Professional Documents
Culture Documents
ABSTRACT
Background: Network security policies of system informatics are designed for handling the
integrity, availability and confidentiality of the data for their trusted users. The Intrusion
Detection System (IDS) is introduced to monitor the illegal activities carried out by the malicious
nodes in the Wireless Sensor Network (WSN) environment.
Method: In this paper, we have proposed an Advanced Hybrid Intrusion Detection System
(AHIDS) that automatically detects the WSNs attacks. AHIDS makes use of cluster-based
architecture with the help of enhanced LEACH protocol that intends to reduce the level of
energy consumption by the nodes. AHIDS uses anomaly detection and misuse detection based on
fuzzy rule sets along with the Multilayer Perception Neural Network (MPNN). The feed forward
neural network (FFNN) and back propagation neural networks (BPNN) is utilized to integrate
the detection results and indicate the different types of attackers like Sybil attack, worm hole
attack and hello flood attack.
Results: The experimental analysis is carried out in set of 50 nodes, 13.33% of nodes are
determined as misbehaviour nodes, which classified attackers along with detection rate of True
Positive Rate (TPR) and False Positive Rate (FPR), sybil attack is detected as 99, 40 %, Hello
packet attack with detection rate of 98, 20% and Worm Hole attack with detection rate of 99, 20
%.
Conclusion: The experimental results prove that the proposed system is capable of identifying
the malicious nodes in an efficient way that is caused by hello flood, wormhole, and Sybil attack.
Keywords: Advanced Hybrid Intrusion Detection System, Enhanced LEACH protocol, Fuzzy
mechanism, Multilayer Perceptron Neural Network.
I. INTRODUCTION
WSN is the recent technology and has received huge attention among the researchers.
Normally, the WSN environment comprises of low power, low cost and huge number of sensor
that occurs arbitrarily over the target location or redeployed manually. Wireless sensor networks
have become a powerful and familiar technology due to its potential features and applications
such as health care, monitoring, domestic, surveillance systems and disaster management [1].
The wireless sensor nodes have poor capacities in terms of communication, computation and
energy. In wireless sensor networks, broadcast message is an effective and a popular prototype
that permits multiple users to combine and distribute message packets throughout the network
effectively in order to get data of their interest. It is demonstrated in the fig.1, example diagram
of WSN. Wireless sensor network is a self- organizing network with huge number of sensor
nodes which consumes less power and low cost. Wireless sensor network are utilized for several
applications like civil and military applications that encounters detection, security, identifying
environmental conditions and weather monitoring, i.e., sun ray, particle movement, sound
temperature, object identification, prediction and disaster sensing and so on [2]. This sort of
network has restricted battery storage for the nodes, thus efficient and proper utilization of the
energy in WSN nodes is very essential to improve the network life span.
These sensor nodes are termed as light weight and transferable devices having the
capacities of communicating, sensing and processing the data from one node to the destination
node in larger network. They have restricted transmission range and that send the data directly to
the desired user with transmission range limit. The data transmission in longer distance can be
performed through intermediate nodes, since the WSN are vulnerable for internal and external
outbreaks. Most commonly, it does not have the capacity to handle the tough attacker owing to
its resource restricted nature [3]. In this condition, secondary stage of defense is mostly called as
IDS, which is needed to prevent the system from the attackers. There is vast development in the
attackers, which can be detected using the IDS [4]. Unfortunately, majority of the sensor
networks are very sensitive towards attacks because of WSN characteristics and antagonists can
simply create the network traffic, which can also causes heavy packet drop during broadcasting
of the packets or change the original content of the message in the packets [5]. Thus, the
authentication strategies managed to the network for assuring secure communication between the
nodes. In WSN, it is very essential to carry out the secure data transmission between the nodes.
For instance, if WSNs is employed in battlefield applications, sensor nodes are intruded by the
attackers and destroyed. Hence, the security plays a significant role. A prevention technique is
utilized to counteract the well-established attacks. Moreover, prevention scheme cannot defend
all the attacks. Thus, these attackers require to be identified, so the IDS are utilized commonly to
identify the packets in a network, and estimate which packet is damaged by the attackers.
Furthermore, IDS can help the prevention system through developed nature of attacks [6].
It has the highest accuracy but with low detection rate. Particularly, it cannot detect the
unknown attackers, which are not in the base of the model. Various researchers have analyzed a
module of hybrid detection to utilize the merits of the both misuse detection and anomaly
detection. This hybrid detection methodology can identify unknown attacks with the greatest
accuracy of the misuse detection and greatest detection rate of anomaly detection. The HIDS
accomplishes the aim of obtaining the highest detection rate with low false positive rate [1].
