Computers and Electrical Engineering
Multi-agent trust-based intrusion detection scheme for wireless sensor networks
Xianji Jin a, Jianquan Liang b,∗, Weiming Tong a, Lei Lu a, Zhongwei Li a
a School of Electrical Engineering and Automation, Harbin Institute of Technology, Harbin 150001, China
b State Grid Heilongjiang Electric Power Company Limited, Electric Power Research Institute, Harbin 150030, China
Article info
Article history: Received 19 July 2015; Revised 13 April 2017; Accepted 14 April 2017; Available online xxx
Keywords: Wireless sensor networks; Intrusion detection; Multi-agent; Node trust value
Abstract
In order to achieve both a higher detection rate and a lower false positive rate of internal node intrusion detection in layer-cluster wireless sensor networks, an intrusion detection scheme based on the use of both a multi-agent system and a node trust value is proposed. In this scheme, the multi-agent model framework is established in both the cluster heads and the ordinary sensor nodes to perform intrusion detection. First, various, typical node trust attributes are defined and Mahalanobis distance theory is used to judge whether these attributes are normal. Second, the node trust value is calculated and updated based on the combination of the Beta distribution and a tolerance factor. Finally, node intrusion detection is realized. Simulation results demonstrate that the modified scheme has a higher detection rate and a lower false positive rate, even when several types of intrusions are present.
© 2017 Elsevier Ltd. All rights reserved.
1. Introduction
The continuous development of wireless sensor networks (WSNs) has contributed to their extensive application in various industries, including in key areas such as the electrical, healthcare, and military industries. Each of these areas maintains strict security requirements because of its unique demands. Thus, the security of WSNs is crucial [1]. WSNs face both malicious external and malicious internal node attacks that are categorized based on the attack source. External node attacks can be prevented with authentication and encryption technologies; however, internal node attacks are difficult to eliminate with these approaches. Therefore, intrusion detection is considered a second line of defense for protecting the security of a WSN [2].
Agents are important concepts in the domains of both artificial intelligence and computing science, and they can be realized through either hardware or software programming. A multi-agent system is composed of a certain number and kind of agent that can perform specific tasks [3]. Agent technology features several characteristics, including autonomy, sociality, reactivity, and pro-activeness, that make it an ideal carrier for intrusion detection. When agent technology is used in intrusion detection, it can both improve the tolerance and increase the extensibility of the system. As a result, several studies related to intrusion detection for WSNs have been carried out by both domestic and foreign researchers. Thamilarasu and Ma proposed an autonomous mobile agent based intrusion detection architecture for addressing security in wireless body area networks [4]. In [5], Riecker et al. proposed a lightweight, energy-efficient intrusion detection scheme that made use of mobile agents to detect intrusion based on the sensor node (SN) energy consumption. Wang et al. proposed a multi-agent mechanism in which the combination of a self-organizing map neural network and a K-means algorithm functioned to detect the abnormity of the nodes in the WSN, which made the system more flexible, more precise, and easier to implement [6]. Wang et al. discussed the use of a multi-agent intrusion detection system in a cluster-based WSN that both increased the extensibility and reduced the cost of the system [7]. The above-mentioned studies provide reference points for WSN intrusion detection research that highlights the unique advantages of agent technology in terms of both system scalability and flexibility [8].
Reviews processed and approved for publication by Editor-in-Chief.
∗ Corresponding author.
E-mail addresses: [email protected] (X. Jin), [email protected] (J. Liang), [email protected] (W. Tong), [email protected] (L. Lu), [email protected] (Z. Li).
http://dx.doi.org/10.1016/j.compeleceng.2017.04.013
0045-7906/© 2017 Elsevier Ltd. All rights reserved.
Please cite this article as: X. Jin et al., Multi-agent trust-based intrusion detection scheme for wireless sensor networks,
On the other hand, the above-mentioned detection schemes are mainly aimed at detecting if nodes are experiencing a certain type of intrusion, which means that if there are multiple types of intrusion occurring at the same time, the detection rate may decrease. Thus, an effective mechanism is needed to solve this problem. The prevailing method employed to accomplish this effectively is the use of a trust scheme. Trust schemes are typically applied to the following aspects of WSNs [9]: secure data aggregation, secure routing, secure localization, and intrusion detection.
