See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/278726192

A Global Hybrid Intrusion Detection System for Wireless Sensor Networks

Article  in  Procedia Computer Science · July 2015

DOI: 10.1016/j.procs.2015.05.108

CITATIONS READS

67 832

4 authors:

Maleh Yassine Abdellah Ezzati

Université Sultan Moulay Slimane Université Hassan 1er
146 PUBLICATIONS   340 CITATIONS    114 PUBLICATIONS   705 CITATIONS   

SEE PROFILE SEE PROFILE

Qasmaoui Youssef Mbida Mohamed

Université Hassan 1er Université Hassan 1er
4 PUBLICATIONS   72 CITATIONS    14 PUBLICATIONS   76 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Wireless Communication Systems View project

Key Management for Wireless Sensor Networks View project

All content following this page was uploaded by Mbida Mohamed on 10 October 2016.

The user has requested enhancement of the downloaded file.

 Available online at www.sciencedirect.com

ScienceDirect
Procedia Computer Science 52 (2015) 1047 – 1052

The 5th International Symposium on Frontiers in Ambient and Mobile Systems (FAMS 2015)

A Global Hybrid Intrusion Detection System for

Wireless Sensor Networks
Yassine Maleh*a, Abdellah Ezzatib , Youssef Qasmaouic, Mohamed Mbidac
Faculty of Sciences and Techniques – Department of Mathematics and Computer, LAVETE Laboratory, Settat 26000, Morocco
Hassan 1st University – Faculty of Sciences and Techniques, IR2M Laboratory, Settat 26000, Morocco

Abstract

Many researchers are currently focusing on the security of wireless sensor networks (WSNs). This type of network is
associated with vulnerable characteristics such as open-air transmission and self-organizing without a fixed
infrastructure. Intrusion Detection Systems (IDSs) can play an important role in detecting and preventing security
attacks. In this paper, we propose a hybrid, lightweight intrusion detection system for sensor networks. Our intrusion
detection model takes advantage of cluster-based architecture to reduce energy consumption. This model uses
anomaly detection based on support vector machine (SVM) algorithm and a set of signature rules to detect malicious
behaviors and provide global lightweight IDS. Simulation results show that the proposed model can detect abnormal
events efficiently and has a high detection rate with lower false alarm.
©
© 2015
2015 The
The Authors.
Authors.Published
Publishedby
byElsevier
ElsevierB.V.
B.V.This is an open access article under the CC BY-NC-ND license
(http://creativecommons.org/licenses/by-nc-nd/4.0/).
Peer-review under responsibility of the Conference Program Chairs.
Peer-review under responsibility of the Conference Program Chairs
Keywords: Wireless Sensor Network, Hybrid Intrusion Detection System, Support vector machine, Signature attacks, false alarm, detection rate;

1. Introduction

Wireless sensor networks (WSNs) have become increasingly one of the most interesting research areas over the
past few years. The different characteristics of wireless sensor networks (energy limited, low-power computing, use
of radio waves, etc...) expose them to many security threats 1. Cryptography defined as a first line of defense is

*
Corresponding author. Tel.: +212-608-86-75-68; fax +212-522-78-64-03.
E-mail address: yassine.maleh@gmail.com

1877-0509 © 2015 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license
(http://creativecommons.org/licenses/by-nc-nd/4.0/).
Peer-review under responsibility of the Conference Program Chairs
doi:10.1016/j.procs.2015.05.108
1048 Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052

ineffective when the attacker is located inside the network. Intrusion detection system (IDS) defined as the second line
of defense, allows detection and prevention of internal and external attacks. The IDSs designed for wired or ad hoc
networks cannot be implemented directly in the WSN. Therefore, there is a need to design a specific detection system
for wireless sensor network, which takes in consideration the limitations of WSNs 2. The paper is organized as follows.
In the next section, we present in related work. Section 3 proposes security architecture for WSNs. Section 4 describes
the algorithms and the defense methods against routing attacks. In the Section 5, we present performance analyses and
discussion of our scheme. Finally, the paper ends with a conclusion and future works.

