Intrusion Detection Algorithm Based on Change Rates of Multiple Attributes for WSN

Bai, Hongying; Zhang, Xiaotong; Liu, Fangjie

doi:https://doi.org/10.1155/2020/8898847

Wireless Communications and Mobile Computing

On this page

Abstract Introduction Discussion Conclusion Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Research Article | Open Access

Volume 2020 | Article ID 8898847 | https://doi.org/10.1155/2020/8898847

Intrusion Detection Algorithm Based on Change Rates of Multiple Attributes for WSN

Hongying Bai,^1,2Xiaotong Zhang ,¹and Fangjie Liu¹

Academic Editor: Ernestina Cianca

Received25 Apr 2020

Revised04 Oct 2020

Accepted16 Nov 2020

Published02 Dec 2020

Abstract

Intrusion detection system (IDS) is a second line of the security mechanism for the wireless sensor network (WSN), and it has a great influence on confidentiality, integrity, and availability. However, many existing IDS only detect single attack or multiple known attacks. In this paper, a novel intrusion detection algorithm based on change rates of multiple attributes (CRMA) is proposed, which can detect multiple attacks including known and unknown types simultaneously. The change rates of multiple attributes for sensor nodes usually reflect the running states of WSN over a period of time. First, the Observed Change Rate of attributes at different times is obtained by observing multiple attributes of different sensor nodes. Then, the convex optimization is alternately used to obtain the Normal Change Rate and corresponding weights by minimizing the distance between the Observed Change Rate and the Normal Change Rate of each attribute. Finally, the WSN is considered to be attacked when the weighted deviation of the Observed Change Rate and Normal Change Rate is beyond the corresponding threshold. Experimental results show that the CRMA can detect multiple attacks including known and unknown types simultaneously and has a fast convergence rate. The average true positive rates (TPR) of CRMA are high, and the average false positive rates (FPR) of CRMA are low. The detection performance of CRMA is superior to that of the ARMA and NeTMids algorithms.

1. Introduction

Due to the characteristics of flexibility, low cost, wireless communication, and self-organization ability, the wireless sensor network (WSN) plays an important role in healthcare [1, 2], the military [3], industry [4], and many other fields, for instance, traffic monitoring, smart home system, medical facilities, and so on [5, 6]. However, the WSN is vulnerable to be attacked because sensor nodes are usually deployed in the unmanned environment. Therefore, the security issue is the main challenge to construct a robust and reliable WSN [7].

Researchers have paid attention to encryption, decryption, identification, authentication, key management, and secure routing of the WSN. But such security measures cannot provide a wide range of protection against a variety of attacks and threats in the WSN. The intrusion detection system (IDS) is one possible solution to address a wide range of security attacks in the WSN [8]. The main tasks of an ID are to detect intruders trying to disrupt the WSN network [9, 10] and to monitor the security of WSN and identify vulnerability to guarantee the accurate network performance [11–13].

The key intrusion detection technology of the WSN has attracted a lot of attention in recent years. Misuse detection does very well in detecting known attacks, but it works badly in detecting attacks which are unknown or undefined [14]. Mehmood et al. proposed a knowledge-based context-aware approach for handling the intrusions generated by malicious nodes [15]. Ghosal and Halder proposed a survey on energy efficient intrusion detection in wireless sensor networks [16]. A hybrid anomaly detection method for misdirection and black hole attacks employing the K-medoid customized clustering technique is proposed in [17].

A lot of existing intrusion detection schemes of the WSN detects some known attacks. Hu et al. detect selective forwarding attacks in WSN by monitoring the loss rate of the packet and construct a trusted mechanism [18]. Motamedi and Yazdani use UAV to detect black hole attacks in WSN [19]. Gara et al. proposed a mobile WSN intrusion detection system based on IPv6, which specifically detects selective forwarding attacks in the network [20]. Many papers present IDS for WSN which only detect one kind of attack, such as the DoS attack [21, 22], selective forwarding attack [23], and sinkhole attack [24].

Some intrusion detection algorithms detect attacks by predicting attributes of network flow, such as using the Autoregressive Moving Average (ARMA) or Markov model to predict traffic. It indicates that an attack occurring in the network when the normal flow value is significantly different from the predicted flow value [25]. Although the ARMA intrusion detection algorithm has higher detection accuracy, it only detects attacks related to the selected flow value, and it cannot detect multiple attack types at the same time.

