fuzzy based advanced hybrid intrusion detection system to...

Research ArticleFuzzy Based Advanced Hybrid Intrusion DetectionSystem to Detect Malicious Nodes in Wireless Sensor Networks

Rupinder Singh Jatinder Singh and Ravinder Singh

I K Gujral Punjab Technical University Kapurthala Punjab India

Correspondence should be addressed to Rupinder Singh rupi_singh76yahoocom

Received 4 October 2016 Revised 2 February 2017 Accepted 7 February 2017 Published 3 April 2017

Academic Editor Paolo Barsocchi

Copyright copy 2017 Rupinder Singh et alThis is an open access article distributed under the Creative CommonsAttribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

In this paper an Advanced Hybrid Intrusion Detection System (AHIDS) that automatically detects the WSNs attacks is proposedAHIDS makes use of cluster-based architecture with enhanced LEACH protocol that intends to reduce the level of energyconsumption by the sensor nodes AHIDS uses anomaly detection and misuse detection based on fuzzy rule sets along withthe Multilayer Perceptron Neural Network The Feed Forward Neural Network along with the Backpropagation Neural Networkare utilized to integrate the detection results and indicate the different types of attackers (ie Sybil attack wormhole attack andhello flood attack) For detection of Sybil attack Advanced Sybil Attack Detection Algorithm is developed while the detection ofwormhole attack is done by Wormhole Resistant Hybrid Technique The detection of hello flood attack is done by using signalstrength and distance An experimental analysis is carried out in a set of nodes 1333 of the nodes are determined as misbehavingnodes which classified attackers along with a detection rate of the true positive rate and false positive rate Sybil attack is detectedat a rate of 9940 hello flood attack has a detection rate of 98 20 and wormhole attack has a detection rate of 99 20

1 Introduction

Wireless sensor networks (WSNs) are a recent technology andhave received huge attention among researchers Normallythe WSN environment comprises low power low cost anda huge number of sensors that are distributed arbitrarilyover the target location or are redeployed manually Wirelesssensor networks have become a powerful and familiar tech-nology due to their potential features and applications such ashealthcare monitoring domestic applications surveillancesystems and disaster management [1] Wireless sensor nodeshave poor capacities in terms of communication compu-tation and energy In wireless sensor networks broadcastmessage is an effective and a popular prototype that permitsmultiple users to combine and distribute message packetsthroughout the network effectively in order to get data oftheir interest An example diagram of WSN is demonstratedin Figure 1

Wireless sensor network is a self-organizing networkwitha huge number of sensor nodes which consumes less powerand is of low cost Wireless sensor networks are utilizedfor several applications like civil and military applications

that encounter detection security identifying environmentalconditions andweathermonitoring that is sunray detectionparticlemovement sound temperature object identificationprediction disaster sensing and so on [2] This sort ofnetwork has restricted battery storage for the nodes and thusefficient and proper utilization of the energy inWSN nodes isvery essential to improve the network lifespan

These sensor nodes are termed lightweight and transfer-able devices having the capacities of communicating sensingand processing the data from one node to the destinationnode in a larger networkThey have a restricted transmissionrange and hence send the data directly to the desired userwith a transmission range limit Data transmission in longerdistances can be performed through intermediate nodessinceWSNs are vulnerable to internal and external outbreaksMost commonly they do not have the capacity to handlea tough attacker owing to their resource restricted nature[3] In this condition a secondary stage of defence mostlycalled Intrusion Detection System (IDS) is needed to protectthe system from the attackers The vast attacking techniquesdeveloped by the attackers can be detected by making useof efficient IDS [4] Unfortunately majority of the sensor

HindawiWireless Communications and Mobile ComputingVolume 2017 Article ID 3548607 14 pageshttpsdoiorg10115520173548607

2 Wireless Communications and Mobile Computing

BS

CH MN

Figure 1 Cluster-based WSN architecture

networks are very sensitive towards attacks because of WSNcharacteristics and antagonists can simply create networktraffic which can also cause heavy packet drop duringbroadcasting of the packets or change the original content ofthemessage in the packets [5]Thus authentication strategiesare implemented in the network for ensuring secure commu-nication between the nodes In WSNs it is very essential tocarry out secure data transmission between the nodes

For instance if WSNs are employed in battlefield appli-cations sensor nodes are intruded upon by the attackersand destroyed Hence security plays a significant role Aprevention technique is utilized to counteract the well-established attacks Moreover a prevention scheme cannotdefend against all the attacks Thus these attackers should beidentified so the IDS are utilized commonly to identify thepackets in a network and estimate which packet is damagedby the attackers Furthermore IDS can help the preventionsystem through the developed nature of attacks [6]

The Low-Energy Adaptive Clustering Hierarchy(LEACH) protocol functions on the Medium AccessControl (MAC) protocol based on the clustering algorithmfor data collection in the WSN [7] The LEACH protocolformed as cluster architecture using WSN nodes to reducethe energy consumption level To maintain the minimalenergy consumption throughout the WSN the cluster-groupheads are selected rotationally among the sensor nodeswithin the cluster if the present cluster-group head has loweravailable energy resources than other sensor nodes

Therefore the energy load connected with being a clusterhead is evenly distributed with nodes for increasing thelifetime of the entire network In each cluster the sensornodes can communicate using Direct Sequence Spread Spec-trum (DSSS) to limit the interference with other clustersEach cluster applies a spreading sequence which does notmatch nearby clusters and cluster heads apply a reservedsequence method for making communication with the sinknode Eventually the information would be sensed in theWSN in which nodes can transfer the data to a controlcenter or sink node so that each end-user can access thedata LEACH depends on the following two assumptions thesink node is fixed and located within the area of deployedsensors and all nodes in the network are homogeneousand energy constrained Thus communication between thesensor nodes and the sink node is expensive [8]Media accessin LEACH was selected to minimize energy consumption inthe non-cluster head nodes As the cluster members know

their own cluster head they can form a new TDMA schedulethat describes to each node exactly when to transmit its dataThis allows the nodes to remain in the sleep state with internalmodules powered down as long as possible Furthermoreby utilizing a TDMA schedule it is possible to stop thecollision happening in the intracluster while transferring thedata LEACH is classified into circles Each circle starts at aninitialization process and forms the cluster structure whichis later continued by a steady state phase It forms differentframes of data for transferring the data from node to clusterhead moreover aggregated data is only transmitted to thesink nodeThe nodes must contain time synchronized stampto start the initialization process at the same time So tominimize initialization overhead the steady state phase isalso equated to the initialization process

There are modified versions of LEACH that attempt toadd secure features [8] although they still have their owndrawbacks as highlighted in the previous section and theydo not consider the impact of radio range while electing asecure cluster head upon energy consumption To identify theattackers they make use of the network monitor and providethe alarm to the remaining nodes They protect the systemfrom the attackerrsquos destruction by raising an alarm beforethe intruder initiates the attack The two important modulesin the IDS are misuse detection and anomaly detection [2]Generally anomaly detection develops a prototype to identifythe abnormal and normal behavior of the nodes by carryingout the analysis and comparison of the nodes behavior Ithas the highest detection rate and at the same time it hasthe highest false positive rateThemisuse detection identifiesthe various types of attackers by equating or comparingthe present attack behavior and the past attack behavior[9] It has the highest accuracy but with low detection rateParticularly it cannot detect unknown attackers which arenot in the base of the model Various researchers haveanalyzed a module of hybrid detection to utilize the meritsof both misuse detection and anomaly detectionThis hybriddetection methodology can identify unknown attacks withthe greatest accuracy of the misuse detection and the greatestdetection rate of anomaly detection The Hybrid IntrusionDetection System (HIDS) accomplishes the aim of obtainingthe highest detection rate with low false positive rate [1]

This paper describes the Advanced Hybrid IntrusionDetection System (AHIDS) it utilizes a Multilayer Percep-tron Neural Network (MPNN) which contains Feed For-ward Neutral Network (FFNN) and Backpropagation NeuralNetwork (BPNN) of the supervised learning approach basedon the fuzzy logic mechanism with anomaly and misusedetection technique to detect the hello flooding wormholeand Sybil attacks with higher detection ratio and lower falsealarm

At first the Sybil attack detection is based on theAdvanced Sybil Attack Detection Algorithm (ASADA) withfuzzification method along MPNN it is utilized to sep-arate the Sybil node and legitimate node even if it hasthe highest mobility through the verification process usingRSSI (Received Signal Strength Indicator) Then to identifythe wormhole attack we propose the Wormhole ResistantHybrid Technique (WRHT) with fuzzification method along

