research article wsn-ds: a dataset for intrusion...

Research ArticleWSN-DS: A Dataset for Intrusion Detection Systems inWireless Sensor Networks

Iman Almomani,1,2 Bassam Al-Kasasbeh,2 and Mousa AL-Akhras2,3

1Computer Science Department, College of Computer and Information Sciences, Prince Sultan University, Riyadh, Saudi Arabia2Computer Science Department/Computer Information Systems Department, King Abdullah II School forInformation Technology (KASIT), The University of Jordan, Amman, Jordan3Computer Science Department, College of Computation and Informatics, Saudi Electronic University, Riyadh, Saudi Arabia

Correspondence should be addressed to Iman Almomani; [email protected]

Received 25 March 2016; Accepted 28 August 2016

Academic Editor: Hana Vaisocherova

Copyright © 2016 Iman Almomani et al. This is an open access article distributed under the Creative Commons AttributionLicense, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properlycited.

Wireless Sensor Networks (WSN) have become increasingly one of the hottest research areas in computer science due to their widerange of applications including critical military and civilian applications. Such applications have created various security threats,especially in unattended environments. To ensure the security and dependability of WSN services, an Intrusion Detection System(IDS) should be in place.This IDS has to be compatible with the characteristics ofWSNs and capable of detecting the largest possiblenumber of security threats. In this paper a specialized dataset for WSN is developed to help better detect and classify four types ofDenial of Service (DoS) attacks: Blackhole, Grayhole, Flooding, and Scheduling attacks. This paper considers the use of LEACHprotocol which is one of the most popular hierarchical routing protocols in WSNs. A scheme has been defined to collect datafrom Network Simulator 2 (NS-2) and then processed to produce 23 features. The collected dataset is called WSN-DS. ArtificialNeural Network (ANN) has been trained on the dataset to detect and classify different DoS attacks. The results show that WSN-DS improved the ability of IDS to achieve higher classification accuracy rate. WEKA toolbox was used with holdout and 10-FoldCross Validation methods. The best results were achieved with 10-Fold Cross Validation with one hidden layer. The classificationaccuracies of attacks were 92.8%, 99.4%, 92.2%, 75.6%, and 99.8% for Blackhole, Flooding, Scheduling, and Grayhole attacks, inaddition to the normal case (without attacks), respectively.

1. Introduction

Wireless Sensor Networks (WSN) have become increasinglyan important field of research due to their wide range ofreal-time applications like critical military surveillance, bat-tlefields, building securitymonitoring, forest firemonitoring,and healthcare [1]. A WSN consists of large number ofautonomous sensor nodes, which are distributed in differentareas of interest to gather important data and cooperativelytransmit the collected datawirelessly to amore powerful nodecalled sink node or Base Station (BS) [2, 3].Thedata transmit-ted across the network depend on specializedWSNprotocols.Therefore, protecting WSN from different security threatsis essential. Unfortunately, achieving this objective becomesa major challenge because of the constrained resources of

WSNs including battery energy, memory, and processingcapabilities [4]. Such limiting characteristicsmake traditionalsecurity measures like cryptography not always sufficient forsuch networks.

WSNs are highly vulnerable to attacks, due to their openand distributed nature and limited resources of the sensornodes. Moreover, in WSNs packets broadcasting has to bedone frequently, sensor nodes can be deployed randomlyin an environment so an attacker adversary can be easilyinjected to a WSN [5].

An attacker can compromise a sensor node, eavesdropmessages, inject fake messages, alter the integrity of the data,and waste network resources. Denial of Service (DoS) attackis considered one of the most general and dangerous attacksthat threaten WSN security. This attack has several forms

Hindawi Publishing CorporationJournal of SensorsVolume 2016, Article ID 4731953, 16 pageshttp://dx.doi.org/10.1155/2016/4731953

2 Journal of Sensors

and its main objective is to interrupt or suspend the servicesprovided by WSNs [6, 7].

Because the process of avoiding or preventing securitythreats cannot be always successful, an Intrusion DetectionSystem (IDS) is needed to detect known andunknown attacksand alert sensor nodes about them [3, 4]. IDS allows detectingsuspicious or abnormal activities and triggers an alarm whenan intrusion occurs. The implementation of IDSs for WSNsare more difficult than other systems because sensor nodesare usually designed to be tiny and cheap, and they do nothave enough hardware resources. Additionally, there is nospecialized dataset that contains normal profiles and attacksin WSN that can be used to detect an attacker signature[3]. Considering the above challenges, there are mainly twoconditionswhile designing IDS forWSNs:The IDSmust be ofhigh degree of accuracy in detecting an intruder that includesunknown attacks, and it also must be lightweight to ensureminimum overhead on the infrastructure of WSNs [8].

In this paper a specialized WSN dataset is constructedto characterize four types of DoS attacks in addition to thenormal behavior when no attacks exist.WSNs’ characteristicsand challenges were considered when Low Energy AwareCluster Hierarchy (LEACH) [9] routing protocol was usedin this study. This choice was made since LEACH is oneof the most popular hierarchical routing protocols in WSNsthat consumes limited energy and is characterized by itssimplicity. The constructed dataset is called WSN-DS.

The rest of paper is organized as follows. Section 2provides an overview of LEACH protocol, IDSs, and reviewsrelated work. Section 3 analyzes LEACH protocol math-ematically; Section 4 describes the extracted features ofthe constructed dataset. Section 5 models different attacks.Section 6 presents the experimental results obtained fromIDS and discusses the importance of the achieved results.Conclusions and avenues for future work are presented inSection 7.

2. Background and Related Works

This section presents an overview of LEACH protocol,LEACH-based protocols, DoS, and IDS in WSNs.

2.1. LEACH Protocol Overview. LEACH is a hierarchicalrouting protocol used in WSNs to increase the network’slifetime [9–11]. LEACH is a clustering, adaptive, and self-organizing protocol. LEACH assumes that BS is fixed andlocated far from sensor nodes. Additionally, all sensor nodesare homogeneous and have limited energy and memory.Sensors can communicate among each other and they cancommunicate directly with the BS. The main idea of LEACHprotocol is to organize nodes into clusters to distribute theenergy among all nodes in the network. Also, in each clusterthere is a node called Cluster Head (CH) which aggregatesthe data received from sensors within its cluster and forwardthem to the BS. Figure 1 shows the structure of nodes inLEACH routing protocol. Each round in LEACH protocolconsists mainly of two phases: setup phase and steady-statephase. In the setup phase, clusters are formed, whereas in the

Cluster head Member node

Cluster 1

Cluster 2

Cluster 3

Sink

Figure 1: Nodes structure in LEACH routing protocol.

steady-state phase, sensed data will be transferred to the sinknode [12].

At the beginning of the setup phase, every node generatesa random number between 0 and 1, and it then computesa threshold formula 𝑇(𝑛), as shown in (1). If the selectedrandom number is less than the threshold value, the nodebecomes a CH:

𝑇 (𝑛) = {{{01 − 𝑝 × (𝑟 mod 𝑝−1) , ∀𝑛 ∈ 𝑁

0, otherwise, (1)

where 𝑝 is the CH probability (usually in LEACH a nodebecomes CHwith a probability of 0.05),𝑁: is the set of nodesthat have not been a CH, in the last 1/𝑝 rounds, and 𝑟 is thecurrent round.

CH in the first round cannot be CH again in the next1/𝑝 rounds. After 1/𝑝 − 1 rounds, the threshold valuebecomes 1 for any sensor node that has not been CHyet, and after 1/𝑝 rounds, all nodes are eligible again tobecome CHs. Once CHs are assigned for all clusters, eachCH will broadcast an advertisement message (ADV CH) tothe rest of nodes using Carrier Sense Multiple Access-MediaAccess Control (CSMA-MAC) protocol [9]. After receivingADV CH message, each node decides to which cluster itbelongs by selecting a CH based on the Received SignalStrength Indication (RSSI) of the advertisement message, thenode then sends a (JOIN REQ) message to the selected CHwith the highest RSSI. Each node uses CSMA-MAC protocolto transmit its selection [9, 10]. During the setup phase,all CHs keep their receivers ON. After clusters formation,each CH creates a Time Division Multiple Access (TDMA)schedule according to the number of nodes in its cluster calledCluster Members (CM) and broadcasts it to them.