Few intrusion detection algorithms can detect multiple attacks simultaneously. Sajjad et al. proposed IDS based on the trustworthiness of neighbor nodes. Each node in the intrusion detection system analyzes the trust level of its neighbor nodes by analyzing the statistical data in the network and calculates the credibility value, thus determining the credibility of neighbor nodes. It can detect hello flood attacks, blocking attacks, and selective forwarding attacks. The intrusion detection system uses a lightweight intrusion detection algorithm NeTMids [26]. The NeTMids algorithm applies a variety of attributes to intrusion detection and analysis of nodes in the network and can detect multiple attack types at the same time. However, the accuracy of detection of NeTMids is not very high.

According to the above circumstances, there are many problems in IDS for WSN as follows: (a)The detection accuracy of some intrusion detection systems is low(b)Many IDS only detect known attack types and cannot detect unknown attack types(c)Many IDS only detect one or two attack types at the same time and cannot detect multiple attacks simultaneously

Therefore, we should design or improve the intrusion detection algorithm for the WSN to improve current intrusion detection technology.

Aiming at detecting a variety of internal attacks of the WSN, a novel change rates of multiple attributes (CRMA) intrusion detection algorithm is proposed in this paper, which can detect multiple intrusion attacks including known and unknown types simultaneously. In CRMA, we obtain the Observed Change Rate of attributes through observing the values of different attributes of different nodes over a period of time. The Normal Change Rates of attributes are calculated by minimizing the weighted deviation between the Observed and Normal Change Rates by convex optimization. The IDS considered to be attacked when the Observed Change Rate deviates from the Normal Change Rate beyond the corresponding threshold.

This paper is organized as follows. Section 2 gives the IDS model and multiple attributes of the WSN. In Section 3, we describe the CRMA intrusion detection algorithm and discuss some issues in the algorithm. In Section 4, we offer experimental analysis and performance evaluation of the IDS. In the final section, the conclusion is given.

2. IDS Model and Multiple Attributes of WSN

In this section, we introduce the IDS model, attributes of the WSN, and symbol representations of CRMA.

2.1. IDS Model

The model of the intrusion detection system designed in this paper is shown in Figure 1. The IDS agents perform intrusion detection and data transmission. We assume that the IDS agents are trusted nodes and have sufficient energy. IDS agents interact with sensor nodes and base stations (BS). IDS agents will perform deep packet inspection on the ID and attributes of nodes. We assume encrypted traffic by default and IDS agents know the keys of the detected nodes in advance. The IDS agents can decrypt received data and perform deep packet inspection.

The deployment principle of IDS agents is to make IDS agents cover as many nodes as possible and reduce the area of overlap. IDS agents should be deployed in the monitoring region and as far as possible to cover the entire WSN.

2.2. Attributes of WSN

The sensor nodes of the WSN have some characteristic attributes that can be utilized by intrusion detection algorithms. In [27], the attributes of the WSN are divided into two types. One is the audit data in local detection which includes the packet collision rate, the waiting time of transmission, the number of neighbors, the energy consumption rate, and the rate of sensor reading report. Second, the audit data based on packets in the network includes the packet type, RSSI, arrival rate of sensor data, and packet loss rate.

The WSN attributes may be affected by different types of attacks. We find that the more attributes you choose, the more they reflect the WSN situation. However, due to the limited resources of the WSN, it is necessary to select several different attributes to participate in the intrusion detection calculation according to the situation.

2.3. Symbolic Representations

Some symbols which would be used in the CRMA intrusion detection and the explanations of what they represent are shown in Table 1.