This paper describes about the Advanced Hybrid Intrusion Detection System, it utilizes a
Multilayer Perceptron Neural Network (MPNN), which contains feed forward neutral network(
FFNN) and back propagation neural networks (BPNN) of the supervised learning approach
based on the Fuzzy logic mechanism with anomaly and misuse detection technique to detect the
Hello flooding, Wormhole, and Sybil attack with higher detection ratio and lower false alarm.
At first, the Sybil attack detection is based on the Advanced Sybil Attack Detection
Algorithm (ASADA) with Fuzzification method along MPNN, it is utilized to separate the Sybil
node and legitimate node even has the highest mobility through the verification process using
RSSI ( Received Signal Strength Indicator).
Then, to identify the wormhole attack, we propose the Wormhole Resistant Hybrid
Technique (WRHT) with Fuzzification method along FFNN. The proposed WRHT allows the
source node in the sensor network to calculate the wormhole presence probability (WPPp) for a
path in addition to HC ( Hop Count )information. Hence. WRHT makes use of dual mode
detection by calculation PLPp (packet loss probability ) and TDPp (time delay probability), if it
finds out the packet loss at the receiving end, then conclude that the wormhole attacker is
working in encapsulation mode (hidden mode).
Finally for detecting hello flood attack, sensor nodes of RSS and distance along with their
threshold values are moved to the BPNN. The fuzzy interface in the fuzzy based detector module
uses both anomaly and misuse detector in order to the estimate the Hello flood attack in the
adversary model in AHIDS. Here, the trusted neighbor nodes are instructed to flood a fixed
number of fake packets into the sensor network at the same time. If the suspicious node passes
this test then it is directed to send-received check. If it fails this test, then the node is considered
as malicious and stored as blacklisted.
The proposed work aims to detect the Hello flooding, Wormhole, and Sybil attack in
the WSN by using the AHIDS. We utilize the Enhanced LEACH protocol (with fuzzy rules) to
identify the attackers of different types. AHIDS makes benefits from both anomaly detection and
the misuse detection models for the detection of above said attacks. The proposed AHIDS can
obtain a greater detection rate and low positive rate value. Meanwhile, it can find and include
new instances by machine learning strategy of Multilayer Perceptron Neural Network (MPNN)
through practically when it endures about the unknown attacks. AHIDS proposed in this
research, contains of two important elements as represented figure.5, the Feed Forward Neural
Network (FFNN) and the Back Propagation Neutral Network (BPNN).
AHIDS first makes use of anomaly detection block in order to recognize the data packets
as abnormal or normal. Later on, the misuse detection block covers the abnormal data packets to
recognize the several types of attack detection [21]. Eventually, the effects of the two detection
blocks are combined by the fuzzy block with MPNN in order to make decision for identifying
any intrusion and the different kinds of intrusion, and bring back the same to authority to prevent
the system from the attackers.
The anomaly detection models are generally utilized to recognize the abnormal packets
for further detection of malicious nodes. Due to this anomaly detection utilizes a standard
method to detect the normal behavior of the nodes; a data packet is identified to be abnormal in
the network once present behavior changes from that of normal behavior. As an outcome, the
anomaly detection generally identifies the common transmission as well as abnormal
transmission of data packets, which forms the issues of classifying the erroneous nodes in the
network. Nevertheless, it rarely considers an abnormal transmission as the normal transmission.
Hence, the anomaly detection method is utilized to sort a huge number of data packets records
first and make further detection analysis with the misuse detection method, whenever the amount
of data is minimized.
IHIDS (Intelligent Hybrid Intrusion Detection System) and AIHIDS (Artificial Immune
based Hybrid Intrusion Detection System) are similar, but the important difference between them
is that IHIDS does not support artificial neutral network [22]; Hence, it cannot analyze and
distinguish new intruders immediately while it suffers from the unknown assaults, whereas
AIHIDS detects the attackers with the use of MPNN. The difficulty with the LEACH based
implementation is that the resources of the cluster head are less than the base nodes. Due to
higher number of resource in the base nodes, it doesnt have any restrictions while utilizing the
resources. In case cluster heads takes lot of resources of performing and energy to identify
intrusion, then the overall network lifespan becomes lesser. Hence to minimize the workload of
AIHIDS, there is no supervised learning of Neutral Network mechanism between the base node
and cluster heads. The feedback mechanism feeds the information of new assaults, which the
learning process of AIHIDS accomplices to the misuse detection scheme of proposed AHIDS for
training the data set.