2. Related Work

In literature, there are a few works that aim to combine between anomaly-based approach and signature based
approach (hybrid model) to benefit from the advantages of both detection techniques.
Yan et al. 3 proposed hierarchical IDS based on clusters. The authors took advantage of this approach and install
on each cluster-head an IDS agent (core defense). This agent has three modules: a supervised learning module, an
anomaly detection module based on the rules and decision-making module. The simulation results show that this
model has a high detection rate and lower false positive rate. However, the main disadvantages of this scheme is: The
IDS node is static (runs only in the cluster-head), in this case the intruder uses all his strength to attack this hot spot
(hot point) and subsequently disrupts the network. The implementation of this detection mechanism requires many
calculations in cluster-heads, which can decrease the network lifetime.
Hai et al. 4 proposed a hybrid, lightweight intrusion detection system integrated for sensor networks, based on the
model proposed by Roman et al. 5. Intrusion detection scheme takes advantage of cluster-based protocol to build a
hierarchical network and provide an intrusion framework based on both anomaly model and misuse techniques. In
their scheme, IDS agent consists of two detection modules, local agent and global agent. The authors apply their model
in a process of cooperation between the two agents to detect attacks with greater accuracy (both agents are in the same
node). However, the disadvantage of this scheme is the sharp increase in signatures, which can lead to an overload of
the node memory.
In recent work, Coppolino and al. 6 presented a hybrid, lightweight, distributed IDS for wireless sensor networks.
This IDS uses both misuse-based and anomaly-based detection techniques. It is composed of a Central Agent (CA),
which performs highly accurate intrusion detection by using data mining techniques, and a number of Local Agents
(LA) running lighter anomaly-based detection techniques on the motes.
Based on these hybrid models. Our contribution in this paper is to propose an efficient and lightweight intrusion
detection system for sensor network. Our goal in this research is to study and implement a new model of intrusion
detection that combines the advantages of both techniques anomaly based model and signature based model in cluster
wireless sensor environment, and surpassing other hybrid models proposed in the literature.

3. The proposed hybrid model

The Hybrid Intrusion Detection System (HIDS) achieves the goals of high detection rate and low false
positive rate. The proposed model uses anomaly detection based on SVM technique and a set of attacks
represented by fixed rules signatures, which are designed to validate the malicious behavior of a target identified
by anomaly detection technique. The detection approach is integrated into a cluster-based topology to increase the
network lifetime. This is achieved by designating one known node as a leader of the group (cluster-head), that forwards
nodes packets (data aggregated) to the base station (BS) instead of sending their (nodes) collected data to a remote
location (base station). Cluster head acts like a local base station sensor, then clusters elect themselves to be a CH at
any given time with a certain probability, more details can be found in 7. We propose a cluster-based architecture that
divides the array of sensors into a plurality of groups, each of which comprises a cluster-head (CH). In this
architecture, every node belongs to only one of the clusters which are distributed geographically across the
whole network. Cluster head is used to reduce network energy consumption and to increase its lifetime. As shown in
Fig. 1, the architecture of proposed hybrid IDS.
 Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052 1049

Fig. 1. IDS architecture.

