The wide application of wireless sensor networks (WSN) brings challenges to the maintenance of their security, integrity, and confidentiality. As an important active defense technology, intrusion detection plays an effective defense line for WSN. In view of the uniqueness of WSN, it is necessary to balance the tradeoff between reliable data transmission and limited sensor energy, as well as the conflict between the detection effect and the lack of network resources. This paper proposes a lightweight Intelligent Intrusion Detection Model for WSN. Combining k-nearest neighbor algorithm (kNN) and sine cosine algorithm (SCA) can significantly improve the classification accuracy and greatly reduce the false alarm rate, thereby intelligently detecting a variety of attacks including unknown attacks. In order to control the complexity of the model, the compact mechanism is applied to SCA (CSCA) to save the calculation time and space, and the polymorphic mutation (PM) strategy is used to compensate for the loss of optimization accuracy. The proposed PM-CSCA algorithm performs well in the benchmark functions test. In the simulation test based on NSL-KDD and UNSW-NB15 data sets, the designed intrusion detection algorithm achieved satisfactory results. In addition, the model can be deployed in an architecture based on cloud computing and fog computing to further improve the real-time, energy-saving, and efficiency of intrusion detection.

1. Introduction

Wireless sensor networks (WSN) provide the necessary underlying support for the Internet of Things and also build a landing platform for artificial intelligence (AI). Both of them have achieved deep integration and active promotion in WSN. The research and application of WSN have been involved in many fields, from the initial military reconnaissance to many aspects of social life, such as smart city, medical health, industrial production, environmental monitoring, and disaster warning [1]. WSN is a kind of wireless communication network that is composed of a large number of sensor nodes in a certain topological structure through self-organization. The sensor node monitors the target area or object and transmits the collected sensor data to the user along the network route [2]. WSN can break through the limitations of traditional monitoring methods, which not only significantly reduces the cost of detection, but also greatly simplifies the cumbersome process. With the rapid development of sensor technology, wireless communication technology, big data, computing intelligence, etc., the low-cost and easy-to-deploy WSN can satisfy our urgent desire to learn more about the surrounding environment or ourselves. This technology will greatly enhance the breadth and depth of our perception of the world [3].

The application scenarios of WSN are complex and changeable. Compared with the traditional wired network, it faces many unique problems and challenges. First of all, the computing power and storage capacity of a single sensor node are quite limited, and the communication ability between nodes is weak. Furthermore, the sensor nodes are often scattered in a wide range or in a complex or even harsh physical environment, which makes it difficult or impossible to perform maintenance tasks such as energy supply. In addition, it is an open network with dynamic and random topology. So, it is necessary to carry out a series of targeted research to ensure the real-time, energy-saving, reliability, and other operational requirements of WSN [4]. As a data-centric network, more and more sensitive data are collected, stored, transmitted, and processed in WSN. Its security problem has become increasingly serious [5]. Due to the limitations and characteristics of WSN itself, the data is easy to be destroyed, stolen, or tampered with. How to protect network security effectively in the face of various network attacks is an important research topic. Unfortunately, passive defense only through firewalls, access control, and other means is not enough to prevent all the network attacks. Intrusion detection is a proactive security protection technology that can monitor the operating status of network systems and detect intrusions such as internal attacks, external attacks, or misoperations, so that the network system can intercept and respond as necessary [6]. Wired network intrusion detection technology has been relatively mature and can be divided into two types: misuse-based and anomaly-based. The prerequisite of misuse detection is that the knowledge of attack method has been acquired, and the intrusion mode has been defined in advance. Intrusion is detected by judging whether the collected data characteristics match the intrusion pattern database. Therefore, it only has a high detection rate for specific attack methods and is invalid for unknown attacks. In order to cope with the endless emergence of various attacks, anomaly detection method can be considered. This method assumes that cyber attacks are uncommon compared to normal behaviors. By comparing the captured network behavior with normal patterns, it can be judged whether an intrusion has occurred. Anomaly detection can deal with unpredictable attacks, but it needs to learn a lot of historical data for training [7]. In order to improve the detection efficiency, the introduction of AI is expected. Many scholars have tried to apply artificial neural network [8, 9], machine learning [10], evolutionary computing [1113], etc. to the field of intrusion detection and have achieved constructive research results [14]. However, WSN has its own characteristics and limitations in terms of network scale, computing power, storage space, energy supply, communication bandwidth, and networking mode, which makes it impossible to directly use the traditional intrusion detection system (IDS) architecture. AI technology generally requires high computing power and consumes relatively large amounts of running time, storage resources, and energy. Therefore, it is necessary to make modifications and adjustments to the WSN intrusion detection model according to the actual application scenarios and user requirements and seek the balance between security, energy consumption, real-time, and other objectives [15, 16].