This procedure not only obtains the AIHIDS but also gets the same performance of
that IHIDS which consumes some additionally resources to detect the new attacks. When AHIDS
gets the feedback message from the learning mechanism of AIHIDS, the misuse detection model
of IHIDS is retrained using the data of new attacks at the next training for adding new detection
classes. Because the anomaly detection model, misuse detection model and decision making
model in AHIDS are same as those in IHIDS, the details of system structure are not described
again.
In Sybil attack, the attackers can get identities by two ways. At first, it has the ability to forge
its own identities for instance, forming an arbitrary identifier. Then, it applies stolen identities,
which means spoof the identities of legitimate nodes (masquerading) in the WSN. The proposed
mechanism is developed for recognizing new identity formed by a Sybil attacker. We consider
that malicious node enter the network with its one identity, and that the misbehaving node does
not conspire with one another. We also considered that nodes does not increase or decrease their
transmit power. The Sybil attack makes the following affects on the WSNs [23]:
The routing table size is elaborated in a WSN and it makes confusion in the data routing
packets.
The Sybil attack interrupts the trusts based mechanism in WSNs by decreasing or
increasing the nodes trust value.
Sybil attack produces confusion between illegitimate node and legitimate node in the
WSN.
The wireless sensor networks life gets decreased due to the single nodes reaction to the
various nodes requests.
The performance and throughput of the network are reduced significantly because of the
Sybil attack.
To identify the Sybil attack, we propose the Advanced Sybil Attack Detection Algorithm
(ASADA) with Fuzzification method along MPNN, it is utilized to separate the Sybil node and
legitimate node even has the highest mobility through the verification process. The AHIDS
absorbs the each node RSSI ( Received Signal Strength Indicator ) value in the table with respect
to the time period, it analyze whether first RSSI value is lesser than threshold or not. If not,
AHIDS include it to attacker list and update to its neighbors list. Since the battery restrictions,
every sensor node maintains only 5 lists. Figure 2 shows a scenario of Sybil attack in WSN.
The proposed ASADA is combined with the rule based anomaly detection module. In this
mechanism, the anomaly detector utilizes fuzzy rules set to differentiate data units as normality
or anomalies. While supervising the WSN, these fuzzy rules set are chosen appropriately and
employed to the supervised data. If the fuzzy rules are satisfied in determining, an anomaly is
announced. The ASADA, the underlying detector compiles into four processes, towards
observing Sybil attacks in the wireless sensor networks. In this first process, nearby nodes
identifies the path for the data transmission, it utilizes the ranging-enabled scheme [3] which
hello packets to the neighbor nodes (which is also called as beacons). The data packets are
utilized within the particular range in order to receive the effective RSSI signal; if they cross
certain the distance or the range then the signal strength becomes weaker which has the
possibilities of getting the affected by the malicious nodes, so, we include the ranging estimation
scheme. In this scheme, each packet has the PHY header (PHR) with particular bit which is
called as the ranging bit, moreover, each packet broadcasting the PHY for the frames sets meant
for ranging [3].
In the next phase, each node develops the table comprising about the locally calculated
ranging estimation, i.e., it needs to evaluate the distance of the nodes which lies in the ranging-
enabled scheme for data transmission in order to eliminate the node which is out of the range. At
first, it calculates about the distance d from the every neighboring node it identified. Here, we
n
ab
consider that, n
d ab represents about the detected distance between the node na and the node nb as
calculated by the node n a . Nevertheless, the distance detection may not be the error free, it may
contain the ranging error, which is indicated as e error units, which happens because of the
wireless network of the ranging communication and the imperfections of the fundamental PHY
and because of the misbehavior node performing a distance increasing or decreasing attack.
Therefore, by d we represent the exact distance between node n a and the node n b . Evidently,
e
ab
it applies that ( 2 ) < < ( + 2 ) at average for each node n a , n b .
In this next process, every node in the WSN severally executes the multiple distance
matching verification. This indicates that node n a equates the ranging measurements of every
possible pair of nodes na and n b , represented in its neighbor node list, i.e. for all b , c a , 1 b ,
c M :
| d a b d a c | e
n n
,
If { (1)
| d a b d a c | e
n n
,
The above conditions rules sets that in case node na determines that two nodes other,
trenchant node, represented by n b and n c , have a difference in distance smaller than e quadratic
metric units, then the node performing the distance verifies considers that a Sybil attack is active
and continues with the procedure of identifying the blacklisting of nodes n b and n c . As evident,
these premises could produce a false (positive) value in the Fuzzy table set 1, the two distance
matching nodes n b and n c , are legitimate sensor nodes. Accordingly, the network performance
and the applicability are based on the false probability [24]. Therefore, the analytic framework
has been a developed to enhance the accuracy of the detection mechanism.