3.1. Cluster election and strategy location of IDS

CH is elected dynamically according to his energy. The BS announces the process of CH election, the CHs calculate
residual energy by equation Vi(t) = [Initial – Ei(t)] / r, where Initial is the initial energy, Ei(t) is the residual energy
and r is the current round of CH selection 8. BS calculates the average value and average deviation, according to
obtained values. CH announces the CH election procedure for nodes. Old CH broadcasts a message about the
withdrawal of authority. New CH sends alert messages to the sensors nodes. CH is responsible for authentication of
the other members of the cluster, and the base station (BS) is responsible for CH authentication. Because of limited
battery life and resources, each agent is only active when needed.
x Local agent: Local agent module is responsible to monitor the information sent and received by the sensor.
The node stores in his internal database specific malicious network nodes attacks. When the network first
organized, the sensor nodes don’t have any knowledge about malicious nodes. After the deployment of
WSNs, the signature database is constructed gradually. The entry in the malicious node database is created
and propagated to every node by a CH.
x Global agent: Global agent monitor the communication of its neighbor nodes. Because the broadcast nature
of wireless network, every node can receive all the packets going through its radio range. Global agent
must have the information of its neighbor nodes to monitor the packets. We use local monitoring mechanism
and pre-defined rules to monitor the packets 9. If the monitor nodes discover a possible breach of security
in of their neighbor nodes, they create and send an alert to the CHs. The CHs receive the alert and
make the decision of a suspicious node through the threshold X. Both agents are built on application layer.
Fig. 2 below describes the strategy location of IDS in network.

Fig. 2. Strategy location of IDS.

1050 Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052

3.2 Anomaly detection using SVM

Support vector machines (SVMs) are a class of machine learning algorithms, due originally to Vapnik 10, which is
sorter design method based on the small sample study, which is suitable to the classification of small sample data.
Therefore, the SVM method is suited to classify the high-dimension data in IDS. During the training phase, which
takes place offline at a system with abundant resources, data are collected from the physical, medium access control
(MAC) and network layers. Then the collected training data are pre-processed using a data reduction process, which
aims at reducing their size in order to be processed by SVM. Classification hyperplane of training data which may
be divided by linear classification plane or not via mapping the training data vector to higher dimensional space with
some function and transferring the problem to an linear classification problem in that space. After the mapping
procedure, SVM finds out a linear separating hyperplane with the maximum margin in the space. In 11, 12, Vapnik et
al. described the problem as finding a solution of convex optimization problem.
Suppose the linearly separability sample set (xi , yi)Ǥ Given the training datasets:
݅ ൌ ͳǡ ǥ ǡ ݊ǡ ‫ܴ א ݔ‬ௗ ǡ ‫ א ݕ‬ሼ൅ͳǡ െͳሽ. In our case {1} is normal, and {-1} normal is abnormal. The classify hyperplane
equation is:
‫ݓ‬Ǥ ‫ ݔ‬൅ ܾ ൌ Ͳ (1)
Where w is a normal vector and the parameter b is offset. The training samples on the hyperplane are called
Support Vectors, because they support the optimal classify hyperplane. So our problem can be formulated as follow:
ଵ ଵ
݉݅݊‫׎‬ሺ‫ݓ‬ሻ ൌ ȁȁ‫ݓ‬ȁȁଶ ൌ ሺ‫ݓ‬Ǥ ‫ݓ‬ሻ
ଶ ଶ (2)
‫݅ݕ݋ݐݐ݆ܾܿ݁ݑݏ‬ሾሺ‫݅ݔ ڄ ݓ‬ሻ ൅ ܾሿ െ ͳ ൒ Ͳ݅ ൌ ͳǡʹǡ ǥ ǡ ݊

T he classify function can be described as follow:

௡
݂ሺ‫ݔ‬ሻ ൌ ‫݊݃ݏ‬ሼሺ‫ כ ݓ‬Ǥ ‫ݔ‬ሻ ൅ ܾ ‫ כ‬ሽ ൌ ‫݊݃ݏ‬ሼ෌௜ୀଵ ߙ௜‫ݕ כ‬௜ ሺ‫ݔ‬௜ ή ‫ݔ‬ሻ ൅ ܾ ‫ כ‬ሽ (3)
T he optimal classify function as follow:
௡
݂ሺ‫ݔ‬ሻ ൌ •‰ሺ෌௜ୀଵ ߙ௜‫ݕ כ‬௜ ݇ሺ‫ݔ‬௜ ή ‫ݔ‬ሻ ൅ ܾ ‫ כ‬ሻ (4)