Wireless Communications and Mobile Computing 3

FFNN The proposed WRHT allows the source node inthe sensor network to calculate the wormhole presenceprobability (WPP) for a path in addition to HC (Hop Count)information WRHT makes use of dual mode detection bycalculation of PLP (Packet Loss Probability) and TDP (TimeDelay Probability) if it finds out packet loss at the receivingend then it is concluded that the wormhole attacker isworking in encapsulation mode (hidden mode) Finally fordetecting hello flooding attack sensor nodes of RSS anddistance along with their threshold values are moved tothe BPNN The fuzzy interface in the fuzzy based detectormodule uses both anomaly and misuse detector in order toestimate the hello flooding attack in the adversary model inAHIDS Here the trusted neighbor nodes are instructed toflood a fixed number of fake packets into the sensor networkat the same time If the suspicious node passes this test thenit is directed to send-received check If it fails this test thenthe node is considered as malicious and stored as blacklisted

2 Literature Review

In recent years the research about the WSNs had con-centrated on the security of the sensor networks Due tothe resource limited environment of the WSN conventionalsecurity strategies had not been employed as they requiredtoo much energy as discussed by Zhu et al [10] Thereforeresearchers were aiming to provide lightweight securityschemes for all the security aspects of WSNs (such as routingprotocol IDS and secure data aggregation) In this paper weconcentrate on identifying the three different attackers helloflooding wormhole and Sybil attacks some related securityschemes are discussed below

Zhu et al [10] had demonstrated a scheme LEAP+which is a development of the LEAP protocol LEAP+ utilizes4 categories of keys as per the node requirement (i) asingle key shared with the sink node (ii) an individual keyshared with another node (iii) a group key shared withnearby nodes in the same cluster and (iv) a cluster keyshared with all the nodes in the entire networks In the keymanagement system it produced a master key and storedit in the nodesrsquo memory before node deployment Lateron during deployment each node was produced from theoriginal master key and forwarded the hello packet whichhas its own identifiers to its neighbor After it received anacknowledgement from its neighbor verification took placein the MAC layer

Y Lee and S Lee [11] illustrated the authentication and keymanagement scheme to produce the secure communicationchannel in the WSN The base station was utilized to storethe public key of all the nodes before making deploymentin the WSN It is very essential to enhance the security ofthe networks the authors incorporated their technique intwo classes of authentication (handshake) The first class ofauthentication took place between the sink node and thesensor node The node produced a symmetric key that useda public key for the encryption process in the sink node Ittransmitted the encrypted key to the sink node without beingdecrypted as the desired node does not know the secret keyof the sink node The next category of authentication was

performed between the sink node and a pair of nodes in thenetworks so that it can authenticate the nodes

Turkanovic et al [12] illustrated a new protocol thathandled various types of keys like the LEAP protocol Themajor difference was that group keys were estimated byeach and every node inside the specified cluster Despite thismodification it cannot produce a solution due to the lackof rekeying solution An extensive survey on protocols andtechniques used to detect the hello flooding attack has beenpresented in [12] The authors have distinguished methodsused in the noncryptographic and cryptographic techniquesHowever because of the time higher energy and memorydemands of the cryptographic methods it is preferable toutilize the noncryptographic method Hongbin et al [13]presented cluster key management for hierarchical sensornetworksThis mechanism estimated the cluster key utilizingthe partial key in the sink node By utilizing the randomtechnique the child node of the partial key was produced andthen it wasmoved to the group head to estimate its partial keyso that the cluster key was estimated at last

Pires et al [14] introduced signal strength based detectionof hello flooding attack The proposed mechanism identifiedthe attackers based on the Received Signal Strength (RSS)if a node seems to be distrusted in the network then itis considered as an adversary nodes are tested with theirtransmission range with the help of RSS Hence the nodesare detected as eithermalicious nodes or nonmalicious nodesWhenever the malicious nodes are detected they are labelledas ldquosuspiciousrdquo Singh et al [15] proposed a signal strengthbased detection approach for the suspicious node Nodeswould be represented as a stranger or a friend depending onthe signal strength of hello messages sent by them Nodesclassified as strangers are further validated by sending asimple test packet if the reply of the test packet comes backin a predefined time then it is regarded as valid otherwiseit is treated as malicious However the major demerit of thismethod is the bit overhead problem Magotra and Kumar [7]enhanced this mechanism and depended on the identifica-tion of the malicious node using the signal strength alongwith distance between the nodes Nevertheless when both ofthese parameters exhibit a certain threshold value then thetest packet will increase the communication overhead whichaffects the transmission time

Oliveira et al [16] introduced FLEACH a protocolwhich is designed to provide security for node-to-nodecommunication in LEACH-basedWSNs It utilized random-key predistribution technique to enhance the transmissionsecurity in the LEACH protocol along with symmetric-keycryptography in this protocol FLEACH provides integrityauthenticity confidentiality and freshness in node-to-nodetransmission communication but it is dangerous to nodeidentifying attack The authors of [17] proposed SLEACHwhich is the first modified version of LEACH in regard toimproving the security They analyzed the security relatedproblem while adding a cluster-based communication proto-col for the WSN with various restricted resources SLEACHgives security with the use of security protocol for WSNmessage authentication code and symmetric-keymethods inthe LEACHprotocolThe proposed SLEACHdefends against


hello flooding attacks and sinkhole and selective forwardingattacks It prevents attackers from transmitting bogus sensorinformation to the cluster head and prevents the cluster headfrom transmitting a bogus message meanwhile SLEACHwould forbid the crowded cluster in the time slot scheduleleading to DoS attack Moreover it reduces the throughput ofthe cluster head and does not provide data confidentiality

Ibriq andMahgoub [18] illustrated the secure hierarchicalenergy efficient routing protocol (SHEER) which providessecure communication in the network layer It utilizes theprobabilistic broadcast scheme and higher level hierarchicalclustering to develop the network performance by creatingefficient energy consumption which improves the networklifetime To provide the security the SHEER implementssymmetric-key cryptography and a secure key transmissionprotocol called HIKES The authors have analyzed the per-formances with the LEACH protocol and proved that theproposed SLEACH is efficient and significant This protocolis dependent on the LEACH protocol marked as authenti-cation confidentiality cluster-based secure routing protocolIt employs both private and public key encryption using thedigital signature cryptographyThis protocol handles interiorantagonists or attackers or compromised nodes As a result ofthe greater computational demand with the use of public keycryptography it is not significant for WSNs

Sec-LEACH [19] is furnished as a significant solutionfor providing secure communication in LEACH It utilizesTESLA and random-key predistribution for providing thedynamic cluster formation in the secure hierarchical WSNSec-LEACH utilizes random-key dispersion to LEACH withproposed symmetric key while one-way hash claims to givefreshness and confidentiality Sec-LEACH gives integrityauthenticity confidentiality and freshness to transmissioncommunication Sec-LEACH enhances the technique forselecting cluster heads and makes dynamic stochastic mul-tidirectional cluster heads forms to transmit to the sinknode In this same mechanism it would minimize thepower efficiency and therefore the network lifetime has beenimproved It utilized self-localization and key predistributionto transmit the data securely to the LEACH protocol Itprevented the compromised node from taking place in theWSN and maintained the secrecy of the data packet

In [20] the author proposed RLEACH for secure trans-mission in the LEACH protocol in which the clusteringdata have been organized dynamically and sporadicallyIn RLEACH the orphan node issues arose as a result ofrandom pairwise key mechanism so the authors have utilizedenhanced random pairwise key mechanism to detect theattackers RLEACH utilized symmetric hash chain andasymmetric cryptography to develop security in the LEACHhierarchical routing protocol RLEACH resists multipleattacks such as sinkhole attack Sybil attack hello floodingattack and wormhole attack

3 Advanced Hybrid IntrusionDetection System

The proposed work aims to detect the hello flooding worm-hole and Sybil attacks in the WSN by using the AHIDS

We utilize the enhanced LEACH protocol (with fuzzy rules)to identify the attackers of different types AHIDS makesbenefits from both anomaly detection and misuse detectionmodels for the detection of the above said attacks Theproposed AHIDS can obtain a greater detection rate and lowpositive rate value Meanwhile it can find and include newinstances by machine learning strategy of MPNN practicallythrough enduring the unknown attacks AHIDS proposed inthis research contains two important elements as representedin Figure 5 the FFNN and the BPNN

AHIDS first makes use of anomaly detection block inorder to recognize the data packets as abnormal or normalLater on the misuse detection block covers the abnormaldata packets to recognize the several types of attack detection[21] Eventually the effects of the two detection blocks arecombined by the fuzzy block with MPNN in order to make adecision for identifying any intrusion and the different kindsof intrusion and bring back the same to the authority toprotect the system from the attackers

The anomaly detection models are generally utilized torecognize the abnormal packets for further detection ofmalicious nodes Due to this anomaly detection utilizesa standard method to detect the normal behavior of thenodes a data packet is identified to be abnormal in thenetwork once the present behavior changes from that ofnormal behavior As an outcome the anomaly detectiongenerally identifies the common transmission as well asabnormal transmission of data packets which forms theissues of classifying the erroneous nodes in the networkNevertheless it rarely considers an abnormal transmissionas the normal transmission Hence the anomaly detectionmethod is utilized to sort a huge number of data packetsrecords first and make further detection analysis with themisuse detection method whenever the amount of data isminimized