3. Intrusion Detection Algorithm Based on Change Rates of Multiple Attributes (CRMA)

The basic idea of the CRMA intrusion detection algorithm is as follows: (a)The Observed Change Rate of attributes is obtained by observing multiple attributes of different nodes(b)Convex optimization is alternately used to obtain the Normal Change Rate of attribute and corresponding weights(c)When the Observed Change Rate deviates from the Normal Change Rate beyond the corresponding threshold, the IDS would determine that the WSN is attacked

3.1. CRMA Framework

The change rates of attributes are steady or change slowly when the WSN is running normally. For instance, the reduction of energy will follow a regular pattern when the sensor node transmits packets at a certain rate. If the change rates of attributes are abnormal, the network is considered to be under attack. In CRMA, convex optimization is used to obtain the Normal Change Rates of attributes and corresponding weights by minimizing the distance between the Observed Change Rate and the Normal Change Rate of each attribute.

3.1.1. Observed Change Rate

The is the difference between the th attribute of th node between time and the previous time . The range and magnitude of each attribute may be different. We define the relative change rate as the Observed Change Rate in CRMA.

3.1.2. Deviation Function

The is the Normal Change Rate of th attribute of th node in the period of interval time which can reflect the regular pattern during the stable operation. In CRMA, the deviation function is the square of the distance between the and . The value of the deviation function is small when the Observed Change Rate is close to the Normal Change Rate.

3.1.3. Constraint Function

The corresponding time weight represents the reliability of the Observed Change Rate in a certain period of time. The parameter is the weight of th node at time . A higher indicates that the Observed Change Rate of the th node at time is closer to the Normal Change Rate. The is set of , , which is the weights of the th node in the period time of . The constraint function specifies the range of time weights which reflects the distributions of weights at different times. The constraint function maps the time weights uniformly to a particular range which can improve the convergence speed and accuracy of the IDS. We define a constraint function and a domain to make locate at a certain numerical range. Different constraint functions may have different influences on the result. We set the value of to be 1 for the sake of simplicity. We choose an exponential function as the constraint function, and the domain of weights expands into .

3.1.4. Optimization Problem of CRMA

The intrusion detection algorithm based on the change rates of multiattributes is proposed in this paper. The is a known value, and the is an unknown value. We construct a convex optimization problem to calculate the Normal Change Rate of attributes by minimizing the weighted deviation between the Observed Change Rate and the Normal Change Rate. The objective function is shown as follows: where the is a set of . The attribute vector comprises a fixed number of Normal Change Rate of all attributes . Each node constructs some attribute vector which reflects the operation status of the network in interval time . The and are unknown vectors that correspond to the set of and time weights, respectively. For an optimization problem with two unknown vectors, to minimize the objective function, a vector can be fixed and another unknown vector can be found through multiple iterations until the vector converges. This iterative approach, referred to as the block coordinate descent method [28], will gradually reduce the updated value of the objective function until it reaches the minimum value. The and can be obtained by following two iterative convergent procedures.

(1) Weight Update. We determine the by fixing . With the estimation of the initial the value of , we can obtain through minimizing the objective function, as follows:

(2) Normal Change Rate Update

We determine the by fixing . We obtain the Normal Change Rate minimizing the weighted deviation between the Observed Change Rate and the Normal Change Rate based on the calculated in the step above.

The -value is the difference in the value of the two adjacent iterations. When the -value is less than the threshold, the iterative process is stopped. During multiple iterations, the gradually converges to a fixed value, which is the Normal Change Rate in time period .

There is another CRMA intrusion detection framework. The objective function is shown as (7). The is the weight of the th dimension attribute of the th node at moment . The solving process of (7) is similar to (4). But this form of CRMA intrusion detection assigns weights to each node at each time of the observation phase. Calculating the state of each node separately can improve the accuracy of the IDS. However, it greatly increases the complexity of the algorithm, and larger space is needed to store weights, which is a huge burden for resource-constrained sensor nodes.

The selection of attributes depends on what type of attack you want to detect. For example, when the WSN is under a flooding attack, the distribution of the packet type would be abnormal immediately and the RSSI would be exceptionally high. In order to detect the flooding attack successfully, the IDS should involve the attributes that would be affected in the detection procedure. On the other hand, if we select multiple attributes properly, we could detect multiple types of attacks at the same time.

