitoring component gathers the packets overheard within the radio

range of the node and passes them to the local detection engine, where a

specification-based detection mechanism is applied. The authors state four rules: two

detect black-hole, selective forwarding and sink-hole attacks, and the other two specify

the action to take. The local detection engine checks whether the messages of a node

obey the rules. If a node violates the specification, an alert is sent to the cooperative

detection engine. This component then communicates with the other nodes to check the

status of the suspected node there. If a majority of the nodes confirm the maliciousness

of that node, an alert is passed to the local response. Depending on the configuration,

different types of response may be taken to secure the network from the compromised

node.

In (Krontiris and Dimitriou 2007), the authors give the specification, i.e., the rules,

for detecting selective forwarding and black-hole attacks. An example helps in

understanding the mechanism. Consider the black-hole scenario discussed before for the

network topology shown in Figure 3. Suppose node J sends a data packet to node C after

sensing the environment. According to the proposed rule, node J buffers that packet for

some time t and waits for node C to forward it. If node C does not forward the packet

within t, node J increments a failure counter for node C; if it does, node J removes the

packet from its buffer. When the failure counter for node C reaches a certain limit,

node J generates an alert, communicates the suspected maliciousness of node C to its

neighbors, and voting takes place.
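The forwarding check shared by the spontaneous watchdog above and by the cooperative local auditing rule just described, as an added Python example. This is not code from either cited paper: the topology, the packet ids and the vote are constructed for the example, and the timeout and failure threshold are assumed parameters.

```python
import random
from collections import defaultdict

# Constructed adjacency lists for the nodes named in the text. The exact
# edges are an assumption for this example, not taken from Figure 6.
TOPOLOGY = {
    "I": {"C", "F", "J"},
    "C": {"I", "F", "J", "A"},
    "F": {"I", "C"},
    "J": {"I", "C"},
    "A": {"C"},
}


def common_neighbors(topology, src, next_hop):
    """Nodes able to overhear both src and next_hop: the candidate watchdogs."""
    return topology[src] & topology[next_hop]


def elect_watchdogs(candidates, rng=None):
    """Spontaneous watchdog: each of the n candidates activates with probability 1/n."""
    rng = rng or random.Random()
    n = len(candidates)
    return {c for c in sorted(candidates) if rng.random() < 1.0 / n}


class ForwardingMonitor:
    """Buffers overheard packets and counts forwarding failures per next hop.

    This is the common core of the spontaneous watchdog and of the
    retransmission check in cooperative local auditing."""

    def __init__(self, timeout, threshold):
        self.timeout = timeout          # the interval t in the text
        self.threshold = threshold      # failures before an alert is raised
        self.pending = {}               # (pkt_id, next_hop) -> deadline
        self.failures = defaultdict(int)

    def overheard_send(self, pkt_id, next_hop, now):
        self.pending[(pkt_id, next_hop)] = now + self.timeout

    def overheard_forward(self, pkt_id, forwarder):
        # The next hop did its job: drop the packet from the buffer.
        self.pending.pop((pkt_id, forwarder), None)

    def expire(self, now):
        """Every buffered packet past its deadline is one failure for its next hop.
        Returns the set of nodes whose failure counter reached the threshold."""
        alerts = set()
        for key in list(self.pending):
            if self.pending[key] <= now:
                del self.pending[key]
                hop = key[1]
                self.failures[hop] += 1
                if self.failures[hop] >= self.threshold:
                    alerts.add(hop)
        return alerts


def majority_confirms(votes):
    """Cooperative step: neighbors vote on the alert; True if more than half agree."""
    return sum(1 for v in votes.values() if v) * 2 > len(votes)


def run_blackhole_scenario(dropped, timeout=2, threshold=3):
    """Node I sends packets 1..5 through node C; C silently drops the ids in `dropped`.
    Returns the failure counters and the set of nodes alerted on."""
    monitor = ForwardingMonitor(timeout, threshold)
    alerted = set()
    for pkt in range(1, 6):
        now = pkt * 10
        monitor.overheard_send(pkt, "C", now)
        if pkt not in dropped:
            monitor.overheard_forward(pkt, "C")
        alerted |= monitor.expire(now + timeout)
    return dict(monitor.failures), alerted


if __name__ == "__main__":
    candidates = common_neighbors(TOPOLOGY, "I", "C")
    print("candidate watchdogs:", sorted(candidates))
    print("activated this round:", sorted(elect_watchdogs(candidates, random.Random(1))))
    print("black hole dropping packets 1-3:", run_blackhole_scenario({1, 2, 3}))
    print("honest forwarder:", run_blackhole_scenario(set()))
    print("neighbors confirm:", majority_confirms({"F": True, "J": True, "A": False}))
```

With a threshold of three failures the alert fires on the third dropped packet and the neighbors' vote then decides whether node C is declared malicious; an honest forwarder never accumulates a failure.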

In another paper (Krontiris, Dimitriou and Giannetsos, et al. 2007), the authors discuss

the possibility of a sink-hole attack on the MintRoute routing protocol. They extend

their previous work with rules for the sink-hole attack. According to these rules, a

sensor node generates an alert whenever a malicious node tries to impersonate another

node: for each route_update packet, the receiving node checks that the sender ID differs

from its own ID and belongs to one of its neighbors, and it generates an alert in any

other situation. When an intrusion such as a sink-hole attack is detected, the sensor

nodes start sharing their neighbor lists to identify the malicious node, because in a

sink-hole attack the compromised node lies in the intersection of the neighborhoods of

the alerting nodes. The following is a scenario after the neighbors have shared this

information:

Node C: {A, D, F, I, J} ∩ {C, D, I, M} ∩ {C, D} = {D}

Node B: {D, E} ∩ {B, D, G, J} = {D}

Node J: {C, D, I, M} ∩ {A, D, F, I, J} ∩ {B, D, G, J} = {D}

After analyzing these intersections, a collective result is formed; in the above scenario

it identifies node D as the abnormal node. A comprehensive alert is sent to the BS or

sink so that it can take immediate steps against the influence of the compromised node.
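The route_update check and the neighbor-list intersection described above, as an added Python example rather than the cited authors' code. It generalizes the three intersections in the text to any number of reporting nodes; the neighbor lists are constructed from the scenario shown, and the collective step (intersecting the reporters' local results) is one reasonable reading of "a collective result is formed".

```python
from functools import reduce


def route_update_ok(own_id, sender_id, neighbors):
    """Sink-hole rule from the text: a route_update must carry a sender ID that is
    not our own and that belongs to one of our neighbors."""
    return sender_id != own_id and sender_id in neighbors


def local_intersection(neighbor_lists):
    """Intersection of all neighbor lists one node received after the alert."""
    return reduce(lambda a, b: a & b, (set(nl) for nl in neighbor_lists))


def locate_sinkhole(reports):
    """reports maps a reporting node to the neighbor lists it received.
    Each reporter computes its local intersection; the collective result is the
    set of nodes present in every reporter's intersection (ideally a single node).
    Returns (local results, collective result)."""
    local = {node: local_intersection(lists) for node, lists in reports.items()}
    collective = reduce(lambda a, b: a & b, local.values())
    return local, collective


# Constructed from the three intersections shown in the text.
REPORTS = {
    "C": [{"A", "D", "F", "I", "J"}, {"C", "D", "I", "M"}, {"C", "D"}],
    "B": [{"D", "E"}, {"B", "D", "G", "J"}],
    "J": [{"C", "D", "I", "M"}, {"A", "D", "F", "I", "J"}, {"B", "D", "G", "J"}],
}

MY_ID = "C"
MY_NEIGHBORS = {"A", "D", "F", "I", "J"}

if __name__ == "__main__":
    print("route_update from D accepted:", route_update_ok(MY_ID, "D", MY_NEIGHBORS))
    print("route_update spoofing our own ID:", route_update_ok(MY_ID, "C", MY_NEIGHBORS))
    print("route_update from non-neighbor Z:", route_update_ok(MY_ID, "Z", MY_NEIGHBORS))
    local, collective = locate_sinkhole(REPORTS)
    print("local intersections:", local)
    print("collective result:", collective)
```

An empty collective result means the reporters do not agree on a single node and the BS should not act on the alert; more than one node in the result means more neighbor lists are needed before a decision.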

Neighbor Trust based Intrusion Detection

An IDS that maintains trust values for its neighboring nodes is proposed in (Sajjad and

Yousaf 2015). The trust value indicates how trustworthy a node is, i.e., whether it

should be used for forwarding again or not. The authors claim that the proposed scheme

works better for hello flood, selective forwarding and jamming attacks.

Fixed-width Clustering Algorithm

A well-known distributed anomaly detection mechanism is discussed in (Loo, et al.

2006). In this approach, twelve features, such as the number of packets received, sent

or broadcast and the number of route requests sent, forwarded or received, are

collected. The mean and standard deviation of each feature are determined for each

neighboring node during normal messaging and used to normalize the observations. The

normalized feature vectors are then grouped into fixed-width clusters: if a vector lies

close to the central value of an existing cluster, it is placed in that cluster;

otherwise it forms a new cluster and becomes that cluster's central value, and a range

(the fixed width) is associated with it. Vectors are also collected by simulating

various attack scenarios and placed in the clusters. After analyzing these clusters, the

compromised nodes are detected: it is assumed that clusters containing few points

indicate abnormal activity.

According to the algorithm, the IDS agent is installed in every node and all the nodes

act as monitor nodes. Two challenges arise in building this model. The first is the

identification of the features used to recognize attacks; the second is choosing an

appropriate anomaly detection mechanism. Twelve features are identified to analyze the

behavior of the network. Nine features relate to non-traffic properties, while the other

three relate to the traffic. A network simulation is used to discover the mean values

and standard deviations of these features in normal messaging. These values are then

used to detect abnormal behavior of the network in attack scenarios. The features are

described below:

Feature 1 is the number of messages received from a node in some interval of time t.

It is useful for detecting flooding attacks.

Ad hoc On-demand Distance Vector (AODV) is a well-known reactive routing protocol.

In WSNs, sensor nodes create a route to the sink by broadcasting a Route Request

(RREQ) message when they require a route. This message is transmitted hop-by-hop until

the route is discovered or its time to live (TTL) expires. Once a node has an active

route to the sink, or the sink is its next hop, it replies with a Route Reply (RREP)

message. Features 2, 3 and 4 are the numbers of RREQ received, sent or dropped

respectively. These features can help in detecting a sink-hole attack, because in a

sink-hole attack a compromised node broadcasts false route information to affect the

routes.

Three further features also relate to the AODV routing protocol: the numbers of RREP

received, forwarded or sent are the 5th, 6th and 7th features respectively. These are

mainly affected by a compromised node in routing attacks. Features 8 and 9 are the

numbers of route error messages received or sent respectively.

The last three (10, 11 and 12) traffic-related features are the number of changes to a

node's route for delivering messages to the BS, and the mean and standard deviation of

the number of hops to the BS respectively.

The next challenge is the anomaly detection mechanism. Data about the surrounding

(neighbor) nodes is collected for some interval of time and used to detect malicious

activity and the nodes that are behaving abnormally. After collecting the data, the

sensor nodes work in two phases, training and testing. The training phase involves

three sequential steps. Data is collected for a specified time; each dataset contains

data items, and each data item is a vector of attributes (features) describing one node.

In the first step, the data items are normalized to a common range using a formula based

on the mean and standard deviation. Secondly, each normalized vector is compared with the

centroids of the existing clusters, which have a fixed radius. If it lies within that

radius of some centroid, it is added to that cluster; otherwise it becomes a new centroid

and a radius is defined for it, so that any later data item falling within that range

becomes part of the new cluster. Finally, a label is assigned to each cluster. Abnormal

nodes are fewer than normal nodes, so clusters whose size falls below a threshold (kept

for normal behavior) are labelled as malicious and the others as normal. After training,

the testing phase examines whether these nodes detect the anomalies effectively.

According to the authors, the proposed methodology detects the simulated routing attacks

efficiently while achieving a low false positive rate.
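The training phase above, as an added Python example (not the cited authors' code): z-score normalization, single-pass fixed-width clustering, and labelling of small clusters as anomalous. The per-neighbor feature vectors are constructed for the example, and the cluster width and minimum cluster size are assumed parameters.

```python
import math


def zscore_normalize(vectors):
    """Per-feature (x - mean) / std, as the text's normalization step.
    A feature with zero spread is mapped to 0 instead of dividing by zero."""
    dim = len(vectors[0])
    means = [sum(v[i] for v in vectors) / len(vectors) for i in range(dim)]
    stds = [math.sqrt(sum((v[i] - means[i]) ** 2 for v in vectors) / len(vectors))
            for i in range(dim)]
    return [[(v[i] - means[i]) / stds[i] if stds[i] else 0.0 for i in range(dim)]
            for v in vectors]


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def fixed_width_cluster(points, width):
    """One pass over the data: a point within `width` of an existing centroid joins
    that cluster, otherwise it becomes the centroid of a new cluster."""
    centroids, members = [], []
    for idx, p in enumerate(points):
        for c, centroid in enumerate(centroids):
            if euclid(p, centroid) <= width:
                members[c].append(idx)
                break
        else:
            centroids.append(p)
            members.append([idx])
    return centroids, members


def label_clusters(members, min_size):
    """Clusters with fewer than min_size points are labelled anomalous."""
    return ["anomalous" if len(m) < min_size else "normal" for m in members]


def detect(vectors, width=1.5, min_size=2):
    """Returns (indices of items in anomalous clusters, centroids, cluster labels)."""
    centroids, members = fixed_width_cluster(zscore_normalize(vectors), width)
    labels = label_clusters(members, min_size)
    flagged = sorted(i for m, lab in zip(members, labels) if lab == "anomalous" for i in m)
    return flagged, centroids, labels


# Constructed per-neighbor feature vectors: (packets received, RREQ received,
# RREP forwarded) over one interval. The last neighbor behaves like a flooder.
SAMPLE = [
    [10, 2, 3], [11, 2, 4], [9, 3, 3], [10, 2, 4], [12, 3, 3],
    [120, 40, 3],
]

if __name__ == "__main__":
    flagged, centroids, labels = detect(SAMPLE)
    print("cluster labels:", labels)
    print("anomalous items:", flagged)
```

The width is applied in normalized space, so it is a number of standard deviations rather than a packet count; that is what makes the same parameter usable across features with very different scales.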

Artificial Immune System

Artificial immune systems (AIS) are used as an anomaly detection mechanism in wired

networks as well as in ad hoc networks (Drozda and Szczerbicka 2006). An AIS works like

the human immune system (HIS), which safeguards the human body against viral or

bacterial attacks. In (Drozda, Schaust and Szczerbicka 2007), the same group introduces

an AIS-based detection mechanism for WSNs, arguing that it is computationally

inexpensive and provides good detection performance. They explain the design principles

of their methodology and evaluate it by simulation in NS-2. They focus on MAC layer and

network layer attacks, which they call misbehavior. These attacks are mostly launched by

compromised nodes in the sensor network, e.g., medium access selfishness (a node holds

the medium), flooding, wormhole and Sybil attacks. In AIS terms, the system maintains a

set of self strings (normal behavior) and a set of non-self strings (misbehavior).

Figure 8: Negative selection for generating non-self strings. Input: randomly generated

strings; output: non-self strings

The system learns normal behavior by building self strings from the header of each

received message. A random generate-and-test process then forms the detector set, as

shown in Figure 8: candidate strings are generated at random and compared with the self

strings; a candidate that matches a self string is rejected, otherwise it is stored in

the detector set. Strings produced afterwards are compared with the entries of the

detector set; a match confirms that the string is non-self, and it is stored in the list

of non-self strings. The process is called negative selection because detectors are kept

precisely for not matching the self set, and it is these strings that are used to

recognize abnormal activity. Once the process completes, attacks are launched to measure

the false positive rate.
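Negative selection as an added Python example, not the cited authors' implementation. It assumes 8-bit header strings and an r-contiguous-bits matching rule (two strings match if they agree on r consecutive positions), which is the usual AIS choice but is not stated in the text; the self strings are constructed.

```python
import random

# Constructed 8-bit "header strings" for normal traffic (e.g. a packed
# type/flags byte); the cited work derives them from real header fields.
SELF_STRINGS = ["00010010", "00010011", "00110010", "00010110", "00011010"]


def r_contiguous_match(a, b, r):
    """True if a and b agree on r contiguous positions (assumed matching rule)."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False


def generate_detectors(self_set, length, r, count, seed=0, max_tries=20000):
    """Negative selection: random candidates that match any self string are
    rejected; the survivors form the detector set."""
    rng = random.Random(seed)
    detectors = []
    tries = 0
    while len(detectors) < count and tries < max_tries:
        tries += 1
        candidate = "".join(rng.choice("01") for _ in range(length))
        if any(r_contiguous_match(candidate, s, r) for s in self_set):
            continue
        detectors.append(candidate)
    return detectors


def is_nonself(string, detectors, r):
    """A string matching any detector is classified as non-self (misbehavior)."""
    return any(r_contiguous_match(string, d, r) for d in detectors)


def false_positive_rate(self_set, detectors, r):
    """Fraction of self strings wrongly flagged; zero by construction for the
    training set, but not for unseen normal headers."""
    return sum(1 for s in self_set if is_nonself(s, detectors, r)) / len(self_set)


if __name__ == "__main__":
    detectors = generate_detectors(SELF_STRINGS, length=8, r=4, count=10, seed=42)
    print("detectors:", detectors)
    print("FPR on training self set:", false_positive_rate(SELF_STRINGS, detectors, 4))
    for header in ("00010010", "11101101", "01100001"):
        print(header, "->", "non-self" if is_nonself(header, detectors, 4) else "self")
```

Because the matching rule is symmetric, no detector can ever match a string it was tested against, so the false positive rate on the training self set is always zero; the meaningful measurement is on headers that were not in the training set.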

Intrusion-aware Validation Algorithm

An algorithm is proposed in (Shaikh, et al. 2008) for identifying compromised nodes

that generate alerts against normal nodes to make them appear malicious. It enhances

distributed cooperative IDSs that lack confirmation of the source of an alert, since a

compromised node can raise false alarms about normal node(s). It works in two phases. In

the consensus phase, a node receiving an alert about malicious activity first checks

whether the accused node is already a declared (listed) abnormal node. If not, it

determines the anomaly type and the threat level, randomly selects n neighbors, with n

chosen according to the threat level, and sends them confirmation request packet(s).

When a node receives a confirmation request packet, the decision phase activates. A

neighbor replies with one of three responses: 1 (agrees with the claim), 0 (does not

know) and -1 (disagrees with the claim). The requesting node then decides based on the

responses received from the randomly selected nodes. There are three possible decisions:

validate (the accused node is abnormal), no consensus (not identified) and invalidate

(the node that sent the alert is itself compromised).

It is clear from the above discussion that the intrusion-aware validation algorithm

helps those methodologies that lack confirmation of the source of an alert, because

compromised nodes can generate false alarms against normal nodes. On the other hand, it

increases energy consumption as well as computational and control overhead.
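The two phases above as an added Python example, not the cited authors' code. The mapping from threat level to the number of polled neighbors and the majority criterion used to reach a verdict are assumptions; the paper states only that n depends on the threat level and that the decision is based on the responses.

```python
import random

# Assumed mapping of threat level to the number n of neighbors polled.
VALIDATORS_PER_THREAT = {"low": 3, "medium": 5, "high": 7}

AGREE, UNKNOWN, DISAGREE = 1, 0, -1


def pick_validators(neighbors, threat_level, rng=None):
    """Consensus phase: randomly select n neighbors according to the threat level."""
    rng = rng or random.Random()
    n = min(VALIDATORS_PER_THREAT[threat_level], len(neighbors))
    return rng.sample(sorted(neighbors), n)


def decide(responses):
    """Decision phase. Majority of the polled nodes is the assumed criterion:
    'validate' if most agree, 'invalidate' if most disagree, else 'no_consensus'.
    'Don't know' answers count toward the total, so they weaken either side."""
    if responses.count(AGREE) * 2 > len(responses):
        return "validate"
    if responses.count(DISAGREE) * 2 > len(responses):
        return "invalidate"
    return "no_consensus"


class Node:
    def __init__(self, node_id, neighbors):
        self.node_id = node_id
        self.neighbors = set(neighbors)
        self.malicious = set()        # nodes already declared abnormal

    def handle_alert(self, reporter, suspect, threat_level, ask, rng=None):
        """Process an alert from `reporter` accusing `suspect`. `ask(validator,
        suspect)` stands in for the confirmation request/response exchange and
        returns AGREE, UNKNOWN or DISAGREE."""
        if suspect in self.malicious:
            return "validate"
        pool = self.neighbors - {suspect, reporter}
        responses = [ask(v, suspect) for v in pick_validators(pool, threat_level, rng)]
        verdict = decide(responses)
        if verdict == "validate":
            self.malicious.add(suspect)
        elif verdict == "invalidate":
            # The alert source accused a node its neighbors consider normal.
            self.malicious.add(reporter)
        return verdict


if __name__ == "__main__":
    node = Node("A", ["B", "C", "D", "E", "F", "G", "H"])
    honest_view = lambda validator, suspect: AGREE if suspect == "X" else DISAGREE
    print(node.handle_alert("B", "X", "medium", honest_view))   # validate
    print(node.handle_alert("B", "Y", "low", honest_view))      # invalidate: B lied
    print(sorted(node.malicious))
```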

Pair-based Abnormal Node Detection

A novel distributed abnormal node detection technique is proposed in (Ahmed, et al.

2008). It uses both signature-based and anomaly-based techniques to identify

compromised nodes. In this technique, the sensor network is divided into pairs, which

in turn form groups. The groups communicate with each other in a hierarchical way and

are controlled by central pairs that act as cluster-heads.

There are two challenges: the creation of pairs (and from them groups), and the

detection mechanism for abnormal activity. The important points for making pairs are as

follows:

1. A pair is made between adjacent nodes according to some attribute such as the

distance between them, the energy of the node, response time, etc.

2. When a new node enters the network, it first searches for an unpaired node in its

neighborhood. If no such node is available, it broadcasts a request to make a

pair.

3. The first pair formed after deployment of the nodes in the sensor field is known

as the central pair. There may be several central pairs in the sensor field. Each

central pair forms a group of nodes; the groups communicate with each other in a

hierarchical way and are controlled by the central pairs, which act as

cluster-heads.

Every sensor node audits the behavior of its pairing node. Each node has a local

detection engine and a local knowledge-base, while there are two central components, a

central knowledge-base and a central signature key management engine, as shown in

Figure 9. These help in the detection of abnormal nodes in the network. Of the two, the

central signature key management engine is responsible for the secure transmission of

messages between the pairs and groups, and it communicates with the local detection

engine to verify a node.


Figure 9: Two nodes work in a pair to check the behavior of each other

The local knowledge-base collects data about the pairing node based on some predefined

features, and the local detection engine uses it to detect anomalies. The central

knowledge-base collects and stores information about all the nodes, both inside and

outside the group. It is updated whenever anomalous behavior is detected inside or

outside the group, and it shares the relevant information about the nodes with the

local knowledge-bases of individual nodes to give them a true picture of their pairing

node. Similarly, when an individual node finds an anomaly, it updates the central

database too. A node performs anomaly detection by consulting its local database first;

if it finds no sign of maliciousness there, it contacts the central database to detect

the abnormality.

Group-based Detection Scheme

A group-based detection mechanism is proposed in (Li, He and Fu 2008) that works in

two phases. In the first phase, the sensor network is partitioned into n groups. The

authors assume that all nodes of a group perform the same task, such as sensing some

attribute of the environment, and that their sensed values differ from each other by no

more than a certain threshold th. Each node generates a random timer T_Rnd. If it

receives no group joining request before the timer expires, it makes itself the root of

a new group and broadcasts this information to its neighborhood, inviting nodes to join

its group. When a node receives a group joining request:

• It determines the Euclidean distance between its own sensed data and that of the

root node of the group. This must be less than or equal to th/2.

• It calculates the number of hops to that root, which must be less than or equal

to a predefined maximum number of hops within a group.

If a node satisfies both conditions, it joins the group. After the sensor field has

been grouped, the second phase, intrusion detection, starts.
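The group-formation phase as an added Python example (not the cited authors' code). The topology, the sensor readings and the order in which the T_Rnd timers expire are constructed; that a root's joining request reaches every node within the maximum hop count is an assumption about how the request propagates.

```python
import math
from collections import deque

# Constructed topology and one-dimensional sensor readings (e.g. temperature).
ADJACENCY = {
    "A": {"B", "F"}, "B": {"A", "C"}, "C": {"B", "D"},
    "D": {"C", "E"}, "E": {"D"}, "F": {"A"},
}
READINGS = {"A": (20.0,), "B": (20.4,), "C": (20.8,),
            "D": (30.0,), "E": (30.3,), "F": (20.1,)}
# Order in which the nodes' random timers T_Rnd expire (assumed for the example).
TIMER_ORDER = ["A", "D", "C"]


def hops_from(root, adjacency):
    """Breadth-first search: hop count from root to every reachable node."""
    dist = {root: 0}
    queue = deque([root])
    while queue:
        u = queue.popleft()
        for v in adjacency[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def may_join(node, root, readings, hops, th, max_hops):
    """Both joining conditions from the text: data distance <= th/2 and
    hop distance to the root <= max_hops."""
    close_enough = math.dist(readings[node], readings[root]) <= th / 2
    return close_enough and hops.get(node, math.inf) <= max_hops


def form_groups(order, adjacency, readings, th, max_hops):
    """A node whose timer expires while still ungrouped becomes a root; every
    ungrouped node reached by its joining request joins if both conditions hold.
    Returns {root: [members]}."""
    group_of, groups = {}, {}
    for node in order:
        if node in group_of:
            continue                      # already joined someone else's group
        group_of[node] = node
        groups[node] = [node]
        hops = hops_from(node, adjacency)
        for other in sorted(adjacency):
            if other not in group_of and may_join(other, node, readings, hops, th, max_hops):
                group_of[other] = node
                groups[node].append(other)
    return groups


if __name__ == "__main__":
    print(form_groups(TIMER_ORDER, ADJACENCY, READINGS, th=2.0, max_hops=2))
    print(form_groups(TIMER_ORDER, ADJACENCY, READINGS, th=2.0, max_hops=1))
```

With a hop limit of two, node C joins A's group; with a limit of one it is left out, and because its own timer expires later while it is still ungrouped it becomes the root of a group of its own.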

Since the sensor nodes are grouped by the similarity of their sensed data, this

information can be used to detect the abnormal activity of a node during an attack.

When malicious activity is detected, the root or monitor node broadcasts a message

containing four attributes, i.e., alert, charged node, monitor node and timestamp,

where alert is the type of attack, charged node is the suspected compromised node,

monitor node is the one that performed the intrusion detection, and the timestamp

assures that the message is fresh. If a neighboring node receives N alert messages

from the same monitor node about the same charged node, it starts monitoring the

activities of both the charged node and the monitor node in promiscuous mode. If it

finds that a node is malfunctioning, it removes that node from its routing table.

The monitor node collects various types of data about the sensor nodes to audit their

behavior. Sensed data can be used to find fabricated-information attacks. Packet

sending and receiving rates are used to detect energy-exhausting and sink-hole attacks

respectively, whereas the packet dropping rate and the sending power help in analyzing

behavior for black-hole and worm-hole attacks respectively. The authors report a low

false alarm rate after applying the proposed methodology to real data acquired from 54

nodes deployed in the Intel Berkeley Research Lab in 2004.

3.3.2 Purely Centralized Approach

In several schemes, the sink or BS collects specific information from the sensor nodes

using some routing protocol and analyzes it to detect intrusions.

ANDES

A centralized anomaly detection mechanism for detecting fail-stop failures and several

routing protocol attacks is presented in (Gupta, Zheng and Cheng 2007). It works in two

main phases, i.e., collection of information and detection. ANDES gathers information

from the sensor network from two sources: the data plane (the normal, regular

collection of application data in the sensor network) and the management plane

(specific information requested from the sensor nodes using a specialized routing

protocol).

The sink or BS collects sufficient information before applying anomaly detection. The

approach consists of three main components. In the collection of application data, the

sink collects the regular data, under a few assumptions about that data: each node

sends its ID with every packet, and each node generates a packet after a certain time.

When data arrives at the sink, it records the sequence numbers of the last n messages

received from the node, updates the time-stamp of the last data packet received from

that node, and updates the total number of application packets received from each node.

Collection of management information is the second component. An additional

management routing protocol collects attributes such as address, parent, hops, send_cnt,

receive_cnt and fwd_cnt from each node at regular intervals. The detection policy

analyzes the gathered information to find anomalous behavior of the sensor node(s) or

intrusions. It works in three phases: analysis of application data, analysis of

management data, and cross-checking to determine the root cause of the attack.

The ANDES algorithm analyzes the application data to maintain a list of active and

connected nodes and to declare the current state of each node. The states are normal,

abnormal, and unattached or replicated. On the management data it performs three

operations: setting up active sets, creating routes, and self-learning. Nodes that

respond to the queries of the management routing protocol are kept in the active set.

ANDES creates a route to each node to find whether it is reachable or not.

Self-learning is a machine learning algorithm such as a decision tree (Mitchell 1997).

It is applied to four attributes, namely fwd_cnt, send_cnt, receive_cnt and failure_cnt.

Normal operation is assumed at the start, and ANDES calculates baseline values during

the first k epochs. These values are updated at the end of subsequent epochs and

compared with their moving averages.

ANDES uses the information gathered from the application plane and the management

plane to identify abnormal node(s). Cross-checking the two helps in classifying the

attacks.

Fail-stop failure: If the analysis of application data shows that a node is not

available, and that node is not in the active set (maintained from management data),

ANDES considers it a failed node and eliminates it from the network.

Selective forwarding, black-hole and sink-hole attacks: Consider node C, a

compromised node that launches a black-hole, sink-hole or selective forwarding attack

in the network topology shown in Figure 3. The routes created toward the sink are:

Node F: Sink → A → C → F

Node H: Sink → A → C → F → H

Node I: Sink → A → C → I

Node O: Sink → A → C → I → O

Node J: Sink → A → C → J

According to ANDES, nodes are initially considered white (normal). After the

create-route operation (constructing paths toward the sink), nodes are marked white or

black. In this example, F, H, I, O and J are active (they answer management queries),

but their application data does not reach the sink, and they are not children of any

failed node. A depth-first search from the sink finds a normal (white) node that has a

black child; that node is declared malicious, which is node C in this example.

Flooding: It is identified from careful analysis of the receive_cnt of each node.

Flooding causes a change in its average; if the change exceeds a certain threshold, the

sensor node is declared abnormal.
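The cross-check for the black-hole case above as an added Python example, not the ANDES code. The parent pointers follow the routes listed in the text; which nodes count as active and available is constructed for the example, and in particular it is assumed that node C's own application data still reaches the sink while the data of its children does not.

```python
# Routes built by the create-route operation, as parent pointers (from the text).
ROUTES = {"A": "Sink", "C": "A", "F": "C", "H": "F", "I": "C", "O": "I", "J": "C"}
# Nodes answering management-plane queries (the active set).
ACTIVE = {"A", "C", "F", "H", "I", "O", "J"}
# Nodes whose application data still reaches the sink (assumed for the example).
AVAILABLE = {"A", "C"}


def children(routes):
    """Invert the parent pointers into a tree: parent -> [children]."""
    tree = {}
    for node, parent in routes.items():
        tree.setdefault(parent, []).append(node)
    return tree


def colour_nodes(active, available):
    """black: active but no application data at the sink; white otherwise."""
    return {n: ("black" if n not in available else "white") for n in active}


def find_attackers(routes, active, available):
    """Depth-first search from the sink: a white node with a black child is the
    point where its children's traffic disappears, so it is declared malicious."""
    tree = children(routes)
    colour = colour_nodes(active, available)
    suspects = set()
    stack = ["Sink"]
    while stack:
        node = stack.pop()
        for child in tree.get(node, []):
            if colour.get(node, "white") == "white" and colour.get(child) == "black":
                suspects.add(node)
            stack.append(child)
    return sorted(suspects)


def failed_nodes(active, available, all_nodes):
    """Fail-stop failure: no application data and absent from the active set."""
    return sorted(n for n in all_nodes if n not in active and n not in available)


if __name__ == "__main__":
    print("colours:", colour_nodes(ACTIVE, AVAILABLE))
    print("suspected forwarders:", find_attackers(ROUTES, ACTIVE, AVAILABLE))
    print("failed nodes:", failed_nodes(ACTIVE, AVAILABLE, set(ROUTES) | {"B"}))
```

Nodes F and I are black themselves, so their black children H and O do not implicate them; only C, white with black children, is reported. A node that is neither active nor available is handled by the fail-stop rule instead.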

Application Independent Framework

In (Zhang, Yu and Ning 2008), the authors present a simple graph-theoretic approach

that efficiently detects compromised beacon nodes. Beacon nodes provide location

information to the sensor nodes; a compromised beacon node transmits false information

about other nodes and degrades the performance of the routing protocol. It is assumed

that the IDS agent is installed on the beacon nodes, which produce alerts about the

maliciousness of the sensor nodes. This is not a purely centralized IDS methodology,

because the nodes also play a role in detection; it is classified in this category

because the proposed detection framework itself runs only at the sink or BS. The beacon

nodes generate alerts about malicious activity, and the sink or BS receives these alerts

over a secure transmission protocol. Once a sufficient amount of data has been gathered,

it applies the proposed graph-theoretic detection mechanism to decide whether the

information was received from a reliable source or not.

The authors propose an application-independent framework. Their focus is on

identifying whether the source of information is reliable or compromised. Equipping

every sensor node with a Global Positioning System (GPS) receiver is expensive, so

beacon nodes are a resource-efficient alternative for networks that use location-based

routing. The major components of the proposed framework are the observability graph,

alerts, the sensor behavior model, the observer model, security estimation, and the

identification function.

3.3.3 Distributed-Centralized Approach

Generally, a hybrid technique combines the best features of two or more approaches to

achieve better performance. Distributed-centralized is a hybrid approach that combines

the purely centralized and purely distributed approaches. Here, the IDS agent is

installed only in some nodes, called monitor nodes. A monitor node listens in two

modes, normal and promiscuous. In normal listening, the monitor node interprets,

processes (in an application-dependent way) and forwards only the messages destined to

it, just as any regular sensor node does after receiving messages destined to it. In

promiscuous listening, the monitor node interprets all the messages it overhears,

whether they are destined to it or not.

In (Atakli, et al. 2008), the authors favor distributed-centralized approaches over

purely distributed ones. They avoid the complexity of an additional specialized routing

protocol (as needed by the purely centralized approach) and limit the overall energy

consumption of the sensor nodes (a weakness of the purely distributed approach).

Decentralized Intrusion Detection Model

A specification-based distributed-centralized IDS mechanism that is well known in the

field of IDS for WSNs is proposed in (Da Silva, et al. 2005). The authors simulate it in

C++ to analyze the detection rate. They test each specification by changing the

configuration of an abnormal (compromised) node placed at the same location in the

sensor field. There are 100 common nodes and 28 monitor nodes, distributed randomly in

the sensor field such that two monitor nodes surround the abnormal node and the other

common nodes are placed around it. The results show that the approach detects abnormal

behavior effectively while achieving a low false positive rate.

Figure 10: Monitor node

The IDS agent is installed in the monitor node. It works in three phases, as shown in

Figure 10. These are:

Data Acquisition: The monitor node listens in promiscuous mode. It maintains an array

data structure for each node in its neighborhood, recording the messages overheard from

it.

Rules Application: After collecting enough data in the first phase, the monitor node

checks whether any node violates a rule. There is a failure counter for each node; if a

node's data violates a rule, its counter is incremented. The monitor node applies rules

for the various attacks in the following way:

• Exhaustion attack: The interval rule detects this attack. The monitor node checks

the time interval between two consecutive messages sent by a node. If the node

sends messages more frequently than the others, or faster than a certain limit,

the failure information for that node is updated in the history table (which

stores failure information).

• Selective forwarding or black-hole attacks: The retransmission rule detects these

attacks. The monitor node interprets the collected data and checks whether the

next hop of message m has retransmitted (forwarded) the received message within

time t. Consider the black-hole or selective forwarding scenario depicted in

Chapter 2: if node C does not retransmit messages, the monitor node updates the

number of failures for it.

• Flooding attack: This attack is detected using the repetition rule. The monitor

node audits whether a node transmits the same message again and again. If it

broadcasts the same data message n times, where n exceeds a certain

retransmission range, the number of failures is updated in the history table.

Similarly, other rules, namely the integrity rule, delay rule and jamming rule, are

used for detecting message modification, delay and jamming attacks respectively.

Intrusion Detection: In this phase, the monitor node evaluates the failure history

table of each node. If the counter value exceeds a certain threshold th within a time

interval t, an alert is generated about that node. The authors simulate the

decentralized intrusion detection model in their own simulator (Su, et al. 2005), which

is implemented in C++. The results show that the methodology is energy-efficient and

achieves a detection rate of 100% for black-hole, selective forwarding and worm-hole

attacks.
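The interval rule, the repetition rule and the windowed threshold of the intrusion detection phase, as an added Python example that is not the cited authors' simulator code. The promiscuous trace is constructed, and the minimum interval, allowed repetitions, threshold th and window t are assumed parameters; the retransmission rule is left out here because it needs the buffered-packet check rather than the per-message state shown.

```python
from collections import defaultdict, deque

# Constructed promiscuous trace: (time in seconds, sender, payload).
# A reports regularly, B sends a tight burst (exhaustion) and D repeats the
# same message over and over (flooding).
TRACE = [
    (0.0, "A", "r1"), (10.0, "A", "r2"), (20.0, "A", "r3"), (30.0, "A", "r4"),
    (1.0, "B", "b1"), (1.5, "B", "b2"), (2.0, "B", "b3"), (2.5, "B", "b4"), (3.0, "B", "b5"),
    (5.0, "D", "alarm"), (15.0, "D", "alarm"), (25.0, "D", "alarm"),
    (35.0, "D", "alarm"), (45.0, "D", "alarm"), (55.0, "D", "alarm"),
]


class MonitorNode:
    def __init__(self, min_interval, max_repeats, threshold, window):
        self.min_interval = min_interval    # interval rule: minimum gap between messages
        self.max_repeats = max_repeats      # repetition rule: allowed copies of one message
        self.threshold = threshold          # failures tolerated inside the window (th)
        self.window = window                # the interval t of the intrusion detection phase
        self.last_sent = {}                 # node -> time of its previous message
        self.repeats = defaultdict(lambda: defaultdict(int))   # node -> payload -> count
        self.history = defaultdict(deque)   # history table: node -> (time, rule) failures

    def observe(self, t, sender, payload):
        """Data acquisition plus rule application for one overheard message."""
        prev = self.last_sent.get(sender)
        if prev is not None and t - prev < self.min_interval:
            self.history[sender].append((t, "interval"))
        self.last_sent[sender] = t
        self.repeats[sender][payload] += 1
        if self.repeats[sender][payload] > self.max_repeats:
            self.history[sender].append((t, "repetition"))

    def evaluate(self, now):
        """Intrusion detection: alert on nodes with more than `threshold` failures
        inside the last `window` seconds. Returns {node: [violated rules]}."""
        alerts = {}
        for node, hist in self.history.items():
            while hist and hist[0][0] < now - self.window:
                hist.popleft()              # forget failures outside the window
            if len(hist) > self.threshold:
                alerts[node] = sorted({rule for _, rule in hist})
        return alerts


def run(trace, min_interval, max_repeats, threshold, window):
    """Replay a trace in time order and evaluate at the time of the last message."""
    monitor = MonitorNode(min_interval, max_repeats, threshold, window)
    for t, sender, payload in sorted(trace):
        monitor.observe(t, sender, payload)
    return monitor.evaluate(max(t for t, _, _ in trace))


if __name__ == "__main__":
    print(run(TRACE, min_interval=2.0, max_repeats=3, threshold=2, window=60.0))
    print(run(TRACE, min_interval=2.0, max_repeats=3, threshold=2, window=5.0))
```

The window matters as much as the threshold: with a 60 s window both B and D are reported, while a 5 s window evaluated at the last message has already forgotten B's burst and sees only one of D's repetitions.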

Hybrid Intrusion Detection System

A cluster-based detection mechanism is presented in (Hai, Khan and Huh 2007) that

finds intrusions using a hybrid detection policy uniting the benefits of misuse-based

and anomaly-based detection techniques. The authors acknowledge and build on two of the

approaches discussed earlier in this chapter and on one other work for the clustering

methodology. These are summarized below:

Clustering algorithm: The sensor network is organized into clusters as described by

(Heinzelman, Chandrakasan and Balakrishnan 2000). Each cluster has a cluster-head (CH),

and every sensor node belongs to exactly one cluster. The nodes sense the environment

according to their configuration and communicate with their CH. The CH aggregates the

gathered data and communicates with the sink or BS through other CHs. This reduces the

overall control overhead.

Page 48: A Specification-based Distributed Intrusion Detection ...prr.hec.gov.pk › jspui › bitstream › 123456789 › 9805 › 1...titled A Specification-based Distributed Intrusion Detection

Intrusion Detection Systems for Wireless Sensor Networks

34

IDS agent architecture: Spontaneous watchdog approach is applied. Every node

contains the IDS agent. Whenever a sensor node detects any malicious activity whether

through local agent or global agent, it sends an alert to the cluster-head (CH). Here,

cluster-head acts like a local BS. It takes decision when it receives alerts greater than or

equal to some X (threshold) about any node. It communicates this information with

other nodes of the cluster and they update their malicious node database.

Detection policy: The local agent holds the signatures of nodes already detected as malicious in its database, so it drops the packets it receives from such nodes. The global agent, when activated, works in promiscuous mode.

Routing attacks such as selective forwarding, sink-hole, hello flood and worm-hole can be detected using this mechanism. Results from mathematical analysis show that the probability of detecting an attack increases with the number of monitor nodes.

Cumulative Summation

An anomaly-based distributed-centralized detection mechanism that analyzes the behavior of nodes is discussed in (Phuong, et al. 2006). It secures a WSN from three categories of attacks using an anomaly detection algorithm called Cumulative Summation (CUSUM). The three categories are:

• A compromised node attracts the attention of other nodes, as in black-hole, sink-hole or worm-hole attacks.

• Attacks that affect the packets' data, such as collision.

• A compromised node floods packets to exhaust the resources of other nodes.

The IDS agent is installed in the monitor nodes only. The architecture of a monitor node is almost the same as shown in Figure 10, but here the monitor node performs two operations to detect abnormal behavior of neighboring nodes: data acquisition and anomaly detection. In data acquisition, the monitor node listens in promiscuous mode. It maintains a table containing the total number of incoming and outgoing packets for each neighbor n (1, 2, 3... N), as shown in Table 3. CUSUM then works on this statistical data to find intrusions. The authors analyze the network behavior under the three categories of attacks mentioned above and identify three quantities that change as a result of these attacks:

• Number of messages received by a node.

• Number of collisions occurring with a node's packets.

• Number of packets emerging from a node.

Table 3: Data acquisition in CUSUM

Neighbour | Incoming packets | Outgoing packets

Neighbour# 1 | X | x

Neighbour# 2 | X | x

... | ... | ...


In anomaly detection, CUSUM detects these three changes to find abnormal behavior of the nodes. Consider that an adversary compromises node C (sensor network topology in Figure 3) and launches a black-hole attack. Let one or more of the neighbors of node C (see Figure 4 (a)), A, D, J, I and F, be monitor nodes. They observe that node C receives a lot of messages during some time interval, and generate an alert of type one (a node compromised to attract the attention of other nodes).

The CUSUM algorithm is widely used in different networks to detect abnormal transitions in the mean of a random sequence. The CUSUM-based scheme is not simulated by the authors in (Phuong, et al. 2006), so it is difficult to assess the effectiveness of this algorithm in WSNs.

Matrix Based Detection

A matrix-based detection scheme in which the IDS agent is trained to interpret the behavior of nodes is presented in (Pandey, et al. 2016). The agent is provided with a matrix, stored in its buffer, that holds values describing the behavior of the nodes. The values are 0 or 1. If at any stage the value in the matrix becomes zero, the node is considered malicious. This information is shared with the BS, which takes further action.

Multi-agent trust-based intrusion detection scheme

A multi-agent trust-based intrusion detection scheme, in which intrusion detection is performed using Mahalanobis distance theory at both CHs and normal sensor nodes, is proposed in (Jin, et al. 2017). Node trust attributes are identified and values are assigned using that theory. These trust values indicate whether a node is working normally or maliciously.

Signaling game-based strategy

Shen et al. adopt a distributed-centralized network in which every node has an IDS agent, but only the node that becomes CH activates the IDS functionality (Shen and Cao 2011). They apply the signaling game strategy to develop an intrusion detection game model and use Bayesian rules to determine the state of a node.

Hybrid trust-based intrusion detection

In (Ozcelik, Irmak and Ozdemir 2017), the authors propose a hybrid intrusion detection system for hierarchical WSNs. The detection scheme works using functional reputation and misuse detection rules. CHs determine the functional reputation of the cluster nodes and communicate it to the BS. The BS interprets these messages and identifies malicious nodes using misuse detection rules.

3.4 IDS-based security schemes for LEACH protocol

The LEACH protocol is vulnerable to different types of attacks such as black hole, selective forwarding and sink hole attacks. In LEACH, a compromised node advertises ADV_CH with false distance information in each round in order to become CH of as many nodes as possible. Once it becomes CH, it behaves according to the configuration set by the adversary. Several schemes have been proposed for securing the LEACH protocol from inside attacks. These are listed in Table 4.


Table 4: IDS based security schemes for LEACH protocol

Title | Approach | Methodology | Threat type | Attack Analysis | Testing Environment

Intrusion detection and prevention (Su, et al. 2005) | Intrusion detection / Cryptography | Purely distributed / Authentication | Inside and outside attacks | Packet Forwarding Misbehavior | LEACH CAD Tool (NS-2 based)

Secure cluster-based sensor network (Hsieh, Huang and Chao 2007) | Intrusion detection / Cryptography | Centralized distributed / Authentication | Inside and outside attacks | Packet Forwarding Misbehavior | LEACH protocol

Specification based detection (Lee, Lee and Yoo 2012) | Intrusion detection | Centralized distributed / Specification based | Inside attack | Misbehavior attack patterns by member nodes and CH | LEACH protocol (NS-2)

Adaptive Correctness Monitoring (Herbert, et al. 2007) | Intrusion detection | Hierarchical Sensor Network Debugging | Misbehavior | Sudden faults or sudden change in data trends | LEACH protocol (Mica2 Motes)

LEACH-S (Chen, Yang and Chen 2010) | RSSI based Intrusion detection | Centralized distributed / Received signal strength indicator | Inside attack | Sybil attack | LEACH protocol (NS-2)

Stable Election Protocol (Abdullah, Alsanee and Alseheymi 2014) | KNN based Intrusion detection | Distributed / Anomaly detection | Outliers | Probe, DoS, etc. | KDD Cup'99 using MATLAB

Intrusion detection algorithm (Sundararajan and Arumugam 2015) | Intrusion ratio | Centralized / Anomaly | Inside attack | Sinkhole attack | TETCOS NETSIM

Artificial Neural Network (Almomani, Al-Kasasbeh and AL-Akhras 2016) | WSN Dataset | Centralized / Anomaly | Inside attack | Black-hole, Flooding, Gray-hole | LEACH protocol

SSLEACH (Kumar and Umamakeswari 2016) | Intrusion detection | Purely distributed / Specification based | Inside attack | Sinkhole attack | LEACH protocol (NS-2)

Anomaly detection system (Bansal and Saluja 2016) | Intrusion detection | Centralized / Anomaly | Inside attack | Black-hole attack | LEACH protocol (NS-2)

1.4.1 Intrusion detection and prevention

An intrusion detection and prevention security method that safeguards against both outside and inside attacks is proposed in (Su, et al. 2005). The authors present a distributed detection policy in which the CH enquires about the cluster nodes and the cluster nodes watchdog the working of the CH. They tested their approach against packet forwarding misbehavior using the LEACH protocol. The scheme operates at two levels, cluster node and CH; it consumes more energy and is computationally expensive. In another work, a secure cluster-based sensor network is proposed as an adaptive security design that safeguards against outside attacks by authentication and against inside attacks by a centralized distributed detection scheme (Hsieh, Huang and Chao 2007). It has a response unit and a trust evaluation unit. The response unit is responsible for deciding about the intrusive behavior of a node in the network. The trust evaluation unit works at the monitor node, where it maintains a trust status for each node and lowers the trust of a node whenever it receives a claim about that node generated by the response unit.

1.4.2 Specification based centralized distributed detection scheme

A specification-based centralized distributed detection scheme for the LEACH protocol is discussed in (Lee, Lee and Yoo 2012). In this scheme, cluster member nodes and CHs act as monitor nodes and send claim messages to the BS, which takes appropriate action against the claimed nodes. The IDS agent installed at the CH, member nodes and BS uses the architecture presented by (Zhang, Lee and Huang 2003), a distributed framework for mobile nodes forming an ad hoc network that favors cooperation with neighboring IDS agents. A numerical analysis of the proposed specification-based distributed cooperative detection scheme is formulated to find its energy efficiency.

1.4.3 Adaptive Correctness Monitoring

In (Herbert, et al. 2007), the authors propose a framework called hierarchical sensor network debugging for detecting invariants or misbehavior in the installed system. The system is designed to help programmers improve the system after faults are found, so that the installed system can be reprogrammed without bugs; that is why it is called a debugging tool. The system can detect sudden changes in the environment, but it is expensive with regard to communication, computation and storage.

1.4.4 LEACH-S

A security methodology is presented in (Chen, Yang and Chen 2010) to secure the LEACH protocol from the Sybil attack. The scheme is based on the received signal strength indicator (RSSI) of the nodes. It is a distributed centralized approach in which sensor nodes detect the abnormal behavior of other sensor nodes. The intrusion detection system declares a Sybil attack once it receives more CH join requests than a certain threshold.

1.4.5 Stable Election Protocol

Abdullah et al. design an intrusion detection system based on the Stable Election Protocol (SEP) for clustered heterogeneous WSNs (Abdullah, Alsanee and Alseheymi 2014). They propose using a K Nearest Neighbor (KNN) classifier to find outliers. They focus on the LEACH routing protocol when designing the IDS, but the results are obtained by applying KNN to the well-known KDD Cup'99 data set. In a recent work, Sundararajan et al. propose a centralized intrusion detection system in which the BS is responsible for calculating the intrusion ratio, or maliciousness, of the sensor nodes (Sundararajan and Arumugam 2015). Here, the intrusion ratio is measured based on the transmissions done or received by the CHs. We have countered the centralized approach for securing WSNs in our previous work (Farooqi, Khan and Wang, et al. 2013) and discussed that such schemes do not suit these networks, which are infrastructure-less and whose nodes are self-organized.

1.4.6 Artificial Neural Network

In (Almomani, Al-Kasasbeh and AL-Akhras 2016), an IDS solution is proposed that detects malicious nodes using an anomaly-based detection scheme over the LEACH protocol. An Artificial Neural Network (ANN) is trained on the dataset to detect and classify different DoS attacks. As discussed earlier, anomaly-based detection schemes do not suit WSNs.

1.4.7 SSLEACH

Kumar et al. also present a specification-based intrusion detection scheme called SSLEACH to secure WSNs from the sinkhole attack (Kumar and Umamakeswari 2016). They discuss how their approach performs better with respect to energy consumption, but give no detail about detection rate analysis. In their Algorithm 1, a node is declared malicious if the number of packets it receives is less than the number of packets sent to it. LEACH is a hierarchical routing protocol that works in rounds, and because a CH applies data aggregation, the number of packets it receives is greater than the number of packets it sends to the BS. Hence, every node will declare the CH malicious under that algorithm, and the majority of nodes will be in the malicious list after a few rounds. The proposed solution is not validated against security parameters such as detection rate, false positive rate and accuracy.

1.4.8 Anomaly detection system

An anomaly detection system that detects the black-hole attack at the BS is proposed in (Bansal and Saluja 2016). It is a purely centralized approach in which the BS maintains a list of nodes that advertise ADV_CH messages. If a node advertises this message the maximum number of times, it is declared a malicious node, and the BS broadcasts a message about the maliciousness of that node to the sensor nodes. The proposed approach fails to define the value of "maximum", which is the key factor for checking the number of advertisements. Secondly, it is a centralized approach, and we proved that such an approach is not feasible for handling attacks (Farooqi, Khan and Wang, et al. 2013). Lastly, the proposed anomaly-based solution is not tested against security parameters such as detection rate, false positive rate and accuracy. It would be considerably light-weight, as the detection policy is installed at the BS only.

3.5 Summary

In this chapter, a detailed discussion and analysis of the existing intrusion detection systems for wireless sensor networks and for the hierarchical routing protocol LEACH is presented. An IDS is an essential component of security for every network. Energy-efficient intrusion detection systems are suitable for wireless sensor networks. Purely centralized IDS approaches are power efficient because the most powerful part of the network (sink or BS) detects intrusions, but these techniques are complex and require some specialized routing protocol that gathers data from each sensor node to the BS or sink for anomaly detection. On the other hand, purely distributed IDS techniques are not energy-efficient because an IDS agent is installed in every node, which adds extra computation and power consumption at the node level. The distributed-centralized IDS approach suits WSNs in terms of energy consumption and complexity, but it has its own constraints.

LEACH is the hierarchical routing protocol selected to test the intrusion detection framework proposed in this dissertation. Hence, the work related to securing the LEACH protocol is presented in this chapter as well, along with the limitations of each proposed approach.

To conclude the findings of this chapter, WSNs are vulnerable to several inside attacks that affect the overall performance of the network. These attacks result in a wrong interpretation of the sensor field. There is a requirement for an energy-efficient intrusion detection system that works in a distributed manner and cooperates with other nodes to identify abnormal behavior of the nodes in a sensor network.


Chapter 4

Proposed Intrusion Detection Framework for WSNs

Wireless sensor networks are used in various applications to make decisions about the area under consideration. These applications range from military to healthcare. There are multiple applications that use the benefits of WSNs together with the concept of cloud computing to provide better services to the community. It is important to secure a sensor network to achieve better performance of such networks. Hence, it is essential to have a system that secures these networks from adversaries. Mostly, security is not considered during the design of routing protocols (Giannetsos, Krontiris and Dimitriou 2008). Therefore, most routing protocols are vulnerable to security threats, and there is a requirement for a security model that is added to these routing protocols to make them resilient against routing attacks. In this chapter, we present a novel intrusion detection methodology that can be added to such routing protocols to secure them against routing attacks.

4.1 Introduction

The proposed intrusion detection framework (IDF) is a distributed detection system that works in a distributed environment (Farooqi, Khan and Wang, et al. 2013). Figure 11 illustrates the key modules of the proposed intrusion detection framework. It works in two modes. Online prevention safeguards against abnormal nodes that have already been declared, while offline detection finds nodes that are being compromised by the adversary during the next epoch of time. Offline detection applies a distributed detection policy to find intrusions and collaborates with neighboring nodes to make the final decision about the maliciousness of the claimed nodes.

The IDF works in promiscuous mode. It listens to every kind of traffic and then decides whether to process a message or send it to the next hop (acting like a router). Whenever a node senses a message, it is collected by two modules: local auditing and data collection. The local auditing module verifies that the message is destined to the node and comes from a legitimate neighbor. If its status is clear, the sensor node processes the message and performs its normal task. At the same time, the data collection unit forwards the received packets to the content suppression unit, which interprets the header to acquire the required information. Once the data has been processed, the intrusion detection policy is applied. The result of this unit is transmitted for cognitive decision making. If the failure level is above a certain expected value, an alert is generated. After communication with neighboring IDS agents, the node is finally declared abnormal or normal. If it is declared malicious, an action is taken against it.

Figure 11: Proposed intrusion detection framework

4.2 Online prevention

Whenever a node senses a message, online prevention validates whether the packet is coming from a legitimate neighboring node or not. If it is received from a normal node, the sensor node performs its normal task; otherwise it discards the packet immediately. The general flow is depicted in Figure 12.

Figure 12: Online prevention


Following is the description of the different elements that play a part in online prevention, as shown in Figure 12.

4.2.1 Data Repository

Sensor nodes do not by default hold data about already declared malicious nodes (Roman, Zhou and Lopez 2006). There should be a container that holds this information; here, it is called the Data Repository. It has two lists: one regarding neighboring nodes and another containing a list of malicious nodes.

Sensor nodes have a small memory, so the data repository module should not take too much space. Sensor nodes join and leave the network, so the neighborhood list (N_List) should be updated on each such event. The format of N_List is shown in Table 5. It contains three fields: the neighbor node ID, the time stamp of the last packet received from that node, and the status of whether that node is normal or not.

Table 5: Neighborhood List (N_List)

Node_ID | Time Stamp | Status (Normal or Mal.)

C | C_New | N or M

I | I_New | N or M

The second list, called the malicious nodes list (M_List), holds information about nodes other than the neighboring nodes that have been declared abnormal. The format of M_List is shown in Table 6. It has two fields: node ID and maliciousness level.

Table 6: Malicious Node List (M_List)

Node_ID | Status

D | Mal_Level

Node_ID is indexed by taking the hash of the actual ID, and the other fields are populated accordingly. If a fixed-size array data structure is used for N_List, a suitable hash function helps to place and retrieve the values. This is expensive with respect to memory but efficient with respect to computation: in the best case the time complexity is O(1). The worst-case time complexity depends on how two colliding hash outputs are handled, e.g. by open chaining.

4.2.2 Local Auditing

The local auditing unit verifies and validates incoming packets as described in Algorithm 1. It consults the data repository module and decides whether to discard a packet or forward it for further processing. Here, "processing" means performing normal activities; it depends purely on the configuration and application of the sensor node. The systematic working of this module is given in Algorithm 1.

It works in promiscuous listening mode, as discussed earlier. It listens to all communications that take place within the radio range of the node. Whenever it receives a packet, it decides whether to process or drop it. Firstly, the packet should be destined to this node. After that, it checks the source of the packet, which should be the address or ID of a neighbor node (in N_List). The packet is discarded if it does not belong to the neighborhood; this approach takes care of the laptop attack as well. If the received packet is from one of the neighboring nodes, the status of that neighbor is checked, and the received message is processed further only if it is from a normal node.

Algorithm 1: Local Auditing at node J

Input: Packets from other nodes

Output: Validation of packet (discard or accepted)

Begin
  If received packet is destined for node J
    If it is from neighbor (Tally N_List)
      If neighbor is not malicious
        accept it for further processing
      Else
        discard it
      End If
    Else
      discard it
    End If
  Else
    discard it
  End If
End

This unit consults the data repository regularly, so its performance is directly tied to the implementation of the data repository. If it is array-based, the best-case time complexity of a tally is O(1); if it is implemented using a linked list, it is O(n), where n is the length of the list.
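As an added illustration that is not code from this thesis, the following Python sketch implements the Data Repository of Section 4.2.1 (N_List as a hashed fixed-size array with open chaining, M_List as a map) and the local auditing check of Algorithm 1 at node J. The packet header fields, the hash function, the sample neighbors and the sample traffic are assumptions made for this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet header for this example; the thesis does not fix a format."""
    src: str   # ID of the transmitting node
    dst: str   # ID of the intended receiver
    ts: int    # arrival time stamp (abstract clock ticks)


def slot_of(node_id, slots):
    """Index a node ID into the fixed-size N_List array by hashing it (Section 4.2.1)."""
    digest = hashlib.sha256(node_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % slots


class DataRepository:
    """N_List as a hashed fixed-size array with open chaining (Table 5) and
    M_List as a plain map Node_ID -> Mal_Level (Table 6)."""

    def __init__(self, slots=16):
        self.slots = slots
        self.n_list = [[] for _ in range(slots)]   # each slot: list of [id, ts, status]
        self.m_list = {}

    def _entry(self, node_id):
        for entry in self.n_list[slot_of(node_id, self.slots)]:
            if entry[0] == node_id:
                return entry
        return None

    def add_neighbor(self, node_id, ts, status="N"):
        entry = self._entry(node_id)
        if entry is None:
            self.n_list[slot_of(node_id, self.slots)].append([node_id, ts, status])
        else:
            entry[1], entry[2] = ts, status

    def neighbor_status(self, node_id):
        """Tally N_List: 'N' or 'M' for a neighbor, None for a non-neighbor."""
        entry = self._entry(node_id)
        return None if entry is None else entry[2]

    def declare_malicious(self, node_id, mal_level=1):
        """Outcome of offline detection: a neighbor flips to 'M' in N_List,
        any other node goes to M_List with its maliciousness level."""
        entry = self._entry(node_id)
        if entry is not None:
            entry[2] = "M"
        else:
            self.m_list[node_id] = mal_level


def local_audit(self_id, pkt, repo):
    """Algorithm 1 at node self_id: returns ('accept' | 'discard', reason)."""
    if pkt.dst != self_id:
        return "discard", "not destined to this node"
    status = repo.neighbor_status(pkt.src)
    if status is None:
        return "discard", "sender not in N_List (outsider / laptop attack)"
    if status == "M":
        return "discard", "sender is a neighbor already declared malicious"
    repo.add_neighbor(pkt.src, pkt.ts, "N")   # refresh time stamp of last packet
    return "accept", "from a normal neighbor; pass to normal processing"


def audit_sample_traffic():
    """Constructed scenario: node J with the seven neighbors of Section 4.3,
    after offline detection has declared neighbor C and non-neighbor Z malicious."""
    repo = DataRepository()
    for n in ("C", "D", "E", "F", "I", "O", "M"):
        repo.add_neighbor(n, ts=0)
    repo.declare_malicious("C")
    repo.declare_malicious("Z", mal_level=2)      # not a neighbor: lands in M_List
    traffic = [Packet("I", "J", 5),   # normal neighbor -> accept
               Packet("C", "J", 6),   # malicious neighbor -> discard
               Packet("Z", "J", 7),   # unknown sender -> discard
               Packet("I", "C", 8)]   # overheard, not for J -> discard
    return [local_audit("J", p, repo)[0] for p in traffic], repo
```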

4.3 Offline detection

Offline detection finds nodes that are compromised by an adversary after the installation of the sensor network. It is composed of various elements, as shown in Figure 11, and works in promiscuous mode. The data collection unit listens to every kind of traffic and forwards the received packets to the content suppression unit, which interprets the header to acquire the required information. Once the data has been processed, the detection policy is applied. The result of this unit is transmitted for cognitive decision making. If the failure level is above a certain expected value, an alert is generated. After communication with neighboring IDS agents, the node is finally declared abnormal or normal. If it is declared malicious, an action is taken against it by the consolation unit.

Consider a flat wireless sensor network of 24 nodes (A – X), shown in Figure 3. They communicate with the BS using some routing protocol. We have made a few assumptions about the sensor network that help to understand the proposed mechanism. First, the sensor network is static. Second, sensor nodes cannot join after a time interval called the initialization phase; this is the period in which nodes form a topology after communicating with their neighbors to find a route to the sink or BS. Third, sensor nodes send data messages after some random time interval. Lastly, nodes should initiate route discovery after some specific time interval, which must be equal to or greater than the time required for the IDF to make a decision.

We explain the working of the different elements of offline detection through the network topology discussed above. Consider node J as an example node having seven neighbors (C, D, E, F, I, O and M).

4.3.1 Data Collection

Sensor nodes usually listen promiscuously to the communication between neighboring nodes that reside in their radio range. In our proposed framework, the data collection unit simply listens to these packets and passes them to the data processing unit. It does not store these packets; it is just a channel between the outside world and the inner detection body.

4.3.2 Content Suppression

Whenever a packet is received from the data collection unit, its header is interpreted to analyze the actual transaction, and the values are updated in the audit data list (A_List). This list holds the data that the intrusion detection unit uses to determine the maliciousness level of the surrounding nodes. The format of this list for the example scenario mentioned above is shown in Table 7.

Table 7: Audit Data List (A_List) at node J

Node_ID | Packet Sent (A_snt) | Packet Received (A_rec) | Packet Forward (A_fwd) | Packet Retransmit (A_rtm)

C | C1 | C2 | C3 | C4

I | I1 | I2 | I3 | I4

… | … | … | … | …

Let node J sense a packet. It interprets the header and finds that the packet was sent by node I to node C. So node J increments the sent field of node I and the received field of node C in its A_List. Suppose node C does not forward that packet for some time "t", so node I retransmits the same packet. Then two values change in the A_List of node J: the retransmit field of node I and the received field of node C. Now, when node C forwards the packet it received from node I, A_List updates only the forward field of node C.

The implementation of A_List is like that of N_List, because it is updated on each event in the surroundings. The length of A_List depends on the number of nodes from which the node hears messages; hence, we can make some assumption about the length of A_List if we know the density of the network. It is clear from the above discussion of A_List that no packet is stored; some fields of every packet are checked and then the packet is discarded.

The above process continues until some time epoch. After this, A_List is cleaned by removing the entries of nodes already declared malicious, by tallying with M_List. The final A_List is sent to the intrusion detection unit. Once it has been communicated, A_List is refreshed and content suppression starts again.


4.3.3 Intrusion Detection

Specification-based detection schemes are considered more favorable for WSNs (Roman, Zhou and Lopez 2006) (Krontiris and Dimitriou 2007) (Da Silva, et al. 2005), because misuse detection approaches cannot handle unknown attacks while anomaly detection techniques are computationally expensive. In this module, specific rules designed for a routing protocol are applied to detect routing attacks by validating the data collected by the content suppression unit. These rules are formulated for a particular routing protocol; for example, (Dimitriou, Krontiris and Giannetsos 2008) discuss various rules to detect the sink-hole attack for the MintRoute routing protocol, and (Loo, et al. 2006) formulate different rules to detect various routing attacks for the AODV routing protocol. Such rules are designed after analyzing the normal working of the network and the way the network behaves after a specific attack is launched.

We explained the effect of launching different routing attacks on the above-mentioned example of a flat WSN (Farooqi and Khan 2012) in the previous chapter. We made rules to detect various routing attacks, inspired by (Stetsko, Folkman and Vashek 2010) (Da Silva, et al. 2005) (Hai, Khan and Huh 2007) (Phuong, et al. 2006), but formulated differently for the presented network scenario. Here, the detection scheme sets thresholds after a normal execution of the flat WSN. If a sensor node's behavior violates these thresholds during the next epoch of time, a flag is set against the respective field in the flag list (F_List).

The structure (shown in Table 8) and implementation of the flag list are like those of A_List, but it contains flags in the respective field positions. These are:

• N (miN): the value is less than the minimum threshold value and shows an attack pattern

• X (maX): the value is greater than the maximum threshold value and shows an attack pattern

• L (normaL): the value is between N and X, or is less/greater than the threshold value but does not show any attack pattern

Table 8: Flag List (F_List)

Node_ID | Packet Sent (F_snt) | Packet Received (F_rec) | Packet Forward (F_fwd) | Packet Retransmit (F_rtm)

C | N/X/L | N/X/L | N/X/L | N/X/L

I | N/X/L | N/X/L | N/X/L | N/X/L

… | … | … | … | …

Threshold values may be set using any specific algorithm or any stochastic process that includes some intelligence. For the present sensor network scenario, these values may be set by executing the sensor network normally; in other words, a simulator runs the network normally and the values are calculated accordingly. These values are stored in a threshold list (T_List), shown in Table 9.


Table 9: Threshold List (T_List)

Node_ID | N_Snt | X_Snt | N_Rec | X_Rec | N_Fwd | X_Fwd | N_Rtm | X_Rtm

C | CN_Snt | CX_Snt | CN_Rec | CX_Rec | CN_Fwd | CX_Fwd | CN_Rtm | CX_Rtm

I | IN_Snt | IX_Snt | IN_Rec | IX_Rec | IN_Fwd | IX_Fwd | IN_Rtm | IX_Rtm

… | … | … | … | … | … | … | … | …

There are two ways in which T_List can be maintained. Firstly, take the average of the values obtained for all the nodes for each field. Secondly, simulate the sensor network n times and then calculate the thresholds for each node by taking the averages of the values obtained for that node. T_List contains a single value per field for all the nodes in the first implementation, while it has one value per node in the second. The second case seems more realistic because it suits the dynamic nature of a sensor network.

The following algorithm (Algorithm 2) explains the detection policy. It has two inputs, A_List and T_List, which are analyzed to populate F_List.

Algorithm 2: Detection Policy
Input: Audit Data List (A_List), Threshold List (T_List)
Output: Flag List (F_List)
Begin
  Case I: (Packet Sent)
    If Node_ID.A_snt < Node_ID.N_Snt
      Node_ID.F_snt = N
    Else If Node_ID.A_snt > Node_ID.X_Snt
      Node_ID.F_snt = X
    Else
      Node_ID.F_snt = L
    End If
  Case II: (Packet Receive)
    If Node_ID.A_rec < Node_ID.N_Rec
      Node_ID.F_rec = L      // below miN is not an attack pattern for receiving
    Else If Node_ID.A_rec > Node_ID.X_Rec
      Node_ID.F_rec = X
    Else
      Node_ID.F_rec = L
    End If
  Case III: (Packet Forward)
    If Node_ID.A_fwd < Node_ID.N_Fwd
      Node_ID.F_fwd = N
    Else If Node_ID.A_fwd > Node_ID.X_Fwd
      Node_ID.F_fwd = L      // above maX is not an attack pattern for forwarding
    Else
      Node_ID.F_fwd = L
    End If
  Case IV: (Packet Retransmit)
    If Node_ID.A_rtm < Node_ID.N_Rtm
      Node_ID.F_rtm = L      // below miN is not an attack pattern for retransmission
    Else If Node_ID.A_rtm > Node_ID.X_Rtm
      Node_ID.F_rtm = X
    Else
      Node_ID.F_rtm = L
    End If
End

The values stored against each node ID in A_List are compared with the corresponding field value of T_List to find whether they are less than, equal to or more than that value. The following is the explanation of Algorithm 2.

1. Case I (Sending rate analysis)
• Less than miN: the node might be damaged or exhausted.
• More than maX: flooding attack, or any other routing attack that compromises the node so that it sends many packets.

2. Case II (Receiving rate analysis)
• Less than miN: not affected; it might be due to another compromised node.
• More than maX: transport or routing attack: collision, flooding, worm-hole, sink-hole, black-hole or selective forwarding attack.

3. Case III (Forward rate analysis)
• Less than miN: routing attack (node compromised with homing, selective forwarding or black-hole attack).
• More than maX: not affected; it might be due to another compromised node.

4. Case IV (Retransmission rate analysis)
• Less than miN: not affected; it might be due to another compromised node.
• More than maX: collision attack.

We implemented a simulator in Visual Studio .NET 2008 using C#. The basic purpose of developing the simulator is to provide a test-bed for testing the efficiency of a specification-based detection policy. The results show that the proposed detection mechanism achieves a high intrusion detection rate and a low false positive rate.

4.3.4 Cognition

The cognition module is responsible for making a decision about the behavior of the sensor nodes. Cognitive decision making starts once F_List has been updated from A_List and T_List. We propose three postulates for this procedure:

1) If the number of L flags is less than or equal to two, then the node's maliciousness level is considered high (HIG).

2) If the number of L flags is three, then its maliciousness level is considered medium (MED).

3) A sensor node is a normal one if its behavior does not match either of the above. Its maliciousness level is considered low (LOW).

At the end of this phase, a list containing the maliciousness information of each node is populated, called the maliciousness level list (ML_List). The format of this list is shown in Table 10.

Table 10: Maliciousness Level List (ML_List)

Node_ID   Maliciousness Level
C         HIG
D         MED
I         LOW

Suppose node C violates many rules, node D violates a few of them and node I does not violate any; hence their maliciousness levels are HIG, MED and LOW respectively.
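The detection policy of Algorithm 2 followed by the three cognition postulates, as an added Python example that is not the thesis's C# simulator; the thresholds and audit counts are constructed sample values, and the two attack-pattern tables encode Cases I to IV of the explanation above.

```python
# Added example, not code from the thesis's C# simulator: Algorithm 2
# (detection policy) followed by the three cognition postulates. The
# thresholds and audit counts below are constructed sample values.
from dataclasses import dataclass
from typing import Dict, Tuple

FIELDS = ("snt", "rec", "fwd", "rtm")  # sent, received, forwarded, retransmitted

# Which out-of-band deviations count as an attack pattern (Cases I-IV of the
# explanation).  A deviation the thesis marks "not affected" gets flag L even
# though the count lies outside the [N, X] band.
ATTACK_BELOW_MIN = {"snt": True, "rec": False, "fwd": True, "rtm": False}
ATTACK_ABOVE_MAX = {"snt": True, "rec": True, "fwd": False, "rtm": True}


@dataclass(frozen=True)
class Thresholds:
    """One row of T_List: (N, X) = (minimum, maximum) per field."""
    snt: Tuple[int, int]
    rec: Tuple[int, int]
    fwd: Tuple[int, int]
    rtm: Tuple[int, int]


def flag(value: int, band: Tuple[int, int], field: str) -> str:
    """One case of Algorithm 2: map an audited count to N, X or L."""
    low, high = band
    if value < low:
        return "N" if ATTACK_BELOW_MIN[field] else "L"
    if value > high:
        return "X" if ATTACK_ABOVE_MAX[field] else "L"
    return "L"


def detection_policy(a_list: Dict[str, Dict[str, int]],
                     t_list: Dict[str, Thresholds]) -> Dict[str, Dict[str, str]]:
    """Algorithm 2: compare A_List against T_List and populate F_List."""
    f_list = {}
    for node_id, audit in a_list.items():
        thresholds = t_list[node_id]
        f_list[node_id] = {
            field: flag(audit[field], getattr(thresholds, field), field)
            for field in FIELDS
        }
    return f_list


def cognition(f_list: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Postulates 1-3: the number of L flags decides the maliciousness level."""
    ml_list = {}
    for node_id, flags in f_list.items():
        normal_count = sum(1 for f in flags.values() if f == "L")
        if normal_count <= 2:
            ml_list[node_id] = "HIG"
        elif normal_count == 3:
            ml_list[node_id] = "MED"
        else:
            ml_list[node_id] = "LOW"
    return ml_list


# Constructed T_List with per-node thresholds (the thesis's second implementation).
T_LIST = {
    "C": Thresholds(snt=(40, 60), rec=(40, 60), fwd=(30, 50), rtm=(0, 5)),
    "D": Thresholds(snt=(35, 65), rec=(40, 60), fwd=(30, 50), rtm=(0, 5)),
    "I": Thresholds(snt=(40, 60), rec=(40, 60), fwd=(30, 50), rtm=(0, 5)),
}

# Constructed A_List: C floods and absorbs traffic, D only floods, I is normal
# apart from forwarding more than maX, which Case III treats as "not affected"
# and therefore flags L.
A_LIST = {
    "C": {"snt": 90, "rec": 85, "fwd": 45, "rtm": 2},
    "D": {"snt": 75, "rec": 50, "fwd": 40, "rtm": 3},
    "I": {"snt": 50, "rec": 50, "fwd": 70, "rtm": 1},
}

if __name__ == "__main__":
    flags = detection_policy(A_LIST, T_LIST)
    for node_id, level in cognition(flags).items():
        print(node_id, flags[node_id], level)
```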

4.3.5 Collaborative inquiry

Ideally, sensor nodes should make decisions on their own without collaborating with their neighborhood, but this seems unrealistic, because they do not have the whole picture of the network and in most cases cannot detect a compromised node by individual analysis. Several authors favor collaboration of a node with its neighboring nodes (Roman, Zhou and Lopez 2006) (Dimitriou, Krontiris and Giannetsos 2008) (Marchang and Datta 2008) (Kim, Chitti and Song 2011). In our model, a sensor node consults its neighbors only about those nodes whose maliciousness level is MED.

A consensus-based validation mechanism that incorporates cooperation into distributed IDS methodologies is proposed in (Shaikh, et al. 2008). It identifies compromised node(s) and excludes already-declared malicious nodes from decision making. In our model, the collaboration module is inspired by this work, but it also differs from it. Their work is expensive in the following sense:

• The sensor node requires the neighbor information of each malicious node.
• It finds the common neighbors of the claiming node and the claimed node.
• It eliminates already-declared malicious nodes from the common node list.
• After that, the claiming node sends a claim_packet to 'n' neighbors according to the maliciousness level.
• When it gets the responses from the consulted nodes, it performs decision making by validation.

Our proposed methodology also works in two phases, a consensus phase and a validation phase. It differs in several ways: (1) it does not include the neighbor list of the claimed node, (2) it does not look for common normal nodes to consult, (3) it communicates with the neighboring nodes to find the status of the claimed nodes, and (4) its computational complexity is very low because it does not perform consensus for each claimed node one at a time.

Consensus Phase: In this phase, the monitor node communicates with the neighboring nodes to find the status of the claimed nodes. It sends a message containing a list of those nodes that have medium maliciousness level, called the claim list (C_List). It is derived from the ML_List.

Table 11: Initial Status List (S_List) of MED level Malicious Nodes

Malicious Node (Node_ID)   Number of Claims (N_Claim)
D                          1

An initial status list (S_List) is maintained that contains the IDs of the malicious nodes with their claim status set to '1', as shown in Table 11.

During the consensus phase, the claiming sensor node updates its S_List after receiving S_Lists from other neighboring nodes according to Algorithm 3. Algorithm 3 states that if the received S_List is from a normal neighbor then it should be used, otherwise it should be discarded. The respective N_Claim in S_List is updated against each corresponding node whenever a message containing an S_List is received in response to C_List.

Algorithm 3: Consensus Phase
Input: Maliciousness level list (ML_List) => Claim List (C_List)
Output: Status List (S_List)
Begin
  For i = 1 to (n.N_List) / 2        // n.N_List = total number of neighbors
    If rand(Node_ID.N_List) is Normal
      F1 --> send C_List (rand(Node_ID.N_List))
    Else
      decrement i                     // retry with another neighbor
    End If
  End For
  F2 --> Receive S_List
  F3 --> Update S_List
End

Note: F1, F2 and F3 are three functions.


Validation Phase: The next phase validates the maliciousness of the claimed node by analyzing the N_Claim of the final S_List. It checks whether the N_Claim number is less than the validation threshold or not and updates the ML_List accordingly. If it is less than this value, then the node's maliciousness level status is updated to LOW. Otherwise, if it is more than that value, the node is declared abnormal and its maliciousness level status is updated to HIG.

Suppose node J receives S_Lists from its neighbors. It updates its S_List accordingly, and we assume that half of the neighboring nodes declare node D a malicious entity. Hence, its maliciousness status is updated to HIG.

4.3.6 Consolation

The last phase of our proposed framework is consolation. It works on the final ML_List, and only those nodes that have HIG maliciousness level are considered. It differs from (Dimitriou, Krontiris and Giannetsos 2008) and works according to the following steps:

• Update N_List. Neighbor nodes that have high maliciousness level are declared malicious.
• Update M_List. Nodes that are not neighbors but are malicious are highlighted.
• Apply route discovery. Find new routes that do not contain any malicious node as an intermediate node.
• Notify the sink. Build a message containing the list of malicious nodes and send it to the sink through a secure channel.

Here ML_List contains two nodes, node C and node D. Online prevention guards against these nodes in future and does not allow them to affect data aggregation and other application-dependent functions.

4.4 Experiments and Analysis

A simulator is implemented in Visual Studio .NET 2008 using C# to test the efficiency of the purely distributed specification-based detection scheme. The focus of our test is to show that centralized distributed approaches (security systems in which monitor nodes analyze the network and communicate with the BS using some secure communication mechanism) do not figure out the actual condition of the network properly.

4.4.1 Trace List

Let there be a sensor node X with n neighboring nodes. The number of nodes varies and is equal to 20, 40, 60, 80 or 100. A trace list (Trace_List) is randomly produced for 10,000 instances. The format of this list is shown below.

Table 12: Trace List

Transaction Type   Node X   Node Y
Send               A        B
Forward            C        D
Retransmit         E        F

In our experiment, 100 different trace files are generated. Hence, there are 100 audit lists, which are used to find the minimum and maximum sending rates. These are placed in T_List. Once the Trace_List is populated, the A_List is formed by counting the number of sends, receives, forwards and retransmits for each node. The audit lists help in adjusting the threshold values in T_List.

4.4.2 Attack Scenario (AS)

The proposed strategy is tested by launching four types of attack scenarios. The plotted values are obtained by averaging over 10 simulation runs in each case. In most cases, the average value over all nodes calculated in the attacked scenarios is close to the average value of normal execution, but the average value of the attacker nodes is higher or lower according to the AS type. These are discussed below.

Increased sending rate (AS-I)

During a flood attack, the attacker sends more packets. Hence, the sending rate of the attacker nodes is increased by some fraction. nA attackers are randomly selected, and their sending rates are increased.

Figure 13: Sending rate Analysis

Figure 13 provides the sending rate analysis. It shows that attacker nodes send more packets than normal nodes.


Increased receiving rate (AS-II)

In a black-hole, sink-hole or worm-hole attack, the attacker receives more packets. Hence, the receiving rate of the attacker nodes is increased by some fraction. nA attackers are randomly selected, and their receiving rates are increased.

Figure 14: Receiving rate Analysis

Figure 14 provides the receiving rate analysis. It shows that the attacker nodes receive more packets than normal nodes.

Decreased forwarding rate (AS-III)

During a selective forwarding, black-hole or sink-hole attack, the attacker forwards fewer packets. Hence, the forwarding rate of the attacker nodes is decreased by some fraction. nA attackers are randomly selected, and their forwarding rates are decreased.


Figure 15: Forwarding rate Analysis

Figure 15 provides the forwarding rate analysis. It shows that the attacker nodes forward fewer packets than normal nodes.

Increased retransmission rate (AS-IV)

In a collision attack, the node that is attacked by a compromised node retransmits the same packets more often. Hence, the retransmission rate of the sender is increased by some fraction. nA such nodes are randomly selected, and their retransmission rates are increased.


Figure 16: Retransmission rate Analysis

Figure 16 provides the retransmission rate analysis. It shows that the attacking nodes retransmit more packets than the normal nodes.

4.4.3 Discussion

The results show that if node X sends the average value to the sink or BS to analyze whether the network is under attack or not, then the sink cannot figure out the actual scenario. But if the sensor node makes the decision on its own and analyzes the behavior of individual nodes, then it can detect the abnormal node efficiently. This shows that a centralized distributed approach cannot figure out the actual condition of the network properly. Therefore, a purely distributed security system is more appropriate for WSNs.

Here, an average audit list is maintained after generating 10 trace files for each attack pattern. These attack patterns differ from each other in the following parameters:

• Attack scenario (AS-I to AS-IV)
• Number of neighbors (10, 20… 50)
• Number of attackers (1, 3 or 5)

They are used to test two performance metrics that judge the effectiveness of the proposed scheme: intrusion detection rate and false positive rate.

Intrusion detection rate (IDR)

A 100% detection rate means that the applied technique detects all the nodes that are compromised or not working properly. The formula for the detection rate is:

$$IDR = \frac{A}{A + B}, \qquad A = \text{True Positive},\quad B = \text{False Negative}$$

If the node is normal and it is declared normal as well by the detection policy, then it counts as A, while if the node is abnormal but declared normal, then it counts as B.

Our proposed methodology works after random generation of the trace files that are used to set the thresholds. The attack scenarios are generated as described in the previous section. The results depicted in the previous section show that the compromised nodes deviate from normal behavior. The interpretation of the Flag_List shows that B is almost zero in each case. Hence, the intrusion detection rate is almost 100%.

False positive rate (FPR)

A false positive means that a node is normal but wrongly declared abnormal. The formula used to find the false positive rate of a system is:

$$FPR = \frac{C}{C + D}, \qquad C = \text{False Positive},\quad D = \text{True Negative}$$

The average false positive rate of the various AS for different numbers of neighboring nodes shows that the false positive rate of the proposed detection scheme is below 0.06 in most cases.

4.5 Summary

In this chapter, we have presented a novel intrusion detection framework to secure wireless sensor networks from routing attacks. The proposed approach is explained thoroughly using a flat wireless sensor network scenario. We test the specification-based detection scheme proposed for the presented example using a simulator implemented in C#. The results show that the specification-based detection scheme achieves a high detection rate and a low false positive rate. These results also indicate that each node should be treated independently in WSNs, and that centralized distributed detection schemes may fail to identify whether the network behavior is normal or under attack. Therefore, a purely distributed security system is more appropriate for WSNs.

In the next chapter, we apply the proposed intrusion detection framework to a clustering hierarchical routing protocol for WSNs, the LEACH protocol, to show its effectiveness with respect to throughput and energy efficiency.


Chapter 5

Securing LEACH protocol against Routing Attacks

5.1 Introduction

In (Heinzelman, Chandrakasan and Balakrishnan 2000), the authors present an energy-efficient hierarchical routing protocol for WSNs called low energy adaptive clustering hierarchy (LEACH). The LEACH protocol works in rounds, and each round is composed of two phases: the setup phase takes less time, while the steady phase lasts for a longer period. In the setup phase, sensor nodes form clusters and the CHs set a TDMA schedule for each cluster node. Different clusters use different timings to avoid collisions among the cluster nodes. Sensor nodes send data messages to their CHs in the steady phase, and these CHs deliver the aggregated data to the BS. Hence, LEACH avoids extra usage of energy. The LEACH protocol is vulnerable to the different types of attacks discussed already. In this work, we consider three attacks that show similarity in the way they take effect during the setup phase of LEACH: sink-hole, black-hole and selective forwarding (SBS-F) attacks. Here, a compromised node tries to become CH in order to act maliciously.

In (Sharma and Jena 2011), the authors analyze various secure and energy-efficient hierarchical routing protocols based on security goals, prevention of attacks, and the way the security mechanism works. A security solution for the LEACH protocol called RLEACH is presented in (Zhang, Wang and Wang 2008). This scheme is based on a key management protocol; according to the authors, random pairwise keys are a lightweight solution for avoiding several attacks. In another work, an efficient security model for the LEACH protocol called ESMR is discussed (Chen, Zhang and Hu 2008). The proposed solution is based on public key cryptography to protect against outside attacks. It would increase the overall energy consumption of the system and add a burden to the LEACH protocol due to the complexity of the cryptography. A random key distribution solution for securing clustered sensor networks from outside attacks is also proposed in (Oliveira, et al. 2006). It provides secure transmission but fails to cater for inside attacks launched by a compromised node. We discussed various other security schemes in the previous chapter, and a few here, but they show limitations with respect to testing or completeness of the model.

In this chapter, we add the proposed framework to the LEACH routing protocol to verify its effectiveness for WSNs. For that, we consider three attacks, i.e., sinkhole, black hole, and selective forwarding attacks. These attacks share a common feature: a compromised node tries to become the CH in order to behave maliciously. We call the modified LEACH protocol LEACH++. Two kinds of tests are carried out to check the efficiency of this modified protocol. Numerical analysis tells us about the effect on overall energy utilization and throughput. Network Simulator-2 (NS-2) simulations help to validate the impact of LEACH++ during an attack scenario with respect to the throughput gained at the BS. The results show that LEACH++ obtains more throughput than LEACH during an attack, while it puts some burden on LEACH with respect to the overall energy consumption of the system. Normally, secure schemes bring more overhead than insecure solutions, as they consume more energy for the computation and communication needed for detection and collaboration (Masdari, Bazarchi and Bidaki 2013). The NS-2 simulation results also favor LEACH++ because it achieves higher throughput than LEACH under attack. The proposed approach provides a way to obtain more throughput even in attack scenarios. It is better to adopt a mechanism that keeps the data accessible for making better decisions in a cloud-based environment.

Figure 17: Workflow of proposed LEACH++ protocol


5.2 Proposed security solution for LEACH protocol

Sensor nodes build a topology in each round to send the sensed data to the CHs. These CHs are responsible for transmitting the data to the BS. It is the responsibility of the LEACH protocol to ensure that a node does not advertise ADV_CH in consecutive rounds. An adversary can launch sinkhole, black-hole, or selective forwarding attacks by modifying the LEACH configuration of a compromised node. Here, we assume that the compromised node becomes CH in each round and behaves maliciously.

In this sub-section, we explain how the proposed IDF can be added to the LEACH protocol to secure it from sinkhole, black-hole, and selective forwarding attacks. Figure 17 shows how the IDF is installed in LEACH in both the setup and steady phases. The modified protocol is called LEACH++.

5.2.1 Online prevention

Whenever a node receives an ADV_CH message, online prevention validates it by checking whether it was advertised by a legitimate node. If it is received from a normal node, then the sensor node adds it to the CH Choices table; otherwise it discards it immediately. Sensor nodes do not have any knowledge of already-declared malicious nodes by default. We propose that each sensor node maintain a data repository, called ML_List, of those nodes that have already been declared malicious. The local detection unit is responsible for validating the incoming ADV_CH. It works according to Algorithm 4 as follows:

Algorithm 4: Local Auditing at node X
Input: ADV_CH from other nodes
Output: Validation of packet (discarded or accepted)
Begin
  If nodeID of ADV_CH is in ML_List
    discard it
  Else
    add it to the current cluster head choices
  End If
End

The local detection unit checks whether the node ID of the received ADV_CH is present in ML_List or not. If it is present, then it discards the ADV_CH; otherwise it adds the node ID to the current CH Choices table.

5.2.2 Offline detection

Sensor nodes do not maintain any record of the CHs of previous rounds, so they are not capable of identifying whether they are making the same node CH again and again. Offline detection finds those nodes that are trying to become CH in consecutive rounds. The following illustrates the key elements of the IDF according to LEACH++.


Data collection

A sensor node listens to the communication between neighboring nodes in promiscuous mode. In our proposed LEACH++ protocol, the data collection unit listens to ADV_CH packets and passes them to the content suppression unit.

Content suppression

Whenever some information is received from the data collection unit, the values are updated in an audit data list (A_List). Every node should maintain an A_List. It is a list that holds information about the past occurrences of the CHs. According to our analysis after simulating the LEACH protocol in NS-2, a node usually does not advertise itself as a CH in consecutive rounds. Hence, we propose that the length of A_List should be 3 * (number of CHs allowed in a round). This means that a node stores the CH information for three rounds. The values are shifted after the third round, and so on, to keep track of three consecutive rounds. Consider a sensor network having 100 sensor nodes with five CHs. Table 13 shows an example of the normal occurrences of CHs in three consecutive rounds A, B, and C.

Table 13: An example of Audit List (A_List) for normal occurrences of Cluster Heads

          CH #1     CH #2     CH #3     CH #4     CH #5
Round A   Node 5    Node 13   Node 44   Node 71   Node 95
Round B   Node 12   Node 33   Node 56   Node 82   Node 91
Round C   Node 7    Node 17   Node 37   Node 66   Node 78

After round C, the values stored for rounds B and C shift to rounds A and B respectively, while round C stores the CHs of the current round. This continues till the last round.

Table 14: An example of Audit List (A_List) during SBS-F attacks

          CH #1     CH #2     CH #3     CH #4     CH #5
Round A   Node 5    Node 13   Node 44   Node 71   Node 95
Round B   Node 13   Node 33   Node 56   Node 82   Node 91
Round C   Node 7    Node 13   Node 37   Node 66   Node 78

Consider that node ID 13 is compromised by an adversary and tries to become CH in each round. Table 14 shows the attack pattern in this scenario.

Intrusion detection

Specification-based intrusion detection is favored for WSNs by (Da Silva, et al. 2005) (Roman, Zhou and Lopez 2006) (Krontiris and Dimitriou 2007). This detection technique is lightweight and can detect unknown attacks, while a misuse detection mechanism cannot find unknown attacks and an anomaly detection approach is expensive (Farooqi and Khan 2012). We propose the following specifications for the detection of intrusions in the LEACH protocol:


• Step #1: The sensor node searches through A_List to check whether the received ADV_CH packet is from a node that advertised the same packet in the previous consecutive rounds.
• Step #2: If the outcome of Step #1 is true, then it adds the node to the claim list (C_List) and collaborates with other nodes to find out its behavior at their side. Otherwise, it follows the normal cluster formation steps.

The format of C_List is very simple: it contains the node IDs of the claimed nodes only. The proposed approach lies in the purely distributed IDS category (Farooqi and Khan 2012). Every node performs intrusion detection to find the compromised nodes.

Collaborative Inquiry

Sensor nodes advertise C_List once they detect any malicious node. If the rule in Step #2 fires, then this unit activates and shares the status of the malicious nodes with other nodes. The authors in (Roman, Zhou and Lopez 2006) (Dimitriou, Krontiris and Giannetsos 2008) (Marchang and Datta 2008) favor a collaborative inquiry with other nodes about the maliciousness of a node. Here, the collaborative inquiry unit works in two phases: consensus and validation.

Consensus phase: In this phase, the monitor node advertises C_List to tell the others about the detected malicious nodes. Once the other nodes detect the malicious nodes at their end, they advertise their C_List as well in their time slot. Sensor nodes receive C_Lists from other nodes in the setup phase and maintain a status list (S_List).

Validation phase: A compromised node can act maliciously and advertise wrong claims. Hence, the validation unit checks whether the received C_List is from a legitimate node or from an already-declared malicious node.

S_List contains the node IDs of the claimed nodes and their status. Initially the status is "1". Once a node receives a C_List from other nodes, it updates S_List and increments the status values of those nodes that are already present in S_List.

Table 15: S_List at node X

Node ID   Status
node 12   1
node 13   1

Suppose a node X detects two nodes that advertise ADV_CH in three consecutive rounds, as shown in Table 15. Node X receives a C_List from a node Y containing two node IDs, node 16 and node 13. Node X updates its S_List by adding node 16 with status value "1", while it increments the status value of node 13 by 1, as shown in Table 16.

Table 16: Updated S_List

Node ID   Status
node 12   1
node 13   2
node 16   1


Consolation

Consolation performs actions to ensure that a malicious node does not take part in further degradation of the system's throughput. We propose that if the status value of any node is above a certain expected value, it should be added to the malicious node list (ML_List). Here, the expected value can be any ratio of the total number of nodes and CHs. Hence, online prevention prevents these nodes from becoming CH in future.
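The LEACH++ detection chain of Section 5.2 (the three-round A_List of Tables 13 and 14, Steps #1 and #2, the S_List bookkeeping of Tables 15 and 16, consolation) together with the online prevention check of Algorithm 4, as an added Python example that is not the thesis's NS-2 code; it also serves as a concrete form of the consensus and validation phases described in Section 4.3.5. The consolation threshold is a constructed constant, and the scenario is a constructed variant of Tables 13 to 16 in which nodes 12 and 13 both advertise ADV_CH in three consecutive rounds.

```python
# Added example, not LEACH++'s own NS-2 implementation: the offline detection
# chain of Section 5.2 (A_List window, Steps 1-2, consensus and validation,
# consolation) and the online prevention check of Algorithm 4.
# Assumption: the consolation threshold (the thesis's "expected value") is a
# constructed constant; node IDs and rounds are constructed sample data.
from collections import deque
from typing import Deque, Dict, Iterable, List, Set

ROUNDS_KEPT = 3   # A_List holds 3 * (CHs per round) entries, i.e. three rounds


class LeachPlusPlusNode:
    def __init__(self, node_id: int, claim_threshold: int) -> None:
        self.node_id = node_id
        self.claim_threshold = claim_threshold                     # constructed
        self.a_list: Deque[Set[int]] = deque(maxlen=ROUNDS_KEPT)  # CH IDs per round
        self.s_list: Dict[int, int] = {}                           # claimed node -> status
        self.ml_list: Set[int] = set()                             # declared malicious

    # Online prevention (Algorithm 4): drop ADV_CH from known malicious nodes.
    def accept_adv_ch(self, sender: int) -> bool:
        return sender not in self.ml_list

    # Data collection + content suppression: the accepted ADV_CH senders of one
    # round enter A_List; deque(maxlen=3) performs the "shift after the third
    # round", so exactly three consecutive rounds are kept.
    def record_round(self, ch_ids: Iterable[int]) -> None:
        self.a_list.append({c for c in ch_ids if self.accept_adv_ch(c)})

    # Intrusion detection, Step #1 and Step #2: a node that advertised ADV_CH in
    # every kept round goes on C_List and is seeded into S_List with status 1.
    def detect(self) -> List[int]:
        if len(self.a_list) < ROUNDS_KEPT:
            return []
        c_list = sorted(set.intersection(*self.a_list))
        for claimed in c_list:
            self.s_list.setdefault(claimed, 1)
        return c_list

    # Consensus + validation: a C_List from an already-declared malicious node
    # is ignored; otherwise each claimed ID is added or its status incremented.
    def merge_c_list(self, sender: int, c_list: Iterable[int]) -> None:
        if sender in self.ml_list:
            return
        for claimed in c_list:
            self.s_list[claimed] = self.s_list.get(claimed, 0) + 1

    # Consolation: a status above the expected value puts the node on ML_List.
    def consolation(self) -> Set[int]:
        for claimed, status in self.s_list.items():
            if status > self.claim_threshold:
                self.ml_list.add(claimed)
        return set(self.ml_list)


def table_scenario() -> LeachPlusPlusNode:
    """Constructed variant of Tables 13-16: nodes 12 and 13 advertise ADV_CH in
    three consecutive rounds at node X; node Y then claims nodes 16 and 13."""
    x = LeachPlusPlusNode(node_id=1, claim_threshold=1)
    x.record_round([5, 12, 13, 44, 71])          # round A
    x.record_round([12, 13, 33, 56, 82])         # round B
    x.record_round([7, 12, 13, 37, 66])          # round C
    x.detect()                                   # S_List {12: 1, 13: 1}, as in Table 15
    x.merge_c_list(sender=2, c_list=[16, 13])    # S_List {12: 1, 13: 2, 16: 1}, Table 16
    x.consolation()                              # ML_List {13}
    return x


if __name__ == "__main__":
    node = table_scenario()
    print("S_List:", node.s_list, "ML_List:", node.ml_list)
```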

5.3 Numerical Analysis of LEACH++

The LEACH protocol works in two phases: the setup phase and the steady phase. These phases consume different amounts of energy. The setup phase takes less time, while the steady phase continues till the end of each round. We formulate equations to analyze the energy utilization and throughput of the LEACH protocol in three scenarios: (1) normal execution, (2) an attack launched by an adversary, and (3) LEACH++ (Farooqi and Khan 2017). Here, our focus is on the effect of the proposed solution on the transmission of messages during the collaborative inquiry, which increases the routing overhead. The proposed solution also increases the energy used in computation, but this is negligible compared to the overall working of the LEACH protocol. Table 17 describes the notations used to derive the equations.

Table 17: Notations used in Numerical analysis

Notation       Description
$E_1$          Amount of energy utilized by a node when sending a message to a CH and vice versa; the energy consumed during short-range communication.
$E_2$          Amount of energy utilized when a CH sends a message to the BS and vice versa; in other words, the energy consumed during long-range communication.
$E_{Setup}$    Total amount of energy used by sensor nodes during the setup phase.
$E_{Steady}$   Total amount of energy used by sensor nodes during the steady phase.
$T_{Nodes}$    Total number of sensor nodes in the sensor field.
$T_{CHeads}$   Total number of CHs.
$C_{CHeads}$   Number of compromised sensor nodes.
$N_{Data}$     Number of data messages sent by each node to its CH in 1 sec.
$C_{Data}$     Number of data messages sent by a CH to the BS in 1 sec.
$R_{Sec}$      Length of a round in seconds. We assume that rounds have a fixed length.

5.3.1 Normal execution

Sensor nodes build a topology after their installation in a sensor field. This topology depends on the routing protocol. Here, the sensor nodes use the LEACH protocol to form the paths used for transmitting information to the BS. The amount of energy these nodes consume in the normal scenario during topology formation and data transmission is discussed below:


Energy used in Setup Phase

When a sensor network is deployed, ideally T_CHeads nodes advertise the ADV_CH message to form clusters.

$$\text{Energy used in cluster setup} = T_{CHeads} \cdot E_2 \qquad (1)$$

Sensor nodes reply with a JOIN_REQ message to join the clusters, and the CHs respond with an acknowledgement.

$$\text{Energy used in cluster formation} = (T_{Nodes} \cdot E_1) + (T_{CHeads} \cdot E_1) \qquad (2)$$

Hence, from Equations (1) and (2), we conclude that

$$E_{Setup}(LEACH) = E_2 \cdot T_{CHeads} + E_1 \cdot (T_{Nodes} + T_{CHeads}) \qquad (3)$$

Energy used in steady phase

In the steady phase, sensor nodes start sending messages to their CHs, and the CHs pass the information on after aggregation. So, we track the number of data packets sent during this phase to calculate the energy usage. If we assume that all clusters are of uniform size, the number of nodes in a cluster equals T_Nodes/T_CHeads; with 100 sensor nodes (and T_CHeads = 5), each cluster has 20 nodes. Instead, we use the cluster formation algorithm to determine the number of nodes in each cluster, as shown in Algorithm 5.

Algorithm 5: Cluster formation
Input: Number of normal nodes and cluster size
Output: Clusters with different numbers of nodes
Begin
    For all cluster size DO
        Temp_Array[i]: assign a random number between 10 and 50 to a temporary array
        Sum: holds the sum of these numbers
    End For
    For all cluster size again DO
        Clusters[i]: assign to the cluster the value (Temp_Array[i] / Sum) * Number of normal nodes
    End For
End

Cluster size defines the number of clusters to be formed, while the number of nodes defines how many nodes will be placed in these clusters. Initially, a random number ranging from 10 to 50 is assigned to each cluster; it sets the percentage of nodes to be present in that cluster. Here, we want a cluster to have at least 10 and at most 50 nodes out of 100. In the next FOR loop, the number of nodes is assigned to each cluster according to its percentage. The results of this algorithm show that most of the time, the clusters are of different sizes.


The next step is to determine the number of data packets received by a CH in one round. Here, we assume that a node sends about 1 to 10 data messages to its CH in one round. To compute that, the following algorithm is used:

Algorithm 6: Amount of cluster data and total data in a round
Input: Clusters returned by the cluster formation algorithm and cluster size
Output: Each cluster's data and the total data of all clusters in a round
Begin
    For all cluster size DO
        For all nodes of this cluster DO
            Node data (N_Data) = Node data + Random number between 1 and 10
        End For
        Cluster data of that cluster (C_Data) = Node data
        Total data (T_Data) = Total data + Cluster data of that cluster
    End For
End

Clusters with different numbers of nodes are returned by the cluster formation algorithm. Each node in a cluster sends 1 to 10 data messages in a round, known as N_Data, which collectively form the cluster data C_Data. Here we consider that once the CH has received 20 data messages, it sends one aggregated message to the BS. Hence, the energy consumption in the steady phase is as follows:

$$E_{Steady}(LEACH) = E_1 \cdot T_{Data}(R_{Sec}) + E_2 \cdot \frac{T_{Data}(R_{Sec})}{20} \qquad (4)$$

Total Energy and Throughput

The total energy consumed by the LEACH protocol executing in normal fashion follows from Equations (3) and (4).

$$T_{Energy}(LEACH) = \sum_{i=0}^{n} \left[ E_{Setup}(LEACH) + E_{Steady}(LEACH) \right] \qquad (5)$$

Here, n is the number of rounds. Throughput is the number of data packets received by the BS. From Algorithm 6, we calculate

$$T_{Throughput}(LEACH) = \sum_{i=0}^{n} C_{Data}[i] \cdot R_{Sec} \qquad (6)$$

5.3.2 Attack launched by adversary

The LEACH protocol shows resilience to a number of attacks due to the adaptive nature of its clustering mechanism. However, some attacks can degrade the performance of the LEACH protocol; black-hole, sinkhole, and selective forwarding attacks are among them. In these attacks, a legitimate node is compromised to perform the malicious activity. The malicious activity depends on the type of attack: dropping all packets, sending data packets containing wrong information, or dropping a fraction of the packets. These attacks are considered insider attacks because they are launched by nodes that are part of the current network.

Here, we assume that a compromised node becomes a CH in each round and does not send any message to the BS. That is, the attacking node drops all the packets that should be transmitted to the BS after aggregating the data received from the cluster nodes. We call this ALEACH: LEACH under attack.

Energy used in Setup Phase

The total energy utilization for this phase remains the same as in Equation (3) for the attack scenario, because compromised nodes work like the other nodes. In the attack scenario, a compromised node advertises the ADV_CH message to ensure that it becomes a CH in each round. This does not affect the overall energy consumption in the setup phase.

Energy used in steady phase

In the attack scenario, the number of data messages received by a CH remains the same as in Algorithm 6. This is because, by our assumption, a compromised node becomes the CH in each round, while the working of the other nodes remains the same. The messages received by the CHs are:

$$N_{Data}(R_{Sec}) = N_{Data} \cdot T_{Nodes} \cdot R_{Sec} \qquad (7)$$

There are C_CHeads compromised nodes that form clusters. These nodes do not send messages to the BS. Hence, the number of data packets received by the BS in a round during the attack is:

$$C_{Data}(R_{Sec}) = C_{Data\,\text{of normal node}} \cdot R_{Sec} - C_{Data\,\text{of compromised node}} \cdot C_{CHeads} \qquad (8)$$

Therefore, from Equations (7) and (8), we have:

$$E_{Steady}(ALEACH) = E_1 \cdot N_{Data}(R_{Sec}) + E_2 \cdot \frac{C_{Data}(R_{Sec})}{20} \qquad (9)$$

Total Energy

The total energy consumed by the attacked LEACH follows from Equations (3) and (9).

$$T_{Energy}(ALEACH) = \sum_{i=1}^{n} \left[ E_{Setup}(ALEACH) + E_{Steady}(ALEACH) \right] \qquad (10)$$

Here, n is the number of rounds in which the network is under attack. Throughput is the number of data packets received by the BS.

$$T_{Throughput}(ALEACH) = \sum_{i=1}^{n} \left( C_{Data}[i] \cdot R_{Sec} - C_{Data\,\text{of compromised node}} \cdot C_{CHeads} \right) \qquad (11)$$

5.3.3 LEACH++

Here, we calculate the effect of the proposed IDF on the original LEACH protocol with respect to energy consumption and throughput after securing it from attacks.


Energy used in Setup Phase

The proposed mechanism may increase the energy usage in the setup phase. Let node X detect that node Y advertises to become CH in consecutive rounds; node X then advertises its claim list (C_List) so that a final decision can be made. Meanwhile, other nodes also share their claim lists, and nodes maintain the status of the claimed nodes. If a node is declared malicious, then the first node among the detectors advertises ADV_CH to become the CH.

The amount of energy used for detecting and changing the CH is as follows:

$$E_{ChangeCH} = 2E_1 \cdot \left(\frac{T_{Nodes}}{T_{CHeads}}\right) + E_2 \cdot T_{Nodes} + E_2 \qquad (12)$$

Here, E2 * T_Nodes energy is used for sharing the claim lists, E2 energy is used by the node that advertises the ADV_CH message, and 2E1 * (T_Nodes/T_CHeads) energy is used again to join the new CH.

Hence, the overall energy utilization in the setup phase is the sum of Equations (3) and (12), as shown in Equation (13).

$$E_{Setup}(\text{LEACH++}) = \{E_2 \cdot T_{CHeads} + E_1 \cdot (T_{Nodes} + T_{CHeads})\} + E_{ChangeCH} \qquad (13)$$

Energy used in steady phase

The proposed approach does not play any role in the steady phase. The total energy consumed in this phase may still differ from the LEACH protocol, because the compromised node does not send any message during this phase due to its configuration. Hence, the number of nodes that send data to CHs differs by the number of compromised nodes.

$$E_{Steady}(\text{LEACH++}) = E_1 \cdot \left(N_{Data} \cdot (T_{Nodes} - C_{CHeads}) \cdot R_{Sec}\right) + E_2 \cdot \left(C_{Data} \cdot T_{CHeads} \cdot R_{Sec}\right) \qquad (14)$$

Total Energy

The total energy consumed by the LEACH++ protocol follows from Equations (13) and (14).

$$T_{Energy}(\text{LEACH++}) = \sum_{i=1}^{n} \left[ E_{Setup}(\text{LEACH++}) + E_{Steady}(\text{LEACH++}) \right] \qquad (15)$$

Here, n is the number of rounds in which nodes detect any malicious activity. Throughput differs from round to round based on the impact of the attackers on the network, the time at which the malicious activity is detected, and the round in which isolation of the compromised node is achieved.

Data loss during the attack is high, as the compromised node drops all data messages or selectively forwards only a few to the BS. Here, once the attacker is successful, it drops all the packets of its cluster. Some impact of the attacker remains even afterwards, as it does not provide its own information throughout its lifetime. Hence, even after the network detects the malicious node, there is still some data loss. This is measured using Algorithm 7.


Algorithm 7: Data loss during and after detection of attack
Input: Clusters, cluster data, number of attackers
Output: Data loss (D_Loss)
Begin
    For all rounds DO
        If network is under attack THEN
            For all successful attackers DO
                Data loss = Data loss + Cluster data of compromised cluster
            End For
        Else If network recovered from attack THEN
            Data loss = Data loss + Data discarded by the attacking node
        End If
    End For
End

$$T_{Throughput}(\text{LEACH++}) = \sum_{i=1}^{n} C_{Data} \cdot T_{CHeads} \cdot R_{Sec} \qquad (16)$$

Here, n is the number of rounds in which nodes detect any malicious activity.
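The numerical model of Sections 5.3.1 to 5.3.3 carried through in Python, as an added example that is not the thesis' own code: Algorithms 5 to 7 and Equations (3), (4), (9), (12) to (14), with the Table 18 values as defaults. It assumes that the Algorithm 6 counts are the per-round T_Data term, that the compromised CHs head the first C_CHeads clusters, that the attacking node is the first node of its cluster, and that the attack starts in round 3 and is detected in round 4; `simulate` and the per-equation helpers are names chosen here.

```python
import random

AGG_THRESHOLD = 20   # a CH forwards one aggregated message to the BS per 20 messages received


def setup_energy(e1, e2, t_nodes, t_cheads):
    """Equation (3): ADV_CH broadcasts (long range) plus JOIN_REQ and ACK (short range)."""
    return e2 * t_cheads + e1 * (t_nodes + t_cheads)


def change_ch_energy(e1, e2, t_nodes, t_cheads):
    """Equation (12): claim-list sharing, one replacement ADV_CH, and re-joining the new CH."""
    return 2 * e1 * (t_nodes / t_cheads) + e2 * t_nodes + e2


def steady_energy(e1, e2, received, delivered):
    """Equations (4)/(9): E1 per node-to-CH message, E2 per aggregate the CHs actually forward."""
    return e1 * received + e2 * delivered / AGG_THRESHOLD


def cluster_sizes(t_nodes, t_cheads, rng):
    """Algorithm 5: random weights in [10, 50] scaled to T_Nodes.
    Note: scaling the weights does not by itself bound a cluster to 10..50 nodes."""
    weights = [rng.randint(10, 50) for _ in range(t_cheads)]
    total = sum(weights)
    sizes = [w * t_nodes // total for w in weights]
    sizes[-1] += t_nodes - sum(sizes)      # rounding remainder goes to the last cluster
    return sizes


def round_data(sizes, rng):
    """Algorithm 6: every node sends 1..10 messages; returns per-cluster lists of per-node counts."""
    return [[rng.randint(1, 10) for _ in range(n)] for n in sizes]


def simulate(scenario, rounds, e1=1, e2=3, t_nodes=100, t_cheads=5, c_cheads=1,
             attack_round=3, detect_round=4, seed=1):
    """Return (total energy, BS throughput in data messages, data loss) for scenario
    'LEACH', 'ALEACH' (LEACH under attack) or 'LEACH++'.  One seed drives all three,
    so they see identical cluster sizes and traffic (assumption of this example)."""
    rng = random.Random(seed)
    energy = throughput = loss = 0
    for r in range(1, rounds + 1):
        node_data = round_data(cluster_sizes(t_nodes, t_cheads, rng), rng)
        cluster_data = [sum(c) for c in node_data]
        received = delivered = sum(cluster_data)       # T_Data of this round
        setup = setup_energy(e1, e2, t_nodes, t_cheads)
        attacking = scenario != "LEACH" and r >= attack_round
        recovered = scenario == "LEACH++" and r >= detect_round
        if attacking and not recovered:
            # Black-hole CH: the compromised clusters' aggregates never reach the BS (Alg. 7)
            dropped = sum(cluster_data[:c_cheads])
            delivered -= dropped
            loss += dropped
        elif recovered:
            # Isolated attacker: only its own readings are missing (Alg. 7, recovered branch)
            own = sum(c[0] for c in node_data[:c_cheads] if c)
            received -= own
            delivered -= own
            loss += own
            if r == detect_round:
                setup += change_ch_energy(e1, e2, t_nodes, t_cheads)   # Equation (13)
        energy += setup + steady_energy(e1, e2, received, delivered)
        throughput += delivered
    return energy, throughput, loss


if __name__ == "__main__":
    for name in ("LEACH", "ALEACH", "LEACH++"):
        e, tp, lost = simulate(name, rounds=10)
        print(f"{name:8s} energy={e:8.1f} throughput={tp:5d} lost={lost:4d}")
```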

5.3.4 Experiments and Discussion

We simulate and test the effect of the proposed approach on the LEACH protocol. The simulation parameters are shown in Table 18. We assume that sensor nodes communicate over two ranges and consume different amounts of energy: nodes use three times more energy for long-range communication than for short-range communication. There are 10 rounds of 25 s each, in a simulation of 250 s. There are 100 nodes and a varying number of CHs. The amount of data a node sends to its CH in one round is a random number between 1 and 10 data packets, while the CH sends 1 packet once it has received 20 data messages from its cluster nodes.

Table 18: Simulation Parameters for numerical analysis

Simulation Time 250 secs

Rounds 10

R_Sec 25 secs

E1 1 Unit

E2 3 Unit

T_Nodes 100

T_CHeads 5, 10

C_CHeads 1, 3

N_Data Random (1-10)

C_Data Total Data / 20


Hierarchical routing protocols can minimize the overall impact of attacks on throughput by increasing the number of CHs. We test the LEACH protocol by increasing the number of CHs per round and launching different numbers of attacks. The results are calculated after launching 1, 2, and 3 attackers in 10 different simulations, with the number of CHs set to 5 and 10.

Figure 18: Impact of sinkhole, black-hole, and selective forwarding attacks on normal LEACH with respect to throughput by varying the CHs

Here, we use the average value obtained from the simulation results. First, the number of CHs is set to 5 and the number of attackers is varied over 1, 2, and 3; then the number of CHs is set to 10 and the attackers are again varied over 1, 2, and 3, for several simulations. The normal throughput of LEACH with 5 and 10 clusters is depicted for 10 rounds, with the simulation time set to 250 s and the round time to 25 s. The two are very close to each other, while the results obtained by launching different numbers of attacks and taking the average show less degradation in the case of 5 clusters. The degradation for 5 CHs is about 37%, while for 10 CHs it is around 20%. Still, the effect is high in both cases, as the missing data degrades the quality of the output derived from it. However, increasing the number of CHs has a negative impact in the LEACH protocol: it directly affects the energy utilization of the system.

The cluster size should be kept optimal to achieve high throughput and ensure low energy consumption. Consider the results shown in Figure 19.


Figure 19: Average energy and throughput utilization by LEACH protocol for a different number of CHs

CHs use more energy to communicate with the BS than nodes use to communicate with their CHs. For Figure 19, we simulated 10 times each with the number of CHs set from 1 to 10. The workload of an individual cluster for different cluster sizes is depicted by averaging over all the simulation results and the rounds in each. If there are no clusters or only one cluster, then the load on the CH is very high, which causes it to die sooner. The optimal cluster size here is 5, as the average throughput and energy utilization of the CH do not change much for larger cluster sizes. As the cluster size increases, it puts an extra burden on the network. The above results also show that an increase in the number of CHs is directly proportional to a factor increase in energy utilization. The results depicted here show about a 10% increase in the overall work of the network with 10 clusters rather than 5. In our experiments, we have mostly used a cluster size of 5.

Now, consider 100 nodes with 5 CHs. The pattern of energy utilization by LEACH and LEACH++ during each round, obtained from the above numerical analysis, is shown in Figure 20. It shows that LEACH++ consumes more energy than LEACH. The factors that influence the results are discussed below.


Figure 20: Comparison of energy consumption between LEACH and LEACH++

The energy utilization of the previous round is added to the current round to give a clearer view of the difference. In round 1, both consume the same amount of energy, because the security patch that LEACH++ adds to LEACH only works after an attack is detected. There is a change in energy consumption from round 3 onwards; we assume that the sensor network is attacked by the adversary at this point. Hence, the energy consumed by the network is according to Equation (13). The compromised CH does not communicate with the BS, so it does not add to the energy. In round 4, LEACH++ performs its activity and utilizes more energy than LEACH. This is not a considerable amount, considering the solution it provides to secure LEACH from various attacks. From round 4 onwards, the network works according to LEACH, because there are no more attacks that would cause any change in energy. We ignore the energy used for computation, as it is negligible compared to the communication overhead. We conclude that LEACH++ puts some burden on the LEACH protocol, but considering the positive impact of this overhead, it can be neglected.

In our next result, we show the importance of the security patch and its impact on throughput. Figure 21 shows the effect of the attack on throughput for both LEACH and LEACH++ with 5 CHs and attacking nodes.


Figure 21: Throughput analysis. LEACH++ performs better in Attacked scenario

The throughput achieved by LEACH++ compared to the attacked LEACH shows that LEACH++ recovers from the attack, while the performance of the LEACH protocol degrades after an attack is launched. Here, we can conclude that LEACH++ provides better throughput in case of an attack on the LEACH protocol.

5.4 Simulation and analysis of LEACH++ using NS-2

The LEACH protocol was implemented in NS-2.15b for initial testing (Heinzelman, Balakrishnan and Chandrakasan 2002). This implementation is available online at (W. Heinzelman 2011). There is also a patch for LEACH available for NS-2.34, and we use that patch to test our proposed approach. In this section, we provide details about the implementation of the attacker node and discuss the way LEACH is modified into LEACH++. We further provide the simulation details and discuss the results.

5.4.1 Attack implementation and LEACH modification

Here, we discuss the implementation of an attacker node, and the way it is compromised and becomes an attacker, with respect to the details provided in Chapter 3. We also describe the modifications made to add the proposed IDS solution, which detects the malicious behavior and takes appropriate action.

Introduction of a malicious node

Three changes are required to launch a black-hole, selective forwarding, or sink-hole attack in the LEACH protocol: (1) increase the energy of the malicious node, (2) make it a CH in each round, and (3) drop all packets or selectively drop important messages. Here, we assume that once the compromised node becomes a CH, it drops all the packets. The implementation details are as follows:

Increasing energy: The energy of the malicious node is increased so that it does not die throughout the simulation and shows others that it has more energy to play the role of a CH. We made some changes in the file “uamps.tcl” and modified the function “proc leach-create-mobile-node {id}” to increase the energy of the attacking node. It sets an infinite amount of energy for the attacking node.

Making cluster head: The attacking node should be among the cluster choices of each node in every round. There are different ways to achieve this. In our experiments, we append the malicious node's request to the CH choices, i.e., the attacking node's ID is appended to the list of cluster choices. So, there are some nodes that make it a CH in consecutive rounds.

Dropping packets: Once an attacking node becomes a CH, it drops all the packets. We made a modification that drops the packets received by the malicious node. It checks for the attacker node's ID to avoid sending data to the BS. It also counts the number of times it does not forward a message, to record the number of packets that are dropped.

LEACH++ implementation

The original implementation of the LEACH protocol is modified to add more security against insider attacks. The proposed approach works in two phases: online prevention and offline detection. In this section, we present the details of their implementation in NS-2.

1) Online prevention:

• The local detection engine validates and verifies whether incoming packets are from legitimate nodes or not. For the LEACH protocol, it verifies whether the list of cluster choices contains any node that has already been declared malicious. If it finds such a node, it eliminates it from the list of cluster choices.

• The function that provides the list of possible CHs in a round is “Application/LEACH instproc recvADV_CH{msg}”, available in “ns-leach.tcl”. ClusterChoices_ is the array that contains the current choices for the CH. In the function “findBestCluster {}”, a list called the malicious node list is introduced. This list contains the node IDs of those nodes that are declared malicious by offline detection. This prevents the malicious nodes from becoming CH again, by removing their IDs from the cluster choices.


2) Offline detection:

• Intrusion detection works after collecting some amount of data. We simulated the LEACH protocol for 100 nodes with 5 CHs 25 times, keeping the simulation time at 800 s, to find whether nodes advertise ADV_CH in consecutive rounds or not. We found that nodes do not advertise ADV_CH in consecutive rounds. So, we track three consecutive rounds, rather than judging over more rounds, to make the decision about the maliciousness of a node.

• In offline detection, the data collection unit provides data to the content suppression unit, which arranges the data for intrusion detection. “clusterChoices_” is the data provided to the content suppression unit. It keeps a record of the cluster choices for three consecutive rounds. Here, if a node is selected as CH by a node for the third consecutive time, it is declared malicious. The process of detecting intrusions continues until the last round, to prevent a malicious node from becoming CH in continuous rounds.

• Intrusion detection checks whether a node becomes a CH three consecutive times. If it detects such behavior, it appends the node to the maliciousNodes_ list. “ns-leach.tcl” executes for each node in every round; therefore, maliciousNodes_ is visible to all the nodes. Hence, we do not need to implement the collaboration part here. But in real scenarios, the collaborative inquiry will be required.
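The online prevention filter and the offline detection rule described above, as an added Python example that is not the thesis' NS-2/Tcl code: a node keeps the CH it selected in its last three rounds (the clusterChoices_ record), a node chosen as CH three consecutive times goes into a shared set standing in for maliciousNodes_, and later choice lists are filtered before the findBestCluster step. The node IDs, distances, the `best` selector and the function names are constructed for illustration.

```python
from collections import deque

WINDOW = 3   # rounds of clusterChoices_ history kept per node (three suffice, per the NS-2 runs)


class LeachPlusPlusNode:
    """One sensor node's view: online prevention filter plus the offline detection rule.
    `malicious_nodes` stands in for the maliciousNodes_ list shared by all nodes."""

    def __init__(self, node_id, malicious_nodes):
        self.node_id = node_id
        self.malicious_nodes = malicious_nodes
        self.history = deque(maxlen=WINDOW)    # CH this node selected in recent rounds

    def filter_choices(self, cluster_choices):
        """Online prevention: strip already-declared malicious IDs from clusterChoices_."""
        return [ch for ch in cluster_choices if ch not in self.malicious_nodes]

    def select_cluster_head(self, cluster_choices, best):
        """Per-round selection; `best` plays the role of findBestCluster {} (e.g. nearest CH)."""
        choices = self.filter_choices(cluster_choices)
        if not choices:
            return None                        # no admissible CH advertised this round
        chosen = best(choices)
        self.history.append(chosen)
        self.offline_detect()
        return chosen

    def offline_detect(self):
        """Offline detection: the same CH selected in three consecutive rounds is malicious.
        A legitimate node winning twice in a row is left alone, which keeps false positives down."""
        if len(self.history) == WINDOW and len(set(self.history)) == 1:
            self.malicious_nodes.add(self.history[0])


def run_rounds(advertised_per_round, distance, node_id=1):
    """Feed one node the ADV_CH lists of successive rounds; return its picks and the shared set."""
    malicious = set()
    node = LeachPlusPlusNode(node_id, malicious)

    def nearest(choices):                      # constructed stand-in for findBestCluster {}
        return min(choices, key=lambda ch: distance[ch])

    picks = [node.select_cluster_head(adv, nearest) for adv in advertised_per_round]
    return picks, malicious


# Constructed sample: node 7 (compromised, energy never depleted) advertises ADV_CH every
# round and is the nearest CH to node 1; the other advertisers change from round to round.
ADVERTISED = [[7, 12], [7, 3], [7, 25], [7, 9], [7, 14]]
DISTANCE = {7: 5, 12: 20, 3: 30, 25: 18, 9: 22, 14: 17}

if __name__ == "__main__":
    picks, malicious = run_rounds(ADVERTISED, DISTANCE)
    print("CH selected per round:", picks)        # [7, 7, 7, 9, 14]
    print("maliciousNodes_:", sorted(malicious))  # [7]
```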

5.4.2 NS-2 Simulation results and discussion

The LEACH++ implementation shows that the modification does not put a burden on the LEACH protocol with respect to overall memory utilization and computation. We simulate LEACH++ using NS-2.34 on Fedora 12 to analyze its impact on energy consumption and throughput. The simulation parameters used to carry out the tests are listed in Table 19. The simulation results are discussed below.

Table 19: Simulation parameters for NS2

Simulation Time 800sec

Sensor Nodes 100

Base station 1

Base Station Location 70 * 100

Number of clusters 5

Initial Energy 2 Joules

Dimension 1000 * 1000

There are 100 sensor nodes and a BS, while the initial energy of the sensor nodes is set to 2 J. The sensor network topology used for the simulation is available at (W. Heinzelman 2011) and is shown in Figure 10. The BS, located at (70,100), is colored metallic black, and the 5 nodes randomly selected as CHs are colored green. Here, we have kept 5 CHs as this is considered an optimal number (Tian, ChangDu and Huang 2012). If a CH of high density is compromised, then the sensor network will be affected more than by compromising any other CH.


The clusters shown in Figure 22 are almost uniform, as the CHs are at a good distance from each other and each has close to 20% of the nodes. In Figure 23, by contrast, the CHs are very close to each other, which may cause heterogeneous clusters. In such a case, if a cluster of higher density is compromised, then the effect is greater than for one of lower size. That is why we have simulated each scenario more than 10 times, to cover this effect.

Figure 22: Sensor network having 101 nodes with 5 CHs and 1 BS

The LEACH protocol supports heterogeneous clusters, and this may lead to the formation of worse clusters, as shown in Figure 23. Here, five adjacent nodes are selected as CHs, so the nodes may have only a very small difference in their distances to the CHs. This is the reason why we have performed different numbers of simulations and used the average value in our results. In our simulations of attacked LEACH and LEACH++, we changed the attacker node in each simulation to obtain variety in the affected percentage. This is also ensured automatically, as the CHs do not remain the same throughout the simulation.


Figure 23: Varying cluster size as LEACH supports heterogeneous cluster formation

Energy consumption in Rounds

Energy utilization is a key feature for evaluating the performance of a routing protocol. LEACH utilizes less energy during its working, but it lacks security. LEACH++ adds some overhead to normal LEACH, as it includes a security mechanism for reliable delivery of messages to the destination node.

A sensor node consumes some energy for the computation steps and for the communication after detecting the malicious node. Each node consumes some extra energy due to the security policy during the setup phase of each round. This energy relates to the computation overhead imposed by the IDF on the LEACH protocol. However, this overhead is negligible compared to the communication overhead, as shown in Figure 24.


Figure 24: Comparison between LEACH++ and normal LEACH with respect to energy utilization

Data delivery in rounds

We have analyzed the data delivered to the BS during normal LEACH, attacked LEACH, and LEACH++. The amount of data received at the BS depends on the data messages sent by the CHs. In the attack scenario, a CH drops or selectively forwards the data communicated by its cluster nodes. In our simulation, there is one CH that drops all the packets. Hence, if there are 5 CHs in each round and one CH drops all the packets, then there will be about a 20% reduction in the packets received at the BS compared to the normal scenario. However, LEACH works in a random environment, so the number of messages sent in each round is not fixed across simulations, and the calculated drop ratio varies for each round of different simulations. We use the average over these simulations and show it in the results in Figure 25.

Sensor nodes detect the malicious activity in the next round, as per the detection policy set for the LEACH protocol, while the detection of a cluster node takes place in the current round by the CH. Here, a cluster node does not select as CH a node that it selected in previous rounds, or one that advertises the CH JOIN request in every round. The sensor network remains affected for the first two rounds and recovers in the following rounds by preventing the malicious node from becoming the CH. The impact on the data received at the BS is shown in Figure 25. The results show that about 22% of the data that is lost in the attacked scenario is saved by the LEACH++ protocol.


Figure 25: Throughput comparison of LEACH, attacked LEACH, and LEACH++

5.5 Summary

In this chapter, we modified the low-energy adaptive clustering hierarchy (LEACH) protocol for WSNs and added intrusion detection functionality to secure WSNs from sinkhole, black-hole, and selective forwarding attacks. We analyzed the energy consumption and throughput of the proposed LEACH++ protocol both numerically and using the NS-2 simulator.

The results show that LEACH++ achieves higher throughput than LEACH during an attack, while it does not affect the overall energy consumption of the system. The proposed intrusion detection framework is lightweight and does not put much burden on the LEACH protocol with respect to memory utilization and computation. The proposed protocol can be effectively used in cloud-based WSN environments.


Chapter 6

Comprehensive Security Analysis of LEACH++ Clustering Protocol

6.1 Introduction

During the last few years, malicious traffic detection has become an active area of network security, because WSNs have seen a surge in malicious traffic generated by adversaries (Shanthi and G. Rajan 2016). They launch various DoS attacks, such as black-hole, selective forwarding, and sink-hole attacks, to make network performance inefficient and trouble users. Various malicious traffic detection techniques have been proposed to counter these attacks. IDSs are commonly used today; they detect various kinds of abnormal traffic and network communication, with the mission of preserving the system from damage (Ho, et al. 2012).

A specification-based approach to secure the LEACH protocol is proposed in (Lee, Lee and Yoo 2012), but it is not tested properly and lacks any simulation results. Hence, the efficiency of the proposed scheme cannot be justified. In another work (Kumar and Umamakeswari 2016), a specification-based intrusion detection scheme called SSLEACH is presented to secure WSNs from the sinkhole attack. The authors discuss how their approach works better with respect to energy consumption, but do not provide any detail about detection rate analysis. An IDS solution that detects malicious nodes using an anomaly-based detection scheme on the LEACH protocol is presented in (Almomani, Al-Kasasbeh and AL-Akhras 2016). Here, an artificial neural network is trained on a WSN dataset collected by simulating the LEACH protocol, to classify various DoS attacks. We discussed earlier that anomaly-based detection schemes do not suit WSNs.

An IDS monitors the activities of the sensor field and interprets whether these activities are normal or malicious. There is a chance that the IDS considers a normal activity abnormal and generates an alarm regarding the maliciousness of the node, and vice versa, that there is an abnormal activity but the IDS cannot judge it as malicious. Hence, there is a requirement to test proposed IDS schemes against detection rates. Commonly, proposed schemes are tested for false positive rate and intrusion detection rate. In this chapter, we perform the detection rate analysis for our proposed specification-based detection scheme for LEACH++. We analyze the proposed approach by launching black-hole and sink-hole attacks in different patterns and in different numbers.

Three performance metrics are used to evaluate the efficiency of the proposed work, i.e., false positive rate, detection rate, and accuracy. A detection policy can declare a normal activity malicious, and it is also possible that it does not detect an abnormal activity. Systems that focus on achieving a high detection rate may end up with a high false positive rate and low accuracy. On the other hand, if the focus is on achieving a low false positive rate, then this can affect the intrusion detection rate and accuracy as well. So, a system should be an intermediate solution that achieves a low false positive rate while keeping the detection rate and accuracy high.

Results show that the proposed specification-based detection policy achieves a low false positive rate, a high detection rate and high accuracy when records of three consecutive rounds are kept.

6.2 False positive rate, intrusion detection rate, and accuracy

Detection schemes are used to detect the abnormal behaviour of a node and label it as malicious activity. Sometimes a node that is not malicious performs, for some reason, actions that cause the detection scheme to declare it malicious. This phenomenon is known as a false positive. Every type of security mechanism encounters the issue of false positives (Mcdermott and Petrovki 2017). On the other hand, the intrusion detection rate (IDR) measures the capability of the detection scheme to identify the compromised nodes. False positive and detection rates are the key performance parameters of an IDS (Otoum, Kantarci and Hussein 2017). Another fundamental parameter used to measure the efficiency of a proposed IDS is accuracy (Bahl and Sharma 2015) (Milenkoski, et al. 2016). The following formulas are used to determine these rates:

6.2.1 False positive rate (FPR)

A false positive is a normal behaviour incorrectly reported as abnormal. The false positive rate is:

$$\mathrm{FPR} = \frac{FP}{FP + TN}, \qquad FP = \text{False Positive}, \; TN = \text{True Negative}$$

False positive (FP): CHs that are normal but declared malicious.

True negative (TN): CHs that are normal and correctly identified as normal.

If a CH node is normal but the detection policy declares it malicious, it is counted as FP; if it is normal and correctly identified as normal, it is counted as TN.

6.2.2 Intrusion detection rate (IDR)

The detection rate measures how well the applied technique detects the malicious nodes. If the technique fails to detect some of the malicious node(s), the detection rate drops accordingly. The detection rate is:

$$\mathrm{IDR} = \frac{TP}{TP + FN}, \qquad TP = \text{True Positive}, \; FN = \text{False Negative}$$

True positive (TP): CHs that are malicious and correctly identified as malicious.

False negative (FN): CHs that are malicious but incorrectly identified as normal.

If a CH node is malicious and the detection policy declares it malicious, it is counted as TP; if it is malicious but incorrectly declared normal, it is counted as FN.

6.2.3 Accuracy rate

Accuracy is one of the fundamental performance metrics for detection schemes, along with false positive rate and detection rate. It is defined as the number of samples in the test data that are classified correctly divided by the total number of samples in the test data (Jabbar, Aluvalu and Reddy 2017). Consider a detection system applied to a dataset of hospital patients that achieves 75% accuracy: the system has identified the disease correctly for 75 out of 100 patients. To determine the accuracy of any test, TP and TN are counted over all cases. The formula for accuracy is:

$$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN}, \qquad TP = \text{True Positive}, \; TN = \text{True Negative}, \; FP = \text{False Positive}, \; FN = \text{False Negative}$$

If a detection system declares the normal CHs normal and correctly detects the malicious CHs as abnormal, it achieves high accuracy.

6.3 Simulation parameters and experiment details

We simulate LEACH++ using NS-2.34 on Fedora 12 to find the intrusion detection rate and false positive rate. The simulation parameters used to carry out the tests are listed in Table 20. The network scenario is the same as the one used in the previous chapter to determine the energy consumption and throughput of LEACH++. There are 100 normal nodes placed randomly and one BS situated at (70, 100). The overall time of each simulation is 800 s and each round lasts 20 s, so each simulation has 40 rounds. As discussed earlier, the number of CHs is set to 5, but this does not mean that every round has exactly 5 CHs: because of the self-organising nature of the sensor nodes, the number of CHs varies and lies between 3 and 10 most of the time. So, for each test, we perform multiple simulations and report the average as a single value.

Table 20: Simulation parameters for detection rate analysis

Simulation time          800 s
Sensor nodes             100
Base station             1
Base station location    (70, 100)
Number of clusters       5
Initial energy           2 J
Dimension                1000 × 1000

Detection rate analysis is carried out for the detection policy proposed for LEACH++. The specification-based detection policy works in two steps:

• Step #1: On receiving an ADV_CH packet, the sensor node searches A_List to check whether the sender advertised ADV_CH in the previous consecutive rounds as well.

• Step #2: If the outcome of Step #1 is true, the node adds the sender to the claim list (C_List) and collaborates with other nodes to find out how the sender behaved at their side. Otherwise, it follows the normal cluster formation steps.

Here, A_List stores the CH records of the previous rounds. In this chapter, we test the impact of keeping records of 2, 3 or 4 consecutive rounds in A_List. In our tests these configurations are called consecutive rounds 2 (CR-2), consecutive rounds 3 (CR-3) and consecutive rounds 4 (CR-4).

We performed various tests to evaluate the false positive rates (FPRs) and intrusion detection rates (IDRs) after launching black-hole attacks. In each test a different number of attacks is launched, i.e. 1, 2 or 3. When there is more than one attack, we further test different launching patterns:

• Purely random (PR): once an attack is launched, the next attack is not launched until the first one has been detected.

• Overlapping (OL): once an attack is launched, the next attack is launched in one of the following rounds, before the first attack is detected.

• Same time (ST): all the attacks are launched in the same round.

FPR is calculated for the different configurations of A_List and a varying number of attackers, while IDR is calculated for the different configurations of A_List, a varying number of attackers and the different launching patterns.

6.4 Detection rate analysis for black-hole attack

The black-hole attack is one of the serious security problems of WSNs. The adversary tries to attract more attention from the neighbouring nodes, so as to intercept more packets, by advertising false information; the compromised node then drops all the received packets that it should forward (Ghugar and Pradhan 2016). A compromised node can launch a black-hole attack in LEACH by transmitting ADV_CH in every round during the setup phase in order to become CH, and then dropping all the packets that it should send to the base station. Our specification-based detection scheme detects this attack and prevents the node from becoming CH in later rounds. We discuss the FPR, IDR and accuracy rate analysis for this type of attack in the following sub-sections.


6.4.1 FPR analysis

Security schemes encounter false positive, but it should be minimum to avoid

degradation in the performance of a system, as this leads to inaccuracy of the overall

results. Because, if a normal node is declared malicious than other nodes drops the

packets received from such node, which cause the loss of data. Table 21 depicts the

FPR, that are achieved after simulation of the proposed detection scheme. Test are

carried out for different configurations of the A_List and launching of different numbers

of attacks in PR manner. Results show that the FPR rate is high for CR-2 while the FPR

rate is very low for CR-4.

Table 21: FPR for black-hole attack

        1A_70   2A_70   3A_70   1A_100  2A_100  3A_100
CR-2    0.015   0.015   0.015   0.025   0.025   0.025
CR-3    0.0     0.0     0.0     0.01    0.01    0.01
CR-4    0.0     0.0     0.0     0.0025  0.0025  0.0025

The simulations are carried out for 800 seconds, but there is always a chance that the network dies before the simulation reaches its stop time. In LEACH, a node consumes more energy while acting as CH, and nodes mostly start dying once the simulation reaches about 70% of its execution time. The results are therefore reported for two phases of the network: when most of the nodes are alive and when the nodes start dying. 1A_70, 2A_70 and 3A_70 show the impact of one, two and three attackers respectively during the first 70% of the simulation time, while 1A_100, 2A_100 and 3A_100 show the impact of one, two and three attackers respectively over the complete simulation.

A legitimate node rarely tries to become CH in four consecutive rounds, so the FPR for CR-4 is minute compared to the others. The only exception is when few nodes remain alive and every remaining node tries to become CH to deliver its messages to the BS; in our simulation, that only happens towards the end of the simulation period. Hence, for the first 70% of the simulation time the FPR is zero, while over the complete simulation time it is as low as 0.0025.

The simulation results show that CR-2 has a higher FPR than CR-3 and CR-4 in both situations. It is quite likely that a sensor node sends ADV_CH in two consecutive rounds, but sending it in three consecutive rounds is not so common. The results show that during the first 70% of the simulation time almost no node tries to become CH in three consecutive rounds, whereas there is a fair chance that a node tries in two consecutive rounds. Hence, CR-2 declares a normal node malicious more often than CR-3 and CR-4. During the last quarter of the simulation, where nodes start dying in quick succession, the chance of a node becoming CH in consecutive rounds increases. That is why CR-3 also shows some FPR in the last quarter, although it remains lower than that of CR-2.

6.4.2 IDR analysis

The intrusion detection rate measures the capability of the detection scheme to identify the compromised nodes. Our specification-based detection policy maintains a list of previous CHs and uses it to determine the malicious node. Consider the scenario in Table 22, where CR-3 is used for A_List.


Table 22: Example illustrating IDR calculation

           CH#1   CH#2   CH#3   CH#4   CH#5
Round#10   12     23     45     67     89
Round#11   33     46     77     86     97
Round#12   22     46     55     62     93
Round#13   14     46     66     75     90
Round#14   15     24     39     71     92

In our tests, we calculate the IDR of each round. In the given example, Round#10, Round#13 and Round#14 are normal, while Round#11 and Round#12 are compromised by the malicious node "46". In Round#13 it is declared malicious and the sensor nodes stop communicating with it, so its impact lasts for two rounds only. The IDR for Round#10, Round#13 and Round#14 is 100%, while for Round#11 and Round#12 it is 0%. Finally, we average the IDR over all rounds. Hence, the IDR here gives the percentage of time during which the network works normally.

The IDR for the PR attack pattern of the black-hole attack is calculated for the three configurations of A_List, i.e. CR-2, CR-3 and CR-4, as shown in Table 23. In the PR attack pattern, for a single attack, the network remains compromised for one round in CR-2, two rounds in CR-3 and three rounds in CR-4. Hence, the IDR value is low for CR-4 and high for CR-2. With three attackers the network remains compromised for more rounds. Currently, each simulation has only 40 rounds; if the number of rounds per simulation were increased to 100, the impact of each compromised round would be smaller. In that case there would be only a slight difference between the IDR of CR-2 and CR-3, while some gap would remain between CR-2 and CR-4: for 1A_PR, the IDR for CR-2 would become 0.99 and for CR-3 0.98, and for 3A_PR, the IDR for CR-2 would become 0.98 and for CR-3 0.945.

Table 23: IDR for purely random attack pattern for black-hole attack

        1A_PR   2A_PR   3A_PR
CR-2    0.975   0.95    0.925
CR-3    0.95    0.90    0.85
CR-4    0.925   0.85    0.775

Further, we simulated the black-hole attack for the other attack patterns, i.e. OL and ST. The results are shown in Table 24. The PR attack pattern affects the network more than OL and ST, while ST has the least impact. Obviously, if the attacks are launched in the same round, they are likely to be detected in the same round as well. So, by our calculation, the network remains compromised for one round in CR-2, two rounds in CR-3 and three rounds in CR-4 for 1A, 2A and 3A in the ST attack pattern, while the number of compromised rounds varies for the OL attack pattern. The OL attack pattern affects the network more than ST but less than PR.


Table 24: IDR for different attack patterns for black-hole attack with 2 and 3 attackers

        2A_PR   2A_OL   2A_ST   3A_PR   3A_OL   3A_ST
CR-2    0.95    0.963   0.975   0.925   0.95    0.975
CR-3    0.90    0.93    0.95    0.85    0.91    0.95
CR-4    0.85    0.89    0.925   0.775   0.86    0.925

Table 25 presents the average IDR for the black-hole attack. CR-2 performs better than CR-3 and CR-4 and achieves the highest detection rate, and CR-4 gives worse results than CR-3 with respect to the intrusion detection rate. With CR-4 the network remains in a normal condition for 89% of the time on average, while with CR-3 it remains uncompromised for 93% of the time.

Table 25: Average IDR for black-hole attack

        1A_Avg  2A_Avg  3A_Avg  Average
CR-2    0.975   0.963   0.95    0.96
CR-3    0.95    0.927   0.903   0.93
CR-4    0.925   0.888   0.853   0.89

Hence, we can conclude that CR-3 is better than CR-4 in the current tests, and that CR-3 can approach CR-2 if the simulation time is increased. In short, CR-2 achieves higher intrusion detection rates than CR-3 and CR-4 in all tests.

6.4.3 Accuracy rate

Accuracy is the rate of correctly identifying both the normal and the malicious nodes (Javaid, et al. 2015). A detection scheme can fail to identify a malicious node, and it can also fail to declare a normal node normal. To capture both effects we also determine the accuracy rate by simulating the LEACH++ protocol for the different configurations of A_List and launching attacks in different patterns. We determine the accuracy of each round and finally take the average. Consider the scenario in Table 22 with the A_List configuration CR-3. The accuracy for Round#10, Round#13 and Round#14 is 100%, while for Round#11 and Round#12 it is 80%. In Round#10 and Round#14, all the nodes are normal and declared normal. In Round#11 and Round#12, one of the five CHs is malicious but is not declared malicious, so four of the five CHs are classified correctly. In Round#13, all five CHs are correctly identified as normal or malicious, so the accuracy is 100% there.
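The following Python program is an added illustration and is not code from the thesis or from the LEACH++ implementation. It replays the CH sets of Table 22 through a simplified model of the two-step A_List policy (Step #1 and Step #2 of Section 6.3, without the neighbour collaboration of Step #2) for a configurable CR-N window, and computes the round-wise FPR, IDR and accuracy exactly as defined in Section 6.2 and in the worked examples above (the IDR of a round without an attacker is counted as 100%). The round data, the attacker identity (node 46), and the second scenario in which a legitimate node wins the CH election twice in a row are constructed for this example; all function and variable names are our own.

```python
from collections import deque
from dataclasses import dataclass, field

# Constructed input: the CH sets of Table 22 (rounds 10-14, five CHs each).
# Node 46 is the black-hole attacker and sends ADV_CH in rounds 11, 12 and 13.
TABLE_22 = {
    10: [12, 23, 45, 67, 89],
    11: [33, 46, 77, 86, 97],
    12: [22, 46, 55, 62, 93],
    13: [14, 46, 66, 75, 90],
    14: [15, 24, 39, 71, 92],
}
MALICIOUS = {46}

# Constructed input for the false-positive side: no attacker at all, but the
# legitimate node 77 happens to win the CH election in two consecutive rounds.
LEGIT_REPEAT = {
    10: [12, 23, 45, 67, 89],
    11: [33, 77, 86, 97, 51],
    12: [22, 77, 55, 62, 93],
    13: [14, 66, 75, 90, 28],
}


@dataclass
class RoundResult:
    """Confusion-matrix counts for the CHs of one round (Section 6.2)."""
    round_no: int
    tp: int = 0
    tn: int = 0
    fp: int = 0
    fn: int = 0
    flagged: set = field(default_factory=set)   # nodes declared malicious this round

    @property
    def fpr(self) -> float:
        return self.fp / (self.fp + self.tn) if (self.fp + self.tn) else 0.0

    @property
    def idr(self) -> float:
        # A round with no attacker cannot miss one; the thesis counts it as 100 %.
        return self.tp / (self.tp + self.fn) if (self.tp + self.fn) else 1.0

    @property
    def accuracy(self) -> float:
        return (self.tp + self.tn) / (self.tp + self.tn + self.fp + self.fn)


def run_detection(rounds: dict, malicious: set, cr: int) -> list:
    """Apply the CR-<cr> policy round by round and score every CH claim.

    A_List holds the CH sets of the previous cr-1 rounds, so a node is flagged
    on its cr-th consecutive ADV_CH.  C_List keeps the nodes already declared
    malicious; they are rejected immediately if they ever advertise again.
    """
    if cr < 2:
        raise ValueError("CR-N needs at least two rounds to compare")
    a_list = deque(maxlen=cr - 1)
    c_list = set()
    results = []
    for round_no in sorted(rounds):
        advertisers = rounds[round_no]
        res = RoundResult(round_no)
        for node in advertisers:
            # Step #1: did this node advertise ADV_CH in every one of the
            # previous cr-1 rounds recorded in A_List?
            repeat = len(a_list) == cr - 1 and all(node in prev for prev in a_list)
            # Step #2: if so, it goes on the claim list and is treated as malicious.
            if repeat or node in c_list:
                c_list.add(node)
                res.flagged.add(node)
            declared_bad = node in res.flagged
            is_bad = node in malicious
            if is_bad and declared_bad:
                res.tp += 1
            elif is_bad:
                res.fn += 1
            elif declared_bad:
                res.fp += 1
            else:
                res.tn += 1
        a_list.append(set(advertisers))
        results.append(res)
    return results


def average_rates(results: list) -> dict:
    """Average the per-round rates, as the thesis does for its tables."""
    n = len(results)
    return {
        "FPR": sum(r.fpr for r in results) / n,
        "IDR": sum(r.idr for r in results) / n,
        "accuracy": sum(r.accuracy for r in results) / n,
    }


if __name__ == "__main__":
    for cr in (2, 3, 4):
        res = run_detection(TABLE_22, MALICIOUS, cr)
        print(f"CR-{cr}: per-round IDR {[r.idr for r in res]}, "
              f"averages {average_rates(res)}")
        fp_rounds = [r.round_no for r in run_detection(LEGIT_REPEAT, set(), cr) if r.fp]
        print(f"CR-{cr}: rounds with a false positive on node 77: {fp_rounds}")
```

With CR-3 the program reproduces the figures of the text: IDR 100%, 0%, 0%, 100%, 100% and accuracy 100%, 80%, 80%, 100%, 100% for Round#10 to Round#14, with node 46 flagged in Round#13. With CR-2 the attacker is caught one round earlier (Round#12), but in the second scenario the legitimate repeat of node 77 is also flagged, giving an FPR of 0.2 in that round; with CR-4 the attacker is not caught at all within the five rounds. That is the FPR/IDR trade-off of Tables 21 and 23 in miniature. The collaboration with neighbouring nodes in Step #2, which the thesis uses to check the claim against the neighbours' observations, is left out of this model.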

Table 26: Accuracy rate for purely random attack pattern for black-hole attack

        1A_PR   2A_PR   3A_PR   Average
CR-2    0.974   0.969   0.964   0.969
CR-3    0.978   0.972   0.962   0.970
CR-4    0.985   0.966   0.955   0.968


Table 26 presents the accuracy rates obtained by launching the black-hole attack in the PR attack pattern for the different configurations of A_List. The proposed specification-based detection policy achieves 97% accuracy on average for CR-3, and the accuracy rates for CR-2 and CR-4 are also around 97%. Hence, we can conclude that the proposed scheme performs well for all configurations with respect to accuracy.

6.5 Detection rate analysis for sink-hole attack

The sink-hole attack is among the intelligent attacks on WSNs. The malicious node presents itself as more attractive to the neighbouring nodes with respect to the routing metric in order to draw more traffic (Agrwal, et al. 2016). Once it starts receiving more traffic, it can do various things with the packets, such as modifying the messages or dropping them. A compromised node can launch a sink-hole attack in LEACH by transmitting ADV_CH in every round during the setup phase along with false distance information, so as to become the CH of as many nodes as possible. Once it becomes CH, it behaves according to the configuration set by the adversary. Our specification-based detection scheme detects this attack and prevents the malicious node from becoming CH in later rounds. We discuss the FPR, IDR and accuracy rate analysis for this type of attack in the following sub-sections.

6.5.1 FPR analysis

Table 27 shows the FPR obtained after simulating the proposed detection scheme with sink-hole attacks launched in the PR manner. The results show that the FPR is high for CR-2 while it is very low for CR-4.

Table 27: FPR for sink-hole attack

        1A_70   2A_70   3A_70   1A_100  2A_100  3A_100
CR-2    0.015   0.016   0.016   0.035   0.028   0.030
CR-3    0.0     0.0     0.0     0.01    0.01    0.01
CR-4    0.0     0.0     0.0     0.0010  0.0025  0.0015

The simulations for the sink-hole attack are also carried out for 800 seconds, and the results again cover the two phases of the network: when most of the nodes are alive and when the nodes start dying. 1A_70, 2A_70 and 3A_70 show the impact of one, two and three attackers respectively during the first 70% of the simulation time, while 1A_100, 2A_100 and 3A_100 show the impact of one, two and three attackers respectively over the complete simulation.

A legitimate node rarely tries to become CH in four consecutive rounds, so the FPR for CR-4 is very low compared to the others. The only exception is when few nodes remain alive and every remaining node tries to become CH to deliver its messages to the BS; in our simulation, that only happens at the end of the simulation period. Hence, for the first 70% of the simulation time the FPR is zero, while over the complete simulation time it is as low as 0.001.

The simulation results show that the behaviour under the sink-hole attack is like that under the black-hole attack: CR-2 has a higher FPR than CR-3 and CR-4 in both situations. The results also show that during the first 70% of the simulation time almost no node tries to become CH in three consecutive rounds, whereas there is a fair chance that a node tries in two consecutive rounds. Hence, CR-2 declares a normal node malicious more often than CR-3 and CR-4. During the last quarter of the simulation, where nodes start dying in quick succession, the chance of a node becoming CH in consecutive rounds increases. That is why CR-3 also shows some FPR in the last quarter, although it remains lower than that of CR-2.

6.5.2 IDR analysis

Here, we test whether our proposed intrusion detection system identifies all the sink-hole attackers, launched in different numbers and at different times. The IDR for the PR attack pattern of the sink-hole attack is calculated for the three configurations of A_List, i.e. CR-2, CR-3 and CR-4, as shown in Table 28. In the PR attack pattern, for a single attack, the network remains compromised for one round in CR-2, two rounds in CR-3 and three rounds in CR-4. Hence, the IDR value is low for CR-4 and high for CR-2. The results show that the network remains compromised for more rounds with three attackers. CR-2 achieves a higher IDR than CR-3 and CR-4: the highest detection rate is 97% for CR-2, while CR-3 achieves 96%. As the number of attackers increases, the IDR decreases. Currently, each simulation has only 40 rounds; if the number of rounds per simulation were increased to 100, the impact of each compromised round would be smaller. In that case there would be only a slight difference between the IDR of CR-2 and CR-3, while some gap would remain between CR-2 and CR-4: for 1A_PR, the IDR for CR-2 would become 0.99 and for CR-3 0.98, and for 3A_PR, the IDR for CR-2 would become 0.98 and for CR-3 0.95.

Table 28: IDR for purely random attack pattern for sink-hole attack

        1A_PR   2A_PR   3A_PR
CR-2    0.97    0.967   0.93
CR-3    0.96    0.92    0.88
CR-4    0.93    0.87    0.80

Hence, we can conclude that CR-3 is better than CR-4 in the current tests, and that CR-3 can approach CR-2 if the simulation time is increased. In short, CR-2 achieves higher intrusion detection rates than CR-3 and CR-4.

6.5.3 Accuracy rate

Accuracy is calculated in the same way as for the black-hole attack in the previous section. Here, we calculate the rate of correctly identifying the normal nodes and the sink-hole attacker nodes. A detection scheme can fail to identify a sink-hole attack because of its changing and intelligent behaviour. However, the sink-hole attacker must first become CH to affect the network performance, so our rules prevent the sink-hole attacker from becoming CH in consecutive rounds. The accuracy rates for the sink-hole attack are shown in Table 29.

Table 29: Accuracy rate for purely random attack pattern for sink-hole attack

        1A_PR   2A_PR   3A_PR   Average
CR-2    0.972   0.963   0.960   0.965
CR-3    0.982   0.975   0.970   0.975
CR-4    0.984   0.966   0.955   0.968

Table 29 presents the accuracy rates obtained by launching the sink-hole attack in the PR attack pattern for the different configurations of A_List. The proposed specification-based detection policy achieves 97.5% accuracy on average for CR-3, and the accuracy rates for CR-2 and CR-4 are also around 97%. Hence, we can conclude that the proposed scheme performs well for all configurations with respect to accuracy.

6.6 Summary

In this chapter, we performed the detection rate analysis of our proposed specification-based detection policy. We simulated LEACH++ while launching different numbers of attacks (1, 2 and 3) in different patterns (PR, OL and ST) for different configurations (CR-2, CR-3 and CR-4) to determine the accuracy, intrusion detection and false positive rates.

The FPR results show that CR-2 has a higher FPR than CR-3, while CR-3 and CR-4 achieve a very low FPR during the first three quarters of the simulation time. The IDR results favour CR-2, as it achieves a higher IDR than CR-3 and CR-4; if the simulation time is increased, however, there is only a slight difference between the IDR values of CR-2 and CR-3. The accuracy rates of all configurations are almost the same, with CR-3 achieving slightly better accuracy.

In short, CR-3 works better than CR-4 with respect to IDR, and achieves a better FPR than CR-2.


Chapter 7

Conclusion

7.1 Summary of the Contributions

Usage of cloud computing is increasing day by day because of its decentralised processing and storage of data and online access to computing services. Cloud computing will play a major role in the coming years in providing healthcare services to smart homes, healthcare institutes, e-healthcare systems and people at remote locations. Here, the data is acquired from sensors over the wireless medium. Studies show that WSNs are vulnerable to various kinds of security threats, and a security solution is required that safeguards them from lethal attacks. Key management, authentication and secure routing protocols cannot guarantee security against inside attacks. An IDS provides a solution to this problem by analysing the network to detect abnormal behaviour of the sensor nodes.

The focus of this thesis is to develop a robust intrusion detection technique with the ability to correctly identify malicious activity; it should be lightweight and achieve high throughput. The following paragraphs summarise the proposed approaches.

Chapter 3 presents a comprehensive survey of security schemes previously proposed for wireless sensor networks. These approaches are classified into three categories based on where the IDS agent is installed. A survey of IDS-based solutions for the LEACH protocol is also given there.

Chapter 4 presents the salient features of our proposed intrusion detection framework. It works in two modes, offline detection and online prevention. Online prevention safeguards the network against abnormal nodes that have already been declared malicious, while offline detection finds the nodes that are being compromised by the adversary during the next epoch of time. Further, we performed experiments to show the efficacy of the purely distributed approach over the centralised distributed security scheme.

Chapter 5 presents the details of the LEACH protocol and the way it is secured by adding the proposed intrusion detection framework, giving LEACH++. It also presents the analysis of the energy consumption and throughput of the proposed LEACH++ protocol, both numerically and with the NS-2 simulator. The results show that LEACH++ achieves higher throughput than LEACH under attack, without affecting the overall energy consumption of the system. The proposed intrusion detection framework (IDF) is lightweight and does not put much burden on the LEACH protocol with respect to memory utilisation and computation. The proposed protocol can be used effectively in cloud-based WSN environments.

Chapter 6 presents the detection rate analysis of our proposed specification-based detection policy. LEACH++ is tested by launching different numbers of attacks (1, 2 and 3) in different patterns (PR, OL and ST) for different configurations (CR-2, CR-3 and CR-4) to find the intrusion detection rate and false positive rate. The FPR results show that CR-2 has a higher FPR than CR-3, while CR-3 and CR-4 achieve a very low FPR during the first three quarters of the simulation time. The IDR results favour CR-2, as it achieves a higher IDR than CR-3 and CR-4; if the simulation time is increased, however, there is only a slight difference between the IDR values of CR-2 and CR-3. In short, CR-3 works better than CR-4 with respect to IDR, and achieves a better FPR than CR-2.

7.2 Future Work

We believe that an intrusion detection system does not counter all the attacks that wireless sensor networks encounter. It can help to detect inside attacks, but it cannot control outside attacks launched by an adversary. Hence, a protocol is needed that works alongside the intrusion detection system to provide secure transmission. So, the complete solution would be an IDS that ensures reliable transmission together with a cryptographic solution that ensures secure transmission.

Combining an IDS solution with cryptography would improve the overall security of the system. A number of cryptographic solutions have been proposed for WSNs, but they need to be tested together with the proposed intrusion detection framework.

In future, we will test our proposed work by including a secure transmission protocol for the collaboration with neighbours and the BS.


References

Aazam, M., E. Huh, M. St-Hilaire, C. H. Lung, and I. Lambadaris. 2015. “Cloud of Things: Integration of IoT with Cloud Computing.” Robots and Sensor Clouds 36: 77-94.

Abdullah, Manal, Ebtesam Alsanee, and Nada Alseheymi. 2014. “Energy Efficient Cluster-Based Intrusion Detection System for Wireless Sensor Networks.” International Journal of Advanced Computer Science and Applications 5 (9): 10-15.

Agrwal, S. L., R. Khandelwal, P. Sharma, and S. K. Gupta. 2016. “Analysis of detection algorithm of Sinkhole attack & QoS on AODV for MANET.” 2nd International Conference on Next Generation Computing Technologies. Dehradun, India: IEEE. 839-842.

Ahmed, K. R., K. Ahmed, S. Munir, and A. Asad. 2008. “Abnormal Node Detection in Wireless Sensor Network by Pair Based Approach using IDS Secure Routing Methodology.” International Journal of Computer Science and Network Security VIII (12): 339-342.

Akkaya, K., and M. Younis. 2005. “A survey on routing protocols for wireless sensor networks.” Elsevier Ad Hoc Networks 325-349.

Akyildiz, I. F., T. Melodia, and K. R. Chowdhury. 2007. “A survey on wireless multimedia sensor networks.” Computer Networks: The International Journal of Computer and Telecommunications Networking 51 (4): 921-960.

Akyildiz, I. F., W. Su, Y. Sankarasubramaniam, and E. Cayirci. 2002. “A survey on sensor networks.” IEEE Communication Magazine 102-114.

Almomani, I., B. Al-Kasasbeh, and M. AL-Akhras. 2016. “WSN-DS: A Dataset for Intrusion Detection Systems in Wireless Sensor Networks.” Journal of Sensors 2016: 1-16.

Al-Shurman, M., S. M. Yoo, and S. Park. 2004. “Black Hole Attack in Mobile Ad Hoc Networks.” 42nd Annual Southeast Regional Conference ACM-SE. Huntsville, Alabama: ACM. 96-97.

Atakli, I. M., H. Hu, Y. Chen, W. S. Ku, and Z. Su. 2008. “Malicious Node Detection in Wireless Sensor Networks using Weighted Trust Evaluation.” The Symposium on Simulation of Systems Security. Ottawa, Canada: Society for Computer Simulation International. 836-843.

Bahl, S., and S. K. Sharma. 2015. “Improving Classification Accuracy of Intrusion Detection System Using Feature Subset Selection.” IEEE Fifth International Conference on Advanced Computing & Communication Technologies. Haryana, India: IEEE. 431-436.

Bansal, V., and K. K. Saluja. 2016. “Anomaly based detection of Black Hole attack on LEACH protocol in WSN.” IEEE International Conference on Wireless Communications, Signal Processing and Networking. Chennai, India: IEEE. 1924-1928.

Bojkovic, Z. S., B. M. Bakmaz, and M. R. Bakmaz. 2008. “Security Issues in Wireless Sensor Networks.” International Journal of Communications II (1): 106-115.

Botta, A., W. Donato, V. Persico, and A. Pescape. 2016. “Integration of Cloud computing and Internet of Things: A survey.” Future Generation Computer Systems 56: 684-700.

Buettner, M., B. Greenstein, A. Sample, J. R. Smith, and D. Wetherall. 2009. “Revisiting smart dust with RFID sensor networks.” 11th International Conference on Ubiquitous Computing. Orlando: ACM. 51-60.

Butun, I., S. D. Morgera, and R. Sankar. 2013. “A survey of intrusion detection systems in wireless sensor networks.” IEEE Communications Surveys & Tutorials 16 (1): 266-282.

Camara, C., P. Peris-Lopez, and J. E. Tapiador. 2015. “Security and Privacy Issues in Implantable Medical Devices.” Journal of Biomedical Informatics 55: 272-289.

Chen, J., H. Zhang, and J. Hu. 2008. “An efficiency security model of routing protocol in wireless sensor networks.” 2008 Second Asia International Conference on Modelling and Simulation. Washington, DC, USA: IEEE. 59-64.

Chen, S., G. Yang, and S. Chen. 2010. “A Security Routing Mechanism against Sybil Attack for Wireless Sensor Networks.” International Conference on

Communications and Mobile Computing. Shenzhen, China: IEEE. 142-146.

Cordeiro, C. M., and D. P. Agrawal. 2006. Ad Hoc and Sensor Networks: Theory and

Applications. Singapore: World Scientific.

Da Silva, A. P. R., M. H. T. Martins, B. P. S. Rocha, A. A. F. Loureiro, L. B. Ruiz, and

W. C. Wong. 2005. “Decentralized intrusion detection in wireless sensor

networks.” Proceedings of the 1st ACM international workshop on Quality of

service & security in wireless and mobile networks. Quebec, Canada: ACM. 16-

23.

Deng, H., W. Li, and Dharma P. Agrawal. 2002. “Routing Security in Ad Hoc

Networks.” IEEE Communications Magazine, Special Topics on security in

Telecommunication Networks 40 (10): 70-75.

Dimitriou, T., I. Krontiris, and T Giannetsos. 2008. “LIDeA: A distributed lightweight

intrusion detection architecture for sensor networks.” ACM Secure

Communication. Istanbol, Turkey: Fourth International Conference on Security

and Privacy for Communication Networks.

Doukas, C., and I. Maglogiannis. 2011. “Managing Wearable Sensor Data through

Cloud Computing.” Third IEEE International Conference on Coud Computing

Technology and Science. Athens, Greece: IEEE. 440-445.

Drozda, M., and H. Szczerbicka. 2006. “Artificial Immune Systems: Survey and

Applications in Ad Hoc Wireless Networks.” International Symposium on

Performance Evaluation of Computer and Telecommunication Systems. Calgary,

Canada: IEEE. 485-492.

Drozda, M., S. Schaust, and H. Szczerbicka. 2007. “AIS for Misbehaviour Detection in

Wireless Sensor Networks: Performance and Design Principles.” Congress on

Evolutionary Computation. Singapore: IEEE. 3719-3726.

Farooqi, A. H., and A. Munir. 2008. “Intrusion Detection System for IP Multimedia

Subsystem Using K-Nearest Neighbor classifier.” 12th IEEE International

Multitopic Conference. Karachi, Pakistan: IEEE. 423-428.

Farooqi, A. H., and F. A. Khan. 2012. “A survey of Intrusion Detection Systems for

Wireless Sensor Networks.” International Journal of Ad Hoc and Ubiquitous

Computing (International Journal of Ad Hoc and Ubiquitous Computing) 9 (2):

69-83.

Page 105: A Specification-based Distributed Intrusion Detection ...prr.hec.gov.pk › jspui › bitstream › 123456789 › 9805 › 1...titled A Specification-based Distributed Intrusion Detection

91

Farooqi, A. H., and F. A. Khan. 2017. “Securing wireless sensor networks for improved

performance in cloud-based environments.” Annals of Telecommunications 72

(5): 265-282.

Farooqi, A. H., F. A. Khan, J. Wang, and S. Lee. 2013. “A novel intrusion detection

framework for wireless sensor networks.” Personal and ubiquitous computing

17 (5): 907-919.

Ferreira, A. C., M. A. Vilaça, L. B. Oliveira, E. Habib, H. C. Wong, and A. A. Loureiro.

2005. “On the security of cluster-based communication protocols for wireless

sensor networks.” 4th IEEE International Conference on Networking. Berlin,

Heidelberg: Springer. 449–458.

Ghosal, A., and S. Halder. 2017. “A survey on energy efficient intrusion detection in

wireless sensor networks.” Journal of Ambient Intelligence and Smart

Environments 9 (2): 239-261.

Ghugar, U., and J. Pradhan. 2016. “A Study on Black Hole Attack in Wireless Sensor

Networks.” National Conference on Next Generation Computing and its

Applications in Science & Technology. IGIT, Sarang: Public Knowledge Project.

1-3.

Giannetsos, T., I. Krontiris, and T. Dimitriou. 2008. “Launching a Sinkhole Attack in

Wireless Sensor Networks; The Intruder Side.” International Conference on

Wireless and Mobile Computing Networking and Communications. Avignon,

France: IEEE. 526-531.

Gunasekaran, M., and S. Periakaruppan. 2017. “A hybrid protection approaches for

denial of service attacks in wireless sensor networks.” International Journal of

Electronics 104 (6): 993-1007.

Gupta, S., R. Zheng, and A. M. K. Cheng. 2007. “ANDES: an Anomaly Detection

System for Wireless Sensor Networks.” International Conference on Mobile Ad

hoc and Sensor Systems. Pisa, Italy: IEEE. 1-9.

Hai, T. H., F. Khan, and E. N. Huh. 2007. “Hybrid Intrusion Detection System for

Wireless Sensor Networks.” In Computational Science and Its Applications,

edited by O. Gervasi and Gavrilova M., 383-396. Berlin, Heidelberg: Springer.

Haque, S. A. Rahman, M., and S. M. Aziz. 2015. “Sensor Anomaly Detection in

Wireless Sensor Networks for Healthcare.” Sensors 15 (4): 8764-8786.

Hayajneh, Thaier, Bassam J. Mohd, Muhammad Imran, Ghada Almashaqbeh, and

Athanasios V. Vasilakos. March 2016. “Secure Authentication for Remote

Patient Monitoring withWireless Medical Sensor Networks.” Sensors 16 (424):

1-25.

Heidemann, J., Y. Li, A. Syed, J. Wills, and W. Ye. 2006. “Underwater sensor

networking: Research challenges and potential applications.” Wireless

Communications & Networking Conference. Las Vegas, USA: IEEE. 228-235.

Heinzelman, W. B., A. P. Chandrakasan, and H. Balakrishnan. 2000. “Energy-efficient

routing protocols for wireless microsensor networks.” 33rd Hawaii International

Conference System Sciences. Maui, HI: IEEE.

Heinzelman, W. B., H. Balakrishnan, and A. P. Chandrakasan. 2002. “An Application-

Specific Protocol Architecture for Wireless Microsensor Networks.” IEEE

Transactions on Wireless Communications 1 (4): 660-670.

Heinzelman, Wendi. 2011.

http://www.ece.rochester.edu/~wheinzel/research.html#code.

Herbert, D., V. Sundaram, Y. H. Lu, S. Bagchi, and Z. Li. 2007. “Adaptive correctness

monitoring for wireless sensor networks using hierarchical distributed run-time

Page 106: A Specification-based Distributed Intrusion Detection ...prr.hec.gov.pk › jspui › bitstream › 123456789 › 9805 › 1...titled A Specification-based Distributed Intrusion Detection

92

invariant checking.” ACM Transactions on Autonomous and Adaptive Systems 2

(3): 1-23.

Ho, C. Y., Y. D. Lin, Y. C. Lai, I. W. Chen, F. U. Wang, and W. H. Tai. 2012. “False

Positives and Negatives from Real Traffic with Intrusion Detection/Prevention

Systems.” International Journal of Future Computer and Communication 1 (2):

87-90.

Hsieh, M. Y., Y. M. Huang, and H. C. Chao. 2007. “Adaptive security design with

malicious node detection in cluster-based sensor networks.” Computer

Communications 30 (11-12): 2385-2400.

Innella, P., and O. McMillan. 2001. An Introduction to Intrusion Detection Systems.

Tetrad Digital Integrity, LLC, Washington: Security Focus.

Iqbal, I. M., and R. A. Calix. 2016. “Analysis of a Payload-based Network Intrusion

Detection System Using Pattern Recognition Processors.” International

Conference on Collaboration Technologies and Systems. Orlando, FL, USA:

IEEE. 1-6.

Jabbar, M. A., R. Aluvalu, and S. Sai Reddy. 2017. “Cluster Based Ensemble

Classification for Intrusion Detection System.” ACM 9th International

Conference on Machine Learning and Computing. Singapore: ACM. 253-257.

Jahandous, G., and F. Ghassemi. 2017. “An adaptive sinkhole aware algorithm in

wireless sensor networks.” Ad Hoc Networks 59 (1): 24-34.

Jaladi, A. R., K. Khithani, P. Pawar, K. Malvi, and G. Sahoo. 2017. “Environmental

Monitoring Using Wireless Sensor Networks(WSN) based on IoT.”

International Research Journal of Engineering and Technology 4 (1): 1371-

1378.

Javaid, A., Q. Niyaz, W. Sun, and M. Alam. 2015. “A Deep Learning Approach for

Network Intrusion Detection System.” 9th EAI International Conference on Bio-

inspired Information and Communications Technologies. New York City,

United States: ACM. 21-26.

Jin, X., J. Liang, W. Tong, L. Lu, and Z. Li. 2017. “Multi-agent trust-based intrusion

detection scheme for wireless sensor networks.” Computers & Electrical

Engineering 59 (1): 262-273.

Karlof, C., and D. Wagner. 2003. “Secure routing in wireless sensor networks: Attacks

and countermeasures.” The first IEEE International Workshop on Sensor

Network Protocols and Applications. Anchorage, AK, USA: IEEE. 113-127.

Kim, H., B. R. Chitti, and J. Song. 2011. “Handling Malicious Flooding Attacks

through Enhancement of Packet Processing Technique in Mobile Ad Hoc

Networks.” Journal of information Processing Systems 7 (1): 137-150.

Krontiris, I., and T. Dimitriou. 2007. “Towards intrusion detection in wireless sensor

networks.” 13th European Wireless Conference. Paris: ENSTA and SEE.

Krontiris, I., T. Dimitriou, T. Giannetsos, and M. Mpasoukos. 2007. “Intrusion

Detection of Sinkhole Attacks in Wireless Sensor Networks.” 3rd International

Workshop on Algorithmic Aspects of Wireless Sensor Networks. Wroclaw,

Poland: LNCS 4837. 150-161.

Kumar, S. R., and A. Umamakeswari. 2016. “SSLEACH: Specification based Secure

LEACH Protocol for Wireless Sensor Networks.” IEEE WiSPNET. Chennai,

India: IEEE. 1672-1676.

Lee, S., Y. Lee, and S. G. Yoo. 2012. “A specification based intrusion detection

mechanism for LEACH protocol.” Information Technology Journal 11 (1): 40-

48.

Page 107: A Specification-based Distributed Intrusion Detection ...prr.hec.gov.pk › jspui › bitstream › 123456789 › 9805 › 1...titled A Specification-based Distributed Intrusion Detection

93

Li, G., J. He, and Y. Fu. 2008. “A group based intrusion detection scheme in wireless

sensor networks.” The 3rd International Conference on Grid and Pervasive

Computing - Workshop. Kunming, China: IEEE. 286-291.

Liu, D., P. Ning, S. Zhu, and S. Jajodia. 2005. “Practical Broadcast Authentication in

Sensor Networks.” The Second Annual International Conference on Mobile and

Ubiquitous Systems: Networking and Services. San Diego, USA: IEEE. 118-132.

Loo, C. E., M. Y. Ng, C. Leckie, and M. Palaniswami. 2006. “Intrusion Detection for

Routing Attacks in Sensor Networks.” International Journal of Distributed

Sensor Networks 2 (4): 313-332.

Marchang, N., and R. Datta. 2008. “Collaborative techniques for intrusion detection in

mobile ad-hoc networks.” Ad Hoc Networks 6 (4): 508–523.

Masdari, Mohammad, S. M. Bazarchi, and Moazam Bidaki. 2013. “Analysis of Secure

LEACH-BASED Clustering Protocols in Wireless Sensor Networks.” Journal of

Network and Computer Applications 36 (4): 1243-1260.

Mcdermott, C.D., and A. Petrovki. 2017. “Investigation of computational intelligence

techniques for intrusion detection in wireless sensor networks.” International

journal of computer networks and communications 9 (4): 45-56.

Milenkoski, A., K. R. Jayaram, N. Antunes, M. Vieira, and S. Kounev. 2016.

“Quantifying the Attack Detection Accuracy of Intrusion Detection Systems in

Virtualized Environments.” IEEE 27th International Symposium on Software

Reliability Engineering. Ottawa, Canada: IEEE. 276-286.

Mitchell, T. M. 1997. Machine Learning. McGraw-Hill Science/Engineering/Math.

Nayak, P., V. Bhiwani, and B. Lvanaya. 2015. “Impact of Black Hole Attack and Sink

Hole Attack on Routing protocols for WSN.” International Journal of Computer

Application 116 (4): 42-46.

Newsome, J., E. Shi, D. Song, and A. Perrig. 2004. “The Sybil attack in sensor

networks: Analysis and Defences.” The 3rd international symposium on

Information processing in sensor networks. California, USA: ACM. 259-268.

Oliveira, L. B., H. C. Wong, M. Bern, R. Dahab, and A. A. F. Loureiro. 2006.

“SecLEACH - A Random Key Distribution Solution for Securing Clustered

Sensor Networks.” Fifth IEEE International Symposium on Network Computing

and Applications. Cambridge, MA, USA: IEEE. 145–154.

Otoum, S., B. Kantarci, and T. M. Hussein. 2017. “Mitigating False Negative intruder

decisions in WSN-based Smart Grid monitoring.” IEEE 13th International

Wireless Communications and Mobile Computing Conference. Valencia, Spain:

IEEE. 153-158.

Ozcelik, M. M., E. Irmak, and S. Ozdemir. 2017. “A hybrid trust based intrusion

detection system for wireless sensor networks.” IEEE International Symposium

on Networks, Computers and Communications . Marrakech, Morocco: IEEE. 1-

6.

Pandey, S. K., P. Kumar, J. P. Singh, and M. P. Singh. 2016. “Intrusion detection

system using anomaly technique in wireless sensor network.” International

Conference on Computing, Communication and Automation. Noida, India:

IEEE. 611-615.

Phuong, T. V., L. X. Hung, S. J. Cho, Y. K. Lee, and S. Lee. 2006. “An Anomaly

Detection Algorithm for Detecting Attacks in Wireless Sensor Networks.”

Intelligent and Security Informatics. San Diego, USA.: IEEE. 735-736.

Raj, R. S., and V. M. Bhaskaran. 2017. “Securing cloud environment using a string

based intrusion detection system.” 4th International Conference on Advanced

Computing and Communication Systems. Coimbatore, India: IEEE. 1-7.

Page 108: A Specification-based Distributed Intrusion Detection ...prr.hec.gov.pk › jspui › bitstream › 123456789 › 9805 › 1...titled A Specification-based Distributed Intrusion Detection

94

Rajasegarar, S., C. Leckie, and M. Palansiwami. 2008. “Anomaly detection in Wireless

Sensor Networks.” IEEE Wireless Communications 15 (4): 34-40.

Rolim, O. C., L. F. Koch, J. Werner, A. Fracalossi, and S. G. Salvador. 2010. “A Cloud

Computing Solution for Patient’s Data Collection in Health Care Institutions.”

Second International Conference on eHealth, Telemedicine, and Social

Medicine. St. Maarten: IEEE. 95-99.

Roman, R., J. Zhou, and J. Lopez. 2006. “Applying Intrusion Detection Systems to

wireless sensor networks.” 3rd IEEE Consumer Communications and

Networking Conference. Las Vegas, NV, USA: IEEE. 640-644.

Roosta, T., S. Shieh, and S. Sastry. 2006. “Taxonomy of Security Attacks in Sensor

Networks and Countermeasures.” First International Conference on System

Integration and Reliability Improvements. Hanoi, Vietnam: IEEE.

Sajjad, S. M., and M. Yousaf. 2015. “Neighbor Node Trust based Intrusion Detection

System for WSN.” Procedia Computer Science 63 (1): 183-188.

Sedjelmaci, H., and S. M. Senouci. 2014. “A lightweight hybrid security framework for

wireless sensor networks.” IEEE International Conference on Communications.

Sydney, NSW, Australia: IEEE. 3636-3641.

Shaikh, R. A., H. Jameel, B. J. Auriol, S. Lee, and Y. J. Song. 2008. “Trusting anomaly

and intrusion claims for cooperative distributed intrusion detection schemes of

wireless sensor networks.” The 9th International Conference for Young

Computer Scientists. Hunan: IEEE. 2038-2043.

Shanthi, S., and E. G. Rajan. 2016. “Comprehensive analysis of security attacks and

intrusion detection system in wireless sensor networks.” 2nd International

Conference on Next Generation Computing Technologies . Dehradun, India:

IEEE. 426-431.

Sharma, S., and S. K. Jena. 2011. “A Survey on Secure Hierarchical Routing Protocols

in Wireless Sensor Networks.” ACM International Conference on

Communication, Computing & Security. Odisha, India: IEEE. 146-151.

Shen, S., and Q. Cao. 2011. “Signaling game based strategy of intrusion detection in

wireless sensor networks.” Computer & Mathemetics with Applications 62 (6):

2404-2416.

Shinde, A. T., and J. R. Prasad. 2017. “IoT based Animal Health Monitoring with Naive

Bayes Classification.” International trends on emergying trends in technology 4

(2): 8104-8107.

Siqi, M., L. David, and Ning X. 2016. “Collaborative 'many to many' DDoS detection in

cloud.” International Journal of Ad Hoc and Ubiquitous Computing 23 (3): 1-

17.

Stetsko, A., L. Folkman, and M. Vashek. 2010. “Neighbor-based intrusion detection for

wireless sensor networks.” 6th IEEE International Conference on Wireless and

Mobile Communications. Valencia: IEEE. 420-425.

Su, C. C., K. M. Chang, Y. H. Kuo, and M. F. Horng. 2005. “The new intrusion

prevention and detection approaches for clustering-based sensor networks.”

IEEE Wireless Communications and Networking Conference. New Orleans, LA,

USA: IEEE. 1927-1932.

Sultan, N. 2014. “Making use of cloud computing for healthcare provision:

Opportunities and challenges.” International Journal of Information

Management 34 (2): 177-184.

Sundararajan, Ranjeeth Kumar, and Umamakeswari Arumugam. 2015. “Intrusion

Detection Algorithm for Mitigating Sinkhole Attack on LEACH Protocol in

Wireless Sensor Networks.” Journal of Sensors 2015 (1): 1-12.

Page 109: A Specification-based Distributed Intrusion Detection ...prr.hec.gov.pk › jspui › bitstream › 123456789 › 9805 › 1...titled A Specification-based Distributed Intrusion Detection

95

Swain, J., B. K. Pattanayak, and B. Pati. 2017. “Study and analysis of routing issues in

MANET.” International Conference on Inventive Communication and

Computational Technologies. Coimbatore, India: IEEE. 1-4.

Tan, Y., and X. Wang. 2010. “Application of Cloud Computing in the Health

Information System.” 2010 International Conference on Computer Application

and System Modeling. Taiyuan, China: IEEE. 179-182.

Techateerawat, P., and A. Jennings. 2006. “Energy Efficiency of Intrusion Detection

Systems in Wireless Sensor Networks.” International Conference on Web

Intelligence and Intelligent Agent Technology. Hong Kong: IEEE/WIC/ACM.

227-230.

Tellez, M., S. El-Tawab, and H. M. Heydari. 2016. “Improving the Security of Wireless

Sensor Networks in an IoT Environmental Monitoring System.” IEEE Systems

and Information Engineering Design Conference. Charlottesville, VA, USA:

IEEE. 72-77.

Tian, Li, Huai ChangDu, and Yanwei Huang. 2012. “The Simulation and Analysis of

LEACH Protocol for Wireless Sensor Network Protocol for Wireless Sensor

Network Based on NS2.” International Conference on System Science and

Engineering 530-533.

Tripathi, M., and V. Laxmi. 2013. “Comparing the impact of Black Hole and Gray Hole

Attack on LEACH in WSN.” Procedia Computer Science 19 (1): 1101-1107.

Tun, Z., and A. H. Maw. 2008. “Wormhole Attack Detection in Wireless Sensor

Networks.” World Academy of Science, Engineering and Technology 36: 549-

554.

Wang, X. 2006. “Intrusion Detection Techniques in Wireless Ad Hoc Networks.” 30th

Annual International Computer Software and Applications Conference.

Chicago: IEEE. 347-349.

Wood, A. D., and J. A. Stankovic. 2002. “Denial of service in sensor networks.” IEEE

Computer (IEEE Computer Society) 35 (10): 54-62.

Wu, D., G. Hu, and G. Ni. 2008. “Research and improve on secure routing protocols in

wireless sensor networks.” 4th IEEE International Conference on Circuits and

Systems for Communications. Shanghai, China: IEEE. 853–856.

Yassen, M. B., S. Aljawaerneh, and R. Abdulraziq. 2016. “Secure Low Energy

Adaptive Clustering Hierarchal Based on Internet of Things for Wireless Sensor

Network (WSN): Survey.” IEEE International conference on Engineering &

MIS. Agadir, Morocco: IEEE. 1-9.

Zhang, K., C. Wang, and C. Wang. 2008. “A secure routing protocol for cluster-based

wireless sensor networks using group key management.” 4th IEEE International

conference on Wireless Communications, Networking and Mobile Computing.

Dalian, China: IEEE. 1–5.

Zhang, Q., T. Yu, and P. Ning. 2008. “A framework for identifying compromised nodes

in wireless sensor networks.” ACM Transaction on Information System Security

11 (3): 1-37.

Zhang, R., and L. Liu. 2010. “Security Models and Requirements for Healthcare

Application Clouds.” IEEE 3rd International Conference on Cloud Computing.

Miami, FL, USA: IEEE. 268-275.

Zhang, Y., W. Lee, and Y. A. Huang. 2003. “Intrusion detection techniques for mobile

wireless networks.” Wireless Networks 9 (5): 545-556.

Zhou, J., Z. Cao, X. Dong, and A. V. Vasilakos. 2017. “Security and Privacy for Cloud-

Based IoT: Challenges.” IEEE Communications Magazine 55 (1): 26-33.

Page 110: A Specification-based Distributed Intrusion Detection ...prr.hec.gov.pk › jspui › bitstream › 123456789 › 9805 › 1...titled A Specification-based Distributed Intrusion Detection

96

Zhou, Jun, Zhenfu Cao, Xiaolei Dong, and Xiaodong Lin. 2015. “Security and Privacy

in Cloud-Assisted Wireless Wearable Communications: Challenges, Solutions

and, Future Directions .” IEEE Wireless Communications 136-144.


Recommended