IHIDS (Intelligent Hybrid Intrusion Detection System)and AIHIDS (Artificial Immune based Hybrid IntrusionDetection System) are similar but the important differencebetween them is that IHIDS does not support artificialneutral network [22] Hence it cannot analyze and distin-guish new intruders immediately while it suffers from theunknown assaults whereas AIHIDS detects the attackerswith the use of MPNN The difficulty with the LEACH-based implementation is that the resources of the cluster headare less than the base nodes Due to the higher number ofresources in the base nodes it does not have any restrictionswhile utilizing the resources In case cluster heads take a lotof resources of performing and energy to identify intrusionthen the overall network lifespan becomes lesser Hence tominimize the workload of AIHIDS there is no supervisedlearning of neutral network mechanism between the basenode and cluster heads The feedback mechanism is used forfeeding the information of new assaults which is used for thelearning process of AIHIDS This corresponds to the misusedetection scheme of the proposed AHIDS for training thedataset

This procedure not only obtains the AIHIDS but alsogets the same performance of IHIDS which consumes someadditional resources to detect the new attacks When AHIDS


gets the feedback message from the learning mechanism ofAIHIDS the misuse detection model of IHIDS is retrainedusing the data of new attacks at the next training for addingnew detection classes Because the anomaly detection modelmisuse detection model and decision-making model inAHIDS are the same as those in IHIDS the details of systemstructure are not described again

31 Analysis on the Attackers

311 Detection of Sybil Attack In Sybil attack the attackerscan get identities by twoways At first it has the ability to forgeits own identities for instance forming an arbitrary identifierThen it applies stolen identities which means spoofing theidentities of legitimate nodes (masquerading) in the WSNThe proposed mechanism is developed for recognizing newidentity formed by a Sybil attacker We consider that themalicious node enters the network with its one identity andthat themisbehaving nodes do not conspire with one anotherWe also considered that nodes do not increase or decreasetheir transmit powerThe Sybil attack has the following effectson the WSNs [23]

(i) The routing table size is elaborated in a WSN and itcauses confusion in the data routing packets

(ii) The Sybil attack interrupts the trust basedmechanismin WSNs by decreasing or increasing the nodersquos trustvalue

(iii) Sybil attack produces confusion between illegitimatenode and legitimate node in the WSN

(iv) The wireless sensor networkrsquos life gets decreased dueto the single nodersquos reaction to the various nodesrequests

(v) The performance and throughput of the network arereduced significantly because of the Sybil attack

To identify the Sybil attack we propose the Advanced SybilAttack Detection Algorithm (ASADA) with fuzzificationmethod along MPNN it is utilized to separate the Sybil nodeand the legitimate node even if it has the highest mobilitythrough the verification process The AHIDS absorbs eachnode RSSI value in the table with respect to the time periodand it analyzes whether the first RSSI value is lesser thanthreshold or not If not AHIDS includes it to the attacker listand updates its neighborsrsquo list Due to the battery restrictionsevery sensor node maintains only 5 lists Figure 2 shows ascenario of Sybil attack in WSN

The proposed ASADA is combined with the rule basedanomaly detection module In this mechanism the anomalydetector utilizes fuzzy rules set to differentiate data unitsas normality or anomalies While supervising the WSNthese fuzzy rules sets are chosen appropriately and employedto the supervised data If the fuzzy rules are satisfied indetermining an anomaly is announced The ASADA theunderlying detector is compiled into four processes towardsobserving Sybil attacks in the wireless sensor networks Inthis first process nearby nodes identify the path for the datatransmission utilizing the range-enabled scheme [3] which

Malicious nodeLegitimate nodeSybil node

n0

n1

n2

n3

n4

n5

n6

n7

n8

n9

n10

Figure 2 Sybil node detection analysis

sends hello packets to the neighbor nodes (which are alsocalled beacons) The data packets are utilized within theparticular range in order to receive the effective RSSI signal ifthey cross a certain distance or range then the signal strengthbecomes weaker which has the possibility of getting affectedby the malicious nodes so we include the ranging estimationscheme In this scheme each packet has the PHY header(PHR) with particular bit which is called the ranging bitmoreover each packet broadcasts the PHY for the frames setsmeant for ranging [3]

In the next phase each node develops the table compris-ing the locally calculated ranging estimation that is at firstit calculates the distance 119889119899119886119887 from every neighboring node itidentified Here we consider that 119889119899119886119887 represents the detecteddistance between the node 119899119886 and the node 119899119887 as calculatedby the node 119899119886 Nevertheless the distance detection maynot be error-free and it may contain ranging error whichis indicated as 119890 error units which happens because ofthe wireless network of the ranging communication andthe imperfections of the fundamental PHY and because ofthe misbehavior node performing a distance increasing ordecreasing attack Therefore by 119889119890119886119887 we represent the exactdistance between the node 119899119886 and the node 119899119887 Evidently itapplies that (119889119899119886119887 minus 1198992) lt 119889119899119886119887 lt (119889119899119886119887 + 1198992) at average foreach node 119899119886 119899119887

In this next process every node in the WSN severallyexecutes multiple distance matching verification This indi-cates that node 119899119886 equates the rangingmeasurements of everypossible pair of nodes 119899119886 and 119899119887 represented in its neighbornode list that is for all 119887 119888 = 119886 1 le 119887If

1003816100381610038161003816119889119899119886119887 minus 1198891198991198861198881003816100381610038161003816 lt 119890 then rasie an alarm1003816100381610038161003816119889119899119886119887 minus 1198891198991198861198881003816100381610038161003816 ge 119890 else continue normal operation

(1)

With the above conditions the rules set that in case node119899119886 determines that two nodes other than trenchant noderepresented by 119899119887 and 119899119888 have a difference in distance smaller


X

Y

A

B

Figure 3 Construction of wormhole tunnel

than 119890 quadratic metric units then the node performing thedistance verification considers that a Sybil attack is active andcontinues with the procedure of identifying the blacklistingof nodes 119899119887 and 119899119888 As evident this premise could produce afalse (positive) value in the fuzzy table set 1 the two distancematching nodes 119899119887 and 119899119888 are legitimate sensor nodesAccordingly the network performance and the applicabilityare based on the false probability [24]Therefore the analyticframework has been developed to enhance the accuracy ofthe detection mechanism

Under this condition it is very essential to describe thatthe third process of the proposed algorithm is a repeatingprocess intending that distance checks are performed spo-radically The time period in which each node runs circularbased Sybil attack detection algorithm is based on the fuzzyset rules with neural network Each sensor nodemoves to theneighbor route discovery seeking for the fresh neighbors inits locality Each time a wireless sensor node finds older orfresh neighbors it rejoins the distance checks This processalso sets the requirements to ensure that distance verificationsare invariably upgraded between the freshly added neighborand every other older node in the neighbor list based uponthe distance and the threshold point of the fuzzification isused to determine the percentage of the Sybil attackers

312 Detection of Wormhole Attack The specific attackduring the routing functionality in the wireless networksreferred to as the wormhole attack has been proposed inthe context of ad hoc networks [25] When the attack isactive a misbehavior node can absorb one data packet fromone location in the wireless network and ldquotunnelrdquo it to someother assaults node at a particular point which reproduces itlocallyThe tunnel would be demonstrated in variousmannerpaths such as through an out-of-band hidden channel (egwired link) high powered transmission or data packetencapsulation [26] This channel tunnel builds the tunneleddata packet that would come either faster or with minimumnumber of hops while equating to the data packets carriedover patternmultihop routesThis produces the delusion thatthe two end points of the tunnel are very near to each otherThe wormhole attack is shown in Figure 3

Awormhole tunnel can be generally practicable if utilizedfor transmission of all the data packets Nevertheless inits misbehavior incarnation it can be utilized by the twomisbehavior end points of the wormhole tunnel to entertraffic congestion during the routing which affects all routes

through them The misbehavior nodes end points may thenintroduce different types of attacks which results in thetraffic congestion occurring in the wormhole Therefore thewormhole attack would influence the route established byprotecting any two sensor nodes in the wireless network thatare much bigger than two hop nodes away from exposingroutes to each other The wormhole attack may influencevarious applications and energy utilization in wireless ad hocnetworks such as clustering protocols data aggregation andlocation based wireless network systems [25] At last thewormhole attack is regarded as especially pernicious as it canbe established without experiencing access to any legitimatenode in the network