3.2. Parameter Setting and Performance Analysis of CRMA

3.2.1. Initial Value of the Normal Change Rate

The Normal Change Rate is obtained by solving the convex optimization problem by minimizing the weighted distance between the Observed Change Rate and solving the Normal Change Rate of each attribute. However, we need to set the initial value of at first which is crucial to solving the convex optimization problem efficiently. In theory, if the optimization problem is convex, the initial value of would not affect the final optimal solution. But good initial values make the algorithm converge quickly and save computing resources. The selecting principle of the initial value of Normal Change Rate is that the chosen value is close to actuality. In CRMA, we use the average method to set the initial value of the Normal Change Rate.

3.2.2. Threshold Setting

The threshold setting is related to the accuracy of the intrusion detection. There are two methods that can be used to set the threshold according to the actual situation to improve the accuracy of the detection. (1)In the training phase of the intrusion detection algorithm, the average and standard deviation of each attribute are calculated by collecting and analyzing data of each node in the time period . The value of average attribute is as shown in (8). The standard deviation is calculated as shown in

The is the parameter determined during the experiment. For any , if , it can be judged that there are no intrusion attacks in the WSN. Otherwise, it can be judged that the network is attacked. The corresponding parameters in different environments of the WSN may be different (2)If the multiple attributes are independent, the joint judgment will increase the false negative rate. If the multiple attributes are related to each other, the joint judgment will get a higher true positive rate. The value of the average attribute is shown in (10). The standard deviation is shown in (11). The average Normal Change Rate of multiple attributes of the node is calculated as shown in (12).

Similarly, if , it can be judged that there are no intrusion attacks in the WSN. Otherwise, it can be judged that there are intrusion attacks in the WSN. The is the parameter determined during the experiment

The computational complexity of (11) is much greater than (9). We can decide which judgment to choose according to the actual situation.

Based on the above description, the flow chart of the CRMA intrusion detection algorithm is shown in Figure 2. (a)The Observed Change Rate of attributes at different times obtained by observing the values of different attributes of sensor nodes over a period of time. We set the initial value of the Normal Change Rate as (b)Convex optimization is used to obtain the normal attribute change rate by minimizing the weighted distance between the rate of the Observed Change Rate and the normal change of each attribute. When the -value is less than the threshold, the iterative process of convex optimization is stopped(c)The IDS would turn on the alarm when the Observed Change Rate deviates from the Normal Change Rate beyond the corresponding threshold. If (or ), it can be judged that there are no intrusion attacks in the WSN. Otherwise, it can be judged that there are intrusion attacks in the WSN

3.2.3. Proof of Convexity

Based on the CRMA intrusion detection algorithm described above, the following theorems are given.

Theorem 1. The constraint function (3) and the optimization problem (4) constitute a convex optimization problem when is fixed.

Proof. According to constraint condition (3), the change domain of is which is a convex set. So, the domain of the objective function in (4) is a convex set. When is fixed, the objective function is a linear affine function for .
For any , It satisfies the definition of a convex function . Therefore, the objective function is a convex function. The constraint function (3) and optimization problem (4) constitute a convex optimization problem involving equality and inequality constraints, which can be solved by the convex optimization solution method. We use the Lagrangian multiplier to solve .
Let , then, .
The optimization problem is converted to Let the partial derivative of be 0, and get Obtained by the constraint , Combine with and obtain

It is obvious that the weight is inversely proportional to the deviation between the observation and the actuality which means the weight is greater when the Observed Change Rate is closer to the Normal Change Rate.

Theorem 2. The change rate (1), deviation function (2), constraint function (3), and optimization problem (4) constitute a convex optimization problem when is fixed.

Proof. The change rate (1) limits the value range of the property change rate to the real number domain , so the set of the definition domain of the independent variable of the deviation function is a convex set.
For any , Namely, We get that Due to , the above formula is obviously wrong. So, we get that

According to the definition of the convex function, the deviation function is a convex function. The constraint function (3) combined with is nonnegative, and the objective function (6) is a nonnegative linear combination of convex functions. According to the nature of the convex function, the objective function of the optimization problem is also a convex function. So, (1), (2), (3), and (4) constitute an unconstrained convex optimization problem. There is only one optimal solution, and the locally optimal solution is also the global optimal solution when the optimization problem is a convex optimization problem [28].

According to (2) and (6), we get that

Let the partial derivative with respect to be equal to 0, and then, we derive the solution of Normal Change Rate .