During steady-state phase, each sensor node collects dataand transmits them to its CH during its allocated time slotaccording to the TDMA schedule. CHs receive all the dataand aggregate them before sending them to the BS. Aftera predetermined time, the network starts another round bygoing back to the setup and steady-state phases again [9].

2.2. LEACH-Based Protocols. LEACHwas and still is studiedin enormous number of research articles. The authors in [13]

Journal of Sensors 3

provided a review of 27 clustering and routing techniquesbased on LEACH protocol for WSNs that includes a com-prehensive discussion and comparisons among them. Theauthors in [14, 15] highlighted LEACHprotocol andpresentedfifteen LEACH improved versions introduced in the liter-ature. The papers have compared some features of severalvariants of LEACH protocol not empirically but based ontheir descriptions. In [16] the author proposed and evaluatedtwo new clustering-based protocols for heterogeneousWSNsthat were built based on LEACH protocol by consideringthree types of nodes with different battery energies, whichwas the source of heterogeneity in the author’s protocols.

LEACH-ICE (LEACH Inner Cluster Election) algorithmbased on LEACH algorithm was introduced in [17]. Thethreshold function of the node selected as CH is adjusted.Also, direct communication with the BS occurs when a nodeis closer to the BS. To improve the clustering mechanism,LEACH-ICE elects a new CH inside the cluster when theresident energy of the current CH is lower than a predefinedthreshold.

In [18] the authors proposed an energy efficient secondaryCH selection algorithm forWSN. By controlling the distancesamong the CHs, a uniform distribution of CHs is satisfied.Two-level hierarchy mode was applied to transmit data to theBS. LEACH is compared with the improved LEACH-TLCHmethod. Simulation results show that the improved methodcan reduce the network consumption of energy and lengthenthe network’s lifetime.

In [19], a distributive Energy Neutral Clustering (ENC)protocol was proposed to group the network into severalclusters, with the goal of providing perpetual network oper-ation. ENC employs a novel Cluster Head Group (CHG)mechanism that allows a cluster to use multiple CHs to shareheavy traffic load and to reduce the frequency of clusterreformation. An extension to ENC based on convex opti-mization techniques of the number of clusters was proposedto group the network into equal-sized clusters to maximizenetwork information gathering. According to the authors’experiments, the proposed protocol can successfully preventsensors from shutting down due to excessive usage of energy.

2.3. DoS and IDS in WSN. As mentioned earlier, DoS is acommon attack that could have a severe impact on WSN’sfunctionalities and services [20]. Many different types of DoSattacks have been identified so far, for example, Blackholeattack, Grayhole attack, Flooding attack, andWormhole. Theseriousness of DoS attack stems from the fact that mostWSNapplications require the deployment of a sensor node in harshenvironments where they are far away and difficult to becontrolled [20, 21]. Recently, many researches are going onin an attempt to find solutions for DoS attacks, but mainlythey have tackled one or two forms of these attacks but notthe majority [2, 22–24]. Moreover, they offer partial solutionsand they cannot be applied concurrently because they willconsume high energy, which is not practical in WSNs [2, 25].Therefore, a mechanism should be found to identify differentbehaviors of DoS attacks and classify them to take effectivecountermeasures.

Cryptography is a security mechanism that is used forprotecting WSN against external attacks. It ensures manysecurity services including integrity and authentication bychecking the data packet source and its contents usingseveral techniques such as symmetric encryption, public keycryptography, and hash functions [25]. These techniquescannot be used to detect internal attacks when security keysare exposed to the attacker which uses them to performencryption and decryption of messages’ contents. Conse-quently, such techniques serve as first line of defense [5].Attackers always attempt to launch new and unknown attacksin more than one way; therefore, it is necessary to create anefficient IDS, which acts as a second line of defense to detectknown and unknown attacks and alert sensor nodes aboutthem. IDS allows detecting suspicious or abnormal activitiesand triggers alarms when intrusions are detected [26].

The National Institute of Standards and Technology(NIST) [27] categorized intrusion detection into two mainapproaches: anomaly detection and misuse detection. Inanomaly detection the system depends on prior knowledge ofnormal behavior of the network which will be then comparedwith its current activities. In misuse detection, the systemdepends on prior knowledge of attack signatures. It comparesthe signature with the current activities in the network.

IDS has become an important security component ofWSNs; however, the implementation of IDS in WSNs intro-duces number of challenges that can have negative impacton WSN performance [28]. It is inefficient to use IDS inevery sensor node due to the resource-constrained nature ofsuch nodes. IDS components should be installed in placeswhere sensor nodes can be followed to be able to defendagainst certain threats to the network. IDS is also used inWSNs where huge amount of traffic is transmitted; therefore,there is a possibility an intrusion could be missed as sensornodes generally have restrictions in handling huge data in thenetwork.

There are two main components of IDS, features extrac-tion and modeling algorithm. Features extraction definesmeasured attributes that are linked to the IDS functionalities.Modeling algorithm is the main component; the accuracyand the efficiency of detecting and responding to intrusionsdepend on the modeling algorithm. IDS may have compo-nents that depend on the network characteristics and possibleintrusions [29]. Most of IDSs have six common componentsas shown in Figure 2:

(1) Monitoring component: which is used for local activ-ity monitoring or for monitoring neighbor sensornodes. This component mostly monitors internalactivities, traffic patterns, and resource utilization.

(2) Analysis component: which contains all records ofnormal and abnormal behaviors for all nodes in thenetwork [30].

(3) Detection component: which is the main componentthat is built based on the modeling algorithm. Itworks after analyzing network behaviors. Decisionsaremade to declare such behaviors asmalicious or not[31].


Monitoring Analysis Detection

Logging

Alarming

Prevention

Figure 2: IDS components.

The other three components of IDS consist of actions thatcan be taken, either one, two, or all of them [32]:

(4) Logging: storing each packet in a log file so that secu-rity administrator can use it for later analysis.

(5) Alarming: a responding generating component incase of detection of an intrusion. The responsemay trigger an alarm to announce the misbehavingnode(s).

(6) Prevention: an advanced step that can be added to IDSto enable it to take an action to prevent dealingwith anattack once detected. This can be done, for example,by excluding harmful nodes from the network [30].

Designing a specialized dataset forWSN to achieve betterdetection and classification of DoS attacks is the main aim ofthis paper. The authors in [30] presented current IDSs and acomparison among them. The authors revised mechanisms,attacks, and evaluation metrics but without mentioning theuse of specialized datasets. The comparison depended on thetype of IDSs, whether it is anomaly-based, signature-based,hybrid, or cross layer.

Knowledge Discovery and Data Mining Tools Competi-tion (KDD) dataset [33] was constructed for Local Area Net-work (LAN). KDD is not specialized for wireless in generaland WSN in particular, even though many researchers haveused it to deal with fraud and intrusion detection [34].

Anomaly, signature, and hybrid-based IDSs have beenreviewed in [35].Mainly KDDCup-99was used in these IDSs.For example, in the eight studied hybrid-based IDSs, four ofthem have used KDDCup-99 and the rest have used real datasamples.

Other researches which also considered KDD in theiranalysis and classifications can be found in [36–38].

It can be concluded that there is no specialized datasetforWSN that has been reported in the literature for detectingand classifying as many DoS as possible. Therefore, there isan urgent need to define a labelled, specialized dataset thatsuccessfully characterizes WSN to help in studying normaland anomaly behaviors. The construction and testing of suchdataset are proposed in this paper.

3. LEACH Mathematical Analysis

To ensure the correctness of the constructed dataset calledWSN-DS, a mathematical analysis has been conducted to allLEACH phases and then has been compared to the results ofsimulation in case of normal situation when there is no DoSattack. The terms used in LEACH’s mathematical model arelisted as follows:

LEACHMathematical Model Terms

𝑁: number of sensor nodes in WSNS𝑖: senor node 𝑖NC: number of CHsCM: number of members within a clusterADV-CH-SENT: number of advertisement messagessent by CHADV-CH-RCVD: number of advertisementmessagesreceived by sensor nodesJOIN-REQ-SENT: number of join request messagessent by sensor nodesJOIN-REQ-RCVD: number of join request messagesreceived by CHsTDMA-SENT: number of TDMA schedules sent byCHsTDMA-RCVD: number of TDMA schedules receivedby sensor nodesNO-DATA-PKT: number of data packets received bya CH

3.1. Advertisement Phase. Theorem 1 calculates the numberof advertisement messages that are sent by CHs and receivedby CMs in a specific round as follows.