To identify the wormhole attack we propose the Worm-hole Resistant Hybrid Technique (WRHT) with fuzzificationmethod along FFNN The proposed technique WRHT is ahybrid technique based on the concept of watchdog [26]and Delphi [27] Watchdog (packet drop) and RTT basedtechniqueDelphi are based on the assumption that the packetdrop and RTT of a route in the network are very closelyrelated to the value of its hop count (HC) and distanceWRHT makes use of the information about the packet dropthe delay per each hop and the complete route in the sensornetwork The foundation behind WRHT is to build up awormhole detection methodology that is able to manageevery category of wormholes which is possible for everytype of WSN device and scenarios of the network withoutthe earning of significant computational costs WHRT isconsidered as an extension to routing protocolThe proposedWRHT allows the source node in the sensor network tocalculate thewormhole presence probability (WPP) for a pathin addition to HC information During packet encapsulationin wormhole attack the packets are transmitted via thelegitimate path only the packet that reaches a colluding nodeis encapsulated so that the nodes on the way are not ableto increase the hop count When the packet reaches theother colluding node at the receiving end this node thendecides whether to drop the packet or retransmit it in thenetwork Since WRHT makes use of dual mode detection bycalculation of PLP and TDP if it finds out packet loss at thereceiving end then it concludes that the wormhole attacker isworking in encapsulation mode (hidden mode)

The following formulas are used for calculating thepresence of the wormhole

TDPHTOTAL = TDPHRREQ + TDPHRREP (2)

where TDPHRREQ is the time delay probability of a nodeduring RREQ and TDPHRREP is the time delay probability ofa node during RREP

(TDP119875) = 1 minus ( 119899prod119895=1

(1 minus TDP119895)) (3)

where TDP119895 is the time delay probability measured at node 119895(PLP119875) = 1 minus ( 119899prod

119895=1

(1 minus PLP119895)) (4)

where PLP119895 is the packet loss probability measured at node 119895


Figure 4 Hello flooding attack in WSN

Since the two events time delay and packet loss are notmutually exclusive (as there may be loss of packets and timedelay at the same time) the wormhole presence probability(WPP) for a path can be defined as

WPPp = TDP119875 + PLP119875 minus (TDP119875 and PLP119875) (5)

Here the calculated values of (2)ndash(5) aremoved to the FFNNThe fuzzy interface in the fuzzy based detector module usesboth anomaly and misuse detectors in order to estimate thewormhole attack in the adversary model in AHIDS Heremalicious nodes are detected and stored as blacklisted

313 Detection of Hello Flooding Attack The hello floodingattackworks as an assaults node disseminates hello packets byapplying a more powerful transceiver than common sensornodes The attack is shown in Figure 4 The wireless sensornodes obtaining such hello packets may incorrectly considerthat they are inside the RSS of the transmitter and attempt totransmit their data packets through the misbehavior nodesThese packets would be lost as they may not reach thedestination sensor nodes RSS can be estimated by the nearestneighbor of a misbehaving node as this RSS is effectivelyhigher than the signal received from other neighbors [7]

To minimize the communication overhead of the datapacket in the previous RSS established methodology inthis paper we consider the clustered based wireless sensornetwork based on the RSS and distance threshold of theelected cluster head nodesThe distance of nodes is estimatedby the following

Dist = sqrt [sq (1199092 minus 1199091) + sq (1199102 minus 1199101)] (6)

Here (1199091 1199101) represent the location coordinates of thedestination node that is receiving packet while (1199092 1199102) arethe CH location coordinates that are sent through advertisinghello packet Receiving nodes calculate RSS threshold valueTRSS which corresponds to each node radio range inWSN Receiving nodes also calculate the value for distance

threshold (TDIST) which corresponds to the radio rangedistance covered Each sensor node joins a CH if

(RSS lt TRSS) ampamp (Distance lt TDIST) (7)

Here sensor nodes RSS and distance along with their thresh-old values are moved to the BPNNThe fuzzy interface in thefuzzy based detector module uses both anomaly and misusedetector in order to estimate the hello flooding attack in theadversarymodel in AHIDSHere the trusted neighbor nodesare instructed to flood a fixed number of fake packets intothe sensor network at the same time If the suspicious nodepasses this test then it is directed to send-received check Ifit fails this test then the node is considered as malicious andstored as blacklisted AHIDS utilize the fuzzy based MPNNwhich contains the FFNN and BPNN of supervised learningapproach in order to identify the all three attackers with thehelp of fuzziness rules set

32 To Detect the Malicious Nodes in the Advanced HybridIntrusion Detection System In this paper we consider aclustered based WSN it is very important for the datapackets to demonstrate the common patterns of normal nodebehavior for supervising the condition of the data packetsHence in this paper the fuzzy rule based analysis is utilized todevelop the anomaly detection scheme and the representingrules are determined by the expertsThework flowmodel canbe explained in three steps which are represented below

Process 1 It evaluates the data packet transmission historycompletely In a cluster-based wireless sensor network thedata packets move through the base node and are forwardedfrom the neighbor of cluster heads to the MPNN in whichthey moved to FFNN Hence the previous data packets thatcommunicate on the base node are gathered to evaluate andthe data packet is classified into two types that is abnormaland normal

Process 2This process is used to select the feature set lookingfor recognition of the key elements that emerged to separatethe abnormal and the normal packets

Process 3 This process includes the establishement ofanomaly intrusion detection rules It depends on the res-olution of a common data packet and it chooses the bestfeatures and then the fuzzy based rules are produced Lateron the BPNN along with well-known rules sets is stored inthe knowledge base

In clustered based wireless sensor networks when allclustered heads transmit the data to the base nodes entiredata packets which pass through the base nodes have to bechecked by the anomaly detection method to find whetherthere are any abnormal data packets In case such abnormaldata packets are identified they should be moved to thesecond process in which the misuse detection methodappears for any misjudgments that have occurred using thefuzzy based Multilayer Perceptron Neural Network whichwill distinguish the attackers and provide detection ratio


Testing data

Training data

Unlabeled data

New training data High fuzziness Low fuzziness

Mild fuzziness

MPNN model

MPNN model

Attack detection accuracy

BPNN

FFNN

Fuzzificationclassification

unlabeled dataFuzziness F(V)

Figure 5 The proposed methodology

321 Modules Description

(1) Fuzziness The word fuzziness connects to the unclearboundary value limits considering two important linguisticfactors and it is dependent on the fuzzy sets and mem-bership function It was first discovered by Zadeh [28] in1965 Later on fuzziness was defined as the quantitativemeasure of uncertainty with 1 nonprobabilistic entropy by theauthor Shannon (Shannonrsquos information entropy) They alsointroduced three important properties that fuzziness shouldcontain These properties would describe the fuzziness thefuzziness degree must reach its maximum value as themembership degrees of each and every attribute are equaland its minimum value as each and every attribute eitherdenotes the fuzzy set or utterly not In this proposed studywe consider fuzziness as a type of cognitive uncertainty in theneutral network determining the transition of uncertaintyfrom one linguistic condition to another whereas a linguisticcondition is defined as a fuzzy set in a certain universe ofdiscourse The fuzziness of a fuzzy set can be evaluated by afunction 119865 rarr [0 1]119883 satisfying the following axioms [29]

(1) 119865(120583) = 0 if and only if 120583 is a crisp set

(2) 119865(120583) obtains its maximum value if and only if 120583(119909) =05 forall119909 isin 119883

(3) If 120583 le 119904120590 then 119865(120583) ge 119865(120590)(4) 119865(120583) = 119865(1205831015840) where 1205831015840(119909) = 1 minus 120583(119909) forall119909 isin 119883

(5) 119865(120583 cup 120590) + 119865(120583 cap 120590) = 119865(120583) + 119865(120590)

(2) Fuzzy Based Detector Model The anomaly detector andmisuse detection methods use several methodologies ofwell-established attack behaviors so that we develop thenew strategy to overcome or defend against these attacksbehaviors [30] Most of the intrusion detection techniquespromise to detect the attacks through the training data butthey fail uncertainly The proposed work is based on MPNNconsisting of FFNN along with BPNN and is applied in thisstudy in order to provide the highest detection rate in thesupervised learning approach The proposed methodologydemonstrated figures outside the corresponding relationshipbetween input and output variables and that matches thecorresponding weight It can minimize the error rate thatoccurs in the interface for obtaining the greatest accuracyHence we proposed fuzzy based FFNN and BPNN to obtainthe highest accuracy level in the detection of the attacks forthe clustered based AHIDS through massive training

In this research multiple-layer perception in the neutralnetwork is utilized for the detection strategy mechanismof AHIDS that admits a hidden layer an input layer andan output layer In the FFNN process all the performancesparameters are determined and the error rate is estimated byapplying this formula

119890119903119894 = 119889119894 minus 119886119894 (8)