At this condition, it is very essential to describe that the third process of the proposed algorithm
is a repeating process, intending that distance checks are performed sporadically. The time
period with which each node performs circular based Sybil attack detection algorithm based on
the fuzzy set rules with Neutral network with which each sensor node moves to the neighbor
route discovery seeking for the fresh neighbors in its locality. Each time, a wireless sensor node
finds for older or fresh neighbors, it rejoins the distance checks. This process also makes the
requirements to assure that distance verifications are invariably to upgrade between the freshly
added neighbor and every other older node in the neighbor list, based upon the distance and the
threshold point of the fuzzification is used to determine the percentage of the Sybil attackers.
A wormhole tunnel can be generally being practicable if utilized for transmission all the data
packets. Nevertheless, in its misbehavior incarnation, it can be utilized by the two misbehaviors
end points of the wormhole tunnel to enter traffic congestion during the routing which affects all
routes through them. The misbehavior nodes end points should be then introduced different types
of attacks against the traffic congestion occurring on the wormhole. Therefore , the wormhole
attack would influence route established by protecting any two sensor nodes in the wireless
network that are much bigger than two hops nodes away from exposing routes to each other. The
wormhole attack may influences various applications and energy utilizes in wireless ad hoc
networks such as, clustering protocols, data aggregation, and location based wireless networks
systems [25]. At last, the wormhole attack is regarded especially pernicious as it can be
established without experiencing access to any legitimate node in the network.
To identify the wormhole attack, we propose the Wormhole Resistant Hybrid Technique
(WRHT) with Fuzzification method along FFNN. The proposed technique WRHT is a hybrid
technique based on the concept of watchdog [26] and Delphi [27]. Watchdog (packet drop) and
RTT based technique Delphi are based on assumption that the packet drop and RTT of a route in
the network is very closely related to the value of its Hop Count (HC) and distance.
WRHT makes use of the information about the packet drop, the delay per each hop and
for the complete route in the sensor network. The foundation behind WRHT is to build up
a wormhole detection methodology that is able to manage every category of wormholes, is
possible for every type of WSN device and scenarios of the network, without the earning of
significant computational and costs. WHRT is considered as an extension to routing protocol.
The proposed WRHT allows the source node in the sensor network to calculate
the wormhole presence probability (WPPp) for a path in addition to HC information. During
Packet Encapsulation in Wormhole attack the packets are transmitted via the legitimate path
only, the packet when reaches a colluding node is encapsulated so that the nodes on the way are
not able to increase the hop count. When the packet reaches the other colluding node at the
receiving end, this node, then decides whether to drop the packet or retransmit it in the network.
Since WRHT makes use of dual mode detection by calculation PLPp and TDPp, if it finds out
the packet loss at the receiving end, then conclude that the wormhole attacker is working in
encapsulation mode (hidden mode).
The following formulas are used for calculation the presence of wormhole
Since the two events time delay and packet loss are not mutually exclusive (as there may be loss
of packets and time delay at same time), the wormhole presence probability (WPPp) for a path
can be defined as
WPPp= TDPP + PLPP (TDPP and PLPP)} (5)
Here, calculated values of equations (2-5) are moved to the FFNN. The fuzzy interface in the
fuzzy based detector module uses both anomaly and misuse detector in order to the estimate the
wormhole attack in the adversary model in AHIDS. Here, malicious nodes are detected and
stored as blacklisted.
The hello flood attacks works, as an assaults node disseminates hello packets by applying a more
powerful transceiver than common sensor nodes. The attack is shown in figure 4. The wireless
sensor nodes obtaining such hello packets may incorrectly consider that they are inside the RSS
of the transmitter and attempt to transmit their data packets through the misbehavior nodes [28].
These packets would be lost as they may not reach the destination sensor nodes. RSS can be
estimated by the nearest neighbor of a misbehaving node as this RSS is effectively higher than
signal received from others neighbors [4].
Figure 4: HELLO flood attack in WSN
To minimize the communication overhead of the data packet in previous RSS established
methodology, in this paper, we consider the clustered based wireless sensor network, based on
the RSS and distance threshold of the elected cluster head nodes. The distance of nodes is
estimated by the following
Here, (x1,y1) represent the location coordinates of the destination node that is receiving packet,
while (x2,y2) are the CH location coordinates that are sent that through advertising HELLO
packet. Receiving nodes calculates RSS threshold value TRSS, which corresponds to each node
radio range in WSN. Receiving nodes also calculate the value for distance threshold (TDIST),
which corresponds to the radio range distance covered. Each sensor node join a CH if
Here, sensor nodes RSS and distance along with their threshold values are moved to the BPNN.