Theorem 1. In the advertisement phase of LEACH, maximumADV-CH-SENT in a specific round is 𝑁𝐶 and the maximumADV-CH-RCVD is (𝑁 − 1) ∗ 𝑁𝐶.


Table 1: Comparison between the mathematical model and simulation results.

Round Number of clusters ADV-CH-Sent ADV-CH-Rcvd Join-Req-Sent Join-Req-Rcvd BS receivesMath Sim. Math Sim. Math Sim. Math Sim. Math Sim.

1 4 4 4 396 396 96 96 96 96 238 2382 2 2 2 198 198 98 98 98 98 53 533 3 3 3 297 297 97 97 97 97 126 1264 2 2 2 198 198 98 98 98 98 59 595 7 7 7 693 693 93 93 93 93 563 5636 6 6 6 594 594 94 94 94 94 516 5167 4 4 4 396 396 96 96 96 96 268 2688 4 4 4 396 396 96 96 96 96 291 2919 5 5 5 495 495 95 95 95 95 447 44710 7 7 7 693 693 93 93 93 93 695 69511 6 6 6 594 594 94 94 94 94 456 45612 6 6 6 594 594 94 94 94 94 363 36313 1 1 1 99 99 99 99 99 99 13 1314 7 7 7 693 693 93 93 93 93 629 629

Table 2: ApplyingTheorem 3 equation to round 1 of simulation round.

Cluster number Number of nodes within CH Number of packets received(No-DATA-PKT) Number of packets sent to BSCluster 1 25 1200 48Cluster 2 30 1230 41Cluster 3 8 880 111Cluster 4 33 1254 38

ApplyingTheorem 3 equation ∑NC𝑖=1(NO-DATA-PKT/CM of CH𝑖) Total: 238

Proof. According to LEACH, each CH in each round issupposed to broadcast an advertisement message to the restof nodes. Therefore, in case of having NC cluster heads,then ADV-CH-SENT equals NC. On the other hand, theseadvertisement messages (NC) will be received by all sensornodes (𝑁) except the CH node itself which equals (𝑁 − 1) ∗NC.

3.2. Cluster Setup Phase. Theorem 2 calculates the number ofjoin request messages sent by sensor nodes and received byCHs in order to associate with them.

Theorem 2. In clusters setup phase of LEACH, the maximumJOIN-REQ-SENT equals JOIN-REQ-RCVD which is𝑁−𝑁𝐶.Proof. According to LEACH, once each sensor node hasdecided to which cluster it will belong, then it informs itsCH by sending a (JOIN REQ) message. Therefore, all sensornodes (𝑁) except CHs (NC) will send (JOIN REQ) messages(𝑁 − NC) and these messages will also be received byCHs.

3.3. Data Transmission Phase. Theorem 3 calculates theamount of sensed data packets that are delivered to the BSat the end of each round.

Theorem 3. In the data transmission phase of LEACH, atthe end of each round, BS receives ∑𝑁𝐶

𝑖=1(𝑁𝑂-𝐷𝐴𝑇𝐴-𝑃𝐾𝑇/𝐶𝑀 𝑜𝑓 𝐶𝐻𝑖) packets.

Proof. According to LEACH, when the CH receives thesensed data from the sensors nodes (CMs) according to theirtime slots assigned by TDMA schedule, it aggregates theminto one packet and sends it to the BS. Throughout theround, the number of packets sent to the CH from CMs is(NO-DATA-PKT) but due to the aggregation process only(NO-DATA-PKT/CMs of CH𝑖) packets will be sent to theBS. Having NC of CHs, then the overall data packets receivedby BS are ∑NC

𝑖=1(NO-DATA-PKT/CM of CH𝑖).

3.4. Comparison betweenMathematicalModel and SimulationResults. To confirm the correctness of the simulation whichis used to collect data to construct the dataset, a comparisonis performed between the mathematical analysis and simula-tion results. The comparison will be based on sample of thesimulation results representing the first 14 rounds as after thisround nodes start to die. In the first 14 rounds, the numberof alive nodes is 100. Table 1 shows this comparison. Themathematical results were obtained by applying the equationsin Theorems 1–3, while the simulation results were obtainedfrom Network Simulator 2 (NS-2) simulator.

For more clarification, Table 2 presents how the mathe-matical formula of Theorem 3 is applied to a sample round(Round 1) in one of the simulation scenarios to calculate thenumber of received data packets by BS.

Table 1 shows 100% match between the mathemati-cal model and the simulation results. This is due to thebehavior of LEACH protocol which implements dynamic


Table 3: Observations for five different simulation scenarios (A–E) when determining the number of nodes monitored by each node.

Number ofneighbors towatch

Max number of monitors for aspecific node

Min number of monitors for aspecific node

Number of overall monitorednodes

A B C D E A B C D E A B C D E3 6 7 7 6 7 0 0 0 1 0 97 99 99 100 974 7 9 8 8 9 0 0 0 1 0 99 99 99 100 995 10 9 10 10 10 1 1 1 1 2 100 100 100 100 1006 11 12 11 10 13 1 1 1 2 2 100 100 100 100 100

TDMA Scheduling technique at the data transmission level.Additionally, it uses both Code Division Multiple Access(CDMA) andCSMA codes to avoid and reduce collisions andinterferences that may exist in the network.

4. WSN-DS Dataset Description and Creation

In order to build the dataset and collect the required datafrom the sent and received packets withinWSN, amonitoringservice is needed with minimum cost. On the other hand, weneed to guarantee that necessary data related to the networkwhich help in detecting, classifying, and then preventingdifferent possible attacks are collected. In this research, todistribute the load among sensor nodes, each sensor will takepart in the monitoring process and should be able to monitorset of its neighbors.The challenge was how to find the suitablenumber of nodes to be watched by a sensor node in orderto monitor all network sensors. Many experiments have beenconducted to decide on this number and the summary of theresults is shown in Table 3.

When each sensor node has watched 3 nodes of itsneighbors, it has been noticed that the largest number ofsensor nodes which could be monitored by a single node wasseven. In other words, the BS has received seven differentreports about the same node from seven different watchingnodes. Tomake sure that the received information are correct,these reports could be checked for consistency. In somescenarios, some sensor nodes were not monitored by anysensor. This indicates that monitoring 3 neighboring nodesis not enough to get information about all network sensornodes.

Additionally, an improvement has occurred when 4neighbors are being watched. But only when the numberis 5, all sensor nodes are being watched in all 5 scenarios.Similar results have been obtained when a sensor node waswatching 6 of its neighbors. Consequently, it has been foundthat monitoring 5 neighbors is enough to get informationabout all nodes in the network and there is no need to increasethe computational complexity by going further.

Choosing 5 neighbors to be monitored is done at thebeginning of the simulation. All nodes broadcast a Hellomessage. Accordingly, each node selects the first 5 nodesit heard from. Then it monitors them over the simulationperiod, so that each node sends a report to its CH at theend of each round. Then the CH sends the received reportsto the BS. For security purposes and in case of suspectingthe CH and having one monitor for this node (one report),

these reports could be sent directly to the BS at the expenseof consuming more energy if this node is further from the BSthan theCH.After deep study of LEACHrouting protocol, wehave succeeded to extract 23 attributes to help in identifyingthe status of each node in the network, These attributes arelisted as follows.

