A Danger Theory Inspired Protection Approach for Hierarchical Wireless Sensor Networks

Abstract

With the application of wireless sensor networks in the fields of ecological observation, defense military, architecture and urban management etc., the security problem is becoming more and more serious. Characteristics and constraint conditions of wireless sensor networks such as computing power, storage space and battery have brought huge challenges to protection research. Inspired by the danger theory in biological immune system, this paper proposes an intrusion detection model for wireless sensor networks. The model abstracts expressions of antigens and antibodies in wireless sensor networks, defines meanings and functions of danger signals and danger areas, and expounds the process of intrusion detection based on the danger theory. The model realizes the distributed deployment, and there is no need to arrange an instance at each sensor node. In addition, sensor nodes trigger danger signals according to their own environmental information, and do not need to communicate with other nodes, which saves resources. When danger is perceived, the model acquires the global knowledge through node cooperation, and can perform more accurate real-time intrusion detection. In this paper, the performance of the model is analyzed including complexity and efficiency, and experimental results show that the model has good detection performance and reduces energy consumption.

1. Introduction

As the development of sensor technology, wireless communication technology, distributed information processing technology and embedded technology, the wireless sensor network (WSN) - a network which is composed of a large number of tiny sensor nodes with microprocessing ability, arises at the historic moment. It fuses the logical information world with the objective physical world, and has changed the way people interact with nature. WSNs have gained widespread attention from academia, industry and government, and become one of the most competitive application technologies in many fields such as national military defense, environment monitoring and forecasting, health care, smart home, building structure monitoring, complex machinery monitoring, urban traffic, space exploration, large workshop and warehouse management, large industrial park safety monitoring [1-5].

To ensure the safety of WSNs is one of the bases that wireless sensor networks can be widely applied. Some defense measures such as encryption, authentication, secure routing, can prevent the invasion to some extent, but cannot completely hold back all kinds of attacks. The main challenges of WSN intrusion detection are as follows.

(1) Attack form is varied. Means and characteristics of attacks in wireless sensor networks have a bigger difference with those in traditional computer networks. For example, most of attacks in the link layer and the network layer are peculiar to wireless sensor networks. Traditional computer network resources such as network, files, system logs, processes cannot be used in wireless sensor networks, and we need to consider the feature information which can be applied to the wireless sensor network intrusion detection.

(2) The attacks of new type in wireless sensor networks are endless. How to improve the ability of intrusion detection system to detect unknown attacks is a problem that needs to be solved.

(3) Wireless sensor network resources which include storage space, computing power, bandwidth and energy are limited. Limited storage means that a large number of system logs can not be stored on sensor nodes. Intrusion detection system based on knowledge requires storing large amounts of defined intrusion patterns and detects intrusion through pattern matching. This method needs to store invasion behavior characteristics, and feature library will increase with the increase of invasion type. Limited computing power means that an intrusion detection algorithm with large amount of computing is not suitable for running on nodes. The current wireless sensor networks adopt low-speed and low-power-consumption communication technologies. the characteristics of limited energy request intrusion detection systems not to bring too much communication overhead. This is less considered in the traditional computer network.

The following is a brief introduction to the existing wireless sensor network intrusion detection technologies. Onat and Miri proposed an intrusion detection system for resource depletion attacks [8]. Roman et al. designed a framework for the application of intrusion detection system (IDS) in wireless sensor networks [9]. Martynov et al. proposed an intrusion detection model for wireless sensor network based on agents [10], and Al-Yaseen et al. put forward a real-time multi-agent based adaptive intrusion detection system [16]. Drozdastudied an intrusion detection technology based on artificial immune system - the SNS model [11], to solve problems of discarding, packets delay forwarding and wormhole attacks. Schaust et al. applied principles of the degenerate behavior of T-cell receptors from artificial immune systems to wireless sensor networks, and proposed the misuse detection model [12]. Kim et al. proposed an interest cache poisoning attack for directed diffusion (DD) routing protocol in wireless sensor networks, and presented a detection method for this attack by dendritic cell algorithm (DCA) [13]. Wazid et al. put forward a hybrid anomaly detection scheme using K-means clustering to detect black hole attack and misdirection attack in wireless sensor networks [14]. Ma et al. proposed a spectral clustering and deep neural network based intrusion detection algorithm, and verified the algorithm in the datasets of KDDCUP99 and NSL-KDD [15]. Gunasekaran et al. proposed a genetic algorithm based intrusion detection model to solve the denial-of-sleep attack in wireless sensor networks [ 20]. Shi et al. put forward a dynamic programming model for internal attack detection in wireless sensor networks through continuous time Markov chain and the epidemic model to optimize the detection rate [27]. Zeeshan et al. proposed an anomaly detection system (ADS) framework to detect Sybil attack which causes data flow anomaly in WSNs [28].

Through analysis of the existing wireless sensor network intrusion detection schemes, research on intrusion detection technology in WSNs is not very mature, and the above detection systems are mostly transplanted from traditional network intrusion detection technologies. There are three problems. Firstly, nodes are in promiscuous mode, which prevents them into sleep and force them into the idle or receiving state, which extremely consumes energy. Secondly, the intrusion detection model is deployed on a single sensor node, which greatly consumes resources. Thirdly, the intrusion detection model is aimed at specific attacks, and the universality needs to be improved.