Here 119889119894 denotes the desired output and 119886119894 denotes theactual output which resulted from the MPNN In the backpropagation process the error rate or signal is propagated


by the MLP network Since the proposed methodology inte-grates the anomaly detection and misuse detection schemewe use abnormal packets which were determined by theanomaly detection scheme as the input layer The number ofperforming units in input vector is decided by the selectedcharacteristics of the data packets Furthermore the numberof performing units is included in the hidden layer whichis developed by increasing the amount of output layers andthe input layers Performing units in the output layer providevarious attacks and a single normal behavior of the node todecide whether the inserted packet is an attacker or intrusionthat forms a classification

The overall complete details of the data packets are gath-ered which move towards the base nodes in clustered basedwireless sensor networks as the common data for trainingThe majority of the data packets are normal in clusteredbased wireless sensor networks which makes the trainingdata imbalanced On the other hand the abnormal datapackets are eliminated by FFNN because of their minimumoccurrence ratio Therefore to avoid such issue the trainingdata are percolated through the anomaly detection schemeat first later on the abnormal data are distinguished whichhave been obtained from the training Before forwarding tothe training data to BPNN the training data were generalizedinto an identical form of BPNN On the other hand the datapacket records are converted into a stream binary value andthen set to BPNN To obtain good convergence the detectionrate is kept at 01 to 10 The actual learning ratio is obtainedfrom the simulation Furthermore we allocate values fromthe range of 0 to 1 as the biases and weights haphazardly

After the training data are incorporated into the BPNNwe equate the actual output results through the mechanismof the FFNNThe error and rectification value of hidden andoutput layers are estimated through the mechanism of theback propagation in the MPNN To modify the biases andweights of networks unless all the training data have beenutilized such duration is called the epoch The training datawould be discovered continuously and organize the weightsaccording to the layers frequently with the help of the epochsunless the output layer value is the same as the target valueand then the training data is finished

Hence complete abnormal packets are identified by theanomaly detection scheme and then for further verificationthey are forwarded to misuse detection scheme At first weapply the preprocessing step to covert the abnormal packetsinto a binary value and then the binary value is forwardedto the misuse detection scheme to estimate the output valueAt last the outcome of the detection value is delivered to thefuzzy module with MPNN model in order to obtain the bestintegration

The fuzzy module is utilized to make the best decision-making in order to identify the attackers and their differenttypes of attack by integrating anomaly detection scheme andmisuse detectionmoduleThe fuzzy rule basedmechanism isutilized to support the decision-making model by applyingthe rules to aggregate the outputs of the two detectionschemes and the major merit of this study is to obtainfast and accurate results The fuzzy based rules are given inthe tabulation This mechanism operates using fuzzy logic

Table 1 Fuzzy rules based MPNN

FFNN BPNN FuzzinessVery high Very long Mid fuzzinessVery high Long Mid fuzzinessVery high Medium Low fuzzinessVery high Short Low fuzzinessVery high Very short Low fuzzinessHigh Very long Mid fuzzinessHigh Long Mid fuzzinessHigh Medium Mid fuzzinessHigh Short Low fuzzinessHigh Very short Low fuzzinessMedium Very long High fuzzinessMedium Long High fuzzinessMedium Medium Mid fuzzinessMedium Short Low fuzzinessMedium Very short Low fuzzinessLow Very long High fuzzinessLow Long High fuzzinessLow Medium Mid fuzzinessLow Short Mid fuzzinessLow Very short Mid fuzzinessVery low Very long High fuzzinessVery low Long High fuzzinessVery low Medium High fuzzinessVery low Short MediumVery low Very short Medium

controller first the input parameters (FPNN) are assignedin the fuzzification process and these parameters moveto the Fuzzy Inference System (FIS) FIS performs basedon the fuzzy membership (triangular) and the fuzzy rulethat are applied on the input parameters to determine thesuitable fuzziness to determine the attackers types The fuzzysets considered for the input parameters are very low lowmedium high and very high and this is represented inTable 1 and the hidden layer input (BPNN) is given asvery short short medium long and very long and this ispresented in Table 1 Thus these parameters are analyzed inFIS that checks the fuzzy rules and functions for producingthe results to defuzzification where the output parametersare extracted as low fuzziness (Sybil attack) mild fuzziness(wormhole attack) and high fuzziness (hello flooding attack)

4 Multilayer Perceptron Neural Network(MPNN) Model Supervised Learning

TheMPNNmodel is categorized into FFNNandBPNNand isused to estimate the detection accuracy of the three differentattackers mentioned above in this paper The attackers areimproving day by day due to the development of advancedtechnology hence it is very necessary to improve the existingIntrusion Detection System as well as the system capacity Toovercome such issues our proposed AHIDS is an advanced


intelligent detection system When the system identifies thenew types of attacks machine learning mechanism has thecapacity to identify and learn them Nevertheless the datapackets cannot be accurately assorted by misuse detectionmodel which would be noticed as an unknown assaultFurthermore these data packets would be transmitted tothe MPNN to understand and introduce the new type ofdetection system for identifying the different types of attacks

The proposed methodology is provided in Figure 5 Weadopt the MPNN to develop the FFNN and BPNN mecha-nism of IHIDS because these neutral networks couldmanagewith a huge number of data to continue the system stabilityand they have the capacity to listen to different types of attack-ers On the other hand FFNNwould progress with detectionand estimate the new types of attacks simultaneously Theproposed BPNN is utilized to cluster unknown attacks for ourMPNN supervised learning mechanism that incorporates aninput layer a hidden layer and an output layer The patternof the supervised learning system is represented in Figure 6In the misuse detection a scheme cannot detect exact attacksfrom the data packets because input layer and the numberof input nodes are decided through the selected features forthe data packets The number of output nodes is found at thestarting stage Therefore various kinds of clusters would beproduced by using the proposed fuzzy based MPNN Hencethe output nodes results are improved when each outputnode establishes a fresh type method to detect the attackers

Each data packet of unknown attackers is inserted to theartificial supervised learning mechanism in order to estimatethe corresponding points for each output result Later onit detects the winning output node results to estimate thecorresponding value of winning output node If this value ishigher than the vigilance value this indicates that the insertedpackets correspond to the output node hence it belongs toclusters and MPNN just has to modify the weights On theother hand when the corresponding value of the winningoutput node is lesser than the alertness value this indicatesthat the inserted data packet is not equal to the connectedweight therefore it does notmatch this cluster It has to detectthe next winning node results to check whether it can passthe alertness test or else it would produce a fresh outputresult node which means a fresh attack has been identifiedFurthermore to determine the desirable vigilance value itis examined by the sample data through the experimentalsimulation In order to include fresh detection classes theinformation about cluster is carried to retrain the MPNN ofthemisuse detection schemewhile the clustermember valuesobtain the defined threshold

41 Fuzzy Rules Set Based Multilayer Perceptron Neural Net-work The proposed methodology of the fuzzy based rulesin the MPNN supervised learning is described in Table 1From the given dataset of labeled examples a dataset ofunlabeled examples and a testing dataset the data are trainusing supervised FFNN classifier by applying the 223 hiddennodes The hidden node is applied with BPNN supervisedclassifier in order to get the final output as the sigmoidactivation algorithm Then as membership 223 vector 119881 isachieved on every unlabeled sample by analyzing119880 applying

MPNN supervised learning method the membership vectorof each 224 unlabeled sample that is produced throughoutthis process is further applied to get the fuzziness 119865(119881) byusing

119865 (119881) = minus1119899119899sum119894=1

(120583119894 log120583119894 + (1 minus 120583119894) log (1 minus 120583119894)) (9)

where 119881 = 1205831 1205832 120583119899 is a fuzzy setThe fuzziness value is further classified into three different

groups low fuzziness group high fuzziness group andmid fuzziness group Those samples which denote the highfuzziness and low fuzziness groups are extracted and thesegroups are further included with 119879119903 to get a revised dataset119879119903_new for training the FFNN and testing it using BPNNThisis represented in Figures 5 and 6

5 Results and Discussion

In this approach we utilize the KDD datasets to coordinatethe pattern To determine the clustered based wireless sensornetwork we have introduced an efficient training MPNN forminimizing the energy utilization by reducing the variablesize dummy packets Therefore the dummy packets areremoved from the network during the preprocessing stagewhich can improve the strength of the data utility Thus thesize of the dummy variable packet is varied below or abovethe normal data packets to reduce the energy utilizationThis will finally make the adversary model separate the datapackets between the legitimate packets and a fake packetand it does not provide the data about the actual size of thereal packets however the proposed methodology providesseveral benefits to improve the data packets security andto minimize the energy consumption in the wireless sensornetworks in the AHIDS

The performance of the proposed AHIDS can be esti-mated by applying the following

(1) Accuracy

Acc = sum119862119894=1 TP119894119873 (10)

(2) Recall

Recall = TP119894TP119894 + FN119894

(11)

(3) Average accuracy

AAcc = 1119862119888sum119894=1

Recall119894 (12)