The fuzzy interface in the fuzzy based detector module uses both anomaly and misuse detector in
order to the estimate the Hello flood attack in the adversary model in AHIDS. Here, the trusted
neighbor nodes are instructed to flood a fixed number of fake packets into the sensor network at
the same time. If the suspicious node passes this test then it is directed to send-received check. If
it fails this test, then the node is considered as malicious and stored as blacklisted.
AHIDS utilize the fuzzy based MPNN, which contains the FFNN and BPNN of supervised
learning approach in order to identify the all three attackers with the help of fuzziness rules set.
Hence, d i denotes the desired output, a i denotes the actual output which is resulted by the multi-
layer network input. For the back propagation process is the error rate or signal is propagated by
the MLP network [23]. The proposed methodology integrates the anomaly detection and misuse
detection scheme; it is demonstrated in the fig. We use abnormal packets, which were
determined by the anomaly detection scheme, as the input layer. When the number of performing
units in input vector is decided by the selected characteristics for the data packets. Furthermore,
the number of performing units are included in the hidden layer is developed by increasing
amount of output layers and the input layers. Once again the analysis, there are eight common
attacks in clustered based wireless sensor networks, including altered / spoofed / replayed
routing information, Sybil attack, Denial of Service, Sinkhole attack, Hello Flooding attacks,
Wormholes and Acknowledgement spoofing. Nine performing units in the output layer provides
eight various attacks and a single normal a behavior of the node to decide whether the inserted
packet is an attacker or intrusion that forms a classification.
The overall complete details of the data packets are gathered, which moves towards the
base nodes in clustered based wireless sensor networks, as the common data for training.
Majority of the data packets are normal in clustered based wireless sensor networks, which
makes the training data has imbalanced. On another hand, the abnormal data packets have been
eliminated by FFNN because of their minimum occurrence ratio. Therefore, to avoid such issue,
the training data are percolated through the anomaly detection scheme at first, later on the
abnormal data are distinguished which have been obtained from the training. Before forwarding
to the training data to BPNN, the training data were generalized into a identical form of BPNN .
On the other hand, the data packets records are convinced into a stream binary value and then set
to BPNN. To obtain a good convergence, the detection rate is kept as 0.1 to 1.0. The actual
learning ratio is obtained from the simulation. Furthermore, we allocate values from the range of
0 to 1 as the biases and weights haphazardly. After the training data are incorporated into the
BPNN, equating the actual output results through the mechanism of the feed forward FFNN.
The error and rectification value of hidden and output layers are estimated through the
mechanism of the back propagation in the Multilayer Perceptron Neural Network model. To
modify the biases and weights of networks, unless all the training data has been utilized, such
duration is called as epoch [30]. The training data would be discovered continuously and
organize the weights according to the layers frequently with the help of the epochs, unless the
output layer value is same as the target value and then the training data is finish.
Hence, complete abnormal packets are identified by the anomaly detection scheme and
then for the further verification, it is forwarded to misuse detection scheme. At first, it apply the
pre-processing step to covert the abnormal packets into a binary value and then the binary value
is forwarded to the misuse detection scheme to estimate the output value. At last, the outcome of
the detection value is delivered to the fuzzy module with Multilayer Perceptron Neural Network
model in order to obtain the best integration.
The fuzzy module is utilized to make the best decision making in order to identify the
attackers and their different types of attackers by integrating anomaly detection scheme and
misuse detection module. The fuzzy rule based mechanism is utilized to support the decision
making model, by applying the rules to aggregate the outputs of the two detection schemes, and
the major merits of this study is to obtain the fast and accurate results. The fuzzy based rules are
given in the tabulation. This mechanism operates using fuzzy logic controller, first the input
parameters (FPNN) are assigned in the fuzzification process and these parameters moved to the
Fuzzy Inference System (FIS). In FIS, it performances based on the fuzzy membership
(triangular) and the fuzzy rule that are applied on the input parameters to determine the suitable
fuzziness to determine the attackers types. The fuzzy sets considered for the input parameters as
very low, low, medium, high and very high and it is represented in the table 1 and the hidden
layer input (BPNN) are given as very short, short, medium, long and very long i.e. is presented
in the table 1. Thus these parameters are analyzed in FIS and that checks the fuzzy rules and
functions for producing the results to defuzzication where the output parameters are extracted as
Low fuzziness (Sybil attack), mild fuzziness (Worm hole attack) and high fuzziness ( Hello
Flood attack ).