Inspired by the danger theory in the biological immune system, this paper proposes an intrusion detection model based on the danger theory for wireless sensor networks, named DT-IDM. The main contributions of this model are as follows. (1) The model abstracts expressions of antigens and antibodies in wireless sensor networks, defines meanings and functions of danger signals and danger areas, and expounds the process of intrusion detection based on the danger theory. (2) The model realizes the distributed deployment, and there is no need to arrange an instance at each sensor node. In addition, sensor nodes trigger danger signals according to their own environmental information, and do not need to communicate with other node, which saves resources. When danger is perceived, the model acquires the global knowledge through node cooperation, and can perform more accurate real-time intrusion detection. The performance of the model is analyzed including scalability, robustness and complexity, and experimental results show that the model has good detection performance and reduces energy consumption.

The remainder of this paper is organized as follows. The related work which is also the background of this paper is described in Section 2. The theories of the model including description of the architecture, definitions of the model, implementation mechanisms of danger signal and danger area, and implementation mechanism of decision and response are described in Section 3. The performance is analyzed in Section 4. The effectiveness of DT-IDM is verified in Section 5. Finally, the conclusions and future works are given in the last section.

2. Related Work

2.1 Typical Attacks of WSNs

The following is a brief introduction to typical attacks of wireless sensor networks at the protocol level.

(1) Physical layer attack

Physical layer attacks mainly include jamming attacks and physical capture attacks. In the jamming attack, the attacker keeps transmitting blocking signals in the working band of wireless sensor networks, so that sensor devices in the communication radius of the attacker node cannot work properly. Sensor nodes which are deployed in harsh environments are easily captured by attackers, and attackers can obtain sensitive information in multiple ways for the captured sensor nodes.

(2) Link layer attack

The work of the data link layer focus on data frame monitoring, data flow multiplexing, media access and error control, which guarantees point-to-point or point-to-multipoint connection reliability. Typical attacks on the link layer include resource depletion attacks, collision attacks, unfair attacks, etc.

Resource depletion attacks require the attacker to be part of the network, and are primarily for wireless sensor nodes with limited energy. The attacker can modify the conflict avoidance mechanism to consume other nodes' energy. The collision attacker listens to the channel for information transmission. When there is information to transmit, the attacker launches interference signals which will collide with the legitimate information. Unfair attack is a weak form of denial of service (DOS) attack.

(3) Network layer attack

The network layer is responsible for routing the data provided by the transport layer. Typical attacks on the network layer mainly include neighbor discovery protocol attack, sybil attack, selective forwarding attack, wormhole attack, sinkhole attack, etc.

The neighbor discovery protocol attackers enable target nodes to believe that they provide network functions, so that the nodes could not obtain the correct network topology perception, and could also be overloaded. The famous hello flood attack belongs the neighbor discovery protocol attack. Sybil attack refers to that the attacker declares multiple identities and fakes multiple legal nodes, to destroy the voting mechanism, or to reduce the performance of the fault-tolerant mechanism such as multi-path routing, topology maintenance. The selective forwarding attack refers to that the attacker as the route node to forward data chooses to discard or forward packets selectively. The wormhole attackers transmit messages which are received from an area of the network through high-speed tunnel to other areas, in order to disrupt the routing or attract forwarding messages. The target of sinkhole attackers is to attract data streams in a region through broadcasting high quality routing information.

(4) Application layer attack

The application layer is responsible for implementing functions which are required for particular applications, such as integrating the data from the collection. Application layer attack is related to specific applications, such as location attack, malicious code, etc.

2.2 Intrusion Detection Characteristics of WSNs

Before the intrusion detection algorithm is implemented, it is necessary to analyze the nodes local log, communication data packet and network behavior, and extract the characteristics for intrusion detection. The detection features are the basis of wireless sensor network intrusion detection, and the detection algorithm can identify attacks by finding the abnormal characteristics. The characteristics of wireless sensor networks are briefly described below.

Physical layer features include: energy reduction rate, cache occupancy rate, and RSS. The characteristics of link layer include: packet collision rate, packet avoidance interval, packet avoidance times, RTS message frequency, data frame transmission success rate, data frame receiving rate, and data frame transmission rate. Features of network layer include: routing request message frequency, the success rate, packet retransmission rate, routing overhead change, packet receiving rate, packet type distribution, packet arrival rate, packet delay, packet forwarding rate, throughput capacity, and package integrity. The application layer characteristics mainly include: perception data change and perception data arrival rate.

2.3 Danger Theory

The danger theory proposed by biological immunologist Matzinger [17] believes that there are two death manners for cells in biological immune system which are apoptosis and necrosis. Apoptosis is a natural process, and is the result of environmental regulation in the body. Necrosis is irregular death associated with stress cells or other means. This approach of death will lead to specific biochemical reactions of the body, is different from natural rules, and will produce distinct degrees of danger signals which form the basis of the immune response. Thus, the biological system produces danger signals, then conducts the immune response according to changes in the environment. Danger signals build a danger zone around them, where immune cells will be activated to take part in immune responses. Compared with the traditional CLONALG theory, danger theory introduces environmental factors of the body, describes some important characteristics of the biological immune system, and explains some immune phenomena which the traditional theory cannot explain, such as autoimmune diseases.

Compared with the traditional Self-Nonself (SNS) model, the main difference between the two is that they have different explanations for activation conditions of antigen presenting cells. The SNS model suggests that antigen presenting cells are activated by the identification of external pathogens, and the danger theory believes that the root cause of the immune response is the danger signal issued by the damage or accidental death of organisms. Although there is still controversial about the danger theory in the traditional biological immune field, it gets rid of some limitations of the SNS model. The exogenous pathogens do not play a decisive role in triggering immune responses, but only perceiving damages of body cells will do the job. So, the danger theory is more suitable for the intrusion detection field than the SNS model [18,19].