WSN-DS Dataset Attributes

Node ID: a unique ID to distinguish the sensor nodein any round and at any stage. For example, nodenumber 25 in the third round and in the first stageis to be symbolized as 001 003 025.Time: the current simulation time of the node.Is CH? A flag to distinguish whether the node is CHwith value 1 or normal node with value 0.Who CH?The ID of the CH in the current round.RSSI: Received Signal Strength Indication betweenthe node and its CH in the current round.Distance to CH: the distance between the node and itsCH in the current round.Max distance to CH: the maximum distance betweenthe CH and the nodes within the cluster.Average distance to CH: the average distance betweennodes in the cluster to their CH.Current energy: the current energy for the node in thecurrent round.Energy consumption: the amount of energy con-sumed in the previous round.ADV CH send: the number of advertise CH’s broad-cast messages sent to the nodes.ADV CH receives: the number of advertise CH mes-sages received from CHsJoin REQ send: the number of join request messagessent by the nodes to the CH.Join REQ receive: the number of join request mes-sages received by the CH from the nodes.ADV SCH send: the number of advertise TDMAschedule broadcast messages sent to the nodes.ADV SCH receives: the number of TDMA schedulemessages received from CHs.Rank: the order of this node within the TDMAschedule.


N →Network SizeSN→ Sensor NodeMN→Malicious NodeCH→ Cluster HeadBS→ Base StationCM→ Cluster MemberNC→ Cluster Heads listx → Integer value between 0 and𝑁 − 1∀ SN𝑖, 0 < 𝑖 ≤ 𝑁, compute𝑇(SN

𝑖) and random 𝑟SN𝑖

IF (𝑟SN𝑖 < 𝑇(SN𝑖)) THEN

SN𝑖= CH

ELSESN𝑖= CM

ENDIF∀CH𝑗, 𝑗 ∈ NC{CH𝑗 broadcasts the advertisement message (ADV CH)x CMs will join CH𝑗CH𝑗 creates TDMA schedulex CMs send data to CH𝑗 in the corresponding TDMA time slot}

IF CH𝑗 = MN THENPerforms the attack by dropping all packets

ELSESends aggregated data to BS

ENDIF

Algorithm 1: Model of Blackhole attack.

Data sent: the number of data packets sent from asensor to its CH.Data received: the number of data packets receivedfrom CH.Data sent to BS: the number of data packets sent tothe BS.Distance CH to BS: the distance between the CH andthe BS.Send Code: the cluster sending code.Attack Type: type of the node. It is a class of five pos-sible values, namely, Blackhole, Grayhole, Flooding,and Scheduling, in addition to normal, if the node isnot an attacker.

5. Attack Models

Four types of DoS attacks in LEACH protocol are imple-mented in the constructed dataset; Blackhole, Grayhole,Flooding, and Scheduling attacks. This section models eachone of these attacks. To ensure proper distribution of theattacker nodes, the network terrain has been divided into 10regions.Then the attackers’ ratios according to the simulationscenario were distributed randomly within these regions.

5.1. Blackhole Attack. Blackhole attack is a type of DoS attackwhere the attacker affects LEACH protocol by advertisingitself as a CH at the beginning of the round. Thus, any nodethat has joined this CH during this round will send the data

packets to it in order to be forwarded to the BS.The Blackholeattacker assumes the role of CH and it will keep droppingthese data packets and not forwarding them to the BS [39–41]. Algorithm 1 shows the algorithm of Blackhole attack.

To implement this attack in the simulation environment,several attackers’ intensities (10%, 30%, and 50%) have beeninjected randomly to perform Blackhole attack.These attack-ers which act as CHs will drop all the packets relayed throughthem in their way to the BS.

5.2. Grayhole Attack. Grayhole attack is a type of DoS attackwhere the attacker affects LEACH protocol by advertisingitself as a CH for other nodes.Therefore, when the forged CHreceives data packets from other nodes, it drops some packets(randomly or selectively) and prevents them from reachingthe BS [40–42]. Algorithm 2 shows the algorithm of Grayholeattack.

Similar to Blackhole attack, 10%, 30%, and 50% ofthe sensor nodes are injected randomly to implement theGrayhole attack. The decision whether to forward a specificpacket or not is also devised randomly. But the decision canbe done selectively based on the sensitivity of the sensed datacarried by the packet.

5.3. Flooding Attack. Flooding attack is a type of DoS attackwhere the attacker affects LEACH protocol in more thanone way. This research studies the impact of Floodingattack by sending large number of advertising CH massages(ADV CH) with high transmission power. Consequently,when sensors receive large number of ADV CH messages,


N → Network SizeSN→ Sensor NodeMN→Malicious NodeCH→ Cluster HeadBS→ Base StationCM→ Cluster MemberNC→ Cluster Heads listx → Integer value between 0 and𝑁 − 1∀ SN𝑖, 0 < 𝑖 ≤ 𝑁, compute𝑇(SN



SN𝑖= CH

ELSESN𝑖= CM

ENDIF∀CH𝑗, 𝑗 ∈ NC{CH𝑗 broadcasts the advertisement message (ADV CH)x CMs will join CH𝑗CH𝑗 creates TDMA schedulex CMs send data to CH𝑗 in the corresponding TDMA time slot}IF CH = MN THEN

Performs the attack by dropping some packets (randomly or selectively)ELSE

Sends aggregated data to BSENDIF

Algorithm 2: Model of Grayhole attack.

this will consume sensors’ energy and waste more time todetermine which CH to join. Moreover, the attacker attemptsto cheat victims to choose it as a CH, especially those nodesthat are located on a far distance from it in order to consumetheir energy [40, 43]. Algorithm 3 shows the algorithm ofFlooding attack.

Flooding attack has been implemented in several waysin the simulation environment. In some experiments 10ADV CHmessages were sent by the attacker; other scenariosconsider 50 ADV CH messages to be sent or a randomnumber between 10 and 50.The idea is when more ADV CHmessages are sent, more messages will be received andmore energy will be consumed. We have already studied in[44] the impact of Flooding attack on WSN lifetime. Theenergy consumption was shown in each round using severalattackers’ ratios.

5.4. Scheduling Attack. Scheduling attack was introduced in aprevious study of the authors [44]. Scheduling attack occursduring the setup phase of LEACH protocol, when CHs setup TDMA schedules for the data transmission time slots.Theattackerwhich acts as aCHwill assign all nodes the same timeslot to send data. This is done by changing the behavior frombroadcast to unicast TDMA schedule. Such change will causepackets collision which leads to data loss. Algorithm 4 showsthe algorithm of Scheduling attack.

The implementation of Scheduling attack is performedby setting the same time for all Cluster Members to sendtheir data packets. Other scenarios assign every two nodesthe same time or every five nodes the same time.

In [44] it has been shown that the risk of DoS attackers onLEACH protocol services could be significant. The attackerscan influence the network in more than one way, throughwasting the nodes’ energy or dropping their data packets.This badly affects the services provided by WSN. Therefore,a methodology to detect such attacks and protect differentservices provided by WSN is urgently required.

Section 6 illustrates the importance of studying normaland anomaly (under attack) behaviors of WSN protocolsand presenting them through a specialized dataset (WSN-DS). WSN-DS allows several intelligent and data miningapproaches to be applied for the aim of better detectionand classification of DoS attacks. As a result, sensor nodeswill be more experienced with the normal behaviors andattackers’ signatures andwill be able tomake proper decisionsat the right time. In this research ANN is applied to test theconstructed dataset andmeasure its accuracy in detecting andclassifying four types of DoS attacks.

6. Experiments and Results

In this paper, WSN-DS, a specialized dataset for WSN todetect DoS attacks, was constructed. LEACH protocol wasused to collect the dataset because it is one of the mostcommon and widely used routing protocols in WSNs. WSN-DS contains 374661 records that represent four types ofDoS attacks: Blackhole, Grayhole, Flooding, and Schedul-ing attack, in addition to the normal behavior (no-attack)records. Table 4 shows sample fromWSN-DS dataset to helpin detecting and classifying DoS attacks.


N → Network SizeSN→ Sensor NodeMN→Malicious NodeCH→ Cluster HeadBS→ Base StationCM→ Cluster MemberNC→ Cluster Heads listx→ Integer value between 0 and𝑁 − 1∀ SN𝑖, 0 < 𝑖 ≤ 𝑁, compute𝑇(SN



SN𝑖= CH

ELSESN𝑖= CM

ENDIF∀CH𝑗, 𝑗 ∈ NC{IF CH𝑗 = MN THEN

CH𝑗 broadcasts a lot of advertisement messages (ADV CH) withhigh transmitting power.