The Multilayer Perceptron Neural Network (MPNN) model is also called as multi-layer neural
network. MLP is categorized into Feed Forward Neural Network (FFNN) and Back Propagation
Neural Network (BPNN) back propagation model; it is used to estimate the detection accuracy of
the three different attackers so mentioned above in this paper. The attackers are improving day
by day due to the development of the advance technology and the users behavior. Hence, it is
very necessary to improve the existing Intrusion Detection System as well as the system
capacity. To overcome such issues, our proposed AHIDS should be an advanced intelligent
detection system. When the system identifies the new types of attacks, machine learning
mechanism has the capacity to identify and learn to find the new types of attacks. Nevertheless,
the data packets cannot be accurately assorted by misuse detection model would be noticed as an
unknown assault. Furthermore, these data packets would be transmitted to the MPNN to
understand and introduce the new type of detection system for identifying the different types of
attacks.
We adopt the MPNN to develop the FFNN and BPNN mechanism of IHIDS, because
these neutral network could manage with a huge number of data to continue the system stability
and it has the capacity to listen the different types of attackers. On the other terms, FFNN would
progress with detection and estimate the new types of attacks simultaneously. The proposed back
propagation BPNN utilized to cluster unknown attacks for our MPNN supervised learning
mechanism that incorporates an input layer, hidden layer and output layer, moreover the pattern
of the supervised learning system is represented in the Fig.6 In the misuse detection scheme
cannot detect exact attacks from the data packets, because input layer and the number of input
nodes is decided through the selected features for the data packets. The number of output nodes
is found at the starting stage. Therefore, various kinds of clusters would be produced by using
proposed fuzzy based Multilayer Perceptron Neural Network, Hence the output nodes results is
improved, when each output node establishes a fresh type method to detect the attackers.
Each data packet of unknown attackers is inserted to the artificial supervised learning
mechanism and estimates the corresponding points for each output results and later on it detects
the winning output node results to estimate the corresponding value of winning output node is
higher than vigilance value, this indicate the inserted packets corresponds to the output node,
hence, it belongs to this clusters and Multilayer Perceptron Neutral Network just has to modify
the weights. On the other terms, when the corresponding value of the winning output node is
lesser than alertness value, which indicates that inserted data packet is not equal to the
connected weight; therefore, it does not matches to this cluster. It has to detect the next winning
node results to check whether it can pass the alertness test. Or else, It would produce a fresh
output result node and which means a fresh attack has been identified. Furthermore, to determine
the desirable vigilance value, it is examined by the sample data through the experimental
simulation. In order to include a fresh detection classes, the information of cluster are carried to
retrain the MPNN of the misuse detection scheme while the cluster member values obtains the
defined threshold
BPNN
Training data
Unlabeled data
Fuzzification
classification
Fuzziness F(V)
unlabeled data
Mild fuzziness
Detection Classifier
MPNN
accuracy
Time duration
In this approach, we utilize the KDD data sets to coordinate the pattern. To determines
the clustered based wireless sensor network, have introduced an efficient training MPNN for
minimizing the energy utilization by reducing the variable size dummy packets. Therefore, the
dummy packets are removed in the network during the preprocessing stage, which can improve
the strength of the data utility. Thus, the size of the dummy variable packet is varied below or
above the normal data packets, to reduce the energy utilization. This will be finally make the
adversary model to separate the data packets between the legitimate packet and a fake packet,
and it does not provides the data about the actual size of the real packets, however, the proposed
methodology provides with several benefits to improve the data packets security and the
minimize the energy consumption in the wireless sensor networks in the AHIDS than global
hybrid intrusion detection method [1].
1. Accuracy
C
i 1
T Pi
A cc (10)
N
2. Recall
TPi
Recall = TP + FN
i i
(11)
3.
4. Averarge Accuracy
c
1
AAcc =
C
R e c a ll i (12)
i 1
5. Precision`
TPi
Precision i = (13)
TPi +FPi
6. F-Measure
2 . R e c a ll i . P r e c is io n i
FM i
(14)
R e c a ll i P r e c is io n i
6. Attacker accuracy
Attacc = C 1
c
1
Re calli (15)
2 i
i 2
TP i
Adr = (16)
c
i 2 TPi + FN i
Where, C denotes number of classes, N stands for the number of examples and TPi is the number
of True Positives value of the ith class, FPi the number of False Positives value of the ith class,
FNi is the number False Negative value of the ith class.
In this experimental set up, we evaluate the performance of the proposed AHIDS in the wireless
sensor network by using the NS2 network simulator version 2.33 (NS2.33) [31] with parameters
of simulation used defined in the Table 2.