Obviously, WSN intrusion detection is a technical problem with multiple constraints. How to provide a feasible and effective solution is an important issue to be solved urgently. Many scholars have done fruitful work in this field [17]. Feature selection is an important and practical strategy for lightweight intrusion detection. Dimension reduction can improve the generalization performance and detection efficiency of intrusion detection. Literature [18] proposed a novel feature selection algorithm named DRFSA, combining an intelligent extension to the decision tree algorithm and convolution neural networks, to classify large volume of data in WSN. This model provides better intrusion detection accuracy, packet delivery ratio, and network throughput, while it reduces the network delay and false negative rate. The researchers also introduced a cryptographic mechanism to ensure the confidentiality and integrity of the data in the WSN and achieved encouraging results [19]. Literature [20] proposed a detection scheme for SQL injection attacks, which does not require access to the source code of the application, so it can be directly applied to the cloud environment. Literature [21] proposed a certificate-based aggregate signature scheme in WSN, which can resist forgery attacks. In addition, various machine learning and deep learning technologies are increasingly used to solve the WSN intrusion detection problem [22, 23].

This paper proposes a lightweight intelligent intrusion detection model for WSN. This model implements detection based on abnormal traffic data and can quickly and accurately discover attack behaviors in WSN. The k-nearest neighbors algorithm (kNN) is selected as the classifier. kNN is simple to implement and easy to understand. It supports nonlinear problems well and can provide relatively robust recognition results. The time complexity of the kNN is lower than that of the support vector machine (SVM) [24, 25]. Compared with naive Bayes algorithm [26], kNN has no hypothesis on data and is not sensitive to outliers. Therefore, compared with other machine learning algorithms, KNN meets the requirements of lightweight data classification. In order to further improve the classification effect, this paper uses evolutionary algorithm to optimize kNN. The selected evolutionary algorithm is the sine cosine algorithm (SCA). Among many metaheuristic optimization algorithms, SCA has low computational complexity, simple parameters, and good optimization performance. Taking into account the many limitations of WSN intrusion detection, the compact mechanism is applied to SCA (CSCA), which greatly reduces the time and space occupied in the optimization process. In order to ensure that the accuracy requirements are met, a polymorphic mutation strategy (PM) is designed, and an improved version of SCA is proposed (PM-CSCA). The organic combination of kNN and PM-CSCA constitutes a lightweight intelligent intrusion detection model for WSN. On the one hand, the intelligent detection is realized by means of evolutionary computation and machine learning; on the other hand, the computational burden of evolutionary algorithm is greatly reduced, so as to ensure the lightweight of the designed intrusion detection model.

This article is organized as follows: the second part is related work, introducing the SCA and kNN used in the intrusion detection algorithm proposed in this paper. The third part introduces the architecture of the intrusion detection system. The fourth part is the design of intrusion detection algorithm, including the improvement of SCA, and how to combine it with kNN. The fifth part is the simulation results and discussion. The last part is the conclusion and future work.

2.1. Sine Cosine Algorithm (SCA)

SCA is a metaheuristic swarm intelligence optimization algorithm. The algorithm has a concise structure, has fewer parameters, and is easy to understand and implement. The search trajectory for the optimal solution is mainly affected by the sine and cosine functions [2729].

