
Digital Communications and Networks 8 (2022) 1068–1076


Design and analysis of intrusion detection systems for wireless mesh networks

Fawaz S. Al-Anzi
Computer Engineering Department, Kuwait University, P.O. Box 5969, Safat 13060, Kuwait

Keywords: Wireless; Mesh network; Intrusion detection; Cross-layer; Security

Abstract

Intrusion is any unwanted activity that can disrupt the normal functions of wired or wireless networks. Wireless mesh networking technology has been pivotal in providing an affordable means to deploy a network and allow omnipresent access to users on the Internet. A multitude of emerging public services rely on the widespread, high-speed, and inexpensive connectivity provided by such networks. The absence of a centralized network infrastructure and the open shared medium make Wireless Mesh Networks (WMNs) particularly susceptible to malicious attacks, especially in multihop networks. Hence, it is becoming increasingly important to ensure privacy, security, and resilience when designing such networks. An effective method to detect possible internal and external attack vectors is to use an intrusion detection system. Although many Intrusion Detection Systems (IDSs) have been proposed for WMNs, they can only detect intrusions in a particular layer. Because WMNs are vulnerable to multilayer security attacks, a cross-layer IDS is required to detect and respond to such attacks. In this study, we analyzed cross-layer IDS options in WMN environments. The main objective was to understand how such schemes detect security attacks at several OSI layers. The proposed IDS is verified in many scenarios, and the experimental results show its efficiency.

1. Introduction

1.1. Wireless Mesh Networks

Wireless Mesh Network (WMN) architectures can be categorized into infrastructure-based and infrastructure-less networks [1–3]. An infrastructure-based WMN comprises mesh clients, mesh routers, and gateways. The primary function of such WMNs is to provide ubiquitous broadband service over a wide geographical area. They are simple to deploy and extend over a wide area because the mesh routers connect with one another in a multihop manner; however, the greater the distance from the gateway, the slower the broadband service. Infrastructure-based WMNs can support both static and mobile nodes. In contrast, infrastructure-less WMNs are ad hoc networks that do not rely on mesh routers or gateways [2]. The nodes themselves have routing capability and form a multihop path from the source to the destination [3]. Infrastructure-less WMNs are mostly used in dynamic and highly mobile scenarios.

It is advantageous to design WMN components to be lightweight and frugal with resources, because infrastructure-less WMNs are constrained by several factors: limited processing capacity, limited memory, low bandwidth, and limited energy. Typical WMNs are vulnerable to a multitude of network security attacks, such as Denial of Service (DoS) and other active and passive attacks. Researchers are working to address different aspects and security flaws of multihop, decentralized, and heterogeneous networks such as WMNs. A network is considered secure if it ensures the integrity of data, high availability, and privacy (for both users and data in transit). Many options are currently available to safeguard WMNs. Nevertheless, those solutions fall short either because they are application specific or because they do not cover a wide range of attacks. Correspondingly, most of the solutions proposed so far primarily target the network layer of WMNs. Network-layer security mechanisms can deal with a few routing attacks, but they cannot counter attacks that target the transport, Medium Access Control (MAC), and physical layers.

1.2. Intrusion detection system

To detect and prevent a wide variety of security attacks, a lightweight Intrusion Detection System (IDS) is beneficial for

E-mail address: fawaz.alanzi@ku.edu.kw.

https://doi.org/10.1016/j.dcan.2022.05.013
Received 2 July 2020; Received in revised form 13 May 2022; Accepted 17 May 2022
Available online 21 May 2022
2352-8648/© 2022 Chongqing University of Posts and Telecommunications. Publishing Services by Elsevier B.V. on behalf of KeAi Communications Co. Ltd. This is an
open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

WMNs. Regarding network security, an IDS does not provide the primary defense against attacks; it is passive in nature and provides a secondary line of defense. As the name suggests, an IDS can only detect ongoing attacks and raise an alarm to inform the appropriate users. Two main classes of IDS are used in practice. The first, the rule-based (signature-based) IDS, matches observed activity against a catalog of known attack signatures. The second, the anomaly-based IDS, learns the normal network pattern and flags deviations from that pattern as potential attacks [4–10,11]. A third kind, the specification-based IDS, appears when IDSs are categorized by detection methodology: the expected behavior of specific programs or protocols is specified, and activity outside that specification is flagged as abnormal. Considering the OSI layer at which an IDS operates, the majority of related studies focus on the network layer, followed by the MAC layer and then the physical layer. IDSs may therefore be classified as single-layer, cross-layer, reputation-based, and reputation-based cross-layer IDSs [7].

1.3. Single-layer vs cross-layer IDSs

Single-layer IDSs focus exclusively on one layer, i.e., the physical, MAC, or network layer, and they have some drawbacks. A dedicated IDS for each layer can produce redundant detections, which is inefficient when resources are constrained. Another disadvantage is that a single-layer IDS finds it difficult to adapt to more complex attacks whose recognizable patterns appear on several layers [1,8,12–16]. Although such IDSs are adept at detecting a wide range of attacks on their own layer, they cannot detect intrusions on other layers. Therefore, a cross-layer methodology is adopted in WMNs to detect multilayer attacks, identify the attack, and trigger an alert [17]. In this approach, parameters from multiple layers are combined for better decision making. Cross-layer mechanisms are thus highly effective at monitoring multiple layers and detecting anomalies and attacks on each of them.

A single-layer IDS can detect intrusions in one layer only. For example, an IDS designed for the network layer can detect only network-layer attacks such as routing loops, packet misdirection, black-hole attacks, and gray-hole attacks.

A multilayer IDS operates on, and exchanges information between, multiple layers and can detect multilayer attacks such as the following:

1. MAC spoofing at the MAC layer
2. Black-hole, gray-hole, and routing-loop attacks at the network layer
3. Session hijacking at the session layer
4. SYN flooding at the transport layer

Because different threats exist at different layers, a single-layer detection model is insufficient, and a multilayer IDS is needed to detect anomalies and intrusions at each layer. Anomalies in each layer are detected using that layer's own parameters, and the multilayer IDS considers all of these parameters together. The design and implementation of a single-layer IDS is simpler than that of a multilayer IDS, because the former takes and computes parameters from one layer only. The multilayer IDS is more complex because it collects parameters from multiple layers and then combines them for decision making.

In this study, we propose an intrusion detection framework based on a cross-layer design in a wireless mesh context to improve the detection rate of the IDS. First, it is important to understand how such techniques identify intrusions across several OSI layers. The proposed IDS maintains a normal profile, which records the typical behavior of several parameters at every specified interval. When it detects a deviation from the normal behavior, it sends this information, along with the type of deviation, to the module in charge of classification and detection, which relies on an attack database. When an intrusion is detected, all neighboring nodes within transmission range are alerted. The proposed IDS was subjected to various attacks in a range of scenarios and was found to be highly efficient at detecting them. The rest of the paper is organized as follows. Section 2 analyzes related work on different IDSs, with emphasis on cross-layer IDSs. Section 3 discusses introducing a secure routing protocol alongside the proposed IDS; this protocol helps preserve the security and privacy of the WMN. Section 4 presents a detailed evaluation of the design and performance of the proposed IDS. Section 5 addresses attacks that are not detected by the proposed IDS. Section 6 concludes the paper and explores future possibilities.

2. Literature review

Network security has become one of the primary research subjects with the emergence of multihop wireless networks in the market. IDS design has a long history and is one of the classic approaches to ensuring network security. Traditionally, IDSs are intended to detect network-layer anomalies and hence operate at the network layer. Multihop wireless networks support distributed operation and are susceptible to attacks at different OSI layers, such as the network, transport, physical, data-link, and application layers [18–25]. To monitor and analyze attacks at multiple layers, cross-layer IDSs are gaining importance owing to their ability to detect multilayer attacks. A wide range of IDSs has been proposed. For example, Xiao et al. provided a cross-layer solution for multihop networks [9]. The mechanism is efficient at detecting multilayer anomalies; however, the exchange of many parameters may lead to high resource consumption. A real-time detection solution with a cross-layer design targeting WMNs was proposed by Khan et al. [10,26]. The mechanism exchanges parameters between the MAC and network layers to detect different attacks, and it maintains three profiles to categorize the severity of an attack. Although this mechanism has a high detection rate, it can detect only flooding attacks. For distributed ad hoc networks, a cross-layer IDS was conceived by Thamilarasu et al. [12]. In this scheme, intrusion detection is divided into two levels, level 1 and level 2, and malicious activities are detected via information exchange between the network and data-link layers. It is a highly efficient mechanism for detecting attacks such as packet dropping and packet misdirection; however, despite the cross-layer information exchange, it can detect attacks only in the network layer. The same authors devised another cross-layer security mechanism for detecting jamming attacks [13]. It detects jamming attacks only, and it is not feasible for resource-constrained networks. An anomaly-based detection method for WMNs was defined by Wang et al. [14]; it can also be regarded as a cross-layer anomaly detection method. In this work, a prototype was designed in which information was exchanged between the network and data-link layers, and its performance was compared with that of a single-layer IDS; the cross-layer IDS had better detection and response rates. An alternative cross-layer IDS that works in tandem with data-mining methods was suggested by Liu et al., who categorized a specific set of features that facilitate the discovery of attacks within a hop range [15]. The literature also reports security mechanisms in the form of Watchdog/Pathrater protocols [10,27–29], which select a secure path and are proficient at detecting attacks at the network layer. CONFIDANT [30] is another security solution used to spot anomalous behavior of neighbors. TIARA [31] reports broken paths and ensures the encryption of key packets. The above security mechanisms [27–31] were


devised only for routing attacks. In this study, a cross-layer detection system is defined. The key to this mechanism lies in the exchange of parameters between the network and MAC layers, which provides a multilayer, broad-spectrum defense against multiple attacks. Experimental results of the proposed scheme demonstrate the detection of multilayer attacks.

Eavesdropping is a common passive threat in wireless Ad Hoc Networks (AHNets), which constitute the Internet of Vehicles (IoV). Because many malicious attacks begin with eavesdropping, eavesdropping protection in AHNets has attracted attention. However, several recent investigations focused solely on employing encryption to either mitigate eavesdropping or safeguard communication between a sender and a receiver (the "good" nodes). Surprisingly few studies explored the eavesdropping activities of the rogue nodes themselves. Li et al. [32] presented an analytical framework for modeling eavesdropping threats in wireless networks that considers channel conditions and antenna designs. Their analytical and experimental results agree well, implying that the behavior of eavesdroppers can be effectively approximated using the proposed analytical techniques. Their findings further suggest that when the impact of path attenuation is small, directional antennas at the eavesdroppers may increase the probability of successful eavesdropping, whereas when path loss grows significant, directional antennas at the eavesdroppers can reduce it. They also found that the randomness introduced by the shadow-fading effect can increase the likelihood of eavesdropping. This work prepares the ground for future attempts at avoiding eavesdropping.

An innovative strategy against eavesdropping is to split the packets of one stream across different network paths, which makes successful eavesdropping harder. However, because the paths have different characteristics, routing packets across them generates a severe out-of-order problem, which in turn hinders bandwidth aggregation across the paths and wastes their bandwidth. Zhou et al. [33] proposed an Adaptive Multipath Scheduling (AMS) method that not only makes eavesdropping harder but also properly aggregates bandwidth across several channels. The network-path-selection block and the packet-scheduling block are the two basic forwarding blocks of AMS. To protect against eavesdropping, the network-path-selection block estimates the properties of the candidate routes, selects three paths with similar characteristics, and spreads the packets among them. Compared with the baseline method, AMS reduces the out-of-order ratio by 48% and improves throughput by 74%.

Recently, many Internet users have turned to WMNs. Not all participating nodes can be assumed to run an honest routing protocol. Attackers can take advantage of the open design, multihop connectivity, diverse management approaches, and wireless links of WMNs, and can exploit hidden weaknesses in multipath mesh routing to mount attacks such as the black-hole attack. When mesh nodes are equipped with multiple radios set to non-overlapping channels, WMN performance improves significantly; several links then exist between a pair of nodes, and the bandwidth between them varies constantly. A mesh node in this scenario can employ machine learning to make a smart choice of link bandwidth. A new heterogeneous key management system coupling logical key hierarchies with a localized threshold mechanism has also been proposed. As WMNs become more heterogeneous, Rao et al. [34] introduced a cross-layer diagnosis methodology that uses machine learning on linked routing properties to distinguish normal profiles from intrusions. They tackle the automatic intrusion response problem in wireless networks with a generic response architecture that builds system- and resource-dependent services, and they provide a machine-learning-based dispersion estimate that allows transmitting nodes to dynamically choose the next hop with the largest available bandwidth to resume communication.

Bluetooth Low Energy (BLE) mesh networks are gaining attention as a short-burst communication protocol. While standard cryptographic techniques secure the communication, little work has been done to secure the entire network against attacks on its integrity. Although numerous network risk-assessment and mitigation approaches exist, they frequently require a large volume of information from both benign and malicious situations to distinguish between the two, often necessitating a complete description of the traffic crossing the network. In addition, freely accessible datasets are not available for BLE mesh networks because of the standard's infancy and the lack of specific implementation tools. To build a wireless security assessment mechanism suitable for BLE, Lacava et al. [35] proposed an IDS based on machine-learning pattern recognition and classification of the most common DoS attacks affecting this type of network. Their IDS runs on a single internal node and thus requires a limited amount of information. They also described a data collection system based on the ESP32, which gathers packets from the network and model layers of the BLE mesh stack, and they performed a set of tests to collect the data needed to train the IDS.

Xu et al. [36] studied a QoS-aware secure routing architecture for a multihop wireless network with legitimate nodes, malicious eavesdroppers, and selfish jammers, based on physical-layer security techniques. They first modeled a given path to show the effect of the transmission power of the legitimate nodes along the route and of the jamming power of the jammers on end-to-end security and QoS performance. They then devised a noncooperative game framework to address the jamming-power setting problem and an incentive mechanism to encourage jammers to generate artificial jamming for security purposes. Xu et al. [37] investigated a common decentralized IoT setting with legitimate peer devices, eavesdroppers, and selfish jammers and presented an incentivized jamming-based secure routing mechanism. They employed a two-stage Stackelberg game to establish the optimum source incentives and jamming power, wherein the source provides incentives to drive artificial jamming among the selfish jammers.

3. Preserving privacy in wireless mesh networks

IDSs actively address various types of attacks on a network. Although this is their primary function, it is increasingly important to ensure that the implemented security measures are reliable and preserve privacy. As security features in networks advanced, privacy was often neglected or not prioritized. With the emergence of several attacks that specifically threaten privacy, it is of great importance to include privacy protection when designing the security of a network. The mobile and open nature of WMNs makes it crucial to consider measures that safeguard the security and privacy of internal network nodes. Meghanathan and Palanichamy proposed a Privacy Preserved and Secured Reliable Routing Protocol (PSRR) for WMNs that meets these requirements [38]. Their methodology combines the protocol with the Cross-layer and Subject Logic based Dynamic Reputation (CLSL-DR) technique, applied during the route discovery phase.

3.1. Design scheme and premise

Meghanathan and Palanichamy [38] considered an infrastructure-based WMN comprising mesh clients and mesh routers; the routers together form the backbone of the WMN [39,40]. The study assumes that traffic flows from the source to the destination node via this router backbone. The design is fundamentally a combination of ID-based encryption systems and schemes [41–45]. The design scheme


involving the different functional components of the protocol utilized by CLSL-DR is shown in Fig. 1.

Fig. 1. Design scheme indicating the functional components of PSRR.

3.2. Attack model

According to Ref. [38], the model was designed to address an adversary eavesdropping on all network traffic. Intruders are also assumed to be able to target user information and packet contents. Active attacks can start with the dropping of packets within the network and are not limited to injection and modification; they can extend to attacks on internal nodes leading to a DoS of the network. Table 1 lists the simulation parameters used in the experiment [38].

Table 1
Simulation parameters [38].

Parameter                  Value
Area size                  1000 m × 1000 m
MAC protocol               802.11n
Packet size                1000 bytes
Radio transmission range   250 m, 550 m
Total simulation time      50–250 s
Number of nodes            25
Protocol                   PSRR, PA-SHWMO, HWMP

PSRR: Privacy Preserved Secured Reliable Routing Protocol; PA-SHWMO: Privacy Aware Secure Hybrid Wireless Mesh Protocol; HWMP: Hybrid Wireless Mesh Protocol.

3.3. Performance analysis

Initially, a packet delivery ratio analysis was conducted as a function of the number of malicious nodes [15]; successful receipt of packets was counted. The computation time required by the proposed PSRR was found to be high, leading to long delays while the protocol selected the most efficient route. This overhead therefore needs to be factored in when CLSL-DR is used with PSRR. According to Ref. [15], although the routing protocol lags in message overhead, average end-to-end delay [27,38], and route acquisition time, it is clearly the better option from the perspective of its reduced false-positive rate and strong privacy entropy, which are the strengths of this system and result in optimal data transmission while ensuring security and privacy.

4. Proposed cross-layer IDS for wireless mesh networks

The proposed IDS is capable of detecting multilayer attacks in WMNs. We used a cross-layer methodology to exchange parameters between layers in order to increase the detection rate of the IDS. The specifications of the proposed IDS are discussed in this section.

4.1. Design scheme and premise

One must observe multiple constraints pertaining to infrastructure-less WMNs: energy, memory, processing, mobility, and data rates. A few important facts need to be considered before designing any IDS for such networks. An ideal intrusion detection system for WMNs should have the following properties:

● Ability to detect multilayer attacks
● Lightweight operation that preserves resources

The algorithm relies on the premise that both mobile and static nodes are present in the WMN. The infrastructure-less network has no support from mesh routers or gateways [1]; instead, all nodes possess routing capability and communicate with one another in a multihop fashion.


4.2. Framework

The proposed cross-layer IDS operates independently at each node. Upon detecting an attack, all neighboring nodes within communication range are notified. The five modules of the proposed cross-layer IDS are the data collection, analysis, classification, detection, and alarm modules. The framework of the proposed IDS is shown in Fig. 2. The data collection module collects data and parameters from different layers [14]:

● Network layer: TTL, sent and received packets, and route-failure frequency
● Transport layer: transmission control and congestion control information
● Physical layer: battery power and signal strength
● MAC layer: throughput information and link parameters

The collected information is forwarded to the analysis module, which checks for deviations [44]. The analysis module compares the collected information with the normal behavior. The proposed IDS maintains a normal profile in which the normal behavior of the different parameters is recorded; the profile is updated after a specific time interval. When any deviation from the normal behavior is observed [45], the information is forwarded to the module responsible for classification and detection, together with the type of deviation, i.e., a smaller or a higher deviation. Classification and detection are the crucial components of the proposed IDS; they rely on an attack database that contains signatures of different attacks and is updated at specific time intervals. This module detects and classifies the type of attack and the layer at which the attack occurred. Upon detection of an attack, the alarm module raises a signal to inform the operators. The algorithm for the proposed IDS is presented in Fig. 3 and Algorithm 1.

Fig. 2. Proposed IDS framework.

Fig. 3. Proposed IDS algorithm.

Fig. 4. Cross layer exchange.
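The module pipeline described in Section 4.2, as an added example that is not the paper's code or its Algorithm 1: a node-local IDS keeps a sliding-window normal profile per (layer, parameter), bands each deviation as smaller or higher by z-score, matches the set of high deviations against a small attack database of cross-layer signatures, and records the alarm sent to the neighbours. It also models the cross-layer exchange of Section 4.3, in which physical-layer readings are recorded at the application layer and reach the network-layer detector a few intervals late; on the constructed trace the flood is reported in the interval it occurs, while the battery drain it causes is reported only after the exchange delay, the effect Section 4.6 describes for the first battery exhaustion attacks. The parameter names, thresholds, attack signatures, lag value, and trace are all assumptions made for illustration.

```python
"""Node-local cross-layer IDS in the style of Section 4.2 (added example, not the
paper's Algorithm 1): collect -> profile deviation -> signature match -> alarm.
Parameter names, thresholds, signatures, the lag and the trace are assumptions."""
from collections import deque
from statistics import mean, pstdev

# Hypothetical attack database: a signature is the set of (layer, parameter,
# direction) deviations that must all be "high" in the same interval.
ATTACK_DB = {
    "network_flooding": {("network", "rx_pkts", "+"), ("transport", "congestion", "+")},
    "probe_request_flooding": {("mac", "probe_req", "+")},
    "black_hole": {("network", "fwd_ratio", "-")},
    "battery_exhaustion": {("physical", "battery_drain", "+")},
}
SMALL, HIGH = 2.0, 4.0  # |z-score| bands for "smaller" / "higher" deviation (assumed)

class NormalProfile:
    """Sliding-window mean/stdev per (layer, parameter), learned from normal intervals only."""
    def __init__(self, window=10, min_samples=3):
        self.window, self.min_samples, self.hist = window, min_samples, {}

    def update(self, key, value):
        self.hist.setdefault(key, deque(maxlen=self.window)).append(value)

    def zscore(self, key, value):
        vals = list(self.hist.get(key, ()))
        if len(vals) < self.min_samples:
            return 0.0  # too little history: treat as normal and keep learning
        sd = pstdev(vals)
        return (value - mean(vals)) / (sd if sd > 0 else 1e-9)

class CrossLayerBus:
    """Section 4.3 exchange: MAC/network/transport parameters are visible in the same
    interval; physical-layer readings go via the application layer and arrive phy_lag later."""
    def __init__(self, phy_lag=2):
        self.phy_lag, self.pending = phy_lag, []  # pending: (deliver_at, layer, params)

    def push(self, t, layer, params):
        self.pending.append((t + (self.phy_lag if layer == "physical" else 0), layer, params))

    def collect(self, t):
        ready = [p for p in self.pending if p[0] <= t]
        self.pending = [p for p in self.pending if p[0] > t]
        return {layer: params for _, layer, params in ready}

class CrossLayerIDS:
    def __init__(self, node_id, neighbours, bus=None, profile=None):
        self.node_id, self.neighbours = node_id, neighbours
        self.bus, self.profile = bus or CrossLayerBus(), profile or NormalProfile()
        self.alerts = []  # (interval, attack, layers hit) sent to the neighbours

    def analyse(self, visible):
        """Band each (layer, parameter) as normal/small/high with the sign of the deviation."""
        dev = {}
        for layer, params in visible.items():
            for name, value in params.items():
                z = self.profile.zscore((layer, name), value)
                band = "high" if abs(z) >= HIGH else "small" if abs(z) >= SMALL else "normal"
                dev[(layer, name)] = (band, "+" if z > 0 else "-")
        return dev

    def classify(self, dev):
        high = {(lay, p, d) for (lay, p), (band, d) in dev.items() if band == "high"}
        return [name for name, sig in ATTACK_DB.items() if sig <= high]

    def step(self, t, sample):
        """One interval: collect -> analyse -> classify -> alarm -> update the profile."""
        for layer, params in sample.items():
            self.bus.push(t, layer, params)
        visible = self.bus.collect(t)
        dev = self.analyse(visible)
        attacks = self.classify(dev)
        for a in attacks:  # alarm module: tell neighbours which layers were hit
            self.alerts.append((t, a, sorted({lay for lay, _, _ in ATTACK_DB[a]})))
        for (layer, name), (band, _) in dev.items():
            if band == "normal":  # never learn from an interval under suspicion
                self.profile.update((layer, name), visible[layer][name])
        return attacks

# Constructed trace (not measured data): 12 intervals; in interval 8 the node is
# flooded, which also drains its battery, as described in Section 4.4.
TRACE = {
    "network": {"rx_pkts": [48, 52, 50, 49, 51, 50, 48, 52, 500, 50, 49, 51],
                "fwd_ratio": [0.98, 0.97, 0.99, 0.98, 0.97, 0.98, 0.99, 0.97, 0.98, 0.98, 0.97, 0.99]},
    "transport": {"congestion": [0.10, 0.12, 0.09, 0.11, 0.10, 0.12, 0.09, 0.11, 0.90, 0.10, 0.11, 0.10]},
    "mac": {"probe_req": [20, 22, 19, 21, 20, 22, 19, 21, 20, 21, 20, 19]},
    "physical": {"battery_drain": [1.0, 1.1, 0.9, 1.0, 1.1, 0.9, 1.0, 1.1, 6.0, 1.0, 0.9, 1.0]},
}

def run_demo(phy_lag=2):
    """Run the IDS over TRACE; return ({interval: attacks}, alerts sent)."""
    ids = CrossLayerIDS("node2", ["node1", "node3"], bus=CrossLayerBus(phy_lag))
    detected = {}
    for t in range(12):
        sample = {lay: {p: s[t] for p, s in ps.items()} for lay, ps in TRACE.items()}
        attacks = ids.step(t, sample)
        if attacks:
            detected[t] = attacks
    return detected, ids.alerts
```

Calling `run_demo()` returns `{8: ['network_flooding'], 10: ['battery_exhaustion']}`: the flood is classified from the network and transport parameters in the interval it happens, but the physical-layer reading for that interval only reaches the detector two intervals later, so the battery exhaustion signature fires at interval 10; with `run_demo(phy_lag=0)` both are reported at interval 8. Two design choices matter in practice. The profile is updated only from intervals banded normal, otherwise a sustained flood would become the new baseline within one window and stop being detected. And the `1e-9` floor on the standard deviation means a parameter that has been perfectly constant will band any change as high, which is the desired behaviour for a new signal but a false-positive source for quantized counters; a minimum variance per parameter is the usual fix.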


Fig. 5. Traffic generation: normal vs abnormal.

4.3. Cross-layer information exchange

In a traditional protocol stack, information and parameters cannot be exchanged between layers; the layers are independent and cannot instruct one another. In a cross-layer methodology, parameters and information are exchanged for the joint optimization of processes or systems. The proposed IDS exchanges parameters in order to detect a variety of attacks. Fig. 4 shows the cross-layer information exchange mechanism of the proposed IDS, and Algorithm 2 gives the corresponding algorithm. Physical-layer parameters cannot be exchanged directly with the network layer; thus the proposed IDS first records the physical-layer parameters at the application layer and then passes them on to the network layer.

The proposed multilayer IDS considers different parameters from different layers, such as data rates, link strengths, hop count, packet freshness, and the total number of sessions created and terminated, and it takes a few parameters from the three-way handshake at the transport layer.

4.4. Multilayer attack correlation

In WMNs, an attack on one layer significantly affects the operation and parameters of other layers. For example, flooding [26] can be categorized as a network-layer attack in which the adversary transmits hundreds of unnecessary packets toward the target node(s). In addition to exhausting the battery of the target node(s), flooding attacks can also create network congestion. Note that battery exhaustion is a physical-layer attack, whereas packet dropping or misdirection [1] is a network-layer attack, and the resulting end-to-end delay must be watched at the data-link layer. Hence, cross-layer security mechanisms are emphasized, because the operational performance of one layer can degrade the performance of another; such mechanisms provide a platform to counter multilayer attacks.

4.5. Attack model

In this section, a few results generated with Network Simulator-2 (NS-2) demonstrate how a network-layer flooding attack has consequences at other layers:

● Impact on the battery power of the target nodes (physical layer)
● Impact on end-to-end delay (data-link layer)
● Impact on congestion (transport layer)

Fig. 5(a) shows normal traffic transmission at both nodes. Node 1 generates less traffic because it is located at the edge of the scenario, whereas node 2 generates more traffic because of its location: it not only sends its own traffic but also relays traffic for its neighbors. Fig. 5(b) presents a scenario in which node 1 is malicious and sends hundreds of unnecessary packets toward the target node(s). This abnormal traffic creates congestion at the transport layer and increases the end-to-end delay at the MAC layer. Moreover, it significantly affects battery power at the physical layer. Energy consumption depends heavily on the location of a node in the network; as node 1 is located at the edge, it consumes less energy than node 2 in the normal scenario.

Fig. 6(a) presents the energy consumption of the nodes in the normal scenario. Fig. 6(b) presents a scenario in which node 1 experiences normal traffic while node 2 is the target of abnormal (malicious) traffic; node 2 depletes its battery much sooner.

4.6. Performance evaluation

The NS-2 simulator was used with the parameters listed in Table 2 to evaluate the performance of the proposed IDS. A few malicious scenarios were created to test the efficiency of this cross-layer IDS. First, network- and data-link-layer flooding attacks were implemented and launched [26]. Network-layer flooding attacks transmit hundreds of packets toward the destination to create congestion and


deplete the resources of the target node(s). Similarly, the data-link layer is vulnerable to probe-request flooding. Fig. 7 presents the detection rate of the proposed IDS against a multitude of attacks [10]. In the case of network- and data-link-layer flooding, the proposed IDS is highly accurate at detecting network-layer flooding attacks. However, because the proposed IDS operates at the network layer, the exchange of cross-layer parameters takes processing time, and therefore, at the start of the simulation, the proposed IDS fails to detect data-link-layer flooding attacks. Once the parameters have been exchanged, the proposed IDS consistently detects data-link-layer flooding. In the second scenario, three network-layer attacks, namely black-hole, gray-hole, and routing loop, were launched [10,43].

Fig. 6. Energy consumed: normal vs abnormal.

Table 2
Simulation parameters.

Parameter              Value
Malicious packet size  256 bytes
Normal packet size     256 bytes
Mobility               Random waypoint
Processor speed        Standard
Radio range            20 m
Type of battery        Standard
Deployment area        600 m × 400 m

exhaustion attacks. We conducted six battery exhaustion attacks, one every 100 s. The proposed IDS could not detect the first three attacks, but the last three were successfully detected. This is because battery exhaustion is a physical-layer attack, and its parameters cannot be passed directly to the network layer [10]: the physical-layer parameters are first recorded at the application layer and later forwarded to the network layer. This exchange takes some time, and the proposed IDS therefore missed the first three battery exhaustion attacks [10].

Additionally, the proposed IDS was compared with a single-layer network IDS. In Fig. 8(a), the detection rates of the two IDSs are evaluated in the presence of network- and data-link-layer flooding attacks, with some interesting results. In this experiment, the network-layer flooding attack was launched during the first 300 s and the data-link-layer flooding attack during the remaining 300 s. Both IDSs performed well in detecting the network-layer flooding attack. However, once the data-link-layer flooding attack was introduced, the proposed IDS achieved a higher detection rate, because the single-layer IDS is incapable of detecting data-link-layer flooding. Fig. 8(b) presents a performance comparison of both IDSs in the presence of black-hole, gray-hole, and routing-loop attacks. Here the proposed IDS performs well compared with the single-layer IDS. The single-layer IDS performs better in detecting routing-loop and black-hole attacks;
In the third scenario, a huge number of probe messages were however, it is inefficient in the detection of gray-hole attack. Fig. 8(c)
launched against the target node to detect battery exhaustion attacks at explores the performance comparison of both IDSs in the presence of the
the physical layer. Fig. 7 presents the detection rate of the battery probe-flood-based energy exhaustion attack against the target node. In

Fig. 7. Detection rate for the Proposed IDS in different attack scenarios.

1074
F.S. Al-Anzi Digital Communications and Networks 8 (2022) 1068–1076

Table 3
Detection and false positive rates.
Attack Type Detection Rate (%) False Positive Rate (%)

Flooding (Network) 95 0.5


Flooding (Data Link) 86 0.8
Black-hole 97 0.3
Greyhole 97 0.3
Routing Loop 97 0.3
Battery Exhaustion 84 0.9
Rushing Attack 92 0.11

● Devising an intelligent scheme that includes other unknown attacks


● Detecting attacks at the physical layer, for instance, jamming attacks
● Detecting types of alternating attacks, such as worm-hole attacks

5. Addressing alternating attacks

The proposed IDS is not an all-encompassing solution to identify at-


tacks. For instance, worm-hole attacks can be very damaging to an ad hoc
network, which is not addressed above. In this case, the attacker is
tactically located inside the network to record information (packets, bits)
conveyed within, which is later transmitted via a tunnel. Reddy and
Thilagam addressed the use of a reputation-based cross-layer IDS that can
address wormhole attacks [46]. Such a system utilizes a reputation-based
cross-layer IDS with the inclusive ability to single out worm-hole attacks
within the network [38,46,47]. The experiment conducted concluded
that using this particular IDS leads to improved detection and lower
false-positive rates, which is more optimal when considering long dis-
tance wireless links in WMNs. In comparison to the existing cross-layer
IDS, this better detects colluded attacks because it relies on the reputa-
tion property of the nodes.

6. Conclusion and future work

The study of detecting intrusions can be considered an active research


area, particularly when connected to wireless networks. Multihop and
decentralized wireless networks can have its security targeted making it
vulnerable to attacks at different layers. The single-layer IDSs can detect
security attacks at the network layer only. To detect security attacks at
multiple layers, cross-layer methodology is used. In this study, we pro-
posed a cross-layer IDS for infrastructure-less WMNs. We have proposed a
mechanism and provided several alternates that cover functionality not
addressed by the current model. The proposed mechanism is capable for
detecting security attacks at multiple layers. The response time of the
proposed IDS is very quick in the case of network layer attacks. It can be
further enhanced to reduce the delay in the cases of data-linking or
physical layer attacks. The primary drawback is that there are several
unknown attacks that need to be addressed. The current model is not all
inclusive.
In future, the proposed model can also include the use of PSRR as a
part of a more comprehensive and inclusive identification model that
provides privacy in addition to security. Various cryptographic tech-
niques and game theory mechanisms can be used to supplement the
protocol. Another possibility would be a cohesive integration of the
intrusion detection system with intrusion prevention properties as well.
This could lead to the employment of a more wide-ranging all-inclusive
security solution. In addition, we aim to extend our proposed IDS model
Fig. 8. Performance comparison: Single vs Cross-Layer. for detecting the attacks on application layer to enable this model to
identify and detect the attacks on every layer of the OSI model.
the case of energy exhaustion attack, the proposed IDS completely out-
performed the single-layer IDS. Declaration of competing interest
The detection and false positive rates of the IDS proposed is sum-
marized in Table 3. The highly efficient and effective nature of the pro- We declare that our manuscript has no conflict of interest of any kind.
posed IDS can be deduced from the results of the experiment.
There is a limitless possibility to extend and expand the proposed
mechanism, which includes:
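The single-layer versus cross-layer comparison in Section 4.6 can be illustrated with the following detector model; this is added example code, not the paper's NS-2 implementation. The network-layer-only detector sees just the packet rate, while the cross-layer detector also receives the MAC-layer probe-request count and the PHY-layer energy drain, which become usable only after the parameter exchange has completed. The thresholds, the exchange delay and the 20-second trace are constructed assumptions, not values from the paper.

```python
from dataclasses import dataclass

# Thresholds and the trace below are constructed for this illustration only.
NET_PKT_THRESHOLD = 100      # routing-layer data packets/s toward the node
PROBE_THRESHOLD = 50         # MAC-layer probe requests/s heard by the node
ENERGY_DROP_THRESHOLD = 2.0  # PHY-layer energy drawn per second (J)

@dataclass
class Observation:
    t: int              # simulation second
    net_pkts: int       # network-layer packets received
    probe_reqs: int     # data-link-layer probe requests received
    energy_drop: float  # physical-layer energy drawn in this second

def single_layer_detect(obs):
    """Network-layer-only IDS: the only parameter it can see is packet rate."""
    return "flooding(network)" if obs.net_pkts > NET_PKT_THRESHOLD else None

def cross_layer_detect(obs, exchange_delay=0):
    """Cross-layer IDS at the network layer: MAC and PHY parameters are
    forwarded to it and become usable only after the exchange delay."""
    alert = single_layer_detect(obs)
    if alert or obs.t < exchange_delay:   # lower-layer parameters not yet exchanged
        return alert
    if obs.probe_reqs > PROBE_THRESHOLD:
        return "flooding(data-link)"
    if obs.energy_drop > ENERGY_DROP_THRESHOLD:
        return "battery-exhaustion"
    return None

def evaluate(trace, detector):
    """Map each alert type to the seconds at which the detector raised it."""
    flagged = {}
    for obs in trace:
        alert = detector(obs)
        if alert:
            flagged.setdefault(alert, []).append(obs.t)
    return flagged

def sample_trace():
    """Constructed 20 s trace: normal traffic, network-layer flood,
    MAC-layer probe-request flood, then probe-driven battery drain."""
    normal = [Observation(t, 20, 5, 0.5) for t in range(0, 5)]
    net_flood = [Observation(t, 400, 5, 0.8) for t in range(5, 10)]
    probe_flood = [Observation(t, 20, 300, 1.5) for t in range(10, 15)]
    drain = [Observation(t, 20, 40, 3.0) for t in range(15, 20)]
    return normal + net_flood + probe_flood + drain

if __name__ == "__main__":
    print("single-layer:", evaluate(sample_trace(), single_layer_detect))
    print("cross-layer :", evaluate(sample_trace(), lambda o: cross_layer_detect(o, 12)))
```

With an exchange delay of 12 s, the probe-request flood that starts at t = 10 s is flagged only from t = 12 s, which is the start-up gap the evaluation describes, while the single-layer detector never flags it at all.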


Acknowledgment

The authors would like to thank the Research Administration at Kuwait University for their sponsorship. This paper is part of the research project number EO 05/11.

References

[1] K.L.S. Khan, Denial of service attacks and challenges in broadband wireless networks, Int. J. Computer Sci. Network. Security. 8 (7) (July 2008) 1–6.
[2] S. Shah, B. Shams, S. Khan, A survey on secure routing in wireless sensor networks, Int. J. Sensor. Wireless Commun. Control 3 (12) (2013).
[3] D. Boubiche, A. Bilami, Cross layer intrusion detection system for wireless sensor network, Int. J. Netw. Secur. Appl. 4 (3) (2012) 35–52.
[4] S. Northcutt, J. Novak, Network Intrusion Detection, third ed., SAMS, 2002.
[5] S. Khan, J. Loo, Z. Ziauddin, Framework for intrusion detection in IEEE 802.11 wireless mesh networks, Int. Arab J. Inf. Technol. 7 (12) (2010) 435–440.
[6] S. Khan, N. Alrajeh, J. Loo, Secure route selection in wireless mesh networks, Comput. Network. 56 (2012) 491–503.
[7] K. Reddy, V.P. Raju, P. Thilagam, An effective analysis on intrusion detection systems in wireless mesh networks, (09 2017) 2213–2220, https://doi.org/10.1109/ICACCI.2017.8126174.
[8] S. Halder, A. Ghosal, Cross layer-based intrusion detection techniques in wireless networks, 1 (2014) 361–390.
[9] M. Xiao, X. Wang, G. Yang, Cross-layer design for the security of wireless sensor networks, (2006) 104–108, https://doi.org/10.1109/WCICA.2006.1712371.
[10] F. Al-Anzi, S. Khan, Wireless mesh network cross-layer intrusion detection, J. Comput. Sci. 10 (12) (2014) 2366–2373.
[11] A. Drewek-Ossowicka, M. Pietrołaj, J. Rumiński, A survey of neural networks usage for intrusion detection systems, J. Ambient Intell. Hum. Comput. 12 (2021) 497–514.
[12] G. Thamilarasu, A. Balasubramanian, S. Mishra, R. Sridhar, A cross-layer based intrusion detection approach for wireless ad hoc networks, in (2005) 7, https://doi.org/10.1109/MAHSS.2005.1542882.
[13] G. Thamilarasu, S. Mishra, R. Sridhar, A cross-layer approach to detect jamming attacks in wireless ad hoc networks, MILCOM (10) (2006) 1–7.
[14] X. Wang, J.S. Wong, F. Stanley, S. Basu, Cross-layer based anomaly detection in wireless mesh networks, in: Ninth Annual International Symposium on Applications and the Internet, July 2009, pp. 9–15.
[15] Y. Liu, Y. Li, H. Man, A distributed cross-layer intrusion detection system for ad hoc networks, Annal Telecommun. 61 (2006) 357–378.
[16] J. Sharma, C. Giri, O.C. Granmo, et al., Multilayer intrusion detection system with ExtraTrees feature selection, extreme learning machine ensemble softmax aggregation, EURASIP J. Inf. Secur. 15 (2019).
[17] J. Granjal, A. Pedroso, An Intrusion Detection and Prevention Framework for Internet-Integrated CoAP WSN, Security and Communication Networks, 2018, pp. 1–14.
[18] A. Karygiannis, E. Antonakakis, A. Apostolopoulos, Detecting Critical Nodes for MANET Intrusion Detection Systems, Second International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing (SecPerU'06), 2006, pp. 9–15.
[19] G. Vigna, S. Gwalani, K. Srinivasan, E.M. Belding-Royer, R.A. Kemmerer, An Intrusion Detection Tool for AODV-Based Ad Hoc Wireless Networks, 20th Annual Computer Security Applications Conference, 2004, pp. 16–27.
[20] J. Parker, A. Patwardhan, A. Joshi, Cross-layer analysis for detecting wireless misbehavior, in: IEEE Consumer Communications and Networking Conference Special Sessions, 2, 2006, pp. 6–9.
[21] F. Kargl, S. Schlott, M. Weber, Sensors for detection of misbehaving nodes in MANETs, in: Praxis der Informationsverarbeitung und Kommunikation, 2004.
[22] Y. Zhang, Y. Fang, ARSA: an attack-resilient security architecture for multihop wireless mesh networks, IEEE J. Sel. Area. Commun. 24 (10) (10 2006) 1916–1928.
[23] N.B. Salem, J.P. Hubaux, Securing wireless mesh networks, IEEE Wireless Commun. 13 (2006) 50–55.
[24] I.G. Askoxylakis, B. Bencsath, L. Buttyan, L. Dora, V.A. Siris, A. Traganitis, Cross-layer security and resilience in wireless mesh networks, in: Future Wireless Networks and Information Systems, 2010.
[25] R. Kaur, Role of cross layer based intrusion detection system for wireless domain, Int. J. Communications, Network and System Sciences 5 (01 2012) 81–85.
[26] S. Khan, J. Loo, Real-time Cross-Layer Design for Large-Scale Flood Detection and Attack Trace-Back Mechanism in IEEE 802.11 Wireless Mesh Networks, Network Security, 05 2009, pp. 9–16.
[27] E.J. Caballero, Vulnerabilities of intrusion detection systems in mobile ad-hoc networks - the routing problem, in: TKK T110.5290 Seminar on Network Security 12-11/12, 2006.
[28] T.M. Chen, G.-S. Kuo, Z.-P. Li, G.-M. Zhu, Intrusion detection in wireless mesh networks, in: Intrusion Detection in Wireless Mesh Networks, 2008.
[29] M. Kuchaki Rafsanjani, A. Movaghar, F. Koroupi, Investigating intrusion detection systems in MANET and comparing IDSs for detecting misbehaving nodes, in x (2008) 8.
[30] A.J. Rocke, R.F. Demara, CONFIDANT: collaborative object notification framework for insider defense using autonomous network transactions, Aut. Agents Multi-Agent Syst. 12 (2005) 93–114.
[31] H.E. Shrobe, T. Knight, A. DeHon, TIARA: trust management, intrusion-tolerance, accountability reconstitution architecture, in: Computer Science and Artificial Intelligence Lab (CSAIL), 2007.
[32] X. Li, J. Xu, H.N. Dai, Q. Zhao, C.F.C.Q. Wang, On modeling eavesdropping attacks in wireless networks, J. Comput. Sci. 11 (2015) 196–204.
[33] C. Zhou, et al., Adaptive Multipath Scheduling Mechanism against Eavesdropping Attacks with Programmable Data Planes, 2021 IEEE 5th Advanced Information Technology, Electronic and Automation Control Conference (IAEAC) (2021) 2357–2361, https://doi.org/10.1109/IAEAC50856.2021.9390985.
[34] A. Narayana Rao, P. Ramesh Babu, A. Rajasekhar Reddy, Analysis of Wireless Mesh Networks in Machine Learning Approaches, 20, Springer, Singapore, 2021, https://doi.org/10.1007/978-981-15-9293-5_28.
[35] A. Lacava, E. Giacomini, F. D'Alterio, F. Cuomo, Intrusion Detection System for Bluetooth Mesh Networks: Data Gathering and Experimental Evaluations, 2021 IEEE International Conference on Pervasive Computing and Communications Workshops and other Affiliated Events (PerCom Workshops) (2021) 661–666, https://doi.org/10.1109/PerComWorkshops51409.2021.9430966.
[36] Y. Xu, J. Liu, Y. Shen, X. Jiang, Y. Ji, N. Shiratori, QoS-Aware Secure Routing Design for Wireless Networks With Selfish Jammers, IEEE Transactions on Wireless Communications 20 (8) (2021) 4902–4916, https://doi.org/10.1109/TWC.2021.3062885.
[37] Y. Xu, J. Liu, Y. Shen, J. Liu, X. Jiang, T. Taleb, Incentive Jamming-Based Secure Routing in Decentralized Internet of Things, IEEE Internet of Things Journal 8 (4) (2021) 3000–3013, https://doi.org/10.1109/JIOT.2020.3025151.
[38] N. T M, Y. Palanichamy, Privacy preserved and secured reliable routing protocol for wireless mesh networks, Sci. World J. 9 (2015).
[39] E. Stai, S. Papavassiliou, J.S. Baras, Performance-aware cross-layer design in wireless multihop networks via a weighted backpressure approach, IEEE/ACM Trans. Netw. 24 (2016) 245–258.
[40] H.A. Mogaibel, M. Othman, Review of Routing Protocols and Its Metrics for Wireless Mesh Networks, International Association of Computer Science and Information Technology - Spring Conference, 2009, pp. 62–70.
[41] Z. Wan, K. Ren, M. Gu, USOR: an unobservable secure on-demand routing protocol for mobile ad-hoc networks, IEEE Trans. Wireless Commun. 11 (05 2012) 1922–1932.
[42] S. Paris, C. Nita-Rotaru, F. Martignon, A. Capone, Cross-layer metrics for reliable routing in wireless mesh networks, IEEE/ACM Trans. Netw. 21 (06 2013) 1003–1016.
[43] S. Khan, J. Loo, N. Mast, N. Tahir, SRPM: secure routing protocol for IEEE 802.11 infrastructure based wireless mesh networks, J. Netw. Syst. Manag. 18 (1) (2011) 190–209.
[44] S. Khan, N. Mast, J. Loo, A. Salahuddin, Passive security threats and consequences in IEEE 802.11 wireless mesh networks, JDCTA (2008) 4–8.
[45] Y. Rebahi, V. Mujica, V.D. Sisalem, A reputation-based trust mechanism for ad hoc networks, 7 (2005) 37–42, https://doi.org/10.1109/ISCC.2005.17.
[46] K. Reddy, P. Thilagam, Reputation-based cross-layer intrusion detection system for wormhole attacks in wireless mesh networks, Secur. Commun. Network. 7 (12) (2014).
[47] X. Wang, J.S. Wong, An end-to-end detection of wormhole attack in wireless ad-hoc networks, 31st Annual International Computer Software and Applications Conference (COMPSAC 2007) 1 (2007) 39–48.