(4) Precision

Precision119894 = TP119894TP119894 + FP119894

(13)


Classifier

Training data

Testing data

Unlabeled data(1) Preprocessing(2) Identifying dummy

variables(3) Normalization

KDD dataset

Testing data

Unlabeled data

Training data FFNN

BPNN

Fuzziness rules set

MPNNDetection accuracy

Time duration

Figure 6 Fuzziness based MPPN

(5) 119865-measure

FM119894 = 2 sdot Recall119894 sdot Precision119894Recall119894 + Precision119894

(14)

(6) Attacker accuracy

Attacc = 1119862 minus 1119888sum119894=2

Recall119894 (15)

(7) Attacker detection rate

Adr = sum119888119894=2 TP119894sum119888119894=2 TP119894 + FN119894 (16)

Here 119862 denotes the number of classes 119873 stands forthe number of examples TP119894 is the number of truepositive values of the 119894th class FP119894 is the number offalse positive values of the 119894th class and FN119894 is thenumber of false negative values of the 119894th class

6 Simulation-Based Implementation andExperimental Results

In this experimental setup we evaluate the performanceof the proposed AHIDS in the wireless sensor network byusing the NS2 network simulator version 233 (NS233) withparameters of the simulation used defined in Table 2

We estimate the different types of attackers such as helloflooding wormhole and Sybil attacks and their detectionaccuracy for the wireless sensor networks in the AHIDS withfuzzy rules basedMPNN In Table 3 the results demonstratedthat the misbehavior nodes are detected in the true positive

Table 2 Simulation parameters

Parameter ValueSimulator used NS 23Area (meters) 1600 times 900Number of nodes 42Routing protocol DSDVChannel type WirelessPacket size 512 bytesInitial energy of nodes 10 joules

Table 3 Detection rate

TPR FPR55 (mid fuzziness) 5 (low fuzziness)57 (mid fuzziness) 12 (low fuzziness)63 (high fuzziness) 17 (low fuzziness)77 (high fuzziness) 20 (low fuzziness)

rate (TPR) and false positive rate (FPR) which is detectedwith the MPNN using fuzzy logic mechanism For instanceout of 100 nodes 2333 of the nodes are determined asmisbehaving nodes which have cut down the data passingthrough them The obtained results have proved that theproposed fuzzy logic mechanism is able to identify themisbehavior nodes in the system with higher positive ratioand lower false positive rate Table 3 illustrates detectionrates under each level of node speed Table 4 representsthe detection rate and false negative for the attack of helloflooding wormhole and Sybil

We first deploy WSN by defining the base station (BS)and clusters with each having a cluster head (CH) As shown


Figure 7 Detection of hello flooding Sybil and wormhole attacks

Table 4 Detection ratio and false negative rate for three attackers

Attack Detection rate False negativeSybil attack 9940 412Hello flooding attack 9820 222Wormhole attack 99205 516

in Figure 7 node 9 is the BS with nodes 1 4 8 13 16 2027 and 35 as CH Figure 7 provides a scenario of the sensornetwork having node 10 as selfish node (ie hello floodingnode)Node 10 is dropping packets and is detected as the helloflooding attacker by the proposed AHIDS Node 7 and node41 as shown in Figure 7 are detected as Sybil and wormholeattacks by AHIDS These malicious nodes 7 10 and 41 areisolated from the network for the normal function of WSNby AHIDS

61 Throughput of AHIDS In the first experiment we mea-sure the sensor network throughput as this is one of thecrucial network parameters Network throughput is definedas the average successful rate of delivered packets Through-put is calculated depending on the total number of receivedpackets at the destination in sensor network per unit of timeThroughput is calculated as

Throughput

= (Total number of received packets at destination)(simulation time) (17)

Figure 8 shows the throughput analysis in the case of thesensor network under attack and after implementation ofAHIDSThe figure clearly shows that the proposed techniqueafter the isolation of the attacks results in the increase ofthroughput

62 Packet Delivery Ratio of WRHT Packet delivery ratio(PDR) is defined as ratio of the total received packets at thedestination to the total packets generated by source nodePDR is calculated as

PDR = ( Packets receivedpackets generated

) lowast 100 (18)

Figure 8 Throughput of WRHT

Figure 9 PDR of WRHT

Figure 9 shows the PDR analysis in the case of the sensornetwork under attack and after implementation of AHIDSThe figure clearly shows that the proposed technique after theisolation of the attacks results in the increase of PDR A highvalue of PDR is an indication that there is less packet loss inthe sensor network

63 Energy Consumption of AHIDS For the energy compu-tation of sensor nodes we assign initial value of 10 joules atthe beginning of the simulation This energy is termed initialenergy In simulation the variable energy is used to representthe energy level in a sensor node at any specified time Thevalue of initial energy is passed as an input argument Asensor node loses a specific amount of energy for everypacket being transmitted and received As a result of this thevalue of initial energy in a sensor node gets decreased Theenergy consumption level of a sensor node at any time of thesimulation is determined by finding the difference betweenthe current energy value and initial energy value If an energylevel of a sensor node reaches zero it cannot transmit orreceive any more packets Figure 10 shows that the AHIDSreduces the energy consumption as compared to the attackingscenario of the sensor network

64 Packet Loss of AHIDS Packet loss is defined as thedifference between the packets generated by the source node


Figure 10 Energy consumption of AHIDS

Figure 11 Packet loss of AHIDS

and the number of packets received by the destination nodePacket loss is calculated as

Packet Loss = Generated Packets

minus Received Packets (19)

Figure 11 shows the packet loss analysis in the case of thesensor network under attack and after implementation ofAHIDSThe figure clearly shows that the proposed techniqueafter the isolation of the attacks results in the decrease inpacket loss A smaller value of packet loss is an indication thatthere is high PDR in the sensor network

65 Intrusion versus Membership Figure 12 represents therelationship between the intrusion detection in the networkand the membership function of AHIDS

7 Conclusion and Future Works

In this paper we provide a combined defence mechanismagainst hello floodingwormhole and Sybil attacks inwirelesssensor networks An Advanced Hybrid Intrusion Detectionmodel is proposed for wireless sensor networks which makesuse of both anomaly detection and misuse detection for the

Figure 12 Intrusion versus membership of AHIDS

detection of attacks The proposed Advanced Hybrid Intru-sionDetection Systemutilizes aMultilayer PerceptronNeuralNetwork which contains Feed Forward Neural Network andBackpropagation Neural Network of the supervised learningapproach based on the fuzzy logic mechanism with anomalyand misuse detection technique to detect the hello floodingwormhole and Sybil attacks The combination of these twotechniques is used to provide an Advanced Hybrid IntrusionDetection System with a high detection rate and low falsepositive rate The detection mechanism is incorporated ina cluster-based topology with LEACH protocol to decreasecommunication costs and energy consumption which leadsto an increase in the network lifespan improving the lifetimeof the networkThe simulation results show that the proposedIntrusion Detection System is capable of attaining high truepositive rate and low false positive rateThe results also provethat the proposed system is highly efficient for the parametersof throughput packet loss energy consumption PDR andso forth For the future work more analysis on this topicis required to be undertaken with detailed simulation ofdifferent attack scenarios to evaluate the performance of theproposed work

Conflicts of Interest

The authors declare that there are no conflicts of interest

Acknowledgments

The authors are highly thankful to the Department of RICI K Gujral Punjab Technical University Kapurthala PunjabIndia for providing the opportunity to conduct this researchwork

References

[1] Y Maleh A Ezzatib Y Qasmaouic and M Mbidac ldquoA globalhybrid intrusion detection system forwireless sensor networksrdquoProcedia Computer Science vol 52 pp 1047ndash1052 2015

[2] S Shamshirband N B Anuar M L M Kiah et al ldquoCo-FAIS cooperative fuzzy artificial immune system for detectingintrusion in wireless sensor networksrdquo Journal of Network andComputer Applications vol 42 pp 102ndash117 2014


[3] P Sarigiannidis E Karapistoli and A A Economides ldquoDetect-ing Sybil attacks in wireless sensor networks using UWBranging-based informationrdquo Expert Systems with Applicationsvol 42 no 21 pp 7560ndash7572 2015

[4] O Depren M Topallar E Anarim and M K Ciliz ldquoAn intel-ligent intrusion detection system (IDS) for anomaly andmisusedetection in computer networksrdquo Expert Systems with Applica-tions vol 29 no 4 pp 713ndash722 2005

[5] Y Shen S Liu and Z Zhang ldquoDetection of hello flood attackcaused by malicious cluster heads on LEACH protocolrdquo Inter-national Journal of Advancements in Computing Technology vol7 no 2 pp 40ndash47 2015

[6] S K Saini and M Gupta ldquoDetection of malicious cluster headcausing hello flood attack in LEACHprotocol in wireless sensornetworksrdquo International Journal of Application or Innovation inEngineering amp Management vol 3 no 5 pp 384ndash391 2014