݇ሺ‫݅ݔ‬ǡ ‫ )ݔ‬Here is the kernel function and Di are the Lagrange multipliers. According to the condition of Kuhn-
Tucker (KKT), the xi that corresponding to Di > 0 are called support vectors (SVs). In our context, each node
communicates its vectors with its neighbor in one hope (one-hop neighbor), once this process is complete, the final
hyperplane is calculated and all nodes have the same discriminant plan to separate the data into two classes (normal,
abnormal). Therefore, the SVM method is suited to classify the high-dimension data in IDS. Maintaining the Integrity
of the Specifications. SVM method provides very good results with less training time compared to neural networks.
Another advantage of SVM is the low expected probability of generalization errors.

3.3 Signature based model

This module uses a discovery protocol based on signatures to detect malicious nodes and prevent network
disruptions by these nodes. The purpose of this protocol is to classify the behavior of a target as normal or abnormal
based on a set of rules. In our case, there is four rules for each attack. The rule for detecting the Selective forwarding
attack is defined by the number of packets dropped (PDR) and a node that is above a certain threshold δ sf). The rule
for detecting the Hello flood attack is the received signal strength (ISSR) at the IDS agent, if it is greater than a certain
threshold (δissrh). The rule for detecting the Black hole attack is defined by the number of RDP (greater than threshold
δissrbh) and excess of the signal power (above the threshold δissrbh). Finally, the rule for detecting the wormholes attack
is the power signal (above the threshold δissrhwh) and none of the neighboring nodes malicious node makes the
retransmission of packets received from this opponent (PDR bypass the threshold δwh).

3.4 Decision making model

 Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052 1051

In the collaborative process, the cluster-head applies a simple rules mechanism. In case there is no correspondence
between intrusions detected by the anomaly detection technique and predefined signatures attackers, the IDS agent
sends a report to CH, then it uses a fast rules mechanism to take a final decision about the suspect node. The CH report
the results to the administrator to help them manage the network and make further corrections. Finally, CH sends a
message to all IDSs, so they proceed to update their table of signatures. Fig. 3 illustrates the rules used in decision-
making model

If anomaly detection (SVM) If anomaly detection (SVM)

detects an attack and signature detects an attack and signature
model does not detect attack model detects attack
then it is not an attack and it is then it is an attack and
erroneous classification. determine the class of attack.

Fig .3. Rules for decision-making model.

4. Performance of the hybrid detection model

In this section, we evaluate the performance of our intrusion detection model using KDDcup'99 database 13. We
study the variations in detection rate and false positive, when the number of IDS increases in the network. Finally, we
compare the performance of our model with other hybrid models. To evaluate the effectiveness of the proposed model,
a set of metrics have been adopted to determine the most efficient intrusion detection model.

x Detection Rate: Represents the percentage of attacks detected on the total number of attacks.
x False positive rate (false alarms): This is the ratio between the number classified as an anomaly on the total
number of normal connections.
The combination of anomaly detection based on SVM and detection based on attack signatures allows the
intrusion detection model to achieve a high rate of intrusion detection (almost 98%) with a number very reduces false
alarms (near 2%) as shown in Table 1 below.

Table 1. Detection and false positive rate under four attacks.

Attack Detection rate False positive
Selective forwarding attack 98,40% 5,13%
Hello flood attack 97,20% 2,24%
Black Hole attack 96,80% 3,50%
Worm Hole attack 98,20% 4,54%

To determine the effectiveness of our approach, we compared our model with others hybrids models proposed by
authors Bin et al. 14, Khanum et al. 15, Yuan et al. 16 and Hai et al. 4, analyzing in particular the detection rate and false
alarms and generated by IDS agents. Fig. 4 below present a performance comparison of some existing intrusion
detection models for WSN.
1052 Yassine Maleh et al. / Procedia Computer Science 52 (2015) 1047 – 1052

a b

Fig. 4. (a) Detection rate; (b) False positive rate.

From Fig. 4, the proposed hybrid model has a better efficiency in terms of detecting attacks and false positives
rates compared to other models.