The algorithm first initializes the population , that is, to create random candidate solutions . They are then guided to move through the search space using mathematical models based on sine and cosine functions. The optimization process is divided into two stages: global exploration and local exploitation. The formula for updating the position of the solution is as follows:where is the current number of iterations, is the position of the current optimal solution in the dimension, and represents the absolute value. There are only four parameters involved here: and . , which controls the distance the solution moves each time. , which gives a random weight to the current optimal solution. , which controls the switching between the sine and cosine update modes to ensure the same probability of using both. The above three parameters are random numbers that obey a normal distribution within their respective ranges. The parameter determines the direction of movement. When , the solution will move to the area between the current position and the target position to exploit the local potential space. When , the solution is to move away from the current optimal position to explore a larger search space. decreases linearly as the number of iterations increases, realizing the transition from exploration to exploitation. The updated formula of is shown in equation (2). Generally, , and represents the maximum number of iterations.

2.2. The k-Nearest Neighbors Algorithm (kNN)

kNN algorithm is commonly used in data mining and machine learning. As one of the simplest classification algorithms, kNN is widely used in many fields. The core idea is that, in the feature space, if most of the k samples closest to a sample belong to a certain category, then this sample also belongs to this category and has all its characteristics. So, only the category of the k most similar samples is used to determine the category of the pending sample when making a classification decision [30, 31]. The implementation method is that all samples are mapped to points in D-dimensional space; k known samples nearest to the unknown sample are selected as reference, and the distances between them are calculated, respectively; according to the majority voting rule, the unknown sample is classified into the category of most of its k-nearest neighbors. Obviously, kNN algorithm mainly considers three elements: the value of K, the way of distance measurement, and classification decision rules. The majority voting method is usually used to make decisions. The focus is usually on the choice of k value and the measurement of distance.

As the only parameter, the value of k has a crucial impact on the prediction results of kNN [32]. If k is relatively small, the approximate error of learning will decrease, but the estimation error will increase, and it is easy to learn noise. In severe cases, the model becomes complicated, and overfitting occurs. Similarly, if the k is large, the model will become too simple and underfit, which will also lead to inaccurate predictions. In actual engineering practice, k is generally selected by cross-validation. There is no fixed experience to guide the setting of k [33]. This has caused inconvenience in using the kNN algorithm.

We also need to pay attention to the distance measurement in the sample space. The shorter the distance, the higher the similarity between the two sample points, and conversely, the lower the similarity. The commonly used distance measurement methods are Minkowski Distance, Euclidean Distance, Manhattan Distance, Chebyshev Distance, Mahalanobis Distance, etc.

Suppose that there are two samples and in the D-dimensional feature space, which are expressed as and . The distance between the two samples is denoted as . kNN classifiers generally use Euclidean distance to measure the similarity between samples, as shown in

But in the process of classification, the importance of features is often different. Some features are strongly correlated with the classification results, some are weakly correlated, and some are even negatively correlated. If the distance between samples is largely dominated by weakly correlated or irrelevant features, it will easily lead to confusion in classification. To solve this problem, a certain weight can be assigned to each feature dimension to express its importance. So, the distance between samples can be transformed into the following formula:

As a popular machine learning algorithm, kNN has been successfully applied in many fields [34, 35]. Some literatures try to improve it, mostly around the adjustment of parameter [36, 37]. In fact, there is no universal experience in the determination of , the selection of distance function, or the setting of distance weight. All of these should be based on the distribution of samples, the characteristics of data, and the needs of analysis. This can be regarded as a typical optimization problem. With the help of the optimization ability of metaheuristic algorithm, a more reasonable and effective kNN classification model can be constructed [38].

3. WSN Intrusion Detection System Architecture

Intrusion detection is a security mechanism that collects information from several key nodes in the network system and analyzes it to try to find out whether there is any behavior that violates the security policy or signs of being attacked. The data in WSN shows an explosive growth trend. This requires high data processing capabilities, and intrusion detection also requires sufficient computing power.