ELSECH𝑗 broadcasts normal advertisement message (ADV CH)

ENDIFx CMs will join CH𝑗CH𝑗 creates TDMA schedulex CMs send data to CH𝑗 in the corresponding TDMA time slot}

Algorithm 3: Model of Flooding attack.

N→ Network SizeSN→ Sensor NodeMN→Malicious NodeCH→ Cluster HeadBS→ Base StationCM→ Cluster MemberNC→ Cluster Heads listx→ Integer value between 0 and𝑁 − 1∀ SN𝑖, 0 < 𝑖 ≤ 𝑁, compute𝑇(SN



SN𝑖= CH

ELSESN𝑖= CM

ENDIF∀CH𝑗, 𝑗 ∈ NC{CH𝑗 broadcasts the advertisement message (ADV CH)x CMs will join CH𝑗IF CH𝑗 = MN THEN

CH𝑗 performs the attack by creating the TDMA schedule and give all nodessame time slot to send data

ELSECH𝑗 creates normal TDMA schedule

ENDIFx CMs send data to CH𝑗 in the corresponding TDMA time slotCH𝑗 sends aggregated data to BS}

Algorithm 4: Model of Scheduling attack.


Table4:Samplefrom

WSN

-DSdataset.

IdTime

IsCH

Who

CHDist

ToCH

ADV

SADV

RJO

INS

JOIN

RSC

HS

SCH

RRa

nkDAT

AS

DAT

AR

DataSent

ToBS

Dist

CHTo

BSSend

code

Con

sumed

energy

Attack

type

106079

303

1106079

01

30

751

00

01350

7108.34705

01.6

4035

Grayhole

107033

353

1107033

01

30

711

00

01349

9162.5505

02.03296

Grayhole

115021

753

1115

021

01

50

591

00

01298

00

00.00721

Blackh

ole

11704

4853

1117

044

01

40

5454

00

00

00

00.00723

Schedu

ling

103043

153

1103043

01

40

471

00

01269

14145.0

8942

01.8

8023

Grayhole

105005

253

1105005

01

90

471

00

0117

07

137.59248

00.92063

Grayhole

110024

503

1110024

01

90

351

00

01200

15113.27654

02.0577

Grayhole

101041

531

101041

01

00

341

00

01258

00

00.00225

Blackh

ole

102040

103

1102040

01

20

311

00

01240

00

00.00728

Blackh

ole

201061

1003

1201061

01

70

311

00

01240

00

00.00719

Blackh

ole

118058

903

1118058

01

50

2727

00

00

00

00.00724

Schedu

ling

103003

153

1103003

01

40

221

00

0116

629

85.19

787

02.06959

Grayhole

111050

553

0111

093

15.1740

60

21

00

110

220

00

10.04156

Normal

111057

553

0111

093

15.91573

02

10

01

322

00

01

0.04

172

Normal

402054

1253

1402054

06

220

00

00

00

13142.10787

00.24255

Floo

ding

402063

1253

1402063

06

280

00

00

00

13123.96292

00.23082

Floo

ding

402069

1253

1402069

06

220

00

00

00

1393.93772

00.21998

Floo

ding

118046

903

1118046

01

50

2121

00

00

00

00.00722

Schedu

ling

11004

4503

1110

044

01

90

201

00

01087

23121.4

0806

01.9

2349

Grayhole

117061

853

1117

061

01

90

201

00

0113

10

00

0.00728

Blackh

ole

201021

1003

1201021

01

70

201

00

0114

00

00

0.0072

Blackh

ole

101021

531

101021

01

00

171

00

0110

50

00

0.00225

Blackh

ole

117039

853

1117

039

01

40

1414

00

00

00

00.00723

Schedu

ling

117095

853

1117

095

01

40

1414

00

00

00

00.00722

Schedu

ling

103029

153

1103029

01

30

101

00

0960

00

00.00724

Blackh

ole

118031

903

1118

031

01

50

55

00

00

00

00.00736

Schedu

ling

111053

553

0111

028

19.42763

02

10

01

3732

00

02

0.1789

Normal

111051

553

0111

028

21.35118

02

10

01

3332

00

02

0.057

Normal

111055

553

0111

028

36.99519

02

10

01

3132

00

02

0.0582

Normal

111054

553

0111

028

43.03687

02

10

01

2432

00

02

0.05904

Normal

11106

0553

0111

028

40.20187

02

10

01

2032

00

02

0.05894

Normal


Table 5: Ns-2 simulation parameters.

Parameter ValueNumber of nodes 100 nodesNumber of clusters 5Network area 100m × 100mBase station location (50, 175)Size of data packet 500 bytesSize of packet header 25 bytesMaximum transmission range 200mRouting protocol LEACHMAC protocol CSMA/TDMASimulation time 3600 sInitial energy (in joule) 5, 50Attackers’ intensities 10%, 30%, 50%

In order to gather the required data, NS-2 was used [45].Simulation parameters are summarized in Table 5.

This section shows the results obtained from the datasetcollected as described in Section 4. Waikato Environmentfor Knowledge Analysis (WEKA) Toolbox was used in thesimulation experiments to evaluate the proposed dataset.WEKA is an open source data mining software suite builtusing Java programming language and developed at the Uni-versity of Waikato in New Zealand. Data mining algorithmsin WEKA could be applied to datasets and be called usingeitherWEKA’s interface or user customized Java code.WEKAcontains a lot of algorithms for data preprocessing, clustering,classification, association rules, regression, and visualization[46, 47].

Experiments were conducted on an Intel� Core� i5-4210U CPU @ 1.70GHz 2.40GHz, 8.00GB RAM with Win-dows 8.1 64-bit Operating System.

Because different performance metrics are appropriate indifferent settings, in this paper seven performancemetrics areused: True Positive Rate (TPR), True Negative Rate (TNR),False Positive Rate (FPR), False Negative Rate (FNR), OverallAccuracy (𝐴), Precision (𝑃), and Root Mean Square Error(RMSE).

TPR represents the rate of attack cases identified correctly,TNR represents the rate of normal (no-attack) cases iden-tified correctly, FPR represents the rate of no-attack casesidentified as attacks by the system, and FNR represents therate of attack cases identified as normal ones.𝐴 is the total rateof correct decisions whether identifying an attack correctlyor deciding there is no attack when really there is no attack.𝑃 represents the predicted positive cases that were correctlyclassified; RMSE provides information on the efficiency thatindicates the difference between the outputs and the targets.Lower values of RMSE indicates more accurate evaluation.Zero means no error:

TPR = TPTP + FN

, (2)

TNR = TNFN + TP

, (3)

FPR = FPFP + TN

, (4)

Table 6: Dataset separated 60% training set and 40 testing sets usingholdout method.

The attack type Training set (60%) Testing set (40%)Blackhole 6029 4020Grayhole 8758 5838Flooding 1988 1324Scheduling 3982 2656Normal 204039 136027Sum 224796 149865

FNR = FNFN + TP

, (5)

𝐴 = TP + TNTP + TN + FP + FN

, (6)

𝑃 = TPTP + FP

, (7)

RMSE = √∑𝑛𝑖=1

(𝑂𝑖− 𝑇𝑖)2

𝑛 , (8)

where TP is the number of attack cases classified correctlyas attacks. TN is the number of normal (no-attack) casesclassified correctly as normal (no-attack). FP is the numberof normal (no-attack) cases classified incorrectly as attacks.FN is the number of attack cases classified incorrectly asnormal (no-attack).𝑂𝑖 and𝑇𝑖 are the output and target values,respectively, and 𝑛 is the total number of data points.

The classification results of this dataset were obtainedthrough a number of test cases applied using Artificial NeuralNetworks (ANNs), which can be built in several ways. ANNis used as a classifier were the 23 attributes extracted fromthe simulation experiments are used as inputs and the typeof attack, including the normal case, is used as output. ANNtraining algorithm includes a built-in procedure to helpminimizing the error between the neural network output andthe desired output. Its iterative training procedure terminateswhen that error reaches a value below a predeterminedthreshold. After the training phase, the trained neural net-work is used on the test dataset to check its generalizationaccuracy.

We are extracting different results with two ANNs testoptions. The first one is by using holdout method where thedataset is separated to 60% training data and 40% testing data.Table 6 shows data separation using holdout method.