Table 1 lists the concepts mapping of danger theory and the intrusion detection system in wireless sensor networks.

Table 1. Mapping of danger theory and the intrusion detection system

 

3. Model Description

3.1 Architecture of Intrusion Detection System

A typical wireless sensor network consists of sink nodes and sensor nodes [1-5]. Sensor nodes can be distributed in the monitored area by means of artificial placement or may be spread by aircraft, and so on. And they can form a network through self-organization routing protocols such as clustering-based protocols, data-centered protocols. Each sensor node can collect data independently, and the collected data is sent to the sink node through single hop or multi hop relay. Sink node has numerous resources, and deals with data sent by sensor nodes. In the, clustering-based routing protocol is adopted, and sensor nodes are divided into cluster heads and cluster members [24-26].

If each sensor node runs a complete testing instance at the same time, it will cost a lot of resources for the node. It is not proper. Therefore, the intrusion detection system proposed in this paper adopts the distributed structure. The system is divided into three levels, the application layer, the immune layer and the wireless sensor network layer. The detection model is scattered on the immune layer, including the danger perception module, antigen presentation module, decision module and intrusion response module. The danger perceiving module and the antigen presenting module are deployed on the sensor nodes, including cluster heads and cluster members. Decision module and intrusion response module are deployed on the sink node. As shown in Fig. 1.

 

Fig. 1. The architecture of proposed intrusion detection system

The detection process of the model is described as follows, and Table 2 shows the process. Firstly, cluster heads and cluster members detect changes of their own properties, extract the key data, and obtain the signal information of the current environment to perceive the risk.

When danger is perceived, cluster member transmits the danger signal to cluster head, cluster head integrates multiple danger signals and finally passes to the sink node. Then, sink node computes the degree of risk and the range of the risk domain, and demands presenting antigens. Sensor nodes within the danger area work together to collect the network traffic information for forming antigens. After that, the sink node generates antibodies to carry out immune responses, and decides whether an intrusion occurs. If an intrusion occurs, the response is taken, and the feedback information are sent to the network.

Table 2. The detection process of the model

 

 

Fig. 2. Intrusion detection process

3.2 Model Definition

In wireless sensor networks, all the information in the end can be reduced to a binary string. In fact, intrusion detection is classification of the binary string according to certain rules and priori knowledge. Define the problem state space \(\Omega=\mathrm{U}_{i=1}^{\infty}\{0,1\}^{i}\). Based on the biological immunity, wireless sensor networks are defined as organisms, and sensor nodes are defined as immune tissues. Define the antigen set AG ⊂ Ω.

Definition 1. An antigen is the structured characteristic vector in the solution space of the artificial immune system domain [21]. In this model, the antigen ag consists of multiple genes, and is represented by a binary string. Genes are extracted from key fields of packets broadcasted by neighbor nodes, and include attributes of the MAC layer and the network layer. Specifically, the gene contains the node address, the next-hop destination address, the packet source address, the packet destination address, the packet size, the MAC frame type, etc. Packets from the same node will be abstracted as the same kind of antigens. Define the antigen \(a g=\left\{\left(g_{1}, g_{2}, \ldots, g_{m}\right) | g_{i} \in\{0,1\}^{l i}, i=1,2, \ldots, m, l_{i}\right.\) is the length of \(\left.g_{i}\right\}\). The set of all antigens in the space is expressed as \(A G=\cup_{i=1}^{\infty}\left\{A g_{i}\right\}\).

It is assumed that normal strings that can be recognized by the model are defined as self set S, all the unknown strings are defined as N, abnormal strings that produce danger signals are defined as D, and strings that are judged as invasions are defined as I.

Then, \(S \cap N=\emptyset, S \cup N=A G\). Danger theory does not distinguish between self and non-self, only recognizes intrusion set \(I=D \cap N\) which triggers immune responses, and does not respond to harmless set \(D \cap S\).

Definition 2. Antibodies have the same structure with antigens, and are protein molecules which are secreted by antigen-stimulated B lymphocytes. They can be combined with specific antigens, and are used to detect and match antigens. In the model, antibodies are generated by sink node, and can perform immune responses after immune tolerance. Define antibody \(a b=\left\{\left(g_{l}, g_{2}, \ldots, g_{m}\right) | g_{i} \in\{0, l\}^{l l}, i=l, 2, \ldots, m, l_{i}\right.\) is the length of \(\left.g_{i}\right\}\). The set of antibodies is expressed as \(A B=\cup_{i=1}^{\infty}\left\{A b_{i}\right\}\).

Definition 3. The affinity between an antibody and an antigen is expressed as Affinity (ag, ab), and represents the binding strength of the antibody and antigen. In this paper, an improved r-continuous bit matching method is adopted.

\(\text {Affinity(ag, ab)}=\left\{\begin{array}{cc} 1, & \left.\sum_{i=1}^{m} f\left(a b . g_{i}, a g\right) / m \geq \theta\right\} \\ 0, & \text {others} \end{array}\right\}\)       (1)

Where \(\theta\) is the matching threshold, and f(x, y) is the r-continuous bit matching method for antibody ’s gene segment g_i and antigen ag.