The cloud computing platform has powerful computing and storage capabilities, as well as open, flexible, and shared characteristics, which provides a new research idea for WSN to break through the bottleneck restricting its development. In order to reduce the burden of importing and exporting data from the cloud and relieve the pressure of bandwidth shortage, fog computing can be further introduced. As a new generation of distributed computing, fog computing is closer to the edge of the network, providing space for a wider range of nodes to access. Comprehensive utilization of cloud computing and fog computing can achieve efficient collaborative computing. The powerful data processing and storage capabilities of the cloud computing platform provide technical support for big data analysis of WSN.

The intrusion detection system designed in this paper is deployed in the network architecture that combines cloud computing and fog computing, which can give full play to its advantages and better meet the data security requirements of WSN. The intrusion detection model can be deployed on the cloud server. Fog computing can be implemented by sink nodes with rich resources, which can independently assist the cloud to complete data processing, storage, and other tasks. WSN generally adopts hierarchical network structure and is divided into several clusters. The common sensor nodes in the cluster collect data and send it to the cluster heads, which transmit the data to the fog computing virtual network composed of sink nodes in a multihop manner. Figure 1 shows the architecture of the above WSN intrusion detection system.

4. Proposed Works

4.1. The Improvement of SCA

SCA is less computationally expensive compared with many other optimization algorithms. It is a reasonable choice for solving optimization problems that require low computational complexity and high real-time performance. In order to further improve the convergence speed of SCA, this paper uses the compact mechanism to make the algorithm more lightweight. Compact SCA (CSCA) can greatly reduce the computing load, but it will inevitably lose optimization accuracy to a certain extent. To solve this problem, a polymorphic mutation strategy (PM) is proposed to enrich the diversity of population and compensate for the loss of precision. The framework structure of PM-CSCA is shown in Figure 2. In this part, the main ideas and implementation schemes of the proposed PM-CSCA are described in detail.

4.1.1. Compact SCA (CSCA)

Compact is an optimization mechanism of swarm intelligence algorithm. After compact processing, the memory requirement of the algorithm will be significantly reduced [39, 40]. Because this technology will greatly alleviate the computational burden of the population-based metaheuristic algorithm, it is particularly suitable for devices with limited computing power and scarce storage space, such as sensor nodes, wearable devices, and embedded devices. SCA is an intelligent optimization algorithm based on population. The optimization process is as follows: solutions are randomly generated in the D-dimensional space, and the positions of the solutions are constantly updated in the iterative process to realize the evolution of the population and finally find the global optimal solution. When the number of solutions is large, or the dimensionality is high, this calculation mode consumes more computing power. In application scenarios with high real-time requirements or limited storage space, the optimization algorithm needs to make necessary adjustments. The main idea of compact technology is to transform the original population into the form of a probability model that reflects its distribution characteristics. All operations on the original population are also transferred to its probability model [41, 42]. Since the number of variables and storage space required by the probabilistic model are far less than the original population, the algorithm runs more efficiently in time and space. The data structure of perturbation vector (PV) is usually used to describe the macroscopic probability distribution of the population: . Here, µ and σ are the mean and standard deviation of PV, respectively, and represents the current iteration number. Each pair of µ and σ in PV corresponds to a probability density function (PDF) [43] and is updated with the iteration of the algorithm. Generally, PDF is a truncated normal distribution in the interval [-1, 1], and the calculation formula is as follows:

It can be seen that PDF is a function of µ and σ. Among them, , represents error function, and means dimension. Next, the cumulative distribution function (CDF) corresponding to the PDF can be obtained. The calculation method is as follows:

Since PDF is a truncated normal distribution in the interval [−1, 1], the CDF range is from 0 to 1. With the inverse function of CDF, a virtual solution can be obtained by using :where , is the inverse function of , and is a random number between . It is necessary to map the virtual solution to the solution of the decision space. Assuming that, in the -dimensional decision space, the upper and lower limits of a certain dimension are and , respectively. can be mapped to using then attempts to move using equation (1). Evaluate the quality of the position before and after the movement, and record them as and , which are used to update the . Please see equations (9) and (10) for details.