The second option is by using 10-Fold Cross Validationwhich separates the training dataset into 10 equal parts. Thismethod trains ANN using nine of the 10 parts and evaluatesit with the remaining part. The same process is repeatedfor all 10 parts using a sliding window to determine thetest set and the remaining parts are used for training theANN. After the completion of the 10 iterations, the results arecompiled and averages are computed. The main advantage ofthe 10-Fold Cross Validation is using all records in the datasetalternately for both training and testing. On the other hand,it is computationally expensive.


Table 7: Parameters for MLP neural network classifier.

Parameter Explanation Used value

LLearning rate: used for weight adjustmenton each iteration. (The value should bebetween 0 and 1.)

0.3

M

Momentum: used for weight adjustmentduring backpropagation, in order tospeed up convergence and avoid localminima. (The value should be between 0and 1.)

0.2

N The number of epochs or passes throughtraining data. 500

V The percentage of the validation set fromthe training data. 20%

S

Seed for random number generator.Random numbers are used for settinginitial weights for the connectionsbetween nodes. (The value should be ≥0.)

0

E

Threshold for consecutive errors allowedduring validation testing before theneural network terminates. (The valueshould be >0.)

20

H

Number of nodes in the hidden layerwhich is represented as follows:number of hidden layers (number ofneurons in each layer).

1 (11)2 (11, 5)3 (11, 5, 2)

An important parameter of ANNs is the used transferfunction. In this study themost common activation (transfer)functionwhich is the logistic sigmoid functionwas used.Thisfunction is also called log-sigmoid.The function is defined as

𝑎 = 11 + 𝑒−𝑛 . (9)

The logistic sigmoid function accepts any value andreturns a value between 0 and 1. Because of the nonlinearcharacteristics of this function, it allows ANNs to modelcomplex data with possible built-in nonlinearities.

Table 7 shows the parameters and the values used inthis paper for WEKA toolbox Multilayer Perceptron (MLP)ANN classifier configuration. MLP is the most popular ANNvariation that allows configuration of multilayer ANN whichis able to model complex relations between the input andoutput parameters.

Several ANN architectures were attempted in this paper,an ANN with one hidden layer and 11 neurons is used.Moreover, an ANNwith two hidden layers with 11 neurons inthe first layer and 5 neurons in the second hidden layer wasused. Finally, ANN with three hidden layers with 11 neuronsin the first layer, 5 neurons in the second hidden layer, andtwo neurons in the third hidden layer was also attempted.

By using the holdout method to train the ANN with onehidden layer, an overall classification accuracy of 97.5431%was achieved.This corresponds to correctly classifying 146184out of 149865 in the testing set as can be noticed fromTable 6.

Table 8 shows the Confusion matrix for this method.For example, there are 2656 records in the testing set forScheduling attack as shown in Table 6. 2620 records wereclassified correctly as Scheduling attack, 23 records were

00.20.40.60.8

11.2

Normal Flooding Scheduling Grayhole Blackhole

True positive rate

H1 (1 hidden layer)H2 (2 hidden layers)H3 (3 hidden layers)CV1 (Cross Validation with 1 hidden layer)CV2 (Cross Validation with 2 hidden layers)CV3 (Cross Validation with 3 hidden layers)

Figure 3: True positive results.

classified as no-attack, 3 records were classified as Grayholeattacks, and 10 records were classified as Blackhole attack.This means that the percentage of positive classification ofScheduling attack is 98.6%. The percentage of samples thatwere incorrectly classified as positive while they are normalis 0.4%.

Table 9 shows the results of the remaining metrics for theholdout method. RMSE as calculated in (8) is 0.073 which isan acceptable value.

From Table 9, it can be concluded that the accuracyof detecting Blackhole attack was (34.3%), which is a lowpercentage. For that reason, an ANN architecture that hastwo hidden layers was attempted. In this case, 98% (avg. ofTPR) of DoS cases were correctly classified with an error of0.0817. Table 10 shows summary of the metrics of using thisarchitecture. FromTable 10, it can be shown that the accuracyrate decreased for Grayhole attack and significantly increasedfor Blackhole attacks.

When the ANN was trained on the dataset with threehidden layers, 97.8% of DoS cases were correctly classifiedwith an error of 0.0791. Table 11 shows summary of resultsof using holdout method with three hidden layers.

More decrease in the accuracy rate of Grayhole attack canbe seen in Table 11.

An ANN was trained on the WSN-DS dataset using 10-Fold Cross Validation method with one hidden layer. In thiscase, 98.52% of DoS attacks were correctly classified with anerror of 0.0636. Table 12 shows the summary results of usingthis method with one hidden layer.

Table 12 shows an improvement in the results for all typesof attacks. We have trained the ANN using 10-Fold CrossValidation with two hidden layers. Having two hidden layers,98.53% of the DoS cases were classified correctly with anerror of 0.0643. Table 13 summarizes the results of using thismethod.

Using 10-Fold Cross Validation to train an ANN architec-ture that has three hidden layers on WSN-DS dataset, 97.18%of the cases were correctly classified with an error of 0.0914.Table 14 summarizes the results of using this method.

Figures 3, 4, and 5 summarize the previous results.Figure 3 shows the True positive rate. On average the best


Table 8: Confusion matrix of holdout method with one hidden layer.

Normal Flooding Scheduling Grayhole BlackholeNormal 135483 350 32 152 10Flooding 0 1325 0 0 0Scheduling 23 0 2620 3 10Grayhole 29 0 9 5379 421Blackhole 0 0 3 2640 1377

Table 9: Summary results of holdoutmethodwith one hidden layer.

TPR FPR FNR TNR PNormal 0.996 0.004 0.004 0.996 1.000Flooding 1.000 0.002 0 0.998 0.791Scheduling 0.986 0.000 0.014 1 0.983Grayhole 0.921 0.003 0.079 0.997 0.658Blackhole 0.343 0.004 0.657 0.996 0.757Avg. 0.975 0.021 0.025 0.979 0.978

Table 10: Summary results of holdout method with two hiddenlayers.

TPR FPR FNR TNR 𝑃Normal 0.996 0.008 0.004 0.992 0.999Flooding 1 0.003 0 0.997 0.753Scheduling 0.984 0 0.016 1 0.991Grayhole 0.714 0.006 0.286 0.994 0.838Blackhole 0.818 0.011 0.182 0.989 0.669Avg. 0.98 0.008 0.02 0.992 0.982

Table 11: Summary results of holdout method with three hiddenlayers.

TPR FPR FNR TNR 𝑃Normal 0.995 0.016 0.005 0.984 0.998Flooding 0.989 0.003 0.011 0.997 0.734Scheduling 0.973 0.001 0.027 0.999 0.954Grayhole 0.576 0.001 0.424 0.999 0.965Blackhole 0.989 0.016 0.011 0.984 0.631Avg. 0.978 0.015 0.022 0.985 0.984

Table 12: Summary results of 10-Fold Cross Validation with onehidden layer.

TPR FPR FNR TNR 𝑃Normal 0.998 0.018 0.002 0.982 0.998Flooding 0.994 0.001 0.006 0.999 0.904Scheduling 0.922 0 0.078 1 0.995Grayhole 0.756 0.003 0.244 0.997 0.911Blackhole 0.928 0.009 0.072 0.991 0.730Avg. 0.985 0.017 0.015 0.983 0.987

method for classifying the attacks is Cross Validation withone hidden layer (CV1). It was the best in classifying allattacks except for Scheduling and Grayhole attack where it

Table 13: Summary results of 10-Fold Cross Validation with twohidden layers.

TPR FPR FNR TNR 𝑃Normal 0.998 0.02 0.002 0.98 0.998Flooding 0.985 0.001 0.015 0.999 0.900Scheduling 0.915 0 0.085 1 0.992Grayhole 0.867 0.007 0.133 0.993 0.832Blackhole 0.778 0.005 0.222 0.995 0.810Avg. 0.985 0.019 0.015 0.981 0.985

Table 14: Summary results of 10-Fold Cross Validation with threehidden layers.