[7] S Magotra and K Kumar ldquoDetection of HELLO flood attackon LEACH protocolrdquo in Proceedings of the IEEE InternationalAdvance Computing Conference (IACC rsquo14) pp 193ndash198 Gur-gaon India February 2014

[8] V K Arora ldquoA survey on LEACH and otherrsquos routing protocolsin wireless sensor networkrdquo International Journal for Light andElectron Optics vol 127 no 16 2016

[9] T M Rahayu S-G Lee and H-J Lee ldquoSecurity analysis ofsecure data aggregation protocols in wireless sensor networksrdquoin Proceedings of the 16th International Conference on AdvancedCommunication Technology pp 471ndash474 February 2014

[10] S Zhu S Setia and S Jajodia ldquoLEAP+ efficient securitymechanisms for large-scale distributed sensor networksrdquo ACMTransactions on Sensor Networks vol 2 no 4 pp 500ndash5282006

[11] Y Lee and S Lee ldquoA new efficient key management protocolfor wireless sensor and actor networksrdquo International Journal ofComputer Science and Information Security vol 6 no 2 2009

[12] M Turkanovic B Brumen and M Holbl ldquoA novel userauthentication and key agreement scheme for heterogeneous adhoc wireless sensor networks based on the Internet of Thingsnotionrdquo Ad Hoc Networks vol 20 pp 96ndash112 2014

[13] M Hongbin W Yingli Y Shuang Y Hai and L ZhenhaildquoHybrid key management mechanism based on double clusterhead structurerdquo in Proceedings of the IEEE 2nd InternationalConference on Instrumentation Measurement Computer Com-munication and Control pp 164ndash167 Harbin City ChinaDecember 2012

[14] W R Pires J T H de Paula Figueiredo H C Wong and AA F Loureiro ldquoMalicious node detection in wireless sensornetworksrdquo in Proceedings of the IEEE 18th International ParallelDistributed Processing Symposium vol 1 p 24 Santa Fe NMUSA April 2004

[15] V P Singh A S A Ukey and S Jain ldquoSignal strength basedhello flood attack detection and prevention in wireless sensornetworksrdquo International Journal of Computer Applications vol62 no 15 pp 1ndash6 2013

[16] L B Oliveira H C Wong M Bern R Dahab and A AF Loureiro ldquoSecLeachmdasha random key distribution solutionfor securing clustered sensor networksrdquo in Proceedings of the5th IEEE International Symposium on Network Computing andApplications pp 145ndash154 Washington DC USA 2006

[17] A C Ferreira M A Vilaca L B Oliveira E Habib HC Wong and A A Loureiro ldquoOn the security of cluster-based communication protocols for wireless sensor networksrdquo

in Proceedings of the 4th IEEE International Conference onNetworking vol 3420 of Lecture Notes in Computer Science pp449ndash458 2005

[18] J Ibriq and I Mahgoub ldquoA Secure Hierarchical Routingprotocol for wireless sensor networksrdquo in Proceedings of the 10thIEEE Singapore International Conference on CommunicationsSystems (ICCS rsquo06) pp 1ndash6 IEEE Singapore November 2006

[19] L B Oliveira A Ferreira M A Vilaca et al ldquoSecLEACHmdashonthe security of clustered sensor networksrdquo Signal Processing vol87 no 12 pp 2882ndash2895 2007

[20] K Zhang C Wang and C Wang ldquoA secure routing protocolfor cluster-based wireless sensor networks using group keymanagementrdquo in Proceedings of the 4th IEEE International Con-ference on Wireless Communications Networking and MobileComputing pp 1ndash5 October 2008

[21] R Alcala Y Nojima H Ishibuchi and F Herrera ldquoSpecialissue on evolutionary fuzzy systemsrdquo International Journal ofComputational Intelligence Systems vol 5 no 2 pp 209ndash2112012

[22] Y Y Chung and N Wahid ldquoA hybrid network intrusiondetection system using simplified swarm optimization (SSO)rdquoApplied Soft Computing vol 12 no 9 pp 3014ndash3022 2012

[23] P Rathee and S Malhotra ldquoPreventing sybil attack in wirelesssensor networksrdquo International Journal for Innovative Researchin Science amp Technology vol 1 no 12 2015

[24] F Cao H Ye and D Wang ldquoA probabilistic learning algo-rithm for robust modeling using neural networks with randomweightsrdquo Information Sciences vol 313 pp 62ndash78 2015

[25] V Obada K Djouani and Y Hamam ldquoHidden Markov modelfor shortest paths testing to detect a wormhole attack in alocalized wireless sensor networkrdquo Procedia Computer Sciencevol 10 pp 1010ndash1017 2012

[26] J Rupareliya S Vithlani and C Gohel ldquoSecuring VANETby preventing attacker node using watchdog and Bayesiannetwork theoryrdquo in Proceedings of the International Conferenceon Communication Computing and Virtualization vol 79 pp649ndash656 Mumbai India February 2016

[27] P Amish and V B Vaghela ldquoDetection and prevention ofwormhole attack in wireless sensor network using AOMDVprotocolrdquo in Proceedings of the 7th International Conference onCommunication Computing and Virtualization (ICCCV rsquo16)vol 79 pp 700ndash707 February 2016

[28] A Zadeh ldquoFuzzy rule setsrdquo in Information and ControlDepartment of Electrical Engineering and Electronics ResearchLaboratory University of California Berkeley Calif USA 1965

[29] A Zadeh ldquoFuzzy sets and information granularityrdquo in FuzzySets Fuzzy Logic and Fuzzy Systems pp 433ndash448 WorldScientific 1996

[30] K Q Yan S C Wang S S Wang and C W Liu ldquoHybridIntrusion Detection System for enhancing the security of acluster-based Wireless Sensor Networkrdquo in Proceedings of the3rd IEEE International Conference on Computer Science andInformation Technology (ICCSIT rsquo10) pp 114ndash118 ChengduChina July 2010

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of


International Journal of

RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal of

Volume 201

Submit your manuscripts athttpswwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



BS

CH MN

Figure 1 Cluster-based WSN architecture

networks are very sensitive towards attacks because of WSNcharacteristics and antagonists can simply create networktraffic which can also cause heavy packet drop duringbroadcasting of the packets or change the original content ofthemessage in the packets [5]Thus authentication strategiesare implemented in the network for ensuring secure commu-nication between the nodes In WSNs it is very essential tocarry out secure data transmission between the nodes

For instance if WSNs are employed in battlefield appli-cations sensor nodes are intruded upon by the attackersand destroyed Hence security plays a significant role Aprevention technique is utilized to counteract the well-established attacks Moreover a prevention scheme cannotdefend against all the attacks Thus these attackers should beidentified so the IDS are utilized commonly to identify thepackets in a network and estimate which packet is damagedby the attackers Furthermore IDS can help the preventionsystem through the developed nature of attacks [6]

The Low-Energy Adaptive Clustering Hierarchy(LEACH) protocol functions on the Medium AccessControl (MAC) protocol based on the clustering algorithmfor data collection in the WSN [7] The LEACH protocolformed as cluster architecture using WSN nodes to reducethe energy consumption level To maintain the minimalenergy consumption throughout the WSN the cluster-groupheads are selected rotationally among the sensor nodeswithin the cluster if the present cluster-group head has loweravailable energy resources than other sensor nodes

Therefore the energy load connected with being a clusterhead is evenly distributed with nodes for increasing thelifetime of the entire network In each cluster the sensornodes can communicate using Direct Sequence Spread Spec-trum (DSSS) to limit the interference with other clustersEach cluster applies a spreading sequence which does notmatch nearby clusters and cluster heads apply a reservedsequence method for making communication with the sinknode Eventually the information would be sensed in theWSN in which nodes can transfer the data to a controlcenter or sink node so that each end-user can access thedata LEACH depends on the following two assumptions thesink node is fixed and located within the area of deployedsensors and all nodes in the network are homogeneousand energy constrained Thus communication between thesensor nodes and the sink node is expensive [8]Media accessin LEACH was selected to minimize energy consumption inthe non-cluster head nodes As the cluster members know

their own cluster head they can form a new TDMA schedulethat describes to each node exactly when to transmit its dataThis allows the nodes to remain in the sleep state with internalmodules powered down as long as possible Furthermoreby utilizing a TDMA schedule it is possible to stop thecollision happening in the intracluster while transferring thedata LEACH is classified into circles Each circle starts at aninitialization process and forms the cluster structure whichis later continued by a steady state phase It forms differentframes of data for transferring the data from node to clusterhead moreover aggregated data is only transmitted to thesink nodeThe nodes must contain time synchronized stampto start the initialization process at the same time So tominimize initialization overhead the steady state phase isalso equated to the initialization process