Parameter Value
We estimate the different types of attackers such as Hello flooding, Wormhole, and Sybil attack
and their detection accuracy for the wireless sensor networks in the Advanced Hybrid Intrusion
Detection System with Fuzzy Rules Based MPNN is fairly better than global hybrid intrusion
detection method [1]. In this table 3, the results demonstrated that the misbehviour nodes are
detected in the True Positive Rate (TPR) and False Positive Rate (FPR), which is detected with
the MPNN using fuzzy logic mechansim. For experimental results, Out of 50 nodes, 13.33% of
nodes are determined as misbehaviour nodes which has cut down the data passing through it. As
per the obtained results have proved that the proposed fuzzy logic mechanism is able to identify
the misbehavior nodes in the system with higher positive ratio and lower false positive rate that
is presented in the figure 2. The table 3 illustrates that detection rates under each level of node
speed. Table 4 represents the detection rate and false negative for the attack of hello flood,
wormhole and Sybil.
TPR FPR
We first deploy WSN by defining the base station (BS), and clusters with each having a cluster
head (CH). As shown in figure 7, the node 9 is the BS with nodes 1, 4, 8, 13, 16, 20, 27, 35 as
CH. Figure 7, provides a scenario of the sensor network having node 10 as selfish node (i.e. hello
flood node). Node 10 is drooping packets and it is a hello flood attacker detected by the AHIDS.
Node 7 and node 41 as shown in figure 7 as detected as Sybil and wormhole attacks by AHIDS.
These malicious node 7, 10, 41 are isolated from the network for the normal function of WSN by
AHIDS.
Table 4: Detection Ratio and False Negative Rate for three Attackers
In this paper, we provide a combined defend mechanism against hello flood, wormhole and Sybil
attack in wireless sensor networks. We propose an advanced hybrid intrusion detection model for
wireless sensor network that makes use of both anomaly detection and misuse detection for
detecting attacks. Our proposed advanced Hybrid Intrusion Detection System utilizes a
Multilayer Perceptron Neural Network, which contains feed forward neutral network and back
propagation neural networks of the supervised learning approach based on the Fuzzy logic
mechanism with anomaly and misuse detection technique to detect the Hello flooding,
Wormhole, and Sybil attack. The combination of these two techniques is used to provide an
advanced hybrid intrusion detection system with a high detection rate and low false positive rate.
In our detection mechanism is incorporated in a cluster-based topology with R-Leach protocol, to
decrease communication costs and energy consumption, which leads to increase the network life
span, improving the lifetime of the network. The simulation results show that AIDS is capable of
performing high TPR and low FPR. The results also prove that the proposed system is highly
efficient than global hybrid intrusion detection method in terms of parameters such as
throughput, packet loss, energy consumption, PDR. For our future work, more analysis on this
topic requires to be undertaken with detail simulation of different attack scenarios to evaluate the
performance of proposed AHIDS.
ACKNOWLEDGEMENT
Authors are highly thankful to the Department of RIC, IKG Punjab Technical University,
Kapurthala, Punjab, India for providing opportunity to conduct this research work.
CONFLICTS OF INTEREST
The authors declare no conflict of interest
REFERENCES
[1] Yassine Maleh, Abdellah Ezzatib, Youssef Qasmaouic and Mohamed Mbidac, "A Global
Hybrid Intrusion Detection System for Wireless Sensor Networks", The 5th International
Symposium on Frontiers in Ambient and Mobile Systems (FAMS 2015), Procedia Computer
Science 52 ( 2015 ) 1047 1052
[2] Shahaboddin Shamshirband, Nor BadrulAnuar, Miss Laiha Mat Kiah, Dalibor Petkovi
and Sanjay Misra, "Co-FAIS: Cooperative fuzzy artificial immune system for detecting
intrusion in wireless sensor networks", Journal of Network and Computer Applications (2014),
Pg.No1084-8045
[3] Panagiotis Sarigiannidis , Eirini Karapistoli, Anastasios and Economides, "Detecting Sybil
attacks in wireless sensor networks using UWB ranging-based information", Expert System with
Applications 42(2015), 75607572
[4] Shikha Magotra, Krishan Kumar, Detection of HELLO flood Attack on LEACH Protocol,
Advance Computing Conference (IACC), 2014 IEEE International pp:193-198
[5] Yaya Shen, Sanyang Liu, Zhaohui Zhang, Detection of Hello Flood Attack Caused by
Malicious Cluster Heads on LEACH Protocol, International Journal of Advancements in
Computing Technology (IJACT)Volume 7, Number 2, March 2015.
[6] Satwinder Kaur Saini, Mansi Gupta, Detection of Malicious Cluster Head causing Hello
Flood Attack in LEACH Protocol in Wireless Sensor Networks , International Journal of
Application or Innovation in Engineering & Management,Volume 3, May 2014.
[7] Rahayu, T.M.; Sang-Gon Lee; Hoon-Jae Lee, Security analysis of secure data aggregation
protocols in wireless sensor networks 16th International Conference on Advanced
Communication Technology (ICACT), 2014 pp.471-474.