Therefore, the CRMA intrusion detection algorithm will converge to fixed value during the iterative process.

3.2.4. Time Complexity

The time complexity of the CRMA intrusion detection algorithm will vary when using a different deviation function, constraint function, and objective function. If (2), (3), and (4) are used, the time complexity of CRMA is shown as follows: where is the time range and , is the number of sensor nodes, and is the number of attributes of the nodes.

If the squared deviation function (2), (3), and (7) is used, the time complexity of CRMA is (25).

In (7), the CRMA intrusion detection assigns weights to each node at each time of the observation phase. Calculating the state of each node separately can improve the accuracy of the IDS. But, it greatly increases the complexity of the algorithm.

4. Experiments and Discussion

Attacks from the internal network are the biggest threats to the WSN. Attacks from the external network only make the attacker become a legitimate node to obtain the network information. However, internal attacks often destroy or modify the network data. In this paper, we hope to find an effective way to detect internal attacks.

The parameters to measure the performance of the intrusion detection system are set as (26)–(29). There are four concepts: true positive (TP), false positive (FP), true negative (TN), and false negative (FN). The TP occurs when normal patterns are correctly classified as normal. The FP occurs when abnormal patterns are incorrectly classified as normal. The TN occurs when abnormal patterns are correctly classified as abnormal. The FN occurs when normal patterns are incorrectly classified as abnormal. The true positive rate (TPR) is the probability of successfully detecting the intrusion attacks. The true negative rate (TNR) is the probability that abnormal patterns are incorrectly classified as normal. The false positive rate (FPR) is the probability that attacks will be issued no attacks. The false negative rate (FNR) is the probability that nonattacks will falsely be classified as attacks [29, 30]. The high performance of IDS should achieve a high TPR and low FPR to ensure the efficiency and reliability of the IDS and guarantee the security of the network.

We simulated several typical attacks based on MATLAB; the simulation parameters are given in Table 2.

We validate our algorithms with several typical internal attacks in the WSN including hello flooding attacks, selective forwarding attacks, DoS attacks, sinkhole attacks, and their hybrid attacks (multiple attacks). Table 3 shows the characteristics and impacts of simulated attacks. The multiple attacks are that the above four kinds of attacks exist simultaneously.

In the CRMA, we detect the change rate of attributes based on the characteristics and impacts of the simulated attacks. We assume that the base station (BS) and IDS agents are trusted nodes. CRMA can detect multiple attacks simultaneously. Each point in the following figures is the average of the results of hundreds of tests, and each line has been accumulated over thousands of tests in this paper.

Figure 3 shows that the CRMA has higher true positive rates (TPR) for the four simulated attacks and their hybrid attack (multiple attacks). The TPR for the sinkhole attacks is relatively low. This is because the change rate of the attribute caused by the sinkhole attack is small. So, the CRMA is not good at detecting such attacks. The TPR of the DoS attacks can reach 100% when the number of nodes is large. This is because once the node launches the DoS attacks, the node stops all functions, which will immediately cause the node to change attributes, such as stopping the sending and receiving of data packets, stopping the collection of sensor data, etc. So, the CRMA will more easily detect changes in these attributes.

Figure 4 shows that CRMA has lower false positive rates (FPR) for the four types of attacks and their hybrid attacks. When the number of nodes is relatively small, the FPR is relatively high. But as the number of nodes increases, the false positive rate will decrease. In (29), the FP occurs when abnormal patterns are incorrectly classified as normal and the TN occurs when abnormal patterns are correctly classified as abnormal. With the increase of nodes, the number of attributes also increases. The ability of the system to judge what is abnormal becomes stronger.

The performance of networks is significantly affected by the malicious nodes [31]. In this paper, it is divided into three levels according to the percentage of malicious nodes. There is a low percentage of malicious nodes when the number of attack nodes is 5%~10% of the total nodes, and there is a medium percentage of malicious nodes when the number of attack nodes is 10%~30% of the total nodes. When the number of attack nodes is 30%~50% of the total nodes, there is a high percentage of malicious nodes.

Figure 5 shows the true positive rate (TPR) of CRMA intrusion detection system under different percentages of malicious nodes. The TPR of the system decreases as the percentage of malicious nodes increases.