Liu et al. [10] proposed an improved, reliable, trust-based, energy-efficient data-aggregation protocol for WSNs. The trust value used in [10] was calculated with the Beta reputation system. Gupta et al. also proposed a data-aggregation protocol for WSNs based on a trust scheme in [11]. Zahariadis et al. proposed a secure routing protocol that relied on a distributed trust model for the detection and avoidance of malicious neighbors [12]. The trust model proposed in [12] relied on both direct and indirect observation to derive the trust value of each neighboring node through the Beta distribution. A new security localization algorithm based on a trust mechanism was proposed by Zhang et al. in [13]. Both their initial trust value and trust update weight were set by a Beta distribution. Zhang et al. proposed a secure localization scheme based on trust evaluation for localization in WSNs [14]. The studies mentioned above demonstrate that the application of trust schemes to WSNs is both achievable and helps to solve security problems. However, to the best of our knowledge, research studies performed on intrusion-detection based trust schemes in WSNs are rare.
Ebinger and Bibmeyer proposed a cooperative intrusion detection method based on both reputation exchange and trust evaluation for mobile ad hoc networks [15]. They divided the network's reputation information into both trust and confidence and then merged these subcategories into the intrusion detection credibility. Gerrigagoitia et al. introduced a new intrusion detection design based on both the reputations and the trust values of the different nodes in a WSN for both decision-making and analysis of possible malicious attack sources [16]. In their design, each node had an intrusion detection system agent that monitored local activities, and the trust value was calculated with the Beta distribution. Bao et al. proposed a trust-based intrusion detection scheme in which both quality of service and social trust were considered as trust metrics for detecting malicious nodes in clustered WSNs [17]. Consequently, we now know that trust schemes can identify both malicious and non-collaborative nodes, resist cyber-attacks, and improve the security, confidentiality, and integrity of WSNs [18,19].
In existing schemes, such as those proposed in [10–13] and [16], trust values are calculated using the Beta distribution. However, with respect to the statistics of successful/failed interactions, specific methods for judging interaction results were not presented. Moreover, there was no regard for abnormal physical states of the SNs in the trust metrics utilized. An abnormal physical state can refer to either an abnormal measured value or abnormal energy consumption of a node.
As a result, in this paper, we propose a multi-agent intrusion detection scheme based on a node trust value for layer-cluster WSNs. The scheme is realized based on a multi-agent model in which the agents collaborate with one another to manage the trust value. We adopt the Mahalanobis distance to discriminate between the successful/failed interactions of each node, which helps to improve the accuracy of the trust value. In addition, the trust value is calculated based on both beta distribution theory and a tolerance factor. The tolerance factor increases both the veracity and the flexibility of the trust value computation.
The remainder of this paper is organized as follows. In Section 2, we establish an intrusion detection framework and discuss a multi-agent model for both the cluster heads (CHs) and the SNs. Later, in Section 3, we present an implementation of this intrusion detection scheme that includes the trust value calculation and the intrusion detection for both CHs and SNs. Section 4 describes the performance analyses of the proposed scheme, with simulation results provided to characterize the scheme. In Section 5, we set up an experimental platform to verify the feasibility of the proposed intrusion detection scheme. Finally, we draw conclusions in Section 6.
2. Intrusion detection framework modeling
2.1. Network topology
The implementation of a layer-cluster topology achieves an improved scalability while, at the same time, effectively reducing both the management complexity and communication cost of a network. Hence, for most practical applications, the topology of WSNs is cluster-based. As shown in Fig. 1, the layer-cluster network considered in this paper is composed of ordinary SNs, CHs, and a base station (BS). The power supply, computing, storage, communication, and other capabilities of the SNs are constrained. The communications between the SNs and the CHs can be accomplished with single hops, while the communications between the SNs and the BS can be performed through the CHs. The communications between the CHs and the BS can be accomplished in either a single-hop or a multi-hop manner. The CHs are responsible for the management of the nodes in each cluster, and because they are required to accomplish more tasks, they need more energy, memory, and computing resources than the SNs do.