TPR FPR FNR TNR 𝑃Normal 0.994 0.045 0.006 0.955 0.995Flooding 0.754 0.001 0.246 0.999 0.855Scheduling 0.761 0.001 0.239 0.999 0.946Grayhole 0.689 0.01 0.311 0.99 0.743Blackhole 0.843 0.013 0.157 0.987 0.638Avg. 0.972 0.041 0.028 0.959 0.974

was slightly more accurate to use holdout method with onehidden layer (H1).

Figure 4 shows FPR. In FPR the smaller the rate, the betterthe performance. On average H1 was the best method; it isslightly better than CV1; however, CV1 was better than H1in classifying Flooding, Scheduling, and Grayhole attacks.H1 was better in classifying the normal behavior and theBlackhole attack.

Figure 5 shows the error rate of all methods using RootMean Squared Error (RMSE).

Figure 5 shows that CV1 was the best in terms of RMSE.From the results of TPR, FPR, and RMSE in Figures 3–5, it isconcluded that the use of CV1 architecture outperforms otherANN architectures in classifying DoS attacks in WSN.

From the previous results obtained from applying ANNto WSN-DS dataset, high accuracy was achieved in the taskof classifying four DoS attacks to determine whether theprotocol is in its normal mode or exposed to any type ofattack.

7. Conclusions and Future Work

The aim of this paper is to design an intelligent intrusiondetection and prevention mechanism that could work effi-ciently to limit DoS attacks with reasonable cost in terms


00.005

0.010.015

0.020.025

0.030.035

0.040.045

0.05

Normal Flooding Scheduling Grayhole Blackhole

False positive rate

H1 (1 hidden layer)H2 (2 hidden layers)H3 (3 hidden layers)CV1 (Cross Validation with 1 hidden layer)CV2 (Cross Validation with 2 hidden layers)CV3 (Cross Validation with 3 hidden layers)

Figure 4: False positive results.

00.010.020.030.040.050.060.070.080.09

0.1

H1

(1 h

idde

nla

yer)

H2

(2 h

idde

nla

yers

)

H3

(3 h

idde

nla

yers

)

CV1

(Cro

ssVa

lidat

ion

with

1hi

dden

laye

r)

CV2

(Cro

ssVa

lidat

ion

with

2hi

dden

laye

rs)

CV3

(Cro

ssVa

lidat

ion

with

3hi

dden

laye

rs)

RMSE

Figure 5: Root Mean Squared Error (RMSE) in each method.

of processing and energy. To achieve this aim, a specializeddataset for WSN was constructed to classify four types ofDoS attacks. The considered attacks are Blackhole, Grayhole,Flooding, and Scheduling attacks. The data were collectedusing NS-2. In addition to including normal behavior, it wasalso able to collect 374661 records containing the signaturesof these four attacks. The dataset containing normal andmalicious network trafficwas used to obtain the experimentalresults shown. In this paper, mathematical validation of thecreated dataset has been provided to ensure its correctness.The constructed dataset is called WSN-DS.

ANN-MLPmodel usingWEKA toolboxwas built; attackswere classified using twomethods, holdout and 10-Fold CrossValidation, with one, two, and three hidden layers used ineach case.We have found that, using 10-Fold Cross Validationwith one hidden layer, the percentages of classification accu-racies of attacks were 92.8%, 99.4%, 92.2%, 75.6%, and 99.8in Blackhole, Flooding, Scheduling, and Grayhole attacks, inaddition to the normal case (without attacks), respectively.From these results, it can be concluded that ANN trainedusing WSN-DS dataset is very useful in classifying DoSattacks as it was able to achieve high classification accuracyin the presence of more than one attack.

This work, which compares a number of distinct DoSattacking models, provides additional insights. Specifically,

it would draw conclusions in terms of selecting the bestprotocol to be employed in a precisely predefined real-time application in WSN. This research reemphasizes theimportance of considering security early in the networkprotocol development process. Without this, inherited vul-nerabilities in these network protocols and other softwarewillincreasingly become targets for malicious attacks.

In future, this work can be extended to include othertypes of DoS attacks in data link layer such as Wormhole orSybil. In addition, attacks on protocols other than LEACHand in different layers of WSN can be considered. It is alsopossible to attempt the use of other classifiers and dataminingapproaches. The current and future versions of WSN-DS willbe posted to the researchers.

Competing Interests

The authors declare that they have no competing interests.

References

[1] N. Marriwala and P. Rathee, “An approach to increase thewireless sensor network lifetime,” in Proceedings of the WorldCongress on Information and Communication Technologies(WICT ’12), pp. 495–499, IEEE, Trivandrum, India, October-November 2012.

[2] V. C. Gungor, B. Lu, and G. P. Hancke, “Opportunities andchallenges of wireless sensor networks in smart grid,” IEEETransactions on Industrial Electronics, vol. 57, no. 10, pp. 3557–3564, 2010.

[3] M. A. Rassam, M. A. Maarof, and A. Zainal, “A surveyof intrusion detection schemes in wireless sensor networks,”American Journal of Applied Sciences, vol. 9, no. 10, pp. 1636–1652, 2012.

[4] I. Butun, S. D. Morgera, and R. Sankar, “A survey of intrusiondetection systems in wireless sensor networks,” IEEE Commu-nications Surveys & Tutorials, vol. 16, no. 1, pp. 266–282, 2014.

[5] H. Modares, R. Salleh, and A. Moravejosharieh, “Overview ofsecurity issues in wireless sensor networks,” in Proceedings ofthe 2nd International Conference on Computational Intelligence,Modelling and Simulation (CIMSim ’11), pp. 308–311, September2011.

[6] J. Sen, “Security in wireless sensor networks,” inWireless SensorNetworks: Current Status and Future Trends, S. Khan, A.-S. K.Pathan, andN.A.Alrajeh, Eds., CRCPress,NewYork,NY,USA,2012.

[7] N. Farooq, I. Zahoor, S. Mandal, and T. Gulzar, “Systematicanalysis of DoS attacks in wireless sensor networks withwormhole injection,” International Journal of Information andComputation Technology, vol. 4, no. 2, pp. 173–182, 2014.

[8] A. Mitrokotsa and T. Karygiannis, “Intrusion detection tech-niques in sensor networks,” inWireless Sensor Network Security,Cryptology and Information Security Series, pp. 251–272, IOSPress, 2008.

[9] W. R. Heinzelman, A. Chandrakasan, and H. Balakrish-nan, “Energy-efficient communication protocol for wirelessmicrosensor networks,” in Proceedings of the 33rd IEEE AnnualHawaii International Conference on System Sciences, pp. 1–10,Maui, Hawaii, USA, January 2000.


[10] H. Liu, L. Li, and S. Jin, “Cluster number variability problemin LEACH,” inUbiquitous Intelligence and Computing, pp. 429–437, Springer, Berlin, Germany, 2006.

[11] W. B. Heinzelman, A. P. Chandrakasan, and H. Balakrish-nan, “An application-specific protocol architecture for wirelessmicrosensor networks,” IEEE Transactions onWireless Commu-nications, vol. 1, no. 4, pp. 660–670, 2002.

[12] S. B. Alla, A. Ezzati, and A.Mohsen, “Hierarchical adaptive bal-anced routing protocol for energy efficiency in heterogeneouswireless sensor networks,” in Energy Efficiency—The InnovativeWays for Smart Energy, the Future Towards Modern Utilities,InTech, 2012.

[13] S. Tyagi and N. Kumar, “A systematic review on clustering androuting techniques based upon LEACH protocol for wirelesssensor networks,” Journal of Network and Computer Applica-tions, vol. 36, no. 2, pp. 623–645, 2013.

[14] A. Braman and G. R. Umapathi, “A comparative study onadvances in LEACH Routing protocol for wireless sensornetworks: a survey,” International Journal of Advanced Researchin Computer and Communication Engineering, vol. 3, no. 2, pp.5883–5890, 2014.

[15] H. Dhawan and S. Waraich, “A comparative study on LEACHrouting protocol and its variants in wireless sensor networks: asurvey,” International Journal of Computer Applications, vol. 95,no. 8, pp. 21–27, 2014.

[16] D. Kumar, “Performance analysis of energy efficient clusteringprotocols for maximizing lifetime of wireless sensor networks,”IET Wireless Sensor Systems, vol. 4, no. 1, pp. 9–16, 2014.