There are modified versions of LEACH that attempt toadd secure features [8] although they still have their owndrawbacks as highlighted in the previous section and theydo not consider the impact of radio range while electing asecure cluster head upon energy consumption To identify theattackers they make use of the network monitor and providethe alarm to the remaining nodes They protect the systemfrom the attackerrsquos destruction by raising an alarm beforethe intruder initiates the attack The two important modulesin the IDS are misuse detection and anomaly detection [2]Generally anomaly detection develops a prototype to identifythe abnormal and normal behavior of the nodes by carryingout the analysis and comparison of the nodes behavior Ithas the highest detection rate and at the same time it hasthe highest false positive rateThemisuse detection identifiesthe various types of attackers by equating or comparingthe present attack behavior and the past attack behavior[9] It has the highest accuracy but with low detection rateParticularly it cannot detect unknown attackers which arenot in the base of the model Various researchers haveanalyzed a module of hybrid detection to utilize the meritsof both misuse detection and anomaly detectionThis hybriddetection methodology can identify unknown attacks withthe greatest accuracy of the misuse detection and the greatestdetection rate of anomaly detection The Hybrid IntrusionDetection System (HIDS) accomplishes the aim of obtainingthe highest detection rate with low false positive rate [1]

This paper describes the Advanced Hybrid IntrusionDetection System (AHIDS) it utilizes a Multilayer Percep-tron Neural Network (MPNN) which contains Feed For-ward Neutral Network (FFNN) and Backpropagation NeuralNetwork (BPNN) of the supervised learning approach basedon the fuzzy logic mechanism with anomaly and misusedetection technique to detect the hello flooding wormholeand Sybil attacks with higher detection ratio and lower falsealarm

At first the Sybil attack detection is based on theAdvanced Sybil Attack Detection Algorithm (ASADA) withfuzzification method along MPNN it is utilized to sep-arate the Sybil node and legitimate node even if it hasthe highest mobility through the verification process usingRSSI (Received Signal Strength Indicator) Then to identifythe wormhole attack we propose the Wormhole ResistantHybrid Technique (WRHT) with fuzzification method along



2 Literature Review
































n0

n1

n2

n3

n4

n5

n6

n7

n8

n9

n10






(1)



X

Y

A

B











(TDP119875) = 1 minus ( 119899prod119895=1

(1 minus TDP119895)) (3)


119895=1

(1 minus PLP119895)) (4)




















Testing data

Training data

Unlabeled data


Mild fuzziness

MPNN model

MPNN model


BPNN

FFNN









(5) 119865(120583 cup 120590) + 119865(120583 cap 120590) = 119865(120583) + 119865(120590)



119890119903119894 = 119889119894 minus 119886119894 (8)



















119865 (119881) = minus1119899119899sum119894=1







(1) Accuracy

Acc = sum119862119894=1 TP119894119873 (10)

(2) Recall

Recall = TP119894TP119894 + FN119894

(11)


AAcc = 1119862119888sum119894=1

Recall119894 (12)

(4) Precision


(13)


Classifier

Training data

Testing data



KDD dataset

Testing data

Unlabeled data

Training data FFNN

BPNN

Fuzziness rules set


Time duration


(5) 119865-measure


(14)


Attacc = 1119862 minus 1119888sum119894=2

Recall119894 (15)



















Throughput





) lowast 100 (18)




















Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











2 Literature Review
































n0

n1

n2

n3

n4

n5

n6

n7

n8

n9

n10






(1)



X

Y

A

B











(TDP119875) = 1 minus ( 119899prod119895=1

(1 minus TDP119895)) (3)


119895=1

(1 minus PLP119895)) (4)




















Testing data

Training data

Unlabeled data


Mild fuzziness

MPNN model

MPNN model


BPNN

FFNN









(5) 119865(120583 cup 120590) + 119865(120583 cap 120590) = 119865(120583) + 119865(120590)



119890119903119894 = 119889119894 minus 119886119894 (8)



















119865 (119881) = minus1119899119899sum119894=1







(1) Accuracy

Acc = sum119862119894=1 TP119894119873 (10)

(2) Recall

Recall = TP119894TP119894 + FN119894

(11)


AAcc = 1119862119888sum119894=1

Recall119894 (12)

(4) Precision


(13)


Classifier

Training data

Testing data



KDD dataset

Testing data

Unlabeled data

Training data FFNN

BPNN

Fuzziness rules set


Time duration


(5) 119865-measure


(14)


Attacc = 1119862 minus 1119888sum119894=2

Recall119894 (15)



















Throughput





) lowast 100 (18)




















Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

































n0

n1

n2

n3

n4

n5

n6

n7

n8

n9

n10






(1)



X

Y

A

B











(TDP119875) = 1 minus ( 119899prod119895=1

(1 minus TDP119895)) (3)


119895=1

(1 minus PLP119895)) (4)




















Testing data

Training data

Unlabeled data


Mild fuzziness

MPNN model

MPNN model


BPNN

FFNN









(5) 119865(120583 cup 120590) + 119865(120583 cap 120590) = 119865(120583) + 119865(120590)



119890119903119894 = 119889119894 minus 119886119894 (8)



















119865 (119881) = minus1119899119899sum119894=1







(1) Accuracy

Acc = sum119862119894=1 TP119894119873 (10)

(2) Recall

Recall = TP119894TP119894 + FN119894

(11)


AAcc = 1119862119888sum119894=1

Recall119894 (12)

(4) Precision


(13)


Classifier

Training data

Testing data



KDD dataset

Testing data

Unlabeled data

Training data FFNN

BPNN

Fuzziness rules set


Time duration


(5) 119865-measure


(14)


Attacc = 1119862 minus 1119888sum119894=2

Recall119894 (15)



















Throughput





) lowast 100 (18)




















Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










X

Y

A

B











(TDP119875) = 1 minus ( 119899prod119895=1

(1 minus TDP119895)) (3)


119895=1

(1 minus PLP119895)) (4)




















Testing data

Training data

Unlabeled data


Mild fuzziness

MPNN model

MPNN model


BPNN

FFNN









(5) 119865(120583 cup 120590) + 119865(120583 cap 120590) = 119865(120583) + 119865(120590)



119890119903119894 = 119889119894 minus 119886119894 (8)



















119865 (119881) = minus1119899119899sum119894=1







(1) Accuracy

Acc = sum119862119894=1 TP119894119873 (10)

(2) Recall

Recall = TP119894TP119894 + FN119894

(11)


AAcc = 1119862119888sum119894=1

Recall119894 (12)

(4) Precision


(13)


Classifier

Training data

Testing data



KDD dataset

Testing data

Unlabeled data

Training data FFNN

BPNN

Fuzziness rules set


Time duration


(5) 119865-measure


(14)


Attacc = 1119862 minus 1119888sum119894=2

Recall119894 (15)



















Throughput





) lowast 100 (18)




















Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation



























Testing data

Training data

Unlabeled data


Mild fuzziness

MPNN model

MPNN model


BPNN

FFNN









(5) 119865(120583 cup 120590) + 119865(120583 cap 120590) = 119865(120583) + 119865(120590)



119890119903119894 = 119889119894 minus 119886119894 (8)



















119865 (119881) = minus1119899119899sum119894=1







(1) Accuracy

Acc = sum119862119894=1 TP119894119873 (10)

(2) Recall

Recall = TP119894TP119894 + FN119894

(11)


AAcc = 1119862119888sum119894=1

Recall119894 (12)

(4) Precision


(13)


Classifier

Training data

Testing data



KDD dataset

Testing data

Unlabeled data

Training data FFNN

BPNN

Fuzziness rules set


Time duration


(5) 119865-measure


(14)


Attacc = 1119862 minus 1119888sum119894=2

Recall119894 (15)



















Throughput





) lowast 100 (18)




















Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation


























119865 (119881) = minus1119899119899sum119894=1







(1) Accuracy

Acc = sum119862119894=1 TP119894119873 (10)

(2) Recall

Recall = TP119894TP119894 + FN119894

(11)


AAcc = 1119862119888sum119894=1

Recall119894 (12)

(4) Precision


(13)


Classifier

Training data

Testing data



KDD dataset

Testing data

Unlabeled data

Training data FFNN

BPNN

Fuzziness rules set


Time duration


(5) 119865-measure


(14)


Attacc = 1119862 minus 1119888sum119894=2

Recall119894 (15)



















Throughput





) lowast 100 (18)




















Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










Classifier

Training data

Testing data



KDD dataset

Testing data

Unlabeled data

Training data FFNN

BPNN

Fuzziness rules set


Time duration


(5) 119865-measure


(14)


Attacc = 1119862 minus 1119888sum119894=2

Recall119894 (15)



















Throughput





) lowast 100 (18)




















Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation















Throughput





) lowast 100 (18)




















Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation























Acknowledgments


References

































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation







































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









fuzzy based advanced hybrid intrusion detection system to...

Documents