Among them, is the number of solutions in the virtual population. In the process of updating , the global optimal position is updated synchronously, and then the next iteration is carried out. With the help of compact mechanism, the original population is greatly reduced in size, and considerable benefits are achieved in both time and space [4446]. However, due to the use of approximate probability distribution to simulate the real distribution of data, it is inevitable to bring the risk of loss of optimization accuracy, resulting in the occurrence of local traps or missing the global optima.

4.1.2. Polymorphic Mutation Strategy (PM)

In order to make up for the possible loss of precision in compact SCA, a polymorphic mutation strategy (PM) is proposed. Based on the SCA initial population, a variety of distribution functions are introduced to realize polymorphic variation, and then the population with better quality is obtained through greedy selection. This can effectively increase the diversity of the population and create more opportunities for covering potential search areas, thereby improving the optimization accuracy. Three distribution functions are used here: Gaussian distribution, Cauchy distribution, and distribution. Gaussian distribution is a kind of thin-tailed distribution, which is an important probability distribution in statistics. It is often used to represent an uncertain random variable. Cauchy distribution belongs to fat-tailed distribution, and the possibility of extreme values is greater than that of Gaussian distribution. Among all the distributions, the generalized Cauchy distribution has the largest spreading characteristic. distribution can be approximated as heavy-tailed distribution. It can be used to generate flight, that is a random walk with relatively high probability of having a larger stride. So, the search efficiency of flight is better in the unknown environment or in large space [47].

In PM strategy, the population initialized by SCA is randomly divided into three subpopulations: . Generate three variables between [0,1]: , which obey different probability distributions: , , . Perform mutation based on Gaussian distribution on to obtain a new subpopulation , as shown in equation (11). In the same way, mutations based on Cauchy distribution and distribution are applied to and , respectively; and and are obtained according to equations (12) and (13).

Here, , , . The product means entry-wise multiplications. According to the fitness value obtained by the evaluation function f (·), all solutions from the population , , and are sorted, and the better population is obtained by greedy selection.

The computational complexity of the proposed PM-SCA depends on the following processes: initial population, polymorphic mutation, fitness evaluation, greedy selection, update population, and compact mechanism. Suppose that the number of solutions is , the dimension is , and the number of iterations is . The computational complexity of initializing -dimensional solutions is . The computational complexity of evaluating all solutions is . The complexity of greedy selection is . The computational complexity of updating all solutions is . Among them, the computational complexity of polymorphic mutation is , and the compact mechanism hardly brings about an increase in computational complexity. In general, the computational complexity of PM-SCA is the same as that of original SCA.

The pseudocode of PM-CSCA is shown in Algorithm 1. When the maximum number of iterations is reached, or other termination conditions are met, the global optimal solution and its corresponding fitness value are output.

 Initialize the parameters related to the algorithm: ub, lb, Dim, max_iter, ;
 Generate initial population X containing N individual ;
 Divide X into three subpopulations X1, X2, X3;
 Realize the mutation of three subpopulations by using equations (11)–(13), respectively;
 Evaluate each individual by the objective function;
 Greedy selection: select N individuals from X, X1, X2 and X3 using greedy strategy, and get new population ;
  Update SCA parameter: ;
  Get y1 from PV by equations (5)–(8);
  Update the y1 by SCA to get y2;
  Evaluate y1 and y2 by the objective function to get [winner, loser];
  for i = 1:Dim
   Update PV via by equations (9) and (10);
    Update the best solution obtained so far;
 while () or (get the expected function value);
 Return the best solution obtained so far as the global optimum;
4.1.3. Experiment Results

In order to test the performance of the algorithm, this part uses benchmark functions to carry out comparative experiments in the five algorithms of PM-CSCA, CSCA, SCA, Particle Swarm Optimization (PSO), and Whale Optimization Algorithm (WOA). 12 typical benchmark functions are selected here, including 3 unimodal functions (), 3 multimodal functions (), and 6 complex functions (), as shown in Table 1.