Figure 6 shows the false positive rate (FPR) of CRMA intrusion detection system under different percentages of malicious nodes. The FPR of the system decreases as the percentage of malicious nodes increases.

The experimental results show that CRMA has a fast convergence rate. Table 4 shows an example of the value of the objective function of each round in the process of iteration. It can be seen that the value of the objective function gradually decreases, and the difference of the value of the objective function is approximately equal to 0.

In this paper, ARMA [25] and NeTMids [26] are compared with CRMA. ARMA predicts the traffic attributes of the WSN and only detects one type of attribute. The packet forwarding rate is selected as an attribute of ARMA. Among the above four intrusion attacks, only the sinkhole attacks will affect the packet forwarding rate. Therefore, the ARMA and CRMA algorithms compare the detection results under sinkhole attacks.

Figure 7 shows the true positive rates of ARMA and CRMA under sinkhole attacks and the aforementioned hybrid attacks (multiple attacks). It can be seen that the ARMA algorithm has a high TPR when the number of nodes is small and a low TPR when the number of nodes is large. The TPR of CRMA is much higher than that of ARMA under multiple attacks. Therefore, CRMA will be a better choice when there are more nodes or multiple attacks in the WSN.

Figure 8 shows the false positive rates of ARMA and CRMA under sinkhole attacks and multiple attacks. When the number of nodes is large, the CRMA intrusion detection algorithm has very low false positive rates for the detection of sinkhole attacks and multiple attacks. In practical applications, the types of attacks are unknown, and the number of nodes maybe very large. At this time, ARMA is not a good choice.

Figure 9 shows the false negative rates (FNR) of ARMA and CRMA under sinkhole attacks and multiple attacks which can be obtained by combining Figure 7 with formula (27). Figure 10 shows the true negative rates (TNR) of ARMA and CRMA under sinkhole attacks and multiple attacks which can be obtained by combining Figure 8 with formula (28). The FNR of ARMA is much higher than that of CRMA under multiple attacks.

The CRMA is compared with the NeTMids [26] intrusion detection algorithm, which uses different attributes of the WSN to detect different attacks. Figure 11 shows the true positive rates of NeTMids and CRMA under the above-mentioned four hybrid attacks (multiple attacks). It can be seen that the true positive rates of NeTMids are significantly lower than those of CRMA.

Figure 12 shows the false positive rates of NeTMids and CRMA under multiple attacks. The NeTMids algorithm has relatively higher false positive rates. Although the NeTMids algorithm is relatively simple and consumes fewer resources, the intrusion detection results are not as good as those of CRMA, and CRMA can detect unknown attacks through the detection of change rates of attributes.

Packet delivery ratio (PDR) is defined as the ratio of the total data packets received to the number of data packets sent [31]. The performance of the WSN is also studied by analyzing the PDR. Figure 13 illustrates the PDR with CRMA and without IDS. The performance of the PDR without any malicious nodes is also presented for comparison. The PDR dramatically decreases from 92% to 43% in the presence of an attacker in WSN. The use of CRMA improves the delivery performance of the system packet from 43% to 85%.

The performance of the network is also studied by analyzing the average end-to-end delay (EED). Figure 14 illustrates the average EED with CRMA and without IDS. The EED dramatically increases in the presence of attacks. The use of CRMA reduces the EED of the WSN.

5. Conclusion

The intrusion detection algorithm based on the change rates of multiple attributes (CRMA) can detect multiple attacks including known and unknown types simultaneously. In CRMA, the Normal Change Rate is calculated by minimizing the weighted deviation between the Observed Change Rate and the normal one through convex optimization. We also give proof that CRMA will converge to a fixed value during the iterative process. Especially in the case where multiple attacks exist simultaneously, the true positive rates of CRMA are 88%~95%. Compared with ARMA and NeTMids, the CRMA has robust detection performance under multiple attacks.

Further, we will improve the CRMA intrusion detection algorithm to reduce its computational complexity and storage requirements. How to set the threshold in CRMA and other parameters according to the actual situation is also a research direction.

Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This research was partly funded by the National Natural Science Foundation of China (61971031) and the Scientific Research Projects of Ordos Institute of Technology (KYYB2018006).