[17] Y.M.Miao, “Cluster-head election algorithm forwireless sensornetworks based on LEACH protocol,” Applied Mechanics andMaterials, vol. 738-739, pp. 19–22, 2015.

[18] S. Taneja, “An energy efficient approach using load distributionthrough LEACH-TLCH protocol,” Journal of Network Commu-nications and Emerging Technologies (JNCET), vol. 5, no. 3, pp.20–23, 2015.

[19] S. Peng, T. Wang, and C. P. Low, “Energy neutral clustering forenergy harvesting wireless sensors networks,”AdHoc Networks,vol. 28, pp. 1–16, 2015.

[20] G. Padmavathi and D. Shanmugapriya, “A survey of attacks,security mechanisms and challenges in wireless sensor net-works,” International Journal of Computer Science and Informa-tion Security, vol. 4, no. 1-2, 2009.

[21] D. Mansouri, L. Mokdad, J. Ben-Othman, and M. Ioualalen,“Detecting DoS attacks inWSN based on clustering technique,”in Proceedings of the IEEE Wireless Communications and Net-workingConference (WCNC ’13), pp. 2214–2219, IEEE, Shanghai,China, April 2013.

[22] A. Garofalo, C. Di Sarno, and V. Formicola, “Enhancing intru-sion detection in wireless sensor networks through decisiontrees,” in Dependable Computing, pp. 1–15, Springer, Berlin,Germany, 2013.

[23] S.-S. Wang, K.-Q. Yan, S.-C. Wang, and C.-W. Liu, “An inte-grated intrusion detection system for cluster-based wirelesssensor networks,” Expert Systems with Applications, vol. 38, no.12, pp. 15234–15243, 2011.

[24] D. Wu, G. Hu, and G. Ni, “Research and improve on securerouting protocols in wireless sensor networks,” in Proceedingsof the 4th IEEE International Conference on Circuits and Systemsfor Communications (ICCSC ’08), pp. 853–856, IEEE, Shanghai,China, May 2008.

[25] G. Wang, J. Hao, J. Mab, and L. Huang, “A new approach tointrusion detection using Artificial Neural Networks and fuzzy

clustering,” Expert Systems with Applications, vol. 37, no. 9, pp.6225–6232, 2010.

[26] M. Xie, S. Han, B. Tian, and S. Parvin, “Anomaly detectionin wireless sensor networks: a survey,” Journal of Network andComputer Applications, vol. 34, no. 4, pp. 1302–1325, 2011.

[27] R. Bace and P. Mell, NIST Special Publication on IntrusionDetection Systems, Booz-Allen and Hamilton, McLean, Va,USA, 2001.

[28] J. Xu, J. Wang, S. Xie, W. Chen, and J.-U. Kim, “Study onintrusion detection policy for wireless sensor networks,” Inter-national Journal of Security and Its Applications, vol. 7, no. 1, pp.1–6, 2013.

[29] S. Khan andK.-K. Loo, “Real-time cross-layer design for a large-scale flood detection and attack trace-back mechanism in IEEE802.11 wireless mesh networks,” Network Security, vol. 2009, no.5, pp. 9–16, 2009.

[30] N. A. Alrajeh, S. Khan, and B. Shams, “Intrusion detectionsystems in wireless sensor networks: a review,” InternationalJournal of Distributed Sensor Networks, vol. 9, no. 5, pp. 1–7, 2013.

[31] A. Abid, A. Kachouri, and A. Mahfoudhi, “Anomaly detectionin WSN: critical study with new vision,” in Proceedings of theInternational Conference on Automation, Control, Engineeringand Computer Science (ACECS ’14), pp. 37–46, 2014.

[32] H. Jadidoleslamy, “A high-level architecture for intrusion detec-tion on heterogeneous wireless sensor networks: hierarchical,scalable and dynamic reconfigurable,”Wireless Sensor Network,vol. 3, no. 7, pp. 241–261, 2011.

[33] KDD, https://kdd.ics.uci.edu.[34] J. Stolfo,W. Fan,W. Lee, A. Prodromidis, and P. K. Chan, “Cost-

basedmodeling and evaluation for dataminingwith applicationto fraud and intrusion detection,” Results from the JAM Projectby Salvatore, 2000.

[35] A. Ananthakumar, T. Ganediwal, and A. Kunte, “Intrusiondetection system inwireless sensor networks: a review,” Interna-tional Journal of Advanced Computer Science and Applications,vol. 6, no. 12, pp. 131–139, 2015.

[36] A. Alsadhan and N. Khan, “A proposed optimized and efficientintrusion detection system for wireless sensor network,” Inter-national Journal of Electrical, Computer, Energetic, Electronicand Communication Engineering, vol. 7, no. 12, pp. 1621–1624,2013.

[37] Y. ElMourabit, A. Bouirden, A. Toumanari, andN. E.Moussaid,“Intrusion detection techniques in wireless sensor networkusing datamining algorithms: comparative evaluation based onattacks detection,” International Journal of Advanced ComputerScience and Applications (IJACSA), vol. 6, no. 9, pp. 164–172,2015.

[38] S. Sumitha Pandit and B. Kalpana, “Hybrid technique fordetection of denial of service (DOS) attack in wireless sensornetwork,” International Journal of Advanced Networking andApplications, vol. 7, no. 2, pp. 2674–2681, 2015.

[39] S. Athmani, D. E. Boubiche, andA. Bilami, “Hierarchical energyefficient intrusion detection system for black hole attacks inWSNs,” in Proceedings of the World Congress on Computer andInformation Technology (WCCIT ’13), pp. 1–5, IEEE, Sousse,Tunisia, June 2013.

[40] C. Karlof and D. Wagner, “Secure routing in wireless sensornetworks: attacks and countermeasures,” Ad Hoc Networks, vol.1, no. 2-3, pp. 293–315, 2003.

[41] M. Tripathi, M. S. Gaur, and V. Laxmi, “Comparing the impactof black hole and gray hole attack on LEACH inWSN,” ProcediaComputer Science, vol. 19, pp. 1101–1107, 2013.


[42] A. P. Renold, R. Poongothai, and R. Parthasarathy, “Perfor-mance analysis of LEACH with gray hole attack in WirelessSensorNetworks,” in Proceedings of the International Conferenceon Computer Communication and Informatics (ICCCI ’12), pp.1–4, January 2012.

[43] S.Magotra and K. Kumar, “Detection of HELLO flood attack onLEACH protocol,” in Proceedings of the 4th IEEE InternationalAdvance Computing Conference (IACC ’14), pp. 193–198, IEEE,Gurgaon, India, February 2014.

[44] I. Almomani and B. Al-Kasasbeh, “Performance analysis ofLEACH protocol under Denial of Service attacks,” in Proceed-ings of the 6th IEEE International Conference on Informationand Communication Systems (ICICS ’15), pp. 292–297, Amman,Jordan, April 2015.

[45] The Network Simulator—ns-2, http://www.isi.edu/nsnam/ns/.[46] M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutemann, and

I. H. Witten, “The WEKA data mining software: an update,”ACM SIGKDD Explorations Newsletter, vol. 11, no. 1, pp. 10–18,2009.

[47] R. R. Bouckaert, E. Frank, M. A. Hall et al., “WEKA—experi-ences with a Java open-source project,”The Journal of MachineLearning Research, vol. 11, pp. 2533–2541, 2010.

International Journal of

AerospaceEngineeringHindawi Publishing Corporationhttp://www.hindawi.com Volume 2014

RoboticsJournal of

Hindawi Publishing Corporationhttp://www.hindawi.com Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of



RotatingMachinery


Hindawi Publishing Corporation http://www.hindawi.com

Journal ofEngineeringVolume 2014

Submit your manuscripts athttp://www.hindawi.com

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawi Publishing Corporation http://www.hindawi.com

Volume 2014

The Scientific World JournalHindawi Publishing Corporation http://www.hindawi.com Volume 2014

SensorsJournal of


Modelling & Simulation in EngineeringHindawi Publishing Corporation http://www.hindawi.com Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks


research article wsn-ds: a dataset for intrusion...

Documents