For the purpose of measuring the performance of the algorithm in a comprehensive and objective way, the algorithm runs independently 30 times in each experiment, recording the best value, average value (Avg), and standard deviation (Std), respectively. Please refer to Table 2 for specific data, and the best results have been marked in bold. The convergence curves of the benchmark functions are shown in Figure 3.

In the test of the three types of benchmark functions, PM-CSCA has achieved an absolute advantage in the algorithms participating in the comparison. The performance is particularly prominent in the optimization of complex functions. All indicators of the 6 complex functions () have got the first place. PM-CSCA shows good optimization strength and reliable stability.

4.2. Combination of PM-CSCA and kNN

kNN parameter k and distance weight determine the classification effect to a large extent. However, these aspects usually depend on the subjective decision of users, which brings great uncertainty to the performance of the algorithm. The PM-CSCA proposed in this article can be used to optimize the relevant parameters of kNN to obtain the best or approximately best configuration of the classifier.

The samples in the D-dimensional feature space correspond to the solution vectors of the evolutionary algorithm: , the specific form is shown in equation (14). The first dimension represents the parameter K of kNN, which can be set as a random integer within a certain range as required. , the random number represents the distance weight in the solution. Evolutionary algorithm will continuously search and iterate under the guidance of the objective function and finally output the optimal solution or the approximate best [4851], that is, the most suitable related parameters of kNN.

5. Simulation Results and Discussion

Machine learning usually uses the following four criteria to evaluate the performance of the model: the true positive (TP), true negative (TN), false positive (FP), and the false negative (FN). In the field of intrusion detection, their specific meanings are as follows: TP is the number of actual attack records classified as attacks, TN is the number of actual normal records classified as normal, FP is the number of actual normal records classified as attacks, and FN is the number of actual attack records classified as normal. They are also used to calculate a variety of performance evaluation indicators, such as detection rate (DR), false alarm rate (FAR), and accuracy rate (ACC). The calculation methods are as shown in the equations (15)–(17). represents the probability of positive prediction among samples with normal real value. is the probability of positive prediction among samples with abnormal real values. is to divide the number of samples with correct prediction by the total number of samples, indicating the accuracy of prediction results. Obviously, the and of intrusion detection should be high enough, while the should be as low as possible. This article uses the indicator as the fitness function , as shown in

In order to verify the performance of the intrusion detection model, this paper used the NSL-KDD and UNSW-NB15 datasets commonly used in WSN intrusion detection to conduct simulation experiments. Each sample in the NSL-KDD dataset consists of 34 numerical features, 7 symbol features, and one-dimensional labels. There are five types of samples including normal data and 4 types of attack data. The four types of attacks are denial of service (DoS), sniffing (Probe), illegal access to superuser privileges by ordinary users (U2R), and illegal access from remote machines (R2L). NSL-KDD includes two training data sets (KDDTrain+, KDDTrain+_20%) and one test data set (KDDTest+). The training data set contains 21 types of attacks, and the test set adds 17 new attacks.

UNSW-NB15 is a more recent dataset than NSL-KDD, so it is more representative of real network traffic. It includes 100 GB of original network traffic and a total of 2540044 data samples. The features of this dataset are different from NSL-KDD and are more in line with the current network protocol model. It contains 10 categories, a normal category and 9 attack categories (i.e., Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode, and Worm).

