

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/339130936

A Collaborative Security Framework for Software-Defined Wireless Sensor

Networks

Article  in  IEEE Transactions on Information Forensics and Security · February 2020

DOI: 10.1109/TIFS.2020.2973875

CITATIONS: 19

READS: 510

5 authors, including:


Christian Miranda

ETS

5 PUBLICATIONS   72 CITATIONS   


Georges Kaddoum

École de Technologie Supérieure

303 PUBLICATIONS   5,766 CITATIONS   


Elias Bou-Harb

University of Texas at San Antonio

99 PUBLICATIONS   1,312 CITATIONS   


Sahil Garg

École de Technologie Supérieure

124 PUBLICATIONS   1,798 CITATIONS   


All content following this page was uploaded by Elias Bou-Harb on 08 February 2020.



A Collaborative Security Framework for Software-Defined Wireless Sensor Networks

Christian Miranda, Member, IEEE, Georges Kaddoum, Member, IEEE, Elias Bou-Harb, Member, IEEE, Sahil Garg, Member, IEEE, Kuljeet Kaur, Member, IEEE

Abstract—With the advent of 5G, technologies such as Software-Defined Networks (SDNs) and Network Function Virtualization (NFV) have been developed to facilitate simple programmable control of Wireless Sensor Networks (WSNs). However, WSNs are typically deployed in potentially untrusted environments. Therefore, it is imperative to address the security challenges before they can be implemented. In this paper, we propose a software-defined security framework that combines intrusion prevention with a collaborative anomaly detection system. Initially, an IPS-based authentication process is designed to provide a lightweight intrusion prevention scheme in the data plane. Subsequently, a collaborative anomaly detection system is leveraged with the aim of supplying a cost-effective intrusion detection solution near the data plane. Moreover, to correlate the true positive alerts raised by the sensor nodes in the network edge, a Smart Monitoring System (SMS) is exploited in the control plane. The performance of the proposed model is evaluated under different security scenarios as well as compared with other methods, where the model's high security and reduction of false alarms are demonstrated.

Index Terms—Intrusion Prevention, Intrusion Detection, Anomaly Detection, Collaborative Security, Fog Computing, Software-Defined Network.

I. INTRODUCTION

Wireless Sensor Networks (WSNs) provide infrastructure-free communications over shared wireless channels without the need for fixed infrastructures or centralized access points. Sensor networks comprise a set of dynamic cooperating nodes, forming one of the most promising wireless technologies, which introduce a new wireless transmission paradigm by employing multi-hop information transfer. WSNs have significant potential applications in the fields of transportation, agriculture, industrial automation, process monitoring, military surveillance, environment monitoring, health-care, etc. According to [1], these wireless sensors need to be self-configured into a network to process and interpret sensor measurements, and convey this information to a centralized control location.

Moreover, traditional WSNs typically consist of routers and switches as network devices. Therefore, as they grow, they become difficult to monitor and update. Meanwhile, large-scale WSNs are also heterogeneous due to the use of different communication protocols, which fundamentally means they consist of different network clusters that only cooperate at a low level of communication [2]. Since the distributed management of a communication protocol determines which node can receive or transmit data, this makes the global vision and the applicability of security mechanisms in the network a very complex task. Further, as the scale of the WSN expands, it is faced with several constraints, such as resource and energy restrictions, processing, memory, and communication capabilities. To address these constraints, the deployment of a lightweight security framework which includes the centralization of intelligent features becomes essential.

With the emergence of 5G, promising technologies such as Software-Defined Networks (SDNs) and Network Function Virtualization (NFV) have been designed to support innovations and enable simple programmable control of data paths in wireless sensor nodes [3]. These technologies provide WSNs with the capability of being programmed upon request. In addition, they allow multiple isolated sensor functions, by addressing and forwarding mechanisms, to share the same physical infrastructure. Furthermore, SDNs allow network administrators to manage network services through the abstraction of lower-level functionalities. This is done by decoupling the control plane, which makes decisions about where traffic is sent, from the underlying data plane, which forwards traffic to the selected destinations. As a consequence, computational complexity is reduced while throughput is enhanced. In addition, the SDN approach to WSNs seeks to alleviate most of the challenges and ultimately foster efficiency and sustainability in WSNs. Thus, the control plane can dynamically enforce flow rules when the data plane requires it. However, this control operation can cause serious problems when there are excessive requests from the data plane to the control plane. On the other hand, if the data plane receives many requests in a short period of time, it can flood the control plane with messages. Moreover, a flow table in the constrained data plane can also be flooded by rules for handling requests [4].

Despite the high programmability and automation of WSNs gained from 5G, these networks are not immune to malicious users. Since network intelligence is centralized in SDN controllers, protecting the communications throughout the data and the control planes is critical [5]. For instance, the centralized network intelligence might become a victim of malware [6].

In the SDN environment, some WSN-unique data plane threats can take place. Under such scenarios, fake traffic flows caused by both flawed devices and malicious sensor nodes can compromise the entire SDN architecture. Similarly, OpenFlow switches and resource-constrained nodes can be disrupted by network elements infected with Denial of Service (DoS) attacks such as black hole attacks, selective forwarding attacks, hello flood attacks, and Sybil attacks [6], [7]. It is evident from the above discussion that the disruptive SDN technology is also prone to different attack vectors.

C. Miranda, G. Kaddoum, S. Garg, and K. Kaur are with the Department of Electrical Engineering, École de Technologie Supérieure, Montreal, Canada. C. Miranda and G. Kaddoum are the corresponding authors (e-mails: [email protected], [email protected]).

E. Bou-Harb is with the Department of Information Systems and Cyber Security at the University of Texas at San Antonio (USA).

In this vein, several works have been proposed to leverage the benefits of the SDN architecture for enhanced network security, such as virtual firewalls, access control, and deep packet inspection systems [6]. Motivated by their findings, the major contribution of the proposed work is on addressing the security issues prevalent in the SDN's data plane. In this direction, the work emphasizes the problem of authentication and high-precision anomaly detection in the untrusted and resource-constrained data plane of SDNs.

I.1 Motivation

Along this line of thought, a hierarchical security framework is proposed in this work. The proposed framework amalgamates a lightweight authentication with a collaborative anomaly detection system [8], which correlates the alerts of the lightweight IDSs distributed across the WSN.

The lightweight authentication system for the SDN's resource-constrained data plane demands an efficient Intrusion Prevention System (IPS)-based authentication scheme for Software-Defined Wireless Sensor Networks (SDWSNs). This scheme protects the network by allowing only correct information to be inserted by the authenticated nodes. Thus, authentication of the nodes needs to be performed continuously and frequently, thereby considerably increasing its complexity [9]. Furthermore, an IPS-based authentication scheme can be performed by using one or more validation factors including credentials, knowledge factors (key exchange), possession factors (tokens), and biometric factors (e.g., fingerprint recognition, iris, face, retina, etc.) [10]. Although validation factors might present a low-latency solution, they also introduce complexity due to recurrent authentication handovers. Nonetheless, traditional IPS-based authentication procedures rely on cryptographic keys and multiple handshakes, such as Authentication and Key Agreement (AKA) protocols. However, due to their high latency, infrequent handovers, and high computational cost, they were found unsuitable for the requirements of SDWSNs [11]. Although IPS-based authentication procedures can effectively identify malicious nodes, they cannot eliminate all of them, especially the ones launched from inside the network. Further, captured nodes can quickly launch attacks as they have total control over the encryption and authentication keys. Consequently, mobile nodes without additional protection are prone to be compromised, corrupted, and hijacked. To address these issues, IDS-based solutions can be an indispensable second line of defense to safeguard the data plane from insider attacks in SDWSNs. To this end, machine learning procedures like Support Vector Machines (SVMs) and neural networks [12] are usually employed. Nevertheless, such techniques typically introduce a non-negligible overhead and high computational cost in SDWSNs [13]. To minimize the overhead introduced by machine learning solutions, edge-based energy prediction models might be used [14].

However, the sensor nodes are individually prone to generate a tremendous number of alerts. According to [15], an alert does not always imply a problem; instead, it may just be an indication that the sensor has inspected some traffic which has matched a signature or a pattern. Thus, both malicious and trusted activity may be flagged as anomalous. These alerts are called false positives and can overwhelm a sensor network. This is because the sensor nodes only have local visibility of the network behavior. On the other hand, the stochastic nature of energy features in wireless communications means that an IDS-enabled energy prediction model might cause false positives as well. Accordingly, to minimize false alarms and make the decision-making process more efficient by correlating the decisions already taken by an IDS, the deployment of a real-time Smart Monitoring System (SMS) with the aid of a machine learning algorithm in the control plane becomes an encouraging solution.

Since the proposed SMS is located in the control plane, it can be customized with additional security services that address topology- and network-operator-specific requirements/issues. Consequently, instead of isolated security schemes, this work proposes a collaborative software-defined security framework to coordinate different security controls on each framework layer. Each security control is designed based on the criticality of the wireless environment, its security criteria, and its resource constraints.

I.2 Related work

A plethora of research works have been performed to address high-security and low-latency solutions for resource-constrained WSNs. In this context, some of the existing IPS-based authentication procedures have been developed using classical key management authentication mechanisms. For example, an IPS combining Internet Protocol (IP) trace-back with an enhanced adaptive acknowledgment (EAACK) was proposed in [16]. Moreover, Location-Based Keys (LBKs), binding private keys of individual nodes to both their identifications and geographic locations, were proposed in [17]. These approaches improved the security at the cost of increasing the latency of the network. To address the challenges associated with the low-latency requirements, some works used physical layer features. For instance, a two-factor user authentication mechanism was recommended in [18], where the authors devised an authentication mechanism comprising registration and authentication phases. Furthermore, the authors in [19]–[21] explored a biometric-based continuous authentication technique, without the need for an authentication server. These approaches reduced the latency but at the cost of increasing the complexity of the authentication procedures.

Furthermore, some works also exploited physical layer features in IDS to achieve low latency in WSNs. In this context, a novel intrusion detection scheme based on energy prediction for cluster-based WSNs was introduced in [22], wherein the authors used the energy states of wireless sensor nodes to predict malicious behaviors at a given time. Excessive false alarms are a common artifact of these approaches.

Consequently, machine learning procedures have been widely used to develop IDS-based solutions. For instance, the use of neural networks and watermarking techniques was suggested in [23]. An SVM methodology was proposed in [24], while a hybrid machine learning approach for network anomaly detection was put forward in [13]. A hybrid anomaly-based IDS was recommended in [12] which employed SVM and multi-layer perceptron (MLP) to identify anomalies in the network. Further, the authors in [25] presented an intrusion detection engine based on neural networks combined with a protection method based on a watermarking technique. While these algorithms improve the accuracy of network anomaly detection models, they also introduce high computational cost which is inadequate for WSNs. Even though relevant works have been proposed in the literature to target security issues in SDWSNs, challenges such as high security, excessive false alarms, low latency, and high computational cost still remain unaddressed.

Fig. 1: A collaborative security framework for SDWSNs. (a) SDN-based three-layer framework; (b) Security framework stack.

I.3 Contributions

To address these imperative challenges, in this paper, a bottom-up security framework is designed. The novelty of the proposed work lies in devising and evaluating a collaborative framework which amalgamates a recurrent lightweight authentication method in conjunction with an intrusion detection and a real-time smart monitoring system, achieving lightweight authentication and enhanced anomaly detection mechanisms in SDWSNs.

Since a single-gateway (cluster head) architecture is not scalable and might cause an incremental overhead in large-scale WSNs, the proposed work uses a cluster-based SDWSN architecture that provides a hierarchical organization to a flat sensor network topology and considerably reduces the latency of the network [26]. This architecture consists of four kinds of dynamic nodes, namely, cluster members, cluster heads, link nodes, and sink nodes. Further, in this framework, a Distributed Snapshot Algorithm (DSA) is executed to capture network snapshots periodically so as to obtain the global energy state of the WSN, wherein the global energy state corresponds to a map of the energy state for each node at a given moment. Moreover, the DSA is also used to dynamically adapt the network topology within the cluster to reduce the energy consumed for communication, thus extending the lifetime of the network while achieving an acceptable performance for data transmission [14].

The proposed framework hierarchically combines three security layers. At the bottom of this approach (Layer L1), an IPS-based authentication process is designed to provide a lightweight security scheme in the data plane. In the middle of the framework (Layer L2), an IDS-enabled energy prediction model within the edge is designed with the aim of supplying a cost-effective intrusion detection solution near the data plane. Finally, at the top of this framework (Layer L3), in the control plane, an SMS-based SVM algorithm is introduced to achieve isolation, high performance, enhanced anomaly detection, and efficient mitigation by segregating malicious nodes over the SDWSNs. Since the SMS-based SVM algorithm has global visibility of the sensor network, it can see the correlations between true positives, which lets it filter out the false positives. Thus, the main contributions of this work are summarized as follows:

1) A novel security scheme based on network snapshot readings, providing continuous authentication in large-scale SDWSNs, is proposed.

2) A watermarking technique is exploited to guarantee the accuracy of concurrent authentications while performing data integrity checks for the entire SDWSN.

3) The authentication method is improved by introducing a link node, which creates a connection between all the clusters of sensors.

4) An edge computing empowered IDS is leveraged to efficiently handle the limited resources in SDWSNs.

5) A two-label dataset is generated in the edge, with the aim to train an SVM classification algorithm that is subsequently used by the SMS, wherein the latter is deployed at the control plane and is designed to correlate the alerts from the low-delay IDSs distributed across the edge network.

Fig. 2: DSA-based authentication and a watermarking technique. [Figure: cluster members (data transmission); cluster head (data collection: compute fingerprint, generate watermark x, embed); sink (data processing: compute watermark y, detect y from the received data, AUTHENTICATED if x == y).]

Moreover, an analysis of the computational complexity is provided, and simulations showing the effectiveness of the proposed framework are executed by leveraging the AVISPA tool and MATLAB. The results demonstrate an accuracy of 84.75%.

The remainder of this paper is organized as follows: Section II and Section III introduce the different layers of the proposed framework. In Section IV, security analysis and performance evaluation are conducted. Finally, the paper is concluded in Section V, where some future endeavors are also put forward.

II. SYSTEM MODEL

Aiming to achieve high security, address the limited resource constraints, and take advantage of SDN architectures, our work proposes a collaborative security framework design, as depicted in Fig. 1a. To summarize, the proposed security framework possesses a hierarchical structure and comprises three layers. At the bottom of the framework stack, in the data plane, in L1, an IPS-based authentication process is performed. In the middle, at the edge, in L2, an IDS-enabled energy prediction model is executed, and finally, in the control plane, in L3, the SMS-based SVM algorithm is designed. In this context, in L1, a cluster-based WSN is created [14] and the DSA is employed, where the sink nodes initiate the snapshot acquisition process by sending a marker message to their cluster heads in order to form a global energy state of the network. Afterwards, the marker message is propagated to the cluster members. Each member sends its energy state back to its cluster head after receiving the message. Once the cluster head collects the global energy state from its cluster members, it protects the data using a watermark-embedding method with the aid of a generated public key and other security parameters to ensure that the derived data will not be altered on the fly by possible malicious attackers. Consequently, the network snapshot and the watermarked data are forwarded to the sink node. Likewise, the sink sends a copy of the energy map to the control plane, which is located in the cloud. Moreover, in the edge, the sink node periodically receives the snapshot readings aiming to detect the embedded watermark for the sake of continuous authentication and for the subsequent energy consumption prediction procedure. Furthermore, correctly watermarked data is considered reliable, while data without a correct watermark is marked as unreliable. Subsequently, in L2, an IDS-enabled energy prediction model is executed, where a Markov chain prediction procedure is used to detect nodes' misbehavior. Conclusively, to amalgamate this framework, in the control plane, in L3, an SMS-based SVM algorithm is designed where the dataset resulting from L2 is processed by employing an SVM classification algorithm. A summary of the security framework stack is presented in Fig. 1b.

III. PROPOSED SCHEME

In the following subsections, the proposed L1, L2, and L3 layers along with their corresponding stack of algorithms are elaborated.

III.1 L1: IPS-based authentication process

In SDWSN applications, the reliability and the integrity features of the cluster nodes should not be compromised. However, if the data transmission is not reliable, the integrity of the whole network is affected. To handle this security challenge, this work considers deploying an IPS-based authentication mechanism which is an amalgamation of the DSA and watermarking techniques. The designed mechanism aims to provide a two-way authentication handover between the cluster node, the cluster head, and the sink node.

In the following subsections, the sublayers, the DSA-based authentication procedure, and the watermarking-based authentication technique are detailed.


III.1.1 L1.1: DSA-based authentication procedure

As illustrated in Fig. 2, this procedure starts when the sink node initiates snapshot acquisition by sending the first message to its cluster head; from there, the request message is propagated to every cluster member. After receiving this message, every cluster member sends its energy state back to its cluster head, which is then used to generate the key fingerprint with other security parameters. It is worth mentioning that a link node could receive multiple request messages from multiple cluster heads. Thus, each link node must send a reply back to all of them, in order to provide scalability for large-scale WSNs and maximize the efficiency of the authentication procedure. Before data transmission, the energy state of the cluster heads is embedded into the global energy state gathered by them. The concurrent snapshot readings gathered in a given time by the $u$-th cluster head are represented as follows.

$$GS^u_l = [ES^u_{1,t_1}, ES^u_{2,t_2}, \ldots, ES^u_{i,t_i}], \quad (1)$$

where $GS^u_l$ represents the snapshot readings collected in $l$ cycles at time of arrival $t_i$ from the $i$-th cluster member $ES^u_{i,t_i}$ to the $u$-th cluster head. This time of arrival significantly reduces the possibility of impersonation of the $GS^u_l$ vector by an intruder. This is due to the random behavior of wireless communications, which makes the time of arrival unforeseeable [27]. The cluster head then averages the $GS^u_l$ vector to generate the $k^{th}_u$ fingerprint using the following equation.

$$k^{th}_u = E[GS^u_l], \quad (2)$$

where $E[\cdot]$ is the mean operator.

Afterwards, the $k^{th}_u$ fingerprint is encrypted with the Advanced Encryption Standard (AES) algorithm with a key length of 128 bits [28]. The generated $k^{th}_u$ fingerprint contributes to making the public key unpredictable.

Further, the aim of the DSA is to obtain a distributed network global state by recording the consistent energy state at a specific time [29]. In this sense, as shown in Fig. 1b, the DSA is divided into four algorithms hierarchically distributed as follows:

• The Snapshot-Initiation (SI) algorithm (L1.1.1), launched by the sink node;

• The Snapshot-Acquisition (SA) algorithm (L1.1.2), exploited by the cluster head;

• The Snapshot-Gathering (SG) algorithm (L1.1.3), executed by the cluster members;

• The Snapshot-Synchronization (SC) algorithm (L1.1.4), exploited by the sink and the cluster head nodes.

Next, we detail the four algorithms, which use the notations presented in Table I.

TABLE I: Algorithms' notations

$S$: the vector of cluster heads' identification

$C_u$: the vector of cluster members' identification

$Z_u$: the vector of cluster members' identification whose snapshot is not collected by the sink at timeout

$R_u$: the watermarked data

$M_{red}$: a request message from the sink node to the $i$-th cluster members

$M^u_{white,i}$: a response message from the $i$-th cluster members to the sink

$t_w$: the timeout for generating a new snapshot message at the sink node

$W_u$: a random position used to select the most significant bits (MSB) at the $u$-th cluster head

$v_u$: a value used to control the proportion of the marked data at the $u$-th cluster head

$\alpha_u$: a value used to calculate the embedded location of the marked data at the $u$-th cluster head

a) L1.1.1: Snapshot-initiation algorithm

Since the DSA collects snapshots through messages, it is important to ensure message delivery. Thus, in order to solve this problem, we implement a two-way handshake between the cluster node and the sink node. Here, the authentication procedure relies on the SI algorithm, which assumes that the number of sensor nodes and their first snapshot are known by the sink in a setup stage. The sink ensures reliable $ES^u_{i,t_i}$ delivery by keeping a table indexed by the nodes' identification. In this context, the sink node sends an initial $M_{red}$ message to its cluster head. The SI algorithm execution ends only when the sink node acquires the network snapshot from all functioning nodes. In this manner, the sink node waits until timeout $t_w$ expires. Once the sink receives $R_u$, a flag is set to true for all the nodes that have already sent their corresponding $ES^u_{i,t_i}$; otherwise, it remains false, as shown in Algorithm 1. After the timeout expiration, the sink node checks the content of the table in order to find the nodes which have not yet sent their energy state.

Algorithm 1 SI algorithm

procedure SNAPSHOT-INITIATION()
    mMessage ← M_red
    while t_w ≠ timeout do
        R_u ← SNAPSHOT-ACQUISITION(S, C_u, mMessage)
        if ES^u_{i,t_i} ≠ null then
            flag ← true
            WATERMARK-DETECT(R_u, S, C_u, k^th_u, W_u, v_u, α_u)
        else
            flag ← false

b) L1.1.2: Snapshot-acquisition algorithm

In response to the sink's request, the SA algorithm is executed. Initially, the $u$-th cluster head takes a backup of its current $ES^u_{i,t_i}$ to be used, if necessary, by the SC algorithm. Subsequently, the periodic snapshot acquisition is performed, where the $u$-th cluster head acquires the initial $M_{red}$, which is propagated to its cluster members. This procedure continues until the cluster head collects the energy states of all the cluster members. The acquisition of the initial message is achieved by the SA algorithm as follows.

Algorithm 2 SA algorithm

procedure SNAPSHOT-ACQUISITION(S, C_u, mMessage)
    while S ≠ null do
        GS^u_l ← SNAPSHOT-GATHERED(S, C_u, mMessage)
        mMessage ← M^u_{white,i}
    return WATERMARK-EMBED(GS^u_l, data, k^th_u, W_u, v_u, α_u)

c) L1.1.3: Snapshot-gathering algorithm

Once a cluster member receives $M_{red}$ from its cluster head, it takes a backup of its current $ES^u_{i,t_i}$. Then, it sets its marker message to $M^u_{white,i}$. Afterwards, as noted in Algorithm 3, it sends its $ES^u_{i,t_i}$ and the marker message to its cluster head. As soon as the cluster head gathers $ES^u_{i,t_i}$ from all its cluster members, it averages the $GS^u_l$ vector to generate the $k^{th}_u$ fingerprint.

Algorithm 3 SG algorithm

procedure SNAPSHOT-GATHERED(S, C_u, mMessage)
    while C_u ≠ null do
        mMessage ← M^u_{white,i}
    return ES^u_{i,t_i}, mMessage

d) L1.1.4: Snapshot-synchronization algorithm

The SC algorithm aims to achieve reliability in detecting the missing control states within a defined acquisition time frame and forces these specific nodes to resend their backed-up states to the sink node. In this manner, if a node receives a retransmission request from its cluster head, it means that the sink has not yet gathered its energy state.

The synchronization algorithm is designed to handle two scenarios which might cause premature delivery. The first scenario is when the initial message is not picked up by the node (i.e., the snapshot is not taken), and the $ES^u_{i,t_i}$ is not generated. The second scenario is when the initial message is received and the $ES^u_{i,t_i}$ is sent, but it does not reach the sink node.

Once the sink node receives the global energy states from its cluster heads, it sets the flag belonging to the sender node to indicate successful reception of the state information. When $t_w$ expires, if there are flags containing false, the sink performs the synchronization procedure for the nodes in $Z_u$, i.e., the nodes from which the $ES^u_{i,t_i}$ has not been gathered yet. The synchronization procedure is provided in Algorithm 4.

Algorithm 4 SC algorithm

procedure SNAPSHOT-SYNCHRONIZATION(S, Z_u, M_red)
    while Z_u ≠ null do
        SNAPSHOT-ACQUISITION(S, Z_u, M_red)
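The four DSA algorithms (SI, SA, SG and SC) as one exchange, added here as a constructed Python simulation rather than the paper's own code; the two-member clusters, the energy values, the round-based stand-in for the timeout $t_w$ and the counters that model the two failure scenarios are assumptions.

```python
"""Constructed simulation of the DSA snapshot exchange (Algorithms 1-4):
the sink initiates (SI), cluster heads acquire (SA), members gather (SG),
and after the timeout the sink synchronises the missing states (SC)."""
from statistics import mean

M_RED = "M_red"      # request marker: sink -> cluster head -> members
M_WHITE = "M_white"  # response marker: member -> cluster head -> sink


class Member:
    """Cluster member i holding its energy state ES_{i,t_i}."""

    def __init__(self, node_id, energy, miss_marker=0, lose_reply=0):
        self.node_id = node_id
        self.energy = energy
        self.backup = None
        self.miss_marker = miss_marker  # scenario 1: first N requests never heard
        self.lose_reply = lose_reply    # scenario 2: first N replies sent but lost

    def snapshot_gather(self, marker):
        """SG: back up ES, then answer M_red with (id, ES, M_white)."""
        if marker != M_RED:
            return None
        if self.miss_marker > 0:
            self.miss_marker -= 1
            return None                 # marker not picked up, no ES generated
        self.backup = self.energy       # backed-up state, resent on request
        if self.lose_reply > 0:
            self.lose_reply -= 1
            return None                 # ES was sent but never reached the sink
        return (self.node_id, self.backup, M_WHITE)


class ClusterHead:
    def __init__(self, head_id, members):
        self.head_id = head_id
        self.members = {m.node_id: m for m in members}

    def snapshot_acquisition(self, targets, marker):
        """SA: propagate the marker to `targets`, return {node_id: ES} collected."""
        gs = {}
        for node_id in targets:
            reply = self.members[node_id].snapshot_gather(marker)
            if reply is not None:
                gs[reply[0]] = reply[1]
        return gs


class Sink:
    def __init__(self, heads, timeout_rounds=2):
        self.heads = heads
        # Table indexed by node id; the flag turns true once ES_{i,t_i} arrived.
        self.flags = {nid: False for h in heads for nid in h.members}
        self.states = {}
        self.timeout_rounds = timeout_rounds  # stands in for the timeout t_w
        self.log = []

    def missing(self):
        """Z_u: nodes whose snapshot the sink has not collected yet."""
        return [nid for nid, done in self.flags.items() if not done]

    def _collect(self, targets):
        for head in self.heads:
            mine = [nid for nid in targets if nid in head.members]
            for nid, es in head.snapshot_acquisition(mine, M_RED).items():
                self.flags[nid] = True
                self.states[nid] = es

    def snapshot_initiation(self, max_sync_rounds=5):
        """SI: request states until t_w, then run SC for the nodes in Z_u."""
        for _ in range(self.timeout_rounds):
            self._collect(self.missing())
        self.log.append(("after_timeout", self.missing()))
        rounds = 0
        while self.missing() and rounds < max_sync_rounds:   # SC loop
            self._collect(self.missing())
            rounds += 1
        self.log.append(("after_sync", self.missing()))
        return self.fingerprints()

    def fingerprints(self):
        """k^th_u = E[GS^u_l]: mean energy state per cluster head (Eq. 2)."""
        out = {}
        for head in self.heads:
            gs = [self.states[nid] for nid in head.members if nid in self.states]
            out[head.head_id] = mean(gs) if gs else None
        return out


def run_example():
    """Two clusters; node 2 misses three markers, node 3 loses two replies."""
    ch1 = ClusterHead("CH1", [Member(1, 0.90), Member(2, 0.75, miss_marker=3)])
    ch2 = ClusterHead("CH2", [Member(3, 0.60, lose_reply=2), Member(4, 0.80)])
    sink = Sink([ch1, ch2], timeout_rounds=2)
    fps = sink.snapshot_initiation()
    return sink, fps
```

With two SI rounds, nodes 2 and 3 are still in $Z_u$ when the timeout expires; the SC loop re-requests only those two until both flags are true, and only then are the per-cluster fingerprints formed.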

Intuitively, a snapshot reading can be visualized as a representation of the energy map collected from the entire sensor network, where each node is analogous to a pixel, and its reading indicates the pixel's intensity. Therefore, this snapshot can be embedded within a watermark [30].

In the following subsection, a continuous watermarking-based authentication technique is considered to ensure the reliability of data transmission by authenticating the identity of sensor nodes.

III.1.2 L1.2: Watermarking-based authentication technique

The watermarking-based authentication technique is designed to determine the authenticity of the data transmitting node and guarantee the integrity of the data. For this purpose, the proposed technique is composed of three algorithms distributed hierarchically as follows:

• The Watermark-Generation (WG) algorithm (L1.2.1), executed by the cluster head;

• The Watermark-Embedding (WE) algorithm (L1.2.2), performed by the cluster head;

• The Watermark-Detection (WD) algorithm (L1.2.3), launched by the sink node.

According to this model, the proposed technique operates in three phases: data transmission, data collection, and data processing, as depicted in Fig. 2. In this context, an approximation of the algorithm in [31] is used with the aid of the $k^{th}_u$ fingerprint, which was previously built in the data processing phase.

a) L1.2.1: Watermark-generation algorithm

The WG algorithm employs the most significant bit (MSB) and the least significant bit (LSB) techniques to improve the integrity of the procedure [32], [33]. Each element of the collected data is given by Eq. (1). For each data element, $GS^u_l$ and $k^u_{th}$ are inputted into a one-way hash function, following which $h = \mathrm{Hash}(k^u_{th}, GS^u_l)$ is calculated. A bit of watermark $WM[i]$ is obtained by calculating the XOR of the $W_u$ bits of $\mathrm{MSB}(h)$, which represents the most significant bits of $h$. The watermark $WM$ is the collection of $WM[i]$. Thus, the snapshot is only authenticated by the watermark generation algorithm, which is shown in Algorithm 5.

Algorithm 5 WG algorithm

procedure WATERMARK-GENERATE(GS^u_l, k^u_th, W_u)
    for each GS^u_l do
        h ← Hash(k^u_th, GS^u_l)          ▷ select W_u bits from MSB(h)
        WM[i] ← XOR(MSB(h), W_u)
    end for
    return WM[i]
end procedure

b) L1.2.2: Watermark-embedding algorithm

The aim of this algorithm is to embed the watermark generated in WG into the sent data. Towards this end, we use the LSB technique, which is executed before inserting some random values into the sent data for each watermark bit $WM$. The random value of each snapshot is calculated by introducing the most significant bits of the sent data, $GS^u_l$ and the $k^u_{th}$ key into a random function. The $k^u_{th}$ key is the same as in WG. The parameter $v_u$ is chosen in a range from two to nine to control the proportion of the marked data. The watermark is embedded into each data item only when the random value can be divided exactly by the proportion of the marked data, $v_u$. Consecutively, the random values are used to calculate the embedding location in the least significant bits. Conclusively, the $x$th LSB of each data item is replaced by the watermark bits $WM$ generated by Algorithm 5. The Watermark-Embedding (WE) technique is shown in Algorithm 6.

Algorithm 6 WE Algorithm

procedure WATERMARK-EMBED(GS^u_l, data, k^u_th, W_u, v_u, α_u)
    WATERMARK-GENERATE(GS^u_l, k^u_th, W_u)
    for each WM do                          ▷ calculate the random value for the data item
        g ← Rand(k^u_th, GS^u_l, MSB(data))
        if (g mod v_u == 0) then            ▷ calculate the embedding location
            x ← g mod α_u
            xth LSB(data) ← WM[i]
        end if
    end for
end procedure

c) L1.2.3: Watermark-detection algorithm

Once the watermark message is constructed by the cluster head with the energy state of each cluster member, the $k^u_{th}$ key, and other security parameters, the cluster head is then able to forward it in a distributed manner to the sink node. As soon as the watermarked message is received by the sink, a watermark-detection algorithm is initiated which extracts and verifies the watermark to determine each node's authenticity. The Watermark-Detection (WD) technique is described in Algorithm 7. If the watermark-detection rate is larger than a threshold $\beta$, then the watermark is detected, which corroborates the node's authenticity. The value of $\beta$ is given by each energy state and its corresponding energy consumption threshold, which needs to be set up in the configuration stage [34]. To maintain the security framework's performance, only the data transmission process between the cluster head and the sink node is watermarked. It is worth mentioning that the unwatermarked $ES^u_{i,t_i}$ transmitted between the member nodes does not affect the reliability of the proposed architecture. This is because a cluster member could share the $ES^u_{i,t_i}$ with more than one cluster head, creating a link between the cluster nodes that renders the continuous network snapshots and readings unpredictable.

Algorithm 7 WD Algorithm

procedure WATERMARK-DETECT(R_u, GS^u_l, k^u_th, W_u, v_u, α_u)   ▷ k^u_th, W_u, v_u and α_u are the same as in Algorithm 6
    tot ← 0
    match ← 0
    WATERMARK-GENERATE(GS^u_l, k^u_th, W_u)
    for each WM do
        g ← Rand(k^u_th, GS^u_l, MSB(R_u))
        if g mod v_u = 0 then
            x ← g mod α_u
            tot ← tot + 1
            if xth LSB(R_u) = WM[i] then
                match ← match + 1
            end if
        end if
    end for
    rate ← tot/match
    if rate > β then return true else return false
end procedure
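The following Python is an added worked example of Algorithms 5, 6 and 7 together (WE and WD both rebuild the watermark with WG, so one block serves all three); it is not the paper's code. Where the paper leaves a primitive open, the example assumes: Hash is HMAC-SHA256 keyed with $k^u_{th}$; Rand is a second, domain-separated keyed hash truncated to 32 bits; $GS^u_l$ is a list of per-node snapshot identifiers that travel intact beside the readings; each data item is a 16-bit unsigned reading whose MSB(data) is its upper byte; and $\alpha_u \le 8$, so the marked bit always lands in the lower byte and MSB(data), hence Rand and the marked positions, is identical at the sink. Algorithm 7 writes the rate as tot/match; the example uses the fraction of marked positions that match (match/tot) so that $\beta$ is a value in [0, 1), and returns false when no position was marked. Key, identifiers and readings are constructed demo values.

```python
"""Watermark generation, embedding and detection after Algorithms 5-7.
Added example, not the paper's code; see the assumptions in the comments."""
import hashlib
import hmac


def watermark_generate(gs, k_th, w_u):
    """Algorithm 5: one watermark bit per snapshot element.
    WM[i] = XOR of the w_u most significant bits of Hash(k_th, GS[i]).
    Hash is assumed to be HMAC-SHA256; w_u <= 8 so the bits come from h[0]."""
    wm = []
    for element in gs:
        h = hmac.new(k_th, element, hashlib.sha256).digest()
        top_bits = h[0] >> (8 - w_u)
        wm.append(bin(top_bits).count("1") & 1)   # XOR of the selected bits = parity
    return wm


def _rand(k_th, element, msb):
    """Rand(k_th, GS, MSB(data)): a keyed hash truncated to 32 bits (assumption)."""
    mac = hmac.new(k_th, b"rand|" + element + bytes([msb]), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def watermark_embed(gs, data, k_th, w_u, v_u, alpha_u):
    """Algorithm 6: write WM[i] into the x-th LSB of data[i] when v_u divides Rand.
    alpha_u <= 8 keeps x in the lower byte, so MSB(data) (upper byte) is unchanged."""
    wm = watermark_generate(gs, k_th, w_u)
    out = []
    for element, reading, bit in zip(gs, data, wm):
        g = _rand(k_th, element, reading >> 8)
        if g % v_u == 0:
            x = g % alpha_u
            reading = (reading & ~(1 << x)) | (bit << x)
        out.append(reading)
    return out


def watermark_detect(received, gs, k_th, w_u, v_u, alpha_u, beta):
    """Algorithm 7: rebuild WM, re-derive the marked positions from the received
    readings and compare the embedded bits; detected when rate > beta."""
    wm = watermark_generate(gs, k_th, w_u)
    tot = match = 0
    for element, reading, bit in zip(gs, received, wm):
        g = _rand(k_th, element, reading >> 8)
        if g % v_u == 0:
            x = g % alpha_u
            tot += 1
            if (reading >> x) & 1 == bit:
                match += 1
    if tot == 0:            # nothing was marked: no evidence of authenticity (assumption)
        return False
    rate = match / tot      # fraction of matching marked bits (paper writes tot/match)
    return rate > beta


# Constructed demo inputs (not values from the paper).
KEY = b"k_th-fingerprint-demo"
GS = [f"node{i}:mode{i % 4}".encode() for i in range(64)]     # per-node identifiers
DATA = [(1000 + 37 * i) & 0xFFFF for i in range(64)]          # 16-bit readings
W_U, V_U, ALPHA_U, BETA = 4, 2, 8, 0.9


def demo():
    """Embed, verify, then flip the lower byte of every reading and verify again.
    Returns (genuine_detected, tampered_detected)."""
    marked = watermark_embed(GS, DATA, KEY, W_U, V_U, ALPHA_U)
    genuine = watermark_detect(marked, GS, KEY, W_U, V_U, ALPHA_U, BETA)
    tampered = [r ^ 0xFF for r in marked]    # MSB untouched, every marked bit inverted
    forged = watermark_detect(tampered, GS, KEY, W_U, V_U, ALPHA_U, BETA)
    return genuine, forged


if __name__ == "__main__":
    print(demo())
```

The tampering in `demo()` leaves the upper byte alone, so the sink re-derives exactly the same marked positions but finds every embedded bit inverted and the rate drops to zero; a forger who cannot compute Rand and WM without $k^u_{th}$ has no better option than such blind edits.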

Furthermore, it is important to highlight that the snapshot synchronization and watermark detection processes are added to the data processing phase to address the limited computational capabilities and storage capacity in SDWSNs.

III.2 L2: IDS-enabled energy prediction model

To execute DoS attacks, malicious nodes have to use additional energy. In this context, energy thresholds are set to identify malicious attacks [35]. Once the network nodes are authenticated, a second line of defense is initiated, taking advantage of physical layer features. Precisely, an IDS-enabled energy prediction model is employed at the edge with the aim of detecting DoS attacks such as Black hole attacks, Selective Forwarding attacks, Hello Flood attacks and Sybil attacks. Towards this end, we propose a snapshot prediction procedure (SPP) to detect the nodes' misbehavior. Further, a Markov chain model [14] is leveraged in order to predict energy states of SDWSNs.

a) L2.1: Snapshot prediction procedure

In this framework layer, a Markov chain model is presented as a promising solution to predict wireless sensor nodes' snapshot behavior. Towards this end, the nodes' energy states are represented by the transition states of a Markov chain model. In this context, each sensor node has $m$ transition states. Therefore, the $m$ transition states are classified into $m \in \{0\text{-sensing}, 1\text{-transmitting}, 2\text{-receiving}, 3\text{-sleeping}\}$. Eq. (1) is used as a sequence of random vectors to represent the transition probability of staying at each state in a given time. Thus, $ES^u_{i,t_i,l} = m$, assuming that the energy state of the $i$th cluster node to the $u$th cluster head, gathered at time $t_i$ and cycle $l$, is in mode of operation $m$ [36]. Furthermore, the transition probability $P_{m,j}$, that a node which is presently in state $m$ will be in state $j$ at the next transition, is represented by:

$$P_{m,j} = P\{ES^u_{i,t_i,l+1} = j \mid ES^u_{i,t_i,l} = m\}, \qquad (3)$$


The two-stage transition probability can be defined as

$$P^{(2)}_{m,j} = P\{ES^u_{i,t_i,l+2} = j \mid ES^u_{i,t_i,l} = m\}, \qquad (4)$$

where $P^{(2)}_{m,j}$ can be computed from $P_{m,j}$ using the following equation:

$$P^{(2)}_{m,j} = \sum_{d=1}^{N} P_{m,d}\, P_{d,j}, \qquad (5)$$

In cluster-based sensor networks, each cycle $l$ contains $q$ transition probabilities. Therefore, the $q$-step transition probability, denoted as $P^{(q)}_{m,j}$, is defined by the Chapman-Kolmogorov equation [37]:

$$P^{(q)}_{m,j} = \sum_{d=1}^{N} P^{(r)}_{m,d}\, P^{(q-r)}_{d,j}, \quad \text{for } 0 < r < q, \qquad (6)$$

Indeed, if the sink node is aware of the probabilities $P^{(q)}_{m,j}$ for all the network nodes and their initial state $ES_{i,t_i,l}$, it is easy to predict the energy transition of each sensor node. Thus, the prediction process can be described as follows:

1) When a sensor node is in a state $m$, the sink node counts the number of $q$ transition probabilities that a node will stay in state $j$ each cycle $l$. Since each cycle $l$ contains $q$ transition probabilities, the calculation is represented by $\sum_{q=1}^{l} P^{(q)}_{m,j}$.

2) Hence, the sink node predicts the energy consumption of the sensor node as follows:

$$E_p = \sum_{j=1}^{4} \left( \sum_{q=1}^{l} P^{(q)}_{m,j} \right) E^u_{i,j}, \qquad (7)$$

where $E^u_{i,j}$ represents the energy consumption of the $i$th cluster member to the $u$th cluster head in state $j$ after one transition. Aiming to predict a sensor node's energy state, given its initial node operation $E_{p_1}$, the procedure uses the first network snapshot collected by the sink node in the setup stage. Accordingly, once the snapshot is received, the next cycle for the sink node is the residual energy state $E_{r_1}$. Thus, the actual energy state $E_{a_1}$ is given by:

$$E_{a_1} = E_{p_1} - E_{r_1}. \qquad (8)$$

Subsequently, the residual energy $E_{r_1}$ received from all the nodes in the next cycle is denoted as $E_{r_1}$. The next energy state is represented as follows:

$$E_{a_1} = E_{r_1} - E_{r_1}. \qquad (9)$$

Therefore, if the actual energy state $E_{a_1}$ is different from the predicted one $E_{p_1}$, the sensor node is labeled malicious in the operating environment. On the contrary, if the current energy state $E_{a_1}$ is equal to the predicted one $E_{p_1}$, or within the allowed threshold, the sensor node is labeled trusted in the same environment. Afterwards, this dataset is watermarked using Algorithm 6 and forwarded to the control plane.

On the other hand, since a cluster member might become a cluster head in the next iteration, its actual energy consumption will be higher than in the previous iteration due to the collecting and watermarking processes. Hence, its increasing energy state transition likelihood will be inaccurate when the energy prediction procedure runs on the edge. This might cause a prediction error.

In addition, because they only have local visibility, the sensor nodes deployed across the data plane are individually prone to false positives. Both trusted and malicious activities cause changes in energy patterns on these nodes, thus both can be considered as anomalous activities. In this sense, there will be a lot of similarity between true positive alerts generated by different nodes in the network. Further, the prediction error is impacted by several environmental parameters such as the number of sensor nodes, the sink node's position, the network size, the communication range, and so on. Thus, these parameters might generate excessive false alarms as well. To this end, it becomes necessary to empower our IDS located at the edge with an additional layer of detection, which allows it to see the correlations between multiple instances of an attack. This is explained in the sequel.
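An added Python example (not the paper's MATLAB) of the snapshot prediction procedure above: the $q$-step probabilities of Eq. (6) obtained by repeated multiplication with the one-step matrix, the per-state sums $\sum_{q=1}^{l} P^{(q)}_{m,j}$ of step 1, the prediction $E_p$ of Eq. (7), and the trusted/malicious labelling that compares the actual energy with $E_p$ within an allowed threshold. The $4\times4$ transition matrix, the per-state energy vector (in the state order 0-sensing, 1-transmitting, 2-receiving, 3-sleeping) and the tolerance are constructed values, not parameters from the paper.

```python
"""Markov-chain energy prediction after Eqs. (3)-(7) and the labelling rule of L2.1.
Added example; the matrix, energies and tolerance below are constructed."""

STATES = {0: "sensing", 1: "transmitting", 2: "receiving", 3: "sleeping"}


def mat_mul(a, b):
    """Plain matrix product for small square matrices (no numpy dependency)."""
    n = len(a)
    return [[sum(a[m][d] * b[d][j] for d in range(n)) for j in range(n)] for m in range(n)]


def transition_power(P, q):
    """P^(q) by the Chapman-Kolmogorov rule of Eq. (6) with r = 1 applied q-1 times:
    P^(q)[m][j] = sum_d P[m][d] * P^(q-1)[d][j]."""
    result = P
    for _ in range(q - 1):
        result = mat_mul(P, result)
    return result


def stay_probability(P, m, l):
    """Step 1: for a node now in state m, sum_{q=1..l} P^(q)[m][j] for every state j."""
    n = len(P)
    acc = [0.0] * n
    for q in range(1, l + 1):
        pq = transition_power(P, q)
        for j in range(n):
            acc[j] += pq[m][j]
    return acc


def predict_energy(P, m, l, energy):
    """Eq. (7): E_p = sum_j ( sum_q P^(q)[m][j] ) * E_{i,j}."""
    probs = stay_probability(P, m, l)
    return sum(p * e for p, e in zip(probs, energy))


def label_node(actual, predicted, tolerance):
    """Trusted when the actual energy is within the allowed threshold of E_p,
    malicious otherwise (the L2.1 decision rule)."""
    return "trusted" if abs(actual - predicted) <= tolerance else "malicious"


# Constructed one-step transition matrix (rows sum to 1) and per-state energy
# per transition, in the order sensing, transmitting, receiving, sleeping.
P_DEMO = [
    [0.5, 0.5, 0.0, 0.0],
    [0.0, 0.5, 0.5, 0.0],
    [0.0, 0.0, 0.5, 0.5],
    [0.5, 0.0, 0.0, 0.5],
]
ENERGY_DEMO = [1.0, 4.0, 2.0, 0.1]
TOLERANCE_DEMO = 0.1


def demo(actual_energy):
    """Predict two cycles ahead from the sensing state and label the reported usage."""
    predicted = predict_energy(P_DEMO, 0, 2, ENERGY_DEMO)
    return predicted, label_node(actual_energy, predicted, TOLERANCE_DEMO)


if __name__ == "__main__":
    print(demo(5.3))   # a node that spent what the chain predicts
    print(demo(7.0))   # a node that spent far more than predicted
```

With `P_DEMO`, the two-step row for the sensing state is (0.25, 0.5, 0.25, 0) and the summed stay probabilities are (0.75, 1.0, 0.25, 0), so $E_p = 5.25$; a node reporting 7.0 is well outside the tolerance and is labelled malicious, while a node that became a cluster head and spent extra energy on collection and watermarking would, as the text warns, be flagged for the same reason.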

III.3 L3: SMS-based SVM algorithm design

At the top of the security framework, as depicted in Fig. 1a, a collaborative anomaly detection mechanism is introduced as a real-time centralized smart monitoring system based on SVM [13]. Towards this end, the information of trusted and malicious nodes, which is continuously received by the sink, is used to create a training dataset that contains 200 features (i.e., energy state transitions), and is labeled as either trusted or malicious node. Thus, the dataset is watermarked and delivered to the control plane. Since the SMS-based SVM has a global visibility of the WSN, it can see the correlations between true positives from a large number of weak sensor classifiers, providing a higher detection rate and a considerable reduction of false alarms.

The use of SVM in the IDS domain introduces several advantages, including the support for kernels and binary classification. However, it has some limitations since SVM, being a supervised learning method, requires labeled information for efficient learning. Thereby, it is essential to mention that such restrictions do not affect our proposed solution since the smart monitoring system receives information already marked by the edge. On the other hand, the SVM classification algorithm was chosen because of its ability to provide a higher detection accuracy in pattern recognition problems [38], [39].

Nevertheless, once the control plane receives the watermarked dataset, Algorithm 7 is immediately executed to verify the sink node's authenticity and recover the labeled dataset to execute the SVM classification algorithm. As a result, the nodes classified as malicious will be segregated from the data plane by removing them from the OpenFlow table.

a) L3.1: SVM classification algorithm

The SVM classification algorithm has a slack function and a penalty function to organize non-separable models [39]. Initially, given a set of points $X_i \in \mathbb{R}^d$, $i = 1, \dots, N$, where each $X_i$ belongs to one of the two classes with tags $Y_i \in \{-1, 1\}$.


These two classes define the detection of nodes. Assuming there is a hyperplane which separates the positive class (S) from the negative class (G), the positive ones represent the behavior of the trusted nodes and the negative ones represent the behavior of the malicious ones. All the training classes satisfy Eq. (10):

$$w^T X_i + b \geq 1, \quad \text{for all } X_i \in S$$
$$w^T X_i + b \leq -1, \quad \text{for all } X_i \in G, \qquad (10)$$

where $w$ is an adjustable weight vector, $X_i$ represents the input set of points, and $b$ is the bias term, as shown in Eq. (11):

$$Y_i(w^T X_i + b) \geq 1, \quad \text{for all } i = 1, \dots, N, \qquad (11)$$

Therefore, the set of data received by the control plane is linearly separable, where the distance between the hyperplane and the set of points $X_i$ is $1/\|w\|$. Therefore, the margin of the separation hyperplane is defined by $2/\|w\|$. The learning problem is reformulated, since by minimizing $\|w\|^2 = w^T w$, $w$ becomes subject to the linear separation limitations shown in Eq. (12). This formulation is equivalent to maximizing the hyperplane distance between the two classes, for which the maximum distance is called a support vector.

$$\min_{w,b}\; \phi(w) = \frac{1}{2}\|w\|^2 \quad \text{s.t. } Y_i(w^T X_i + b) \geq 1,\; X_i \geq 0,\; i = 1, \dots, N, \qquad (12)$$

Since $\phi(w) = \frac{1}{2}\|w\|^2$ is convex in $w$ and the constraints are linear in $w$ and $b$, we can guarantee an optimum solution. For this solution, the parameters in the quadratic programming (QP) only affect the training time and not the quality of the solution. On the other hand, the anomalies in the energy state sensors' transitions present characteristics of non-linearity and as a result are very difficult to classify. In this sense, to proceed with the non-linear approach, the Lagrange solution for this problem is described as

$$L(w, b, \Lambda) = \frac{1}{2}\|w\|^2 - \sum_{i=1}^{N} \lambda_i \left[ Y_i(w^T X_i + b) - 1 \right], \qquad (13)$$

where $\Lambda = (\lambda_i \dots \lambda_h)^T$ are the Lagrange multipliers, one for each data point. The solution to this quadratic programming problem is obtained by maximizing $L$ with respect to $\Lambda \geq 0$ and minimizing $\frac{1}{2}\|w\|^2$ with respect to $w$ and $b$. Lagrange multipliers are only non-zero when $Y_i(w^T X_i + b) = 1$, and the vectors for this case are called support vectors, since they are closest to the separating hyperplane. Furthermore, in the non-separable case, forcing zero training error leads to poor generalization. The SVM classification method uses a vector of slack variables $\sigma = (\xi_i \dots \xi_h)^T$ that measure the amount of violation of the constraints, taking into account the fact that some data points might be misclassified. The current optimization problem becomes the following:

$$\min_{w,b,\sigma}\; \phi(w, b, \sigma) = \frac{1}{2}\|w\|^2 + D \sum_{i=1}^{N} \xi_i^2 \quad \text{s.t. } Y_i(w^T X_i + b) \geq 1 - \xi_i,\; \xi_i \geq 0,\; i = 1, \dots, N, \qquad (14)$$

where $D$ is a regularization parameter that handles the balance between maximizing the margin and minimizing the training error. The value of $D$ is of importance since if $D$ is too small, insufficient stress is placed on fitting the training data, whereas if $D$ is too high, the algorithm might overfit the dataset.
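An added Python example (not the paper's MATLAB) of the soft-margin problem in Eq. (14) with squared slack, solved in the primal by full-batch gradient descent instead of the QP/Lagrangian route the text describes, on a constructed two-feature dataset in which trusted and malicious nodes form two separable clusters. It also carries the accuracy, detection-rate and false-alarm-rate definitions the paper applies in Section IV (Eqs. (15)-(17)), using the same counting convention (a true positive is a malicious node detected as malicious), so the trained classifier can be scored the way the paper scores L3. Linear kernel only; the RBF kernel and grid search behind Fig. 7 are not reproduced.

```python
"""Soft-margin SVM of Eq. (14) (squared slack, L2 loss) trained by gradient descent on
the primal, plus the Ac / Dr / Fa metrics of Eqs. (15)-(17).
Added example; the dataset and hyper-parameters are constructed."""


def make_demo_dataset():
    """Constructed two-feature 'energy transition' vectors.
    Trusted nodes (+1) cluster near (2, 2); malicious nodes (-1) near (-2, -2)."""
    pts, labels = [], []
    for i in range(20):
        dx, dy = (i % 5) * 0.2, (i // 5) * 0.2
        pts.append([2.0 + dx, 2.0 - dy])
        labels.append(+1)
        pts.append([-2.0 - dx, -2.0 + dy])
        labels.append(-1)
    return pts, labels


def train_svm(pts, labels, D=1.0, lr=0.02, iters=2000):
    """Minimise 1/2 ||w||^2 + D * mean_i xi_i^2 with xi_i = max(0, 1 - y_i (w.x_i + b)).
    The slack is never stored: it is recomputed from the current margin violation,
    which is exactly the constraint of Eq. (14) with xi_i at its smallest feasible value.
    Mean instead of sum keeps the step size independent of N."""
    n, dim = len(pts), len(pts[0])
    w, b = [0.0] * dim, 0.0
    for _ in range(iters):
        grad_w, grad_b = list(w), 0.0            # gradient of the regulariser is w
        for x, y in zip(pts, labels):
            score = sum(wk * xk for wk, xk in zip(w, x)) + b
            xi = max(0.0, 1.0 - y * score)
            if xi > 0.0:                         # only margin violators contribute
                coef = -2.0 * D * xi * y / n
                for k in range(dim):
                    grad_w[k] += coef * x[k]
                grad_b += coef
        w = [wk - lr * gk for wk, gk in zip(w, grad_w)]
        b -= lr * grad_b
    return w, b


def predict(w, b, x):
    """Sign of the decision function: +1 trusted, -1 malicious."""
    return 1 if sum(wk * xk for wk, xk in zip(w, x)) + b >= 0 else -1


def confusion(w, b, pts, labels):
    """TP/TN/FP/FN with the paper's convention: 'positive' means a malicious detection."""
    tp = tn = fp = fn = 0
    for x, y in zip(pts, labels):
        p = predict(w, b, x)
        if y == -1 and p == -1:
            tp += 1                 # malicious node detected as malicious
        elif y == 1 and p == 1:
            tn += 1                 # trusted node identified as trusted
        elif y == 1 and p == -1:
            fp += 1                 # trusted node detected as malicious
        else:
            fn += 1                 # malicious node recognised as trusted
    return tp, tn, fp, fn


def metrics(tp, tn, fp, fn):
    """Eq. (15) accuracy Ac, Eq. (16) detection rate Dr, Eq. (17) false-alarm rate Fa."""
    ac = (tp + tn) / (tp + tn + fp + fn)
    dr = tp / (tp + fp) if tp + fp else 0.0
    fa = fp / (fp + tn) if fp + tn else 0.0
    return ac, dr, fa


def demo():
    """Train on the constructed data and score it; returns (Ac, Dr, Fa)."""
    pts, labels = make_demo_dataset()
    w, b = train_svm(pts, labels)
    return metrics(*confusion(w, b, pts, labels))


if __name__ == "__main__":
    print(demo())
    print(metrics(183, 155, 26, 35))   # the Table V counts of Section IV
```

Applied to the Table V counts, `metrics(183, 155, 26, 35)` returns Dr ≈ 0.8756 and Fa ≈ 0.1436 (the paper reports 87.55% and 14.36%) and Ac = 338/399 ≈ 0.8471. On the constructed clusters the linear classifier separates every point, so the demo's Ac is 1.0 with no false alarms; the value of $D$ only matters once the two classes overlap.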

IV. SECURITY ANALYSIS AND PERFORMANCE EVALUATION

In the following subsections, we analyze the security features of the proposed IPS-based authentication process using the AVISPA tool. Moreover, a performance evaluation of layers L2 and L3 is also conducted using MATLAB.

IV.1 Formal Security Analysis of L1

In SDWSNs, the nodes could function as routers that discover and maintain the routing path among network nodes. The predicament is that the path relies on the trustworthiness of all the cluster nodes. Therefore, DoS attacks can easily be executed against routing paths in SDWSNs. DoS attacks attempt to suspend network operations by injecting malicious packets into the data stream or by modifying packets. For this purpose, DoS attacks against our proposed L1 are analyzed.

Foremost, in L1, a comparison of a conventional authentication procedure against the proposed authentication method is conducted under two use cases. In the first use case, the security of the traditional AKA protocol is examined [11]. Since this protocol shares its public key over the air, this use case considers that a malicious cluster head in the network knows the key. Hence, a fake node can perform a coordinated hijacking attack, taking control of the communication over the wireless data channel. On the contrary, in the second use case, in our proposed protocol, a malicious cluster head is unable to acquire knowledge about the key. This is because the proposed protocol does not send the key and other parameters over the air. These use cases are formalized and then assessed using the AVISPA tool as follows.

• Use Case 1: In this case, the Cluster Head (CH) sends $GS^u_l$ and the $k^u_{th}$ fingerprint in plain text on the fly to authenticate itself at the sink. As depicted in Fig. 3a, the analysis indicates UNSAFE, revealing that the protocol is vulnerable to impersonation.

• Use Case 2: In the proposed protocol, the CH sends $GS^u_l$ and the $k^u_{th}$ fingerprint obscured by a watermarked message on the fly to the sink. In contrast to the conventional algorithm, the cluster head, the sink, and the control plane generate the $k^u_{th}$ fingerprint and the watermark message separately, which improves the security as the $k^u_{th}$ key is never sent in plain text on the fly. The results shown in Fig. 3b indicate that this protocol is SAFE against the analyzed threats.


[Fig. 3, message-sequence diagrams between SINK and CH: (a) Without watermarked message: $M_{red}$, $K^u_{th}$, $M^u_{white,i}$, ACK; verdict UNSAFE. (b) With watermarked message: $M_{red}$, $M^u_{white,i}$, ACK; verdict SAFE.]

Fig. 3: Simulation results using Security Protocol Animator for AVISPA (SPAN)

IV.2 Informal Security Analysis of L1

In the following, we analyze how different DoS attacks might be performed, and how our proposed IPS prevents such attacks.

• Black hole attacks. This is an active attack [40], where the intruder node listens to a route request packet in the network, and responds with a claim of having a shorter route to the destination node, thus intercepting the packets without actually having access to the route. As a result, the intruder node could easily redirect big loads of network traffic to itself and can manipulate all the packets passing through it. Accordingly, this attack fails if the malicious node is unable to obtain the legitimate node's identity from the sink. In the proposed solution, the sink node extracts the watermark message with the $k^u_{th}$ fingerprint and other parameters. In this manner, the authentication request is denied if the sink node fails to match the watermarked data sent by the cluster head. Such a technique solves the problem of mischarged billing in SDWSNs [41]. Thus, the proposed scheme immunizes SDWSNs against black hole attacks.

• Selective Forwarding attacks. A selective forwarding attack is a network layer attack described in [42]. In multi-hop SDWSNs, the nodes send packets to their neighbors assuming that they have forwarded the messages to the destinations faithfully. In selective forwarding attacks, malicious nodes purposely refuse some packets and drop them. In this active attack, an intruder that is interested in eavesdropping on packets originating from a few selected nodes can reliably forward the remaining traffic, limiting the chances of being detected. In this matter, to identify and mitigate this attack, the proposed authentication method prevents the intruder from manipulating the traffic if the sink fails to match the watermarked data sent by the cluster head.

• Hello Flood attacks. Within SDWSNs, an intruder typically attempts to drain the energy of a node or exhaust its resources. An intruder with vast transmission power could broadcast HELLO packets to convince every other node in the network that the adversary is within one-hop communication range, causing a large number of nodes to waste energy in sending packets to this imaginary neighbor [40]. Subsequently, this active attack might be easily prevented if the sink is aware of the energy state of each network node. For this purpose, our IPS, which operates at the edge, performs a watermarking technique validating the authenticity of the data transmitting node and guaranteeing the integrity of the sent data.

• Sybil attacks. This active attack was introduced in [43], wherein the attacker (Sybil node) tries to forge multiple identities in a particular region. A Sybil node can fix the vote on group-based decisions and cause disruption in network services. When these nodes can no longer communicate, the attacker sends fake traffic, impersonating the network nodes. Therefore, to address this security threat, the first layer of the framework prevents the nodes from being imitated. Hence, the watermark message, the $k^u_{th}$ fingerprint, and other parameters are used to strengthen the two-way authentication process. These parameters are independently generated between the cluster nodes and the sink node to safeguard nodes and provide data authenticity. Furthermore, the links between the link node and its cluster heads reinforce the node and data authenticity. This is because the link node shares its energy states with more than one cluster head. Thus, each cluster head generates the watermarked message based on those energy states. Thereby, the more link nodes there are, the more reliable our solution becomes.

IV.3 Performance Evaluation of L2 and L3

In order to evaluate the performance of our collaborative anomaly detection approach across the L2 and L3 layers, it is essential to mention that the SDN paradigm aims to reduce the non-negligible overhead introduced by IDS-based machine learning algorithms [44]. For this reason, we assume L3 is deployed in an SDN controller located in the cloud and L2 is performed in an edge architecture near the end devices.

Even though the edge architecture aims to avoid the overhead of processing requests from the data plane towards the control plane, there are inaccuracies in the cluster-based energy model due to the overhead, packet dropping and propagation delay of refresh messages exchanged between the control plane, the sink, and the sensor nodes. To the best of our knowledge, the model approximation is still suitable for SDWSNs since frequent refreshing, and fine-tuning of routing parameters, can keep deviation within permissible limits [26]. Indeed, the overload analysis of the proposed SDN-based framework will be addressed in future work.

In the proposed work, we employed MATLAB to simulate various DoS attacks such as Black hole, Selective Forwarding, Hello Flood, and Sybil attacks in SDN setups. During these simulations, we compared the energy state transitions with the predicted results using the Markov chain model [45]. Towards this end, we employed different network parameters to depict the SDN data plane characteristics, as shown in Table II.

TABLE II: Network parameters of the data plane

Parameter                  Value
Number of nodes            400
Energy state transitions   200
Node placement             Random
Location of the sink       (50, 50)
Transmission range         25 m
Channel bandwidth          1 Mbps
Simulation time            1000 seconds
Propagation model          Free Space
Packet size                512 bytes
Initial energy             5 µJ/bit

Fig. 4: Energy state transition probability of trusted vs. malicious nodes

As depicted in Fig. 4, the obtained results illustrate the differences between the energy state transitions of a trusted node and a malicious one across the SDWSN. In black hole attacks, the malicious node maximizes its broadcast range as well as its signal strength. Thus, the energy consumption is significantly larger than the energy predicted. Subsequently, in Hello Flood attacks, the malicious node attracts the communications of cluster heads coming from the cluster nodes. Thus, the gap between the energy state of the Hello Flood attack and the predicted result is higher at the beginning, but it decreases gradually through the simulation. Additionally, the energy state transitions in the Sybil attack are far beyond the predicted result, thus it is the easiest to detect. Moreover, layer L2 of our framework recognizes Selective Forwarding attacks as well, where the malicious node could be undetected at the beginning of the simulation, but the probability of being inferred increases due to its signal strength variation in a given time.

In addition, it is worth mentioning that the energy statetransitions interconnect to each other at certain periods of time,which means that the gap between the attacks and the predictedresults is minimal. Thus, false alarms are generated.

Furthermore, Fig. 5 illustrates the gap generated between the energy state transitions based on the Markov chain model of trusted nodes and malicious nodes. Hence, the average detection probability of the energy transitions of the malicious nodes reaches 24.92%, which implies that the detection rate probability of a trusted node is 75.08%. As a result, 210 nodes were found to be trusted, whereas 190 nodes were marked as malicious.

[Fig. 5, plot: Energy States Prediction Rate (0.1 to 0.4) versus Number of Nodes (0 to 400), titled ENERGY PREDICTION PROBABILITY, annotated with the value 0.25095 (24.92%).]

Fig. 5: IDS-based Markov chain model

Some feature comparisons of layer L1 and layer L2 against cryptographic [11], [16] and machine learning (ML) approaches [12], [39], respectively, are introduced. As a result, in Table III, it can be noted that although our L1 provides important security features (F1, F2, F3), and is thus suitable for SDWSNs, it is still not sufficient to address insider attacks (F4).

TABLE III: IPS-based Authentication Solutions' Comparison

Solution            F1: Mutual Authentication   F2: Frequent Handover   F3: Outsider Attacks' Resiliency   F4: Insider Attacks' Resiliency
Crypto [11], [16]   ✓                           ✗                       ✓                                  ✗
Layer L1            ✓                           ✓                       ✓                                  ✗

As a consequence, in the results shown in Table IV, L2 appears to tackle insider attacks (F4) while providing low latency (F5). Additionally, a computational complexity (F6) comparison between our L2 and ML approaches is shown in Fig. 6. As a result, the proposed L2 maintains a linear complexity, while ML grows exponentially as the number of nodes increases, which makes it unsuitable for edge computing ecosystems. Nevertheless, L2 generates excessive false alerts (F7) as well.

TABLE IV: An illustrative comparison of IDS-based solutions

Solution       F4: Insider Attacks' Resiliency   F5: Low Latency   F7: Low Rate of False Alarms
ML [12], [39]  ✓                                 ✗                 ✓
Layer L2       ✓                                 ✓                 ✗

[Fig. 6, bar chart: Time (seconds) versus Number of Nodes (100, 200, 300, 400) for L2 and ML. Bar values read from the chart: 0.13, 0.11, 0.12, 0.14 (the flat series the text attributes to L2) and 0.44, 0.53, 0.83, 1.3 (the growing series the text attributes to ML).]

Fig. 6: An illustrative comparison of computational complexity analysis (F6)

In this context, to minimize the number of false alarms, determine the accuracy, and correlate the detection rate of the IDS performed at the edge, L3 is executed in the control plane. For this purpose, a binary SVM classifier is developed and employed in the control plane. Since the optimal parameter search plays a crucial role in building a prediction model with high accuracy, we employ a grid-search technique using 5-fold cross-validation to find the optimal parameter values of the kernel function for SVM [38]. The results shown in Fig. 7 were modeled using a Radial Basis Function (RBF) kernel.

The evaluation of L3's classifier accuracy uses L2's output as ground truth, where trusted and malicious nodes are represented by a non-linear classification model. The obtained results demonstrate that there are 61 False Alarms (FA), as shown in Table V.

Fig. 7: SMS-based SVM algorithm hyperplane

TABLE V: False alarm details

Layer   TP    TN    FP   FN   FA (FP+FN)
L3      183   155   26   35   61

where TP is the true positive (a malicious node detected as a malicious node), TN is the true negative (a trusted node identified as a trusted node), FP represents a false positive (a trusted node detected as a malicious node), and FN is a false negative (a malicious node recognized as a trusted node). The performance evaluation of the experiment is carried out by evaluating the accuracy $A_c$ of the framework, the detection rate $D_r$, and the false alarm rate $F_a$ by using the following equations [38].

$$A_c = (TP + TN)/(TP + TN + FP + FN), \qquad (15)$$

$$D_r = TP/(TP + FP), \qquad (16)$$

$$F_a = FP/(FP + TN), \qquad (17)$$

From the experimental results and the performance evaluation, $A_c$ is found to be 84.75%, $D_r$ is equal to 87.55%, which is an increase in comparison with the second layer, whereas the false alarm rate is equivalent to 14.36%. To the best of our knowledge, the concept of a unified SDN-based security framework stack, integrating IPS and a hierarchical collaborative anomaly detection system, has never been attempted in any previous research work.

V. CONCLUSION

In this paper, an SDN-based collaborative security framework, which combines IPS, IDS, and smart monitoring systems, taking advantage of energy snapshot readings, is proposed and evaluated. Initially, a distributed snapshot algorithm along with a watermarking technique is introduced, aiming to decrease the latency and enhance the recurrent authentication in wireless sensor nodes. Subsequently, the security features of the proposed multi-layer authentication approach regarding resiliency against various attacks are analyzed by executing automated protocol analysis using the AVISPA tool. Consequently, an IDS-enabled energy prediction model is designed at the network edge. Finally, to correlate the detection rate and reduce the false alarms that could be generated at the network edge, an SMS-based SVM algorithm is executed and tested in the control plane. In order to compute the accuracy and complexity of the proposed framework against the trusted and malicious traffic collected in the lower layers, we leveraged MATLAB. The results show that the proposed framework satisfies 5G security requirements and simultaneously provides high security, low computational complexity, and a considerable reduction of false alarms in SDWSNs, thanks to the introduction of the multilayer approach and recurrent snapshot readings. Furthermore, it is shown that the employment of the SMS-based SVM algorithm significantly improves the anomaly detection rate.

As for future work, we will implement the proposed security framework in an IoT-centric testbed. Moreover, our research will explore deep learning techniques to accurately classify and identify unknown anomalies in SDWSN environments with the aid of distributed SDN controllers at the edge. Such a deployment will promote decentralized decision-making and reduce the overhead introduced by the SDN controller located in the cloud.


REFERENCES

[1] B. Rashid and M. H. Rehmani, "Applications of wireless sensor networks for urban areas: A survey," Journal of Network and Computer Applicat., vol. 60, pp. 192–219, 2016.

[2] H. I. Kobo, A. M. Abu-Mahfouz, and G. P. Hancke, "A survey on software-defined wireless sensor networks: Challenges and design requirements," IEEE Access, vol. 5, pp. 1872–1899, 2017.

[3] S. Sun, L. Gong, B. Rong, and K. Lu, "An intelligent SDN framework for 5G heterogeneous networks," IEEE Commun. Mag., vol. 53, no. 11, pp. 142–147, 2015.

[4] L. Fawcett, S. Scott-Hayward, M. Broadbent, A. Wright, and N. Race, "Tennison: A distributed SDN framework for scalable network security," IEEE Journal on Sel. Areas in Commun., vol. 36, no. 12, pp. 2805–2818, 2018.

[5] A. De Gante, M. Aslan, and A. Matrawy, "Smart wireless sensor network management based on software-defined networking," in IEEE Commun. Biennial Symp., 2014, pp. 71–75.

[6] S. W. Pritchard, G. P. Hancke, and A. M. Abu-Mahfouz, "Security in software-defined wireless sensor networks: Threats, challenges and potential solutions," in 2017 IEEE Int. Conf. Ind. Inform., 2017, pp. 168–173.

[7] M. Liyanage, M. Ylianttila, and A. Gurtov, "Securing the control channel of software-defined mobile networks," in IEEE Int. Symp. World of Wireless, Mobile and Multimedia Networks, 2014, pp. 1–6.

[8] N. Boggs, S. Hiremagalore, A. Stavrou, and S. J. Stolfo, "Cross-domain collaborative anomaly detection: So far yet so close," in Int. Workshop on Recent Advances in IDS. Springer, 2011, pp. 142–160.

[9] C. Habib, A. Makhoul, R. Darazi, and C. Salim, "Self-adaptive data collection and fusion for health monitoring based on body sensor networks," IEEE Trans. Ind. Inform., vol. 12, pp. 2342–2352, 2016.

[10] P. Perera and V. M. Patel, "Efficient and low latency detection of intruders in mobile active authentication," IEEE Trans. Inform. Forensics and Security, vol. 13, pp. 1392–1405, 2018.

[11] M. Zhang and Y. Fang, "Security analysis and enhancements of 3GPP authentication and key agreement protocol," IEEE Trans. Wireless Commun., vol. 4, pp. 734–742, 2005.

[12] T. Ma, Y. Yu, F. Wang, Q. Zhang, and X. Chen, "A hybrid methodologies for intrusion detection based deep neural network with support vector machine and clustering technique," in Int. Conf. Frontier Computing. Springer, 2016, pp. 123–134.

[13] T. Shon and J. Moon, "A hybrid machine learning approach to network anomaly detection," Inform. Sci., vol. 177, pp. 3799–3821, 2007.

[14] G. Han, J. Jiang, W. Shen, L. Shu, and J. Rodrigues, "Idsep: A novel intrusion detection scheme based on energy prediction in cluster-based wireless sensor networks," IET Inform. Security, vol. 7, no. 2, pp. 97–105, 2013.

[15] A. Milenkoski, K. Jayaram, N. Antunes, M. Vieira, and S. Kounev, "Quantifying the attack detection accuracy of intrusion detection systems in virtualized environments," in IEEE Int. Symp. Soft. Rel. Eng., 2016, pp. 276–286.

[16] R. Murugesan, M. Saravanan, and M. Vijyaraj, "A node authentication clustering based security for adhoc network," in IEEE Int. Conf. on Commun. and Signal Process., 2014, pp. 1168–1172.

[17] C. Zhu, V. C. Leung, L. T. Yang, and L. Shu, "Collaborative location-based sleep scheduling for wireless sensor networks integrated with mobile cloud computing," IEEE Trans. Comput., vol. 64, pp. 1844–1856, 2015.

[18] D. Wang, D. He, P. Wang, and C.-H. Chu, "Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment," IEEE Trans. Dep. and Secure Comput., vol. 12, pp. 428–442, 2015.

[19] D. Jagadiswary and D. Saraswady, "Biometric authentication using fused multimodal biometric," Procedia Computer Science, vol. 85, pp. 109–116, 2016.

[20] G. Jaswal, A. Kaul, and R. Nath, "Multimodal biometric authentication system using hand shape, palm print, and hand geometry," in Computational Intel.: Theories, App. and Future Directions. Springer, 2019, pp. 557–570.

[21] I. Olade, H.-n. Liang, and C. Fleming, "A review of multi-modal facial biometric authentication methods in mobile devices and their application in head mounted displays," in IEEE SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI, 2018, pp. 1997–2004.

[21] I. Olade, H.-n. Liang, and C. Fleming, “A review of multi-modal facial biometric authentication methods in mobile devicesand their application in head mounted displays,” in IEEE Smart-World/SCALCOM/UIC/ATC/CBDCom/IOP/SCI, 2018, pp. 1997–2004.

[22] M. Amjad, H. K. Qureshi, M. Lestas, S. Mumtaz, and J. J. Rodrigues,“Energy prediction based mac layer optimization for harvesting enabledwsns in smart cities,” in IEEE Veh. Technology Conf., 2018, pp. 1–6.

[23] C. Yin, Y. Zhu, J. Fei, and X. He, “A deep learning approach for intrusiondetection using recurrent neural networks,” IEEE Access, vol. 5, pp.21 954–21 961, 2017.

[24] M. A. Ambusaidi, X. He, P. Nanda, and Z. Tan, “Building an intrusiondetection system using a filter-based feature selection algorithm,” IEEETrans. Comput., vol. 65, pp. 2986–2998, 2016.

[25] J. Kim, J. Kim, H. L. T. Thu, and H. Kim, “Long short term memoryrecurrent neural network classifier for intrusion detection,” in IEEE Int.Conf. Plat. Technol. and Service, 2016, pp. 1–5.

[26] M. Younis, M. Youssef, and K. Arisha, “Energy-aware routing in cluster-based sensor networks,” in IEEE Int. Symp. of Comput. and Telecommun.Systems, 2002, pp. 129–136.

[27] C. M. Moreira, G. Kaddoum, and E. Bou-Harb, “Cross-layer authenti-cation protocol design for ultra-dense 5G HetNets,” in IEEE Int. Conf.on Commun., 2018, pp. 1–7.

[28] C.-C. Lu and S.-Y. Tseng, “Integrated design of aes (advanced en-cryption standard) encrypter and decrypter,” in IEEE Int. App. Sys.,Architectures and Processors, 2002, pp. 277–285.

[29] G. Uslu, K. C. Serdaroglu, and S. Baydere, “Ds+: Reliable distributedsnapshot algorithm for wireless sensor networks,” J. of Comput. Net-works and Commun., vol. 2013, 2013.

[30] K. Hameed, A. Khan, M. Ahmed, A. G. Reddy, and M. M. Rathore,“Towards a formally verified zero watermarking scheme for data in-tegrity in the internet of things based-wireless sensor networks,” FutureGeneration Computer Systems, vol. 82, pp. 274–289, 2018.

[31] D. E. Boubiche, S. Boubiche, and A. Bilami, “A cross-layerwatermarking-based mechanism for data aggregation integrity in het-erogeneous wsns,” IEEE Commun. Letters, vol. 19, no. 5, pp. 823–826,2015.

[32] P. Sole and D. Zinoviev, “The most significant bit of maximum-lengthsequences over/spl zopf/2/sup l: autocorrelation and imbalance,” IEEETrans. Inf. Theory, vol. 50, pp. 1844–1846, 2004.

[33] C.-C. Chang, J.-Y. Hsiao, and C.-S. Chan, “Finding optimal least-significant-bit substitution in image hiding by dynamic programmingstrategy,” Pattern Recognition, vol. 36, pp. 1583–1595, 2003.

[34] S. Shanthi and E. Rajan, “Comprehensive analysis of security attacksand intrusion detection system in wireless sensor networks,” in IEEEInt. Conf. Next Gen. Comput. Technologies, 2016, pp. 426–431.

[35] L. A. B. Pacheco, J. J. Gondim, P. A. S. Barreto, and E. Alchieri,“Evaluation of distributed denial of service threat in the internet ofthings,” in IEEE Int. Symp. on Network Computing and App., 2016,pp. 89–92.

[36] A. Cammarano, C. Petrioli, and D. Spenza, “Online energy harvestingprediction in environmentally powered wireless sensor networks,” IEEESensors Journal, vol. 16, no. 17, pp. 6793–6804, 2016.

[37] H. Haken and G. Mayer-Kress, “Chapman-kolmogorov equation andpath integrals for discrete chaos in presence of noise,” Zeitschrift furPhysik B Condensed Matter, vol. 43, no. 2, pp. 185–187, 1981.

[38] C. Venkatesan, P. Karthigaikumar, A. Paul, S. Satheeskumaran, andR. Kumar, “Ecg signal preprocessing and svm classifier-based abnor-mality detection in remote healthcare applications,” IEEE Access, vol. 6,pp. 9767–9773, 2018.

[39] W. Kim, M. S. Stankovic, K. H. Johansson, and H. J. Kim, “A distributedsupport vector machine learning over wireless sensor networks,” IEEETrans. Cybernetics, vol. 45, pp. 2599–2611, 2015.

[40] S. Gurung and S. Chauhan, “A review of black-hole attack mitigationtechniques and its drawbacks in mobile ad-hoc network,” in IEEE Trans.Signal Process., 2017, pp. 2379–2385.

[41] Y. Liu, M. Dong, K. Ota, and A. Liu, “Activetrust: Secure and trustablerouting in wireless sensor networks,” IEEE Trans. Inform. Forensics andSecurity, vol. 11, pp. 2013–2027, 2016.

[42] J. Ren, Y. Zhang, K. Zhang, and X. Shen, “Adaptive and channel-awaredetection of selective forwarding attacks in wireless sensor networks,”IEEE Trans. Wireless Commun., vol. 15, pp. 3718–3731, 2016.

[43] M. A. Jan, P. Nanda, X. He, and R. P. Liu, “A sybil attack detectionscheme for a centralized clustering-based hierarchical network,” in IEEETrustcom/BigDataSE/ISPA, vol. 1, 2015, pp. 318–325.

[44] A. A. Pranata, T. S. Jun, and D. S. Kim, “Overhead reduction schemefor sdn-based data center networks,” Computer Standards & Interfaces,vol. 63, pp. 1–15, 2019.

[45] X. Jinhui, T. Yang, Y. Feiyue, P. Leina, X. Juan, and H. Yao, “Intrusiondetection system for hybrid dos attacks using energy trust in wirelesssensor networks,” Procedia computer science, vol. 131, pp. 1188–1195,2018.

View publication statsView publication stats