References

P. Gope and T. Hwang, “BSN-Care: a secure IoT-based modern healthcare system using body sensor network,” IEEE Sensors Journal, vol. 16, no. 5, pp. 1368–1376, 2016.
View at: Publisher Site | Google Scholar
M. al Ameen, J. Liu, and K. Kwak, “Security and privacy issues in wireless sensor networks for healthcare applications,” Journal of Medical Systems, vol. 36, no. 1, pp. 93–101, 2012.
View at: Publisher Site | Google Scholar
K. A. Kumar, A. V. N. Krishna, and K. S. Chatrapati, “New secure routing protocol with elliptic curve cryptography for military heterogeneous wireless sensor networks,” Journal of Information & Optimization Sciences, vol. 38, no. 2, pp. 341–365, 2017.
View at: Publisher Site | Google Scholar
D. V. Queiroz, M. S. Alencar, R. D. Gomes, I. E. Fonseca, and C. Benavente-Peces, “Survey and systematic mapping of industrial wireless sensor networks,” Journal of Network & Computer Applications, vol. 97, pp. 96–125, 2017.
View at: Publisher Site | Google Scholar
M. C. Chen, W. R. Chang, H. T. Lin, and H. H. Lee, “Design and performance evaluation of aquatic-pollution monitoring scheme over a waterborne wireless sensor network,” Computer Communications, vol. 40, pp. 51–64, 2014.
View at: Publisher Site | Google Scholar
F. Sadoughi, A. Behmanesh, and N. Sayfouri, “Internet of things in medicine: a systematic mapping study,” Journal of Biomedical Informatics, vol. 103, article 103383, 2020.
View at: Publisher Site | Google Scholar
H. Radhappa, L. Pan, J. Xi Zheng, and S. Wen, “Practical overview of security issues in wireless sensor network applications,” International Journal of Computers and Applications, vol. 40, no. 4, pp. 202–213, 2018.
View at: Publisher Site | Google Scholar
N. Alrajeh, S. Khan, and B. Shams, “Intrusion detection systems in wireless sensor networks: a review,” International Journal of Distributed Sensor Networks, vol. 9, no. 5, Article ID 167575, 2013.
View at: Publisher Site | Google Scholar
F. Raza and S. Bashir, “Optimizing nodes proportion for intrusion detection in uniform and Gaussian distributed heterogeneous WSN,” in 2015 12th International Bhurban Conference on Applied Sciences and Technology (IBCAST), pp. 623–628, Islamabad, Pakistan, 2015.
View at: Publisher Site | Google Scholar
S. Raza, L. Wallgren, and T. Voigt, “SVELTE: real-time intrusion detection in the Internet of things,” Ad Hoc Networks, vol. 11, no. 8, pp. 2661–2674, 2013.
View at: Publisher Site | Google Scholar
P. Ganeshkumar, K. P. Vijayakumar, and M. Anandaraj, “A novel jammer detection framework for cluster-based wireless sensor networks,” EURASIP Journal on Wireless Communications and Networking, vol. 2016, no. 1, 2016.
View at: Publisher Site | Google Scholar
X. Jin, J. Wei, and W. Tong, “Research on intrusion detection algorithm for wireless sensor networks,” IOP Conference Series: Materials Science and Engineering, vol. 452, 2018.
View at: Publisher Site | Google Scholar
S. Shanthi and E. G. Rajan, “Comprehensive analysis of security attacks and intrusion detection system in wireless sensor networks,” in 2016 2nd International Conference on Next Generation Computing Technologies (NGCT), pp. 426–431, Dehradun, India, 2016.
View at: Publisher Site | Google Scholar
R. Mitchell and I. R. Chen, “A survey of intrusion detection in wireless network applications,” Computer Communications, vol. 42, no. 4, pp. 1–23, 2014.
View at: Publisher Site | Google Scholar
A. Mehmood, A. Khanan, M. M. Umar, S. Abdullah, K. A. Z. Ariffin, and H. Song, “Secure knowledge and cluster-based intrusion detection mechanism for smart wireless sensor networks,” IEEE Access, vol. 6, pp. 5688–5694, 2018.
View at: Publisher Site | Google Scholar