Before the implementation of the algorithms, the datasets are preprocessed, including numerical, normalization, and other operations. The detection performance of five intrusion detection models was tested, respectively (SVM, kNN, PSO + kNN, SCA + kNN, and PM-CSCA + kNN). The experimental results are shown in Table 3 and the average results of 10 independent experiments are recorded. The population size of the three evolutionary algorithms of PSO, SCA, and PM-CSCA is set to 30, and the number of iterations is 120. The model PM-CSCA + kNN achieved the best results on the three indicators of ACC, DR, and FAR (indicated in bold), which means that the model can identify most WSN attack behaviors and distinguish different types.

This paper introduces evolutionary algorithms in the intrusion detection model. Figure 4 shows the iterative process of the four optimization schemes. It was found that the result of optimizing kNN by SCA is always better than that of PSO; although CSCA has a great advantage in convergence speed, the accuracy is not stable, and sometimes it will fall into the local optimum; PM-CSCA has the best optimization effect on kNN, showing strong competitiveness both in accuracy and speed.

The confusion matrix is used to evaluate the accuracy of the four detection models on NSL-KDD, as shown in Figure 5. The horizontal axis represents the predicted value, and the vertical axis represents the true value, which visually shows the misclassification of each category. It can be seen that PM-CSCA + kNN has the best detection effect.

For WSN intrusion detection systems, reducing the false alarm rate is a challenge. We conducted five independent experiments (E1∼E5) on two data sets. Figure 6 Intuitively shows the comparison result of the false alarm rate of four different detection algorithms. It can be seen that the false alarm rate of PM-CSCA + kNN is extremely stable at a low level. For the convenience of showing the relationship between DR and FAR, the Receiver Operating Characteristics (ROC) curves based on two datasets are drawn, as shown in Figure 7. The ROC curves corresponding to the algorithm proposed in this article are all closest to the upper left boundary, so the effect of this prediction model is the best.

6. Conclusion and Future Works

Intrusion detection is one of the key issues that need to be solved urgently in practical applications of WSN. With the continuous expansion of the service area and the rapid rise of data volume, the threat and consequences of network attacks in WSN cannot be ignored. Most of the existing intrusion detection systems can only deal with specific types of attacks, and they are powerless against unknown attacks [52]. And while protecting the network security, it inevitably increases the energy consumption and transmission delay. These problems need to be paid more attention in WSN. This paper proposes a lightweight and intelligent intrusion detection model for WSN, which comprehensively considers security, energy saving, and real-time. Intelligent anomaly detection is realized through the joint use of kNN and SCA. The introduction of evolutionary algorithms makes the kNN classifier change from lazy learning to active optimization in the setting of its parameters, which significantly improves the detection accuracy. kNN and SCA are both algorithms with less computation and easy implementation, which meet the requirements of lightweight model. In order to be more efficient, this article proposes an improved version of SCA: PM-CSCA. Two technologies are integrated: compact mechanism greatly reduces the time and space required for algorithm, and PM strategy ensures the optimization accuracy, and these have been verified in tests based on benchmark functions. PM-CSCA shows good optimization ability in the benchmark function test. In simulation experiments on public data set, the intrusion detection model proposed in this paper has also been proved to be feasible and effective. In addition, the intrusion detection system for WSN is deployed in the hybrid computing mode. Cloud computing, fog computing, and AI work together to provide a feasible and efficient solution for maintaining data security in WSN.

We will do further research on the lightweight and intelligent WSN intrusion detection model, for example, how to use unsupervised machine learning techniques to deal with unpredictable cyber attacks [53]. Furthermore, more core technologies of evolutionary computing can be applied to solve big data or large-dimensional problems encountered in intrusion detection [54, 55].

The following abbreviations are used in this manuscript:


WSN:Wireless sensor networks
kNN:k-nearest neighbor algorithm
SCA:Sine cosine algorithm
CSCA:Compact SCA
PM:Polymorphic mutation
AI:Artificial intelligence
IDS:Intrusion detection system
SVM:Support vector machine
PV:Perturbation vector
PDF:Probability density function
CDF:Cumulative distribution function
PSO:Particle swarm optimization
WOA:Whale optimization algorithm.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that there is no conflict of interest regarding the publication of this paper.