\(f(x,y)=\left\{\begin{array}{c} 1, \exists i, j, j-i \geq|x|, 0<i \leq j \leq m \cdot(l+1), x_{i}=y_{j}, x_{i+1}=y_{j+1}, \ldots, x_{|x|}=y_{j+|x|-1} \\ 0, \text { others } \end{array}\right\}\)       (2) 

The purpose of intrusion detection is to distinguish patterns: for an input schema \(x, x \in A G\), the system detects and determines this schema belongs to self or non-self. The detection system can be expressed as IDS = (F, M). F is the classification function, and M is a collection of detector information patterns extracted from \(\Omega\). The system may have two errors in the detection process: false negative, sorting non-self to be self, \(\varphi_{-}=\{x \in N \cap F(x, M)=anomalous \}\); false positive, sorting self to be non-self, \(\varphi_{+}=\{x \in S \cap F(x, M)=normal\}\).

3.3 Danger Signals

Danger theory emphasizes that danger signals which are produced by environmental changes are used to guide different levels of immune responses, and zones around danger signals are regarded as danger areas. Because the danger signal is related to the environment, changes of sensor nodes’ attributes reflect the environmental status in wireless sensor networks. Nodes do not need to communicate with surrounding nodes, only use local knowledge for statistics. This reduces the amount of data and network traffic, and will not generate additional communication overhead. Nodes only collect information in their own work time, and do not need additional wake-up operation, which will not bring too much energy consumption.

When nodes are under attack or network is abnormal, characteristics of the physical layerand link layer change more obviously. The energy decline rate of sensor node \(D S_{i 1}(t)\), the packet avoidance frequency \(D S_{i 2}(t)\), the average packet avoidance duration \(D S_{i 3}(t)\), the receiving frequency of frames \(D S_{i 4}(t)\) and the transmission frequency of frames \(D S_{i 5}(t)\), these characteristics' values vary greatly. And nodes can get these attributes’ values in the local. Therefore, we select statistical values of these attributes to reflect the danger signal DS.

The energy decline rate of sensor node \(D S_{i 1}(t)\) is express as follows. When the DOS attack occurs, the value of this property changes greatly.

\(D S_{i 1}(t)=\sum_{t}^{t+\Delta t} P / \Delta t\)       (3) 

Where, \(\sum_{t}^{t+\Delta t} P\) is the normalized value of energy changes in the time interval \(\Delta t\).

The packet avoidance frequency \(D S_{i 2}(t)\) is expressed as follows. In wireless sensor networks, the protocols used in the link layer are mostly based on competing MAC protocols. This property is more sensitive when packet jamming attack occurs.

\(D S_{i 2}(t)=\Sigma_{t}^{t+\Delta t} N d / \Delta t\)       (4) 

Where, \(\sum_{t}^{t+\Delta t} {Nd}\) is the normalized value of the escape times of frames in the time interval \(\Delta t\).

The average packet avoidance duration \(D S_{i 3}(t)\)) is expressed as follows. This property changes greatly when the blocking attack occurs.

\(D S_{i 3}(t)=\Sigma_{t}^{t+\Delta t} T d / \Delta t\)       (5)

Where, \(\sum_{t}^{t+\Delta t} {Td}\) is the normalized value of fallback duration of frames in the time interval \(\Delta t\).

The receiving frequency of frames \(D S_{i 4}(t)\) is expressed as follows. The abnormal change of the receiving frequency of frames implies the danger. For example, when the node is the attack target, the number of the received data frames increases and the value of the receiving frequency increases.

\(D S_{i 4}(t)=\sum_{t}^{t+\Delta t} N r / \Delta t\)       (6) 

Where, \(\sum_{t}^{t+\Delta t} {Nr}\) is the normalized value of the number of received data frames in the time interval \(\Delta t\).

The transmission frequency of frames \(D S_{i 5}(t)\) is expressed as follows. Abnormal change of the transmission frequency of frames also implies the risk. For example, when large-scale worm attacks or blocking attacks occur, nodes usually need to forward these malicious packets, which results in the number of transmission frames increasing and the transmission frequency increasing. While sinkhole attacks occur, routing nodes which are originally normal will no longer transmit data, which leads to the number of transmission frames plummeting and the transmission frequency dropping.

\(D S_{i 5}(t)=\Sigma_{t}^{t+\Delta t} N s / \Delta t\)       (7) 

Where, \(\sum_{t}^{t+\Delta t} {Ns}\) is the normalized value of the number of transmission frames in the time interval \(\Delta t\).

Suppose that \(S_{i j}(t)=\left|D S_{i j}(t)-D S_{i j}(t-1)\right|\) is the changed amount of the property\(D S_{i j}\) in the time t.

Definition 4. danger signal \(D S_{i}(t)\) is expressed as follows.

\(D S_{i}(t)=<N d_{i}, t,\left\{S_{i j}(t) | j=1,2, \ldots, 5\right\}>\)       (8)

Where, \(N d_{i}\) is the sensor node i. \(\left|D S_{i}(t)\right|\) is the value of danger signal in the time t, and is expressed as follows.

\(\left|D S_{i}(t)\right|=\left(\sum_{j=1}^{5} w_{j} \cdot\left(D S_{i}(t) \cdot S_{i j}(t)\right)\right) / \sum_{j=1}^{5} w_{j}\)       (9) 

w_j is the weights of danger signal attributes. Because \(0 \leq D S_{i}(t) \cdot S_{i j}(t) \leq 1,0 \leq \left|D S_{i}(t)\right| \leq 1\). When the value of \(\left|D S_{i}(t)\right|\) is greater than the danger threshold \(\epsilon\), the sensor node will route danger signals to the sink node.

3.4 Danger Areas

According to the danger theory, if an antigen \(A g_{i}\) is in necrosis, the surrounding area around \(A g_{i}\) will become the danger area \(D\left(A g_{i}\right)\). For the intrusion detection, when a node is attacked or the network is abnormal, we take the area near the node Nd_i as the danger area D(Nd_i). The range of the risk region defines the extent of the immune response, and immune cells in this range will be activated and involved in the immune response.