A. Ghosal and S. Halder, “A survey on energy efficient intrusion detection in wireless sensor networks,” Journal of Ambient Intelligence & Smart Environments, vol. 9, no. 2, pp. 239–261, 2017.
View at: Publisher Site | Google Scholar
B. Ahmad, W. Jian, Z. A. Ali, S. Tanvir, and M. S. A. Khan, “Hybrid anomaly detection by using clustering for wireless sensor network,” Wireless Personal Communications, vol. 106, no. 4, pp. 1841–1853, 2019.
View at: Publisher Site | Google Scholar
Y. Hu, Y. Wu, and H. Wang, “Detection of insider selective forwarding attack based on monitor node and trust mechanism in WSN,” Wireless Sensor Network, vol. 6, no. 11, pp. 237–248, 2014.
View at: Publisher Site | Google Scholar
M. Motamedi and N. Yazdani, “Detection of black hole attack in wireless sensor network using UAV,” in 2015 7th Conference on Information and Knowledge Technology (IKT), pp. 1–5, Urmia, Iran, 2015.
View at: Publisher Site | Google Scholar
F. Gara, L. B. Saad, and R. B. Ayed, “An intrusion detection system for selective forwarding attack in IPv6-based mobile WSNs,” in 2017 13th International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 276–281, Valencia, Spain, 2017.
View at: Publisher Site | Google Scholar
O. Osanaiye, A. S. Alfa, and G. P. Hancke, “Denial of service defence for resource availability in wireless sensor networks,” IEEE Access, vol. 6, pp. 6975–7004, 2018.
View at: Publisher Site | Google Scholar
Y. Cao, L. Han, X. Zhao, and X. Pan, “AccFlow: Defending against the Low-Rate TCP DoS Attack in Wireless Sensor Networks,” 2019, https://arxiv.org/abs/1903.06394.
View at: Google Scholar
Q. Yaseen, F. Albalas, Y. Jararwah, and M. Al-Ayyoub, “Leveraging fog computing and software defined systems for selective forwarding attacks detection in mobile wireless sensor networks,” Transactions on Emerging Telecommunications Technologies, vol. 29, no. 4, 2018.
View at: Publisher Site | Google Scholar
A. Rehman, S. U. Rehman, and H. Raheem, “Sinkhole attacks in wireless sensor networks: a survey,” Wireless Personal Communications, vol. 106, no. 4, pp. 2291–2313, 2019.
View at: Publisher Site | Google Scholar
J. Peng, Q. Yu, and M. He, “WSN intrusion detection technology based on traffic prediction,” Computer Applications & Software, vol. 2, pp. 310–313, 2016.
View at: Google Scholar
S. M. Sajjad, S. H. Bouk, and M. Yousaf, “Neighbor node trust based intrusion detection system for WSN,” Procedia Computer Science, vol. 63, pp. 183–188, 2015.
View at: Publisher Site | Google Scholar
Z. Yu and J. J. P. Tsai, “A framework of machine learning based intrusion detection for wireless sensor networks,” in 2008 IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (sutc 2008), pp. 272–279, Taichung, Taiwan, 2008.
View at: Publisher Site | Google Scholar
T. H. Tsang, D. M. Himmelblau, and T. F. Edgar, “Optimal control via collocation and non-linear programming,” International Journal of Control, vol. 21, pp. 763–768, 2016.
View at: Publisher Site | Google Scholar
M. Poggiolini and A. Engelbrecht, “Application of the feature-detection rule to the negative selection algorithm,” Expert Systems with Applications, vol. 40, no. 8, pp. 3001–3014, 2013.
View at: Publisher Site | Google Scholar
Z. Sun, Y. Xu, G. Liang, and Z. Zhou, “An intrusion detection model for wireless sensor networks with an improved V-detector algorithm,” IEEE Sensors Journal, vol. 18, no. 5, pp. 1971–1984, 2018.
View at: Publisher Site | Google Scholar
E. A. Shams and A. Rizaner, “A novel support vector machine based intrusion detection system for mobile ad hoc networks,” Wireless Networks, vol. 24, no. 5, pp. 1821–1829, 2018.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2020 Hongying Bai et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

424

Downloads

697

Citations