5. Conclusion and future works

In this article, we proposed a hybrid intrusion detection model for WSN. Our IDS uses a learning algorithm based
on the SVM and a detection technique based on the attack signatures. Indeed, the combination of these two techniques
to offers an intrusion detection system with a high detection rate and low false positive rate. Our detection approach
is integrated in a cluster-based topology, to reduce communication costs, which leads to improving the lifetime of the
network. For our future work, more research on this topic needs to be undertaken with detail simulation of different
attack scenarios to test the performance of proposed IDS. We expect the result to be available soon in the future.

References

1. Y. Maleh, A. Ezzati, “A review of security attacks and intrusion detection schemes in wireless sensor network”, International Journal of Wireless
& Mobile Networks (IJWMN) Vol. 5, No. 6, December 2013.
2. H. Sedjelmaci, S.M Senouci“A Lightweight Hybrid Security Framework for Wireless Sensor Networks”, IEEE ICC, Sydney, 2014.
3. K. Q. Yan, S. C. Wang, S. S. Wang, C. W. Liu, “Hybrid intrusion detection system for enhancing the security of a cluster-based wireless sensor
network”, Proceedings of 3rd IEEE International Conference on Computer Science and Information Technology, China, pp. 114-118, 2010.
4. T. H. Hai, E. N. Huh and M. Jo, “A lightweight intrusion detection framework for wireless sensor networks”, Wireless Communications and
Mobile Computing, 10(4): 559-572, 2010.
5. R. Roman, J. Zhou, J. Lopez, “Applying intrusion detection systems to wireless sensor networks “, in: 3rd IEEE Consumer Communications and
Networking Conference, pp.640-644, 2006.
6. L. Coppolino, S. D’Antonio, A. Gafalo, L. Romano, “Applying Data Mining Techniques to Intrusion Detection in Wireless Sensor Networks”,
Eighth IEEE International Conference on P2P, Parallel, Grid, Cloud and Internet Computing (3PGCIC), 2013.
7. A. Abduvaliyev, S. Lee, Y.K Lee, “Energy Efficient Hybrid Intrusion Detection System for Wireless Sensor Networks”, IEEE International
Conference on Electronics and Information Engineering, 2010.
8. C. Haiguang, W. Huafeng, X. Zhou , G. Chuanshan, “Key Feature and Rule-based Intrusion Detection for Wireless Sensor Networks”, IFIP
International Conference on Network and Parallel Computing – Workshops, 2007.
9. Da Silva, A. Loureiro, M.H.T Martins, L.B Ruiz, H.Wong, “Decentralized Intrusion Detection in Wireless Sensor Networks”. International
Workshop on Modeling Analysis and Simulation of Wireless and Mobile Systems, October 2005.
10. Vapnik, “Statistical study theory essential”, Qinghua University publishing press, Beijing 1995.
11. B. Boser and V. Vapnik, “A training algorithm for optimal margin classifiers”, 4th Annual Workshop on Computational Learning Theory, 1992.
12. C. Cortes and V. Vapnik, “Support-vector network, Machine Learning 20”, pp. 273–297, 1995.
13. KDD Cup 1999 Data, http://kdd.ics.uci.edu/databases/kddcup99/task.html; 1999.
14. W. H. Bin, Y. Zheng, W. C. Dong, “Intrusion detection for wireless sensor networks based on multi-agent and refined clustering”, International
Conference on Communications and Mobile Computing, IEEE, Yunnan, China, pp. 450-454, 2009.
15. S. Khanum, M. Usman, K. Hussain. “Energy-efficient intrusion detection system for wireless sensor network based on MUSK architecture”,
Second International Conference on High Performance Computing and Applications, Springer, Shanghai, China, pp.212-217, 2009.
16. L. Yuan, L.E Parker, “Intruder detection using a wireless sensor network with an intelligent mobile robot response”, IEEE Southeastcon, 2008.

View publication stats