Definition 5. Danger area D(Nd_i) is defined as follows.

\(D\left(N d_{i}\right)=\left\{N d_{j} | D I S\left(N d_{i}, N d_{j}\right)<\text { Rdanger } \cap\left(N d_{j} \text { is cluster head } \cup j=i\right)\right\}\)       (10) 

Where, DIS(Nd_i, Nd_j) is the distance between node i and node j, and is expressed as (11). Rdanger_i is the radius of the danger zone of node i, and is expressed as (12). Then, D(Nd_i) represents the set of the node i and the head nodes of clusters whose distances from node i are smaller than the radius of the danger zone.

\(\operatorname{DIS}\left(N d_{i}, N d\right)=\left\{\begin{array}{c} 0 \quad \text { if } i=j \\ 1 /\left(N_{\text {leapmax}}+1\right) \text { if } i \neq j \cap i \text { and } j \text { are in the same cluster } \\ N_{\text {leap}} /\left(N_{\text {leapmax}}+1\right) \text { if } i \text { and } j \text { are in different cluster } \end{array}\right.\)       (11) 

N_leapmax is the maximum number of hops between clusters in wireless sensor networks. If i = j, N_leap is 0; if the node i and node j are different and in the same cluster, N_leap is 1; if the node i and node j are not in the same cluster, N_leap is the number of hops between the cluster where the node i is and the cluster where the node j is plus 1. Therefore, \(0 \leq D I S\left(N d_{i}, N d_{j}\right) \leq 1\). 

\(\text {Rdanger}_{i}=\sum_{j=0}^{N_{\text {ds }}} \frac{1}{\text { DIS }\left(N d_{i} N d_{j}\right)+1} \cdot\left|D S_{j}(t)\right| / w_{d s}\)       (12) 

N_ds is the number of danger signals received by the sink node in the time t. w_ds is the d danger radius coefficient, and is used to adjust the size of the risk radius.

Obviously, the radius of the danger area is related to the strength of danger signal and the surrounding environment of the node. When the node’s danger signal is stronger, it indicates that the node’s environment is damaged or the probability of being damaged is larger, and the range of danger area is larger. The danger signals emitted by surrounding nodes will also affect the range of the risk area of the node. The more the number of nodes which send out danger signals is, the greater the changes of the surrounding environment are, and the bigger the range of risk area of the node is. The smaller the distance between the node and other nodes that send out danger signals is, the greater the impact on the risk area of the node is.

3.5 Decisions and Responses

When the sink node receives the antigen information, the immune response will be carried out. The process of immune response uses the traditional self-non-self identification, and the system calculates the affinity between antigens and antibodies to determine whether an invasion has occurred. The antibody corresponds to the mature detector in the intrusion detection algorithm, and the antigen corresponds to the network information that needs to be detected.

Definition 6. Detector set is expressed as \(B=\{<a b, a g e>| a b \in A B \text { ก age } \leq\left.a g e_{\max }\right\}\). Where, ab is the antibody of detector, age is the age of detector, and age_max is the max age.

 

Detectors are divided into immature ones and mature ones. We use Fig. 3 to represent the model's immune mechanism. The model first produces a new immature detector through genetic coding. The immature detector evolves into a mature detector through the negation selection. If it matches the self in the tolerance period, it will die. The mature detector has a fixed length of life cycle. If it is activated by the danger signal during the life cycle, the clone selection operation is carried out. Otherwise it would be killed.

 

Fig. 3. The model’s immune mechanism

Set of Immature detectors are expressed as \(U=\{x | x \in B \cap x . a g e<\gamma\}\). Where \(\gamma\) simulates the tolerance period. The following is the evolution model of the immature detector set.

\(U(t)=\left\{\begin{array}{c} \emptyset, \quad t=0 \\ \left.f_{a g e}\left(U(t-1)-U_{u n t o l e r a n c e}(t) \cup U_{m a t u r e d}(t)\right) \cup U_{n e w}(t), \quad t>0\right\} \end{array}\right.\)      (13)

\(U_{u n t o l e r a n c e}(t)=\left\{x | x \in f_{a g e}(U(t-1)) \cap \exists y \in S(t-1)(a f f i n i t y(x . a b, y)=1)\right\}\)       (14)

\(U_{\text {matured}}(t)=\left\{x | x \in f_{\text {age}}\left(U(t-1)-U_{\text {untolerance}}(t)\right) \cap x . a g e>\gamma\right\}\)       (15) 

Where, \(U(t), U(t-1) \subset U\) represent the immature detector sets in the time t and t-1 respectively. \(f_{a g e}(X)(X \subset B)\) is the adding 1 operation to the age of each detector in X. \(U_{u n t o l e r a n c e}(t)\) is the set of immature detectors which do not pass the self-tolerance. \(U_{\text {matured}}(t)\) is the set of immature detectors which pass the self-tolerance. \(U_{n e w}(t)\) the set of immature detectors which are newly generated in the time t. S(t) is the self set in the time t. Set of mature detectors are expressed as \(T=\left\{x | x \in B \cap \gamma \leq x . \text { age }<\text {age}_{\max } \text { n } \forall a g \in\right.S(\text {Affinity}(\text {ag}, x . a b)>\theta)\}\). The following is the evolution model of the mature detector set.

