Table-based intrusion detection and swarm-based defense.
The main motive behind the proposed work is to use the TIDSD method to predict or prevent various DoS attacks. Figure 1 shows the flow of the proposed work. Normally, the network comprises different devices. The devices are arranged in clusters, and the cluster heads are initialized by using LEACH (Low Energy Adaptive Clustering Hierarchy) (Mohan & Sarojadevi, 2015); this step is called cluster head selection. In a WSN, the nodes are distributed randomly in the network area. Each node has its own capability to decide whether to become the cluster head, based on a random number in (0, 1) for each round. The cluster head should have a number more than the threshold value. The selected node is denoted as CH. The threshold value is given (Mohan & Sarojadevi, 2015) by
$$T(n) = \frac{p}{1 - p\left(r \bmod \frac{1}{p}\right)} \quad \text{if } n \in G \qquad (1)$$
where p = optimal percentage of CHs in each round
r = current round
G = set of nodes (which are not selected as CH)
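A short simulation of Equation (1), added here as an illustration and not taken from the paper. It follows the original LEACH election rule, in which a node in G is elected when its random draw falls below T(n); the function names and the seed are assumptions.

```python
import random

def leach_threshold(p, r):
    """T(n) from Equation (1) for a node that is still in G at round r."""
    epoch = round(1 / p)                 # an epoch lasts 1/p rounds
    return p / (1 - p * (r % epoch))

def elect(node_ids, p, rounds, seed=0):
    """Run LEACH elections and return the list of cluster heads per round."""
    rng = random.Random(seed)            # seeded so a run can be repeated
    epoch = round(1 / p)
    in_g = set(node_ids)                 # G: nodes not yet CH in this epoch
    history = []
    for r in range(rounds):
        if r % epoch == 0:
            in_g = set(node_ids)         # new epoch: every node rejoins G
        t = leach_threshold(p, r)
        # Original LEACH rule (assumed here): elected when the draw is below T(n).
        heads = [n for n in sorted(in_g) if rng.random() < t]
        in_g -= set(heads)
        history.append(heads)
    return history

if __name__ == "__main__":
    for r, heads in enumerate(elect(range(8), p=0.25, rounds=8)):
        print(f"round {r}: T(n)={leach_threshold(0.25, r):.3f} CHs={heads}")
```

Because T(n) reaches 1 in the last round of each epoch, every node serves as CH exactly once per 1/p rounds, which is how the rotation spreads the energy cost of being cluster head.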
After its formation, the cluster head sends an advertisement message to all member nodes (MNs) in the WSN. The member nodes reply with a request message to join the cluster head based on the RSS (received signal strength) value. In a large network, the lack of updated intrusion information after cluster formation causes high energy consumption and disruptions in the security systems. The cluster head (CH) governs the overall process: requesting packets, responding to requests and delivering packets to the node group members.
The energy consumption of each node is estimated to compute the trust value. Trust value computation depends on the energy consumption and the energy estimation. The cluster head periodically checks whether each node's trust value is sufficient to form the routing path. If the trust value sufficiency changes periodically, the swarm-based defense approach is used to find a new routing path based on swarm particles.
Figure 1: Flow chart of proposed work
Recording attack broadcasts and node information in the inter-cluster table prevents newly arriving DoS attacks. The architecture of the hierarchical system of the WSN, the internet and the wireless network is shown in Figure 2. The wireless sensor network contains the internet, sensor nodes (S), base station (BS) and wireless network. The base station communicates with the wireless ad-hoc networks through the internet. The wireless ad-hoc network components are grouped into various clusters. The intrusion detection system of the WSN is shown in Figure 3. The primary cluster head (PCH), secondary cluster head (SCH), MNs and monitor group (MG) are the components of the wireless network. The SCH and PCH monitor the MNs to detect anomalies. Variation in channel behaviour due to a malicious attack can also be identified. The faults in the identified faulty channel are then mitigated by the swarm-based defence approach. The hybrid combination of table-based and swarm-based defence methods is proposed to predict DoS attacks and channel migration. The wireless network comprises various devices. These devices are arranged in clusters, and the cluster heads are chosen by maximum energy. The CH monitors the process of requesting packets, responding to requests and delivering packets. The energy consumption of each node is estimated to compute the trust value. Trust value computation depends on the energy consumption, remained energy, information accuracy and hop accuracy assigned to each node. The cluster head periodically checks whether each node's trust value is sufficient to form the routing path. If the trust value sufficiency changes periodically, the swarm-based defence approach is used to find a new routing path based on swarm particles.
Figure 3: Hierarchical perspective of WSN and internet.
Figure 4: Architecture of TIDS
The proposed method is implemented in four stages:
Predefinition of IDS
Monitoring of MN by SCH
Monitoring of SCH and MN by PCH
Updating the monitoring results in the isolation table of the BS
The administrator of the WSN picks the PCH and sets the sensing category for each sensor node. The administrator fixes the threshold value and the count of member groups. The PCH then selects the SCH from each member group, dividing the duty cycle of the SCH equally, and integrates the sensing data into the isolation table, which is maintained by the base station. The parameters used in table maintenance are shown in Table 1.
The secondary cluster head gets the parameters of each member node of the member group. The SCH authenticates the set of information for the member nodes. It also separates the faulty nodes and stores them in the isolation table. The monitoring process is divided into two actions: SCH monitoring the MN and MN monitoring the PCH. In the first part, the statuses of the MNs are monitored by the SCH, which authenticates the report information of every MN. The SCH stays isolated from the WSN and records the anomalous behaviour of the MN if its information is erroneous. Otherwise, the SCH sends the PCH information to the BS. The two anomalous statuses that describe erroneous information in the member nodes are as follows.
Routing behaviour changes due to various attacks such as spoofing and alteration.
High remained energy compared to the last recorded energy
Initially, the BS receives the sensed data from each SCH. Then the PCH integrates the sensed data and the isolation table for the SCH. The SCH senses and authenticates the reporting information to determine whether it is correct or erroneous. The SCH calculates the trust value from the weight values corresponding to remained energy, information accuracy and hop accuracy. In the monitoring process, the MN sends the sensing data to the SCH. The variables used in the SCH monitoring process are shown in Table 2. The comparison between the recorded value of remaining energy (Ei) and the energy consumption of the MN (El) constitutes the response of remained energy. The range of the response of remaining energy is described by Equation (2) as follows:
The SCH determines the MN to be malicious only if the sensing energy is outside the range of 90–110%. The SCH calculates the trust value from the remained energy. Equation (3) measures the remained energy from the hop values and their energy consumption values:
SCH compares the number of nodes with the transmission information accuracy (AI) and transmission hop accuracy (Ah). The combination of trust value from the weight values as in Equations (4) and (5) corresponds to MN in MG:
The adjustment of weight values is continued until the completion of PCH duty cycle. If the sufficient trust value is not reached, then the migration process through swarm-based defence approach is initiated.
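The SCH monitoring step described above, written out as an added example that is not code from the paper. Equation (2) is not reproduced on this page, so the sketch assumes the response is the reported remaining energy as a percentage of Ei minus El; the record layout, reason labels and sample values are constructed for illustration.

```python
from dataclasses import dataclass
LOW_PCT, HIGH_PCT = 90.0, 110.0    # acceptance band stated in the text

@dataclass
class Record:                      # one row of the SCH's table (layout assumed)
    last_energy: float             # Ei: remaining energy recorded last cycle (J)
    consumed: float                # El: estimated consumption this cycle (J)
    next_hop: str                  # next hop recorded last cycle

def check_report(rec, reported_energy, next_hop):
    """Return the anomaly reasons for one MN report; an empty list means clean."""
    reasons = []
    if next_hop != rec.next_hop:               # anomalous status 1
        reasons.append("routing-change")
    if reported_energy > rec.last_energy:      # anomalous status 2
        reasons.append("energy-increase")
    expected = rec.last_energy - rec.consumed  # assumed stand-in for Equation (2)
    pct = 100.0 * reported_energy / expected if expected > 0 else float("inf")
    if not LOW_PCT <= pct <= HIGH_PCT:
        reasons.append("energy-out-of-range")
    return reasons

def monitor(table, reports):
    """One SCH pass: isolate anomalous MNs, refresh the records of clean ones."""
    isolation = {}
    for node, energy, hop in reports:
        rec = table.get(node)
        reasons = check_report(rec, energy, hop) if rec else ["unknown-node"]
        if reasons:
            isolation[node] = reasons
        else:
            rec.last_energy = energy
    return isolation

TABLE = {                          # constructed sample data, not from the paper
    "mn1": Record(2.0, 0.20, "sch"),
    "mn2": Record(2.0, 0.05, "sch"),
    "mn3": Record(1.5, 0.10, "sch"),
    "mn4": Record(1.0, 0.50, "sch"),
}
REPORTS = [                        # (node, reported energy in J, next hop)
    ("mn1", 1.78, "sch"),          # consistent with the record
    ("mn2", 2.05, "sch"),          # inside the band, yet above the last record
    ("mn3", 1.39, "mn9"),          # energy plausible, next hop changed
    ("mn4", 0.30, "sch"),          # 60% of the expected remaining energy
]

if __name__ == "__main__":
    print(monitor(TABLE, REPORTS))
```

The mn2 case shows why the "higher than last recorded" status is checked separately: a small inflation of reported energy can stay inside the 90–110% band and would pass the range check alone.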
Swarm-based defence
In the table-based IDS, malicious behaviour is identified; the channel it affects is termed a faulty channel. The faulty channel is mitigated using the swarm-based defence approach. Swarm-based defence techniques focus on the flexibility, the strength, and the direct and indirect interaction between the WSN nodes. The principles governing the swarm-based defence approach are classified as following types: The faulty channel identification is performed by multiple interactions among the nodes. Initially, the source node and destination node change the channel, i.e. move far away from the DoS attack. The shared key for the channel (Ksharec) is generated by using the pair-wise key generation (KS) based on the energy level (E) as in Equation (6):
The generated key is used to generate the pseudorandom channel sequence as in Equation (7)
The data fragments are obtained by breaking the packets; the source node fills the FIFO buffer with the fragments and issues the transmit command. The total time for a fragment (T) is calculated by using Equation (8) from the time for hop information (Thop), the transmission initialisation time (Tini), the time to reach the destination (Td), the time for calculating the minimum hop (Tminhop) and the fragment generation time (Tfr), and is expressed as
The sender finishes the transmission, and the message indicates that DoS attacks are not generated only if the fragments are short. Otherwise, the message about DoS attacks is generated. Then, the attacker transmits the DoS pulses shortly to the PCH. The forward node (FN) explores the network to collect the DoS information. The network is reallocated and a new PCH is created if the FN reaches the end node (Nth node). Now, the backward node (BN) sends the high-priority queue for the new channel. The probability of choosing the channel is given by Equation (9):
Then, the heuristic value ? is calculated for each channel (i) by using Equation (10) with the listening time Tlistn and the number of pulses Np as follows:
The threshold value for the listening time (Tlistnh) and the threshold value for the number of pulses (Npth) are set, and the calculated values are compared with the threshold values to determine the feedback status. The feedback provided by the FN is negative reinforcement r if the listening time and number of pulses are greater than the threshold values, and the probability assigned to neighbours is obtained by using Equation (11),
The feedback provided by the FN is positive reinforcement (r+) for minimum values of listening time and number of pulses compared to the threshold values. The probability with positive reinforcement is obtained by using Equation (12):
Hence, the fault channel probability is analysed and the channel is mitigated using swarm-based defence approach. The channel with the high positive probability is selected for packet transmission. The algorithm for implementing the proposed TIDSD approach is as follows:
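The threshold comparison and channel choice described above, as an added sketch; it is not the TIDSD algorithm the text refers to and not code from the paper. Equations (9) to (12) are not reproduced on this page, so the reinforcement step r, the two update rules, the handling of mixed evidence, the thresholds and the observations are all assumptions constructed for illustration.

```python
T_LISTEN_TH = 5.0   # listening-time threshold in ms (constructed value)
N_PULSES_TH = 5     # pulse-count threshold (constructed value)

def feedback(t_listen, n_pulses):
    """Sign of the forward node's feedback for one channel."""
    if t_listen > T_LISTEN_TH and n_pulses > N_PULSES_TH:
        return -1                        # negative reinforcement
    if t_listen < T_LISTEN_TH and n_pulses < N_PULSES_TH:
        return 1                         # positive reinforcement
    return 0                             # mixed evidence: assumed to mean no change

def sweep(probs, observations, r=0.2):
    """Apply one forward-node sweep and renormalise the channel probabilities."""
    weights = {}
    for ch, p in probs.items():
        sign = feedback(*observations[ch])
        if sign > 0:
            p = p + r * (1 - p)          # assumed step, not Equation (12)
        elif sign < 0:
            p = p * (1 - r)              # assumed step, not Equation (11)
        weights[ch] = p
    total = sum(weights.values())
    return {ch: w / total for ch, w in weights.items()}

def choose_channel(sweeps):
    """Start from a uniform distribution, apply every sweep, pick the best channel."""
    channels = list(sweeps[0])
    probs = {ch: 1 / len(channels) for ch in channels}
    for observations in sweeps:
        probs = sweep(probs, observations)
    return max(probs, key=probs.get), probs

# Constructed observations: channel -> (listening time in ms, pulses counted).
SWEEPS = [
    {11: (9.0, 14), 15: (2.0, 1), 20: (3.0, 2), 25: (8.0, 1)},
    {11: (9.5, 12), 15: (1.5, 0), 20: (4.0, 7), 25: (2.0, 1)},
]

if __name__ == "__main__":
    best, probs = choose_channel(SWEEPS)
    print("selected channel:", best)
    for ch, p in probs.items():
        print(f"  channel {ch}: {p:.3f}")
```

Channel 11, which exceeds both thresholds in both sweeps, ends with the lowest probability, while channel 15, which stays below both, is selected for transmission.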
Performance analysis
This section presents the performance analysis of the proposed table-based intrusion detection and swarm-based defence approach for fault mitigation. We utilise the network simulator-2 (NS-2) to validate the performance of the proposed TIDSD approach. The simulation configuration parameters for the proposed work implementation are listed in Table 3.
4.1. Transmission accuracy
An increase in monitor nodes generally increases the transmission accuracy. Figure 4 compares the routing table intrusion detection system (RTIDS) and the isolation table-based IDS (ITIDS) (Chen et al., 2010) with the proposed TIDSD approach regarding transmission accuracy. The accuracy of ITIDS is higher than that of RTIDS. For the minimum number of monitor nodes, the proposed TIDSD offers 16%, whereas the accuracy of ITIDS is 10%. For the maximum number of monitor nodes (100), the accuracies of the proposed TIDSD and ITIDS are 98.14 and 95.14%, respectively. The hybrid combination of table- and swarm-based defence approaches in the proposed TIDSD offers 37.15% and 3.06% improvement for the minimum and maximum number of monitor nodes compared to ITIDS, respectively.
4.2. Transmission overhead
The simulation time variation increases the transmission overhead in HWSNET (Bhattasali & Chaki, 2011). But the immediate detection and update of trust values from the table-based approaches and the defensive actions on fault channels reduce the transmission overhead considerably.
Transmission overhead: Figure 5 shows the comparison of the proposed TIDSD with HWSNET regarding the overhead. The conventional HWSNET overhead is 18 for the minimum simulation period, and that of the proposed TIDSD is 5. For the maximum value of the simulation period (800), the overhead values for the proposed TIDSD and HWSNET are 67 and 64, respectively. The comparison shows that preventing the broadcast of DoS attack information into another cluster and the immediate migration of the fault channel to the normal channel in the proposed TIDSD reduce the overhead by 22.22 and 4.48% compared to HWSNET.
Energy consumption: The variation of energy consumed by the nodes in the proposed TIDSD is compared with the conventional game theory + FQL (Shamshirband et al., 2014). The use of Fuzzy-Q-learning requires more computational steps and energy, whereas the optimal way of intrusion detection in the proposed TIDSD offers a significant reduction in energy consumption. Figure 6 shows the comparative analysis of the proposed TIDSD and the existing game + FQL. An increase in the number of deployed nodes increases the energy consumption drastically in the traditional game + FQL, but the table-based IDS and swarm-based defence in the proposed TIDSD reduce the energy consumption.
False positive analysis
For the minimum nodes (40), the energy consumed by game + FQL is 200 J and TIDSD is 165 J. The energy consumption of TIDSD and game + FQL for more nodes are 1150 and 1200 J, respectively. The comparison yields that the proposed TIDSD offers 17.5% and 41.67% less energy consumption in DoS prediction.
False positive (FP)/false negative (FN): An FP occurs when the BS elects to defend but the selected attackers do not attack the system. An FN occurs when the BS does not elect to defend during an attack. An increase in the percentage of attacks linearly increases the FP and FN values. Minimum values of FP and FN indicate the effectiveness of the algorithm. Figures 7 and 8 show the comparison between the proposed TIDSD and the existing game theory + FQL (Shamshirband et al., 2014) regarding the FP and FN values, respectively. The percentage of attacks used to validate the FP/FN is varied within the range of 10–60%. The hybrid table-based and swarm-based defence approaches reduce the FP and FN values by 13.51% and 11.43% for the maximum percentage of attacks.
False negative analysis.
5. Conclusion
This article addressed the issues in energy constraint-based cluster operative WSN. Excessive energy consumption drained battery power, which reduced the network lifetime. The introduction of DoS attacks in WSN affects the low-operating mode for lifetime maximisation. Conventional ID approaches such as rule-based and anomaly-based methods detected the DoS attacks effectively, but their energy consumption and false detection rate were higher. The lack of awareness of attack information and of the broadcasting of its impact to the other CHs led to easy arrival of DoS attacks and disruption in packet transmission. This article combined the isolation and routing tables to detect the attack in the specific cluster and broadcast the information to the other CHs. The intercommunication between the CHs immediately and effectively prevented the DoS attacks. In addition, the swarm-based defence approach offered migration of the fault channel to a normal operating channel through frequency hop approaches that offered multi-hop modality. The comparative analysis between the proposed TIDSD approach and the traditional IDS regarding transmission overhead, transmission efficiency, energy consumption and the rate of false positives/negatives proves the effectiveness of the TIDSD-based DoS prediction capability in WSN.