Fig. 1. Network topology structure.
Table 1
Common network attacks in WSNs.
Attack type | Attack behavior
Selective forwarding attack | Subjectives refuse to forward specific packets and discarded packets.
Black hole attack | Neighboring nodes send all packets to malicious nodes, which are then discarded by these nodes.
Spoofing and tampering attack | Subjectives forge and modify message content.
Sinkhole attack | Similar to the black hole attack but with malicious nodes located closer to the sink node.
Denial of Service (DoS) attack | A malicious node forces the node that provides services to produce an error or deplete resources via either deception or camouflage.
Wormhole attack | A malicious node has a strong transceiver ability, causing the physical nodes on multi-hop neighboring nodes to be mistaken for one another.
Flooding attack | Malicious nodes communicate with and query other nodes for replies constantly, exhausting these nodes' energies.
Sybil attack | Malicious nodes disguise a node using multiple identities.
2.2. Trust feature definition
WSNs employ a wireless channel that has limited resources and is unable to adopt complex communication node technologies, which makes it more likely for them to encounter various kinds of attack. The main characteristics of typical network attacks are shown in Table 1.
Based on the analysis of typical attacks on WSNs, we can conclude that most attacks are characterized by discarding or rejecting messages, forwarding packets, or draining node energies. Therefore, in order to calculate the trust value of each node easily and accurately, we refer to the feature modeling utilized in [20] and combine the characteristics of different types of network attacks. The trust feature (TF) is then defined as follows:
Definition 1. Packet loss rate
With respect to the communication between node A and the other nodes, the ratio of A's lost packets to its total transmitted packets is defined as the packet loss rate of node A, and its value can be obtained by
$$TF_1 = \frac{P_1}{P_a} \tag{1}$$
where $TF_1$ is the packet loss rate, $P_1$ is the number of A's packets lost, and $P_a$ is the number of packets sent out of node A.
Packet loss rate can reflect the quality of a node's data transmission. If the value of $TF_1$ is always large, this indicates that the node is likely to experience an invasion such as a selective forwarding attack, black hole attack, or sinkhole attack.
Definition 2. Packet transmission frequency
Packet transmission frequency describes the number of messages transmitted over a certain period of time. It is represented by
$$TF_2 = \frac{P_b}{t} \tag{2}$$
where $TF_2$ is the packet transmission frequency and $P_b$ is the number of packets transmitted successfully in time period t. If the value of $TF_2$ is always large, this indicates that the node is likely to experience an invasion such as a DoS attack, wormhole attack, or flooding attack.
Definition 3. Packet receiver frequency
Packet receiver frequency is the number of packets received successfully in a certain period of time, which can be obtained by
$$TF_3 = \frac{N_r}{t} \tag{3}$$
where $TF_3$ is the packet receiver frequency and $N_r$ is the number of packets received successfully in time period t. If the value of $TF_3$ is always large, this indicates that the node is likely to experience an invasion such as a black hole attack, sinkhole attack, wormhole attack, or Sybil attack.
Definition 4. Energy consumption rate
Energy consumption rate is the amount of energy consumed by a node in a certain period of time. This value can be obtained by
$$TF_4 = \frac{|E_{t+\Delta t} - E_t|}{\Delta t} \tag{4}$$
where $TF_4$ is the energy consumption rate, $E_{t+\Delta t}$ is the residual energy at time $(t + \Delta t)$, and $E_t$ is the residual energy at time t. If the value of $TF_4$ is always large, this indicates that the node is likely to experience an invasion such as a DoS attack or flooding attack.
Definition 5. Sensor measurement value
Some kinds of malicious intrusion tamper with or forge sensor data in such a way that the network transmission does not show any abnormalities. This kind of attack seriously affects the execution of normal functions in the physical system. Under normal circumstances, $TF_5$ is a stationary series, but it deviates significantly from its usual state when attacks such as spoofing or tampering occur.
2.3. Multi-agent modeling
In this paper, an intrusion detection scheme is proposed based on a multi-agent model established for CHs and SNs. Functions such as TF collection, trust value calculation, intrusion judgment, and intrusion response are achieved via the cooperation of multiple agents. For this reason, agent settings are implemented with respect to CH and SN intrusion detection.