 

\(T(t)=\left\{\begin{array}{c} \emptyset, \quad t=0 \\ \left.\left(f_{a g e}(T(t-1))-\left(T_{\text {dead}}(t) \cup T_{\text {cloned}}(t)\right)\right) \cup U_{\text {matured}}(t) \cup T_{\text {permutation}}(t), \quad t>0\right\} \end{array}\right.\)      (16)

\(T_{\text {dead}}(t)=\left\{x | x \in f_{\text {age}}(T(t-1)) \cap x . a g e=a g e_{\max } \cap \exists y \in N(t-1)(x \in D(y))\right\}\)       (17)

\(T_{\text {cloned}}(t)=\left\{x | x \in\left(f_{\text {age}}(T(t-1))-T_{\text {dead}}(t)\right) \cap \exists y \in N(t-1)(x \in D(y))\right\}\)       (18)

\(T_{\text {permutation}}(t)=f_{\text {clone_} \text {mutation}}\left(T_{\text {cloned}}(t) \cup M_{\text {cloned}}(t)\right)\)       (19) 

Where, \(T(t), T(t-1) \subset T\) represent the mature detector sets in the time t and t-1 respectively. \(T_{\text {dead}}(t)\) is the set of mature detectors which are not activated when the life cycle ends. \(T_{\text {cloned}}(t)\) is the set of mature detectors which are activated by danger signals. \(U_{\text {matured}}(t)\) the set of mature detectors which are newly matured. \(T_{\text {permutation}}(t)\) is the set of mature detectors which are newly generated by clone and mutation operations. \(f_{\text {clone}_{\text {- mutation }}(X)(X \subset T)}\) is the clone selection function, and performs clone and mutation operations on each detector in X.

In the process of antibody tolerance, if \(\text {Affinity}(a g, x . a b)=1\), the immature detector can describe self which triggers immune self-reaction, and must be removed; after the generation process, remaining detectors only describe elements in the non-self collection. In the process of intrusion detection, if \(\text {Affinity}(a g, x . a b)=1\), the antigen ag can be described by the detector x, which means ag belongs to the non-self space, and intrusion occurs. In the event of an invasion, response measures, including speed limit, isolation, and human intervention etc., are taken.

4. Performance Analysis

4.1 Complexity Analysis

This section analyzes the resource consumptions of the model from three aspects, the computational complexity, storage and communication traffic.

In this model, the computational complexity of sensor nodes obtaining danger signals from current environment is \(O(|L|)\), the complexity of the sink node calculating values of d anger signals and the radiuses of danger zones is \(O(|L|)\), the complexity of sensor nodes performing antigen presenting is \(O(|L|)\), and the complexity of the sink node conducting immune response is \(O(|L|^{2})\). So the computational complexity of this algorithm is \(\mathrm{O}\left(3|L|+|L|^{2}\right)\), and \(|L|\) is the number of nodes in the system.

For sensor nodes, only the values of danger signal attributes need to be stored, and the storage complexity is \(O(|DS|)\). For the sink node, it is required to maintain and store the antibody set, and the storage complexity is \(O(|B|)\).

In the process of intrusion detection, communications between sensor nodes do not take special data transmission channel, and run only in the node working time. The communication data contains the three tuple of sensor nodes’ danger signals \(<N d_{i}, t,\left\{S_{i j}(t) | j=1,2, \ldots, 5\right\}>\) and the three tuple of antigen presenting \(<N d_{i}, t,\left\{\left(g_{l}, g_{2}, \ldots, g_{m}\right)\right\}>\).

4.2 Detection Efficiency Analysis

The number of all antigens in the problem space is N_Ag, the number of selves is N_Self, the number of training selves is N_s, and the number of detectors is N_d. The matching probability between any given detector and any antigen is P^’, which is related to the specific matching rule[6,7]. P(A) is defined as the probability of event A occurring.

Theorem 1. For any detector which passes the self-tolerance, the probability of matching an undescribed self is \(P_{d}=\left(1-P^{\prime}\right)^{N_{s}} \cdot\left(1-\left(1-P^{\prime}\right)^{N_{S e l f}-N_{s}}\right)\). For any given non-self, the probability of correct identification is \(P_{t p}=1-\left(1-P^{\prime}\right)^{N_{d} \cdot\left(1-P_{d}\right)}\), the probability of wrong identification is \(P_{f n}=\left(1-P^{\prime}\right)^{N_{d} \cdot\left(1-P_{d}\right)}\). For any given self, the probability of correct identification is \(P_{t n}=\left(1-P^{\prime}\right)^{N_{d} \cdot P_{d}}\), the probability of wrong identification is \(P_{f p}=1-\left(1-P^{\prime}\right)^{N_{d} \cdot P_{d}}\).

Prove. It is known from the proposition that a given detector passes the self-tolerance, which indicates that the detector does not match any self in the self training set. Set event A is "the given detector does not match any self in the self set,” and event B is “the given detector matches at least one undescribed self”. P_d=P(A)P(B). In the event A, the times of detectors matching with selves satisfy the binomial distribution, \(X \sim b\left(N_{s}, P^{\prime}\right)\). Then, \(P(A)=P(X=0)=\left(1-P^{\prime}\right)^{N_{s}}\). In the event B, the times of detectors matching with undescribed selves satisfy the binomial distribution, \(Y \sim b\left(N_{\text {Self}}-N_{S}, P\right)\). Then, \(P(B)=1-P(Y=0)=1-\left(1-P^{\prime}\right)^{N_{S e l f}-N_{S}}\). Therefore, \(P_{d}=P(A) P(B)=\left(1-P^{\prime}\right)^{N_{S}} \cdot\left(1-\left(1-P^{\prime}\right)^{N_{S e l f}-N_{S}}\right)\).