[8] Sencun Zhu, Sanjeev Setia, Sushil Jajodia LEAP: Efficient Security Mechanisms for
LargeScale Distributed Sensor Networks, Tech report, ACM 2004.
[9] J. Lee, V. Leung, K. Wong, J. Cao, and H. Chan, Key management issues in wireless sensor
networks: current proposals and future developments, IEEE Wireless Communications, vol. 14,
no. 5, pp. 76 84, 2007
[10] M. Turkanovi, B. Brumen, M. Hlbl, A novel user authentication and key agreement scheme
for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion, Ad
Hoc Netw. 20 (2014) 96112
[11] M Hongbin,W Yingli,Y Shuang,Y Hai and L Zhenhai, Hybrid key management
mechanism based on double cluster head structure, 2nd International Conference on
Instrumentation, Measurement, Computer, Communication and Control (IMCCC), IEE, p.164-
167, 2012.
[12] Waldir Ribeiro Pires Junior Thiago H. de Paula Figueiredo Hao Chi Wong Antonio A.F.
Loureiro, Malicious Node Detection in Wireless Sensor Networks, 18th International Parallel
Distributed Processing Symposium(IPDPS04) Vol. 1, pp. 24, 2004.
[13] . Virendra Pal Aishwarya S. Sweta Jain, Signal Strength based HELLO Flood Attack
Detection and Prevention in Wireless Sensor Networks, International Journal of Computer
Applications (0975 8887), Vol. 62,January 2013
[14] S. Magotra and K. Kumar, Detection of HELLO flood attack on LEACH protocol, in
Proceedings of the 4th IEEE International Advance Computing Conference (IACC '14), pp. 193
198, February 2014.
[17] J. Ibriq and I. Mahgoub. A secure hierarchical routing protocol for wireless sensor networks.
In In: Proc. 10th IEEE International Conference on Communication Systems, pages 1U6,
Singapore, October 2006.
[20] Vishal Kumar Arora, A survey on LEACH and others routing protocols in wireless sensor
network, Optik - International Journal for Light and Electron Optics, Volume 127, Issue 16,
2016.
[21] R. Alcal, Y. Nojima, H. Ishibuchi, and H. Francisco, Special issue on evolutionary fuzzy
systems,. International Journal of Computational Intelligence Systems, Vol. 5, Issue 2, 2012,
pp. 209211.
[22] Y. Chung, and N. Wahid, A hybrid network intrusion detection system using simplified
swarm optimization (SSO), Applied Soft Computing, Vol. 12, Issue 9, 2012, pp. 30143022.
[23] Pankaj Rathee et al. (2015), Preventing Sybil Attack in Wireless Sensor Networks,
International Journal for Innovative Research in Science & Technology, Volume 1, Issue 12,
May 2015.
[24] F. L. Cao, H. L. Ye, D. H. Wang, A probabilistic learning algorithm for robust modeling
using neural networks with random weights, Inf. Sci., 2015, pp. 6278
[25] Victor Obada et al . (2015). Hidden Markov Model for Shortest Paths Testing to Detect a
Wormhole Attack in a Localized Wireless Sensor Network, Procedia Computer Science 10,
Published by Elsevier Ltd, 1010 1017.
[26] Jay Rupareliya et al. (2016). Securing VANET by Preventing Attacker Node Using
Watchdog and Bayesian Network Theory, Proceedings of International Conference on
Communication, Computing and Virtualization (ICCCV) 2016, Volume 79, 2016, Pages 649-
656.
[27] Parmar Amish et al ( 2016). Detection and Prevention of Wormhole Attack in Wireless
Sensor Network using AOMDV Protocol, Proceedings of International Conference on
Communication, Computing and Virtualization (ICCCV) 2016, Volume 79, 2016, Pages 700-
707.
[28]A. Zadeh. (1965). Fuzzy rule sets, Information and control, Department of electrical
engineering and electronics research laboratory, University of California, Berkeley.
[29] A. Zadeh. (1996). Fuzzy Sets and Information Granularity, Advances in Fuzzy Set
Theory and Applications, Theory Vol 6, Fuzzy Sets, Fuzzy Logic and Fuzzy Systems,
Singapore: World Scientific, 1996.
[30] K.K. Q. Yan, S.C. Wang, S.S. Wang, Hybrid intrusion detetection system for enhancing
the security of a cluster-based wireless sensor network, Proceedings of 3rd IEEE International
conference on computer science and information technology, china, 2013, pp. 114-118.
[31] Teerawat Issariyakul, Ekram Hossain. (2009). Introduction to Network Simulator NS2, US:
Springer; 2009.