Set event E is “the given non-self matches at least one detector in the set of detectors”. In the event E, the times of non-selves matching with detectors satisfies the binomial distribution \(Z \sim b\left(N_{d} \cdot\left(1-P_{d}\right), P^{\prime}\right)\). Then, \(P_{t p}=P(E)=1-P(Z=0)=1-\left(1-P^{\prime}\right)^{N_{d}\left(1-P_{d}\right)}\),\(P_{f n}=1-P_{t p}=\left(1-P^{\prime}\right)^{N_{d} \cdot\left(1-P_{d}\right)}\).

Set event F is “the given self does not match any detector in the set of detectors”. In the event F, the times of selves matching with detectors satisfies the binomial distribution \(W \sim b\left(N_{d} \cdot P_{d}, P^{\prime}\right)\). Then, \(P_{t n}=P(F)=P(W=0)=\left(1-P^{\prime}\right)^{N_{d} \cdot P_{d}}\), \(P_{f p}=1-P_{t n}=1-\left(1-P^{\prime}\right)^{N_{d} \cdot P_{d}}\). Proved.

Fig. 4 and Fig. 5 is the matlab simulations of Theorem 1. The detector rate DR=P_tp and the false alarm rate FAR=P_fp are related to the detector self-reaction rate P^’, the number of mature detectors N_d, the number of training selves N_s and the number of selves N_self. For specific matching rules, P^’ is a constant [29]. In particular, for r-continuous bit matching rule, \(P^{\prime}\) = 0.025625 [29,30]. For the identified problem space, N_self can be viewed as a fixed value. So, we mainly consider influences of Ns and Nd on Ptp and Pfp. As can be seen from the figures, when N_s and N_d are smaller, P_tp is smaller and tends to 0, and P_fp is larger. With the increases of N_s and N_d, P_tp gradually increases and P_fp gradually decreases.

 

Fig. 4. The influences of N_s and N_d on P_tp

 

Fig. 5. The influences of N_s and N_d on P_fp

5. Experimental Results and Analysis

This section verifies the validity of the model through simulation experiments. Experiments use TOSSIM as the simulator for tests. It is a component-based and modular discrete event simulation tool, which is from TinyOS and suitable for the simulation of wireless sensor networks [22,23]. Sensor nodes are randomly distributed in the network and the network parameters are shown in Table 3.

Table 3. Experimental network parameters

 

Attacks on the wireless sensor network are mostly one or several-mixed types. We choose several common attacks for the experiments, including resource depletion attack, sybil attack, selective forwarding attack, wormhole attack, sinkhole attack, etc. Experiments are performed under the above five kinds of attacks, each attack runs 10 times for simulations, changes of the network within 2 hours are collected, and averaged results were acquired.

Experiments use the detection rate DR, the false positive rate FAR and the system energy consumption index EC to measure the performance of the model, and compare with the SNS model. The SNS model [14] is a wireless sensor network intrusion detection model based on the artificial immune, which adopts the traditional theory of self-nonself, and runs an intrusion detection system on each node. The SNS model judges whether the invasion occurs through the clone selection algorithm, and each node judges separately. SNS model’s parameters are set as follows. The matching length r=7, the size of self-library is 256, the size of detector collection is 128, the initial value of matching threshold is 8, and the initial value of detector survival is 2.

5.1 Deployment of the Proposed Model on 802.15.4

IEEE 802.15.4 is a wireless communication network with low energy consumption, simple structure and easy implementation [29]. It provides a detailed description of the physical layer and MAC layer of wireless sensor networks. In this network, according to the communication capability and hardware condition of the device, it can be divided into full-function device (FFD) and reduced-function device (RFD). Compared with RFD, FFD is much better than RFD in terms of hardware. For example, FFD uses direct power, while RFD uses battery power; in terms of communication, FFD can communicate with all other FFD and RFD, while RFD can only communicate with FFD associated with it. In general, we call this FFD a coordinator for the RFD device. Throughout the network, an FFD acts as the network coordinator.

It can be seen that there is a natural stratified structure in IEEE 802.15.4. We can use the point-to-point topological structure to cluster the network. RFD can be regarded as the cluster member, FFD can be regarded as the cluster head, and the PAN coordinator can be regarded as the sink node. According to the proposed model architecture, the risk perceiving module and antigen presenting module can be deployed on RFD and FFD, and decision and response modules can be deployed on the PAN coordinator.

IEEE 802.15.4 includes the following requirements. Four different transmission rates are realized at different carrier frequencies. The CSMA/CA mechanism is used to solve the channel collision problem, and the ACK feedback mechanism is used to ensure reliable transmission of data. Therefore, the environmental status required to extract the danger signals and the data packets used for presenting antigens can be obtained locally by RFD and FFD.

ZigBee technology is based on the IEEE 802.15.4 [30]. According to the specifications of ZigBee alliance, ZigBee extended the network layer and application layer on the basis of IEEE 802.15.4. Therefore, the proposed model can also be conveniently deployed on the ZigBee  network.

5.2 Parameter Settings

Table 4 lists comparisons of detection rates and false alarm rates of the model under different danger thresholds when a node is attacked in the network. Table 5 lists the performance comparisons of the model when 16 nodes in the network are attacked. The comparison here isto obtain a reasonable parameter value, and the system is in the learning stage. We examine the system status in the cases of fewer nodes under attacks and more nodes under attacks, and the system can get better results with parameters in a certain interval. 16 is not an absolute number, but to show more nodes being attacked. In the real network, a case of more than 10 attack   nodes can be seen more. It is shown that when the danger threshold is small, the model has a high detection rate and the false alarm rate is basically zero. At this time, the sink node receives more danger signals, and sensor nodes and the sink node communicate frequently, which increases the system’s energy consumption. When the danger threshold is large, the detection rate of the model decreases. At this time, when the number of attacked nodes is less, the false alarm rate is nearly zero, and when the number of attacked nodes is more, the false alarm rate increases. Danger signals from each sensor node have been accumulated over a long period of time. Although it can reduce energy consumption, it affects the real-time of the system. Therefore, the danger threshold is more appropriate between 0.3 and 0.5.

Table 4. Effects on the model of different danger threshold 1

 

Table 5. Effects on the model of different danger threshold 2

 

5.3 Comparisons of Detection Rates

Fig. 6 shows DR contrasts of the DT-IDM model and the SNS model under the selective forwarding attack and the sybil attack. The short vertical lines are standard variations. As can be seen from the figure, the DT-IDM model has better detection performance. When the number of attacker nodes is small, the DT-IDM model and the SNS model can accurately detect the invasion. While the number of attacker nodes increases, two models’ DRs decline. But in the DT-IDM model, multiple nodes within the scope of the danger zone work together to present antigens, and can accurately capture the invasion flow. So, it has better detection rate in the massive invasion.

 

Fig. 6. Comparisons of detection rates of DT-IDM and SNS

5.4 Comparisons of False Alarm Rates

Fig. 7 shows FAR contrasts of the DT-IDM model and the SNS model under the sinkhole attack and the resource depletion attack. The short vertical lines are standard variations. As can be seen from the figure, the DT-IDM model has better detection performance. When the number of attacker nodes is small, FARs of the DT-IDM model and the SNS model are low. While the number of attacker nodes increases, two models’ FARs increase. In the intrusion detection process, sensor nodes of the DT-IDM model send danger signals, and then sink node gathers comprehensive global information to make decisions and calculate the danger zone, and finally antigen presenting is implemented. Before the antigen presenting, the sink node performs the global investigation. So, the false alarm rate of the DT-IDM model is lower.

 

Fig. 7. Comparisons of false alarm rates of DT-IDM and SNS

5.5 Comparisons of Energy Consumptions

In the SNS model, sensor nodes need to monitor network traffic constantly, so they are set in promiscuous mode and the energy is consumed all the time. In the DT-IDM model, danger  perceiving module and antigen presenting module do not take up the special data transmission, only run in the normal working time. Research shows that the energy consumption of implementing commands for the sensor is far less than the energy consumption of transmitting data [1-5]. So, we mainly consider the energy consumptions of sending and receiving data, which can be calculated by the following equation.

\(\text {Energy Comsumputation}=N_{\text {byte}}^{*} V^{*}\left(N_{\text {send}}^{*} I_{\text {send}}+N_{\text {recv}} * I_{\text {recv}}\right) / \text {Rate}\)       (20)

N_byte is the number of bits of each packet, V is the voltage of sensors, I_send is the sending current, I_recv is the receiving current, Rate is the network transmission rate, and N_send and N_recv are the numbers of packets which the node sends and recives.

Fig. 8 describes the energy consumption contrasts with or without a detection system in the wireless sensor networks. The first column shows the value of the energy consumption without invasion and without the detection system, the second shows the value under the intrusion detection system and without invasion, the third shows the value under the invasion and without the intrusion detection system, and the fourth shows the value under the invasion and the intrusion detection system. The invasion of the network is the resource depletion attack on a node. As can be seen from the figure, a 147% increase is shown when IDS is applied in the network which is from a low base and nearly does not affect the system, whereas when an attack is initiated the whole network increases with 2195% energy consumption. Finally, applying the proposed IDS saves an energy consumption of more than 1902%. When the network is deployed the DT-IDM model, the system energy consumption increases slightly with no invasion, and the consumption is greatly reduced under invasion.

 

Fig. 8. The energy consumption contracts

Fig. 9 describes the energy consumption contrasts of the DT-IDM model and the SNS model under the resource depletion attack. The short vertical lines are standard variations. As can be seen from the figure, while the number of attacker nodes increases, the energy consumptions of two models increase. When an attack is initiated, a 78% decrease is shown when DT-IDM is applied in the network compared with SNS. When 9 nodes are attacked, energy consumption of DT-IDM is decreased by 32% compared with SNS. And this value is 22% when 20 nodes are attacked. So, the DT-IDM model has obvious advantages.

 

Fig. 9. The energy consumption contracts of DT-IDM and SNS

6. Conclusions and Future Works

To ensure the safety of WSNs is one of the bases that wireless sensor networks can be widely applied. This paper first analyzes the typical attacks, intrusion detection characteristics and the security research status of wireless sensor networks. Existing research on intrusion detection technology in WSNs is not very mature, and most detection systems are transplanted from traditional networks. Then, the paper proposes a distributed intrusion detection model based on danger theory for wireless sensor networks. The model simulate immune processes to eliminate external invasions. When the network perceives abnormity, the model produces danger signals. Danger signals build a danger area around them, where immune cells will be activated to participate in immune responses. At last, the performance of the model is analyzed and experimental results show that the model has good detection performance and reduces energy consumption.

The intrusion detection technology in wireless sensor networks is an important research subject, and there are many practical problems. In this paper, the next step is to apply the model to the real wireless sensor networks and to perform further validation and improvement, in order to make the model more meaningful.