2.3.1. Multi-agent model of CH
The multi-agent model of the CH consists of the following types of agent, shown in Fig. 2.
Cluster trust collection agent (CTCA): The function of this agent is to calculate the TF of the CH according to both the communication status and the definition of TF. However, there is no $TF_5$ in the CH. Then, the CTCA sends the calculated TF to the CCA.
Cluster communication agent (CCA): The functions of this agent are as follows: receiving the TF from its adjacent CHs and SNs in its cluster, sending its own TF to its adjacent CHs, and uploading the security statuses of the SNs in its cluster and of the adjacent CHs to the BS.
Trust calculation agent (TCaA): This agent uses corresponding rules to calculate the trust value of its adjacent CHs and SNs in its cluster according to the trust properties received from the CCA.
Intrusion judgment agent (IJA): This agent makes the intrusion judgment according to the TCaA calculation value of the SNs in its cluster.
Intrusion response agent (IRA): This agent takes actions on the nodes corresponding to the judgment of the IJA, such as cutting off their communications, updating their communication keys, and performing new authentications.
Cluster management agent (CMA): This agent monitors and coordinates the other agents.
2.3.2. Multi-agent model of SN
In order to reduce the network overhead, in this paper, the multi-agent model of SN performs the functions of trust collection and communication. The structure of the SNs, which consists of the trust collecting, communication, and management agents, is shown in Fig. 3.
SN trust collection agent (STCA): The function of this agent is to collect the TF of the SN itself.
SN communication agent (SCA): This agent is responsible for sending the TF from the STCA to the CHs.
SN management agent (SMA): This agent mainly performs management and coordination with both the STCA and the SCA.
Fig. 2. Multi-agent model of cluster header.
Fig. 3. Multi-agent model of SN.
3. Implementation of intrusion detection scheme
3.1. Basic theory
3.1.1. Trust value calculation based on Beta distribution
Trust management distributions such as binomial distributions and the Beta, Poisson, and Gaussian distributions can be used to describe the reputation distribution of a node. The Beta distribution is characterized by its simplicity, flexibility, and strong theoretical statistical basis [21]. Thus, it is suitable for building a trust system for resource-constrained WSNs. This distribution can be expressed by $beta(\alpha, \beta)$, and the probability density function of the Beta distribution is as follows:
$$f(x \mid \alpha, \beta) = \frac{\Gamma(\alpha + \beta)}{\Gamma(\alpha)\,\Gamma(\beta)}\, x^{\alpha - 1} (1 - x)^{\beta - 1} \tag{5}$$
where $\alpha$ and $\beta$ represent the ratings of the cooperation and non-cooperation of an event, respectively. The Beta distribution satisfies $0 \le x \le 1$, $0 \le \alpha$, and $0 \le \beta$, and states that if $\alpha < 1$, then $x = 0$, and if $\beta < 1$, then $x = 1$. The expected value of the Beta distribution can be obtained by
$$E(beta(\alpha, \beta)) = \frac{\alpha}{\alpha + \beta}. \tag{6}$$
The BRSN model proposed in [22] performed a fitting analysis on the Beta and reputation distributions. The researchers concluded that the Beta distribution can easily describe the reputation distribution, and that the trust value of a node is the statistical expectation of its reputation distribution. Therefore, from (6), we can obtain
$$TR = E(beta(S + 1, L + 1)) = \frac{S + 1}{S + L + 2} \tag{7}$$
where S is the number of normal behaviors and L is the number of abnormal behaviors of the node.
In this paper, the calculation of the trust value is based on the concept of calculating the statistical expectation of the Beta distribution.
3.1.2. Judgment of abnormal node behaviors based on Mahalanobis distance
The Mahalanobis distance, which considers the relationships among various features, is an important tool for judging the similarities present in the multi-sample. Therefore, it is reasonable to use this distance to judge the anomalies of the trust feature, and it is defined as follows [23].
G is an m-dimensional set (with m being the index) with a sample mean vector of $\mu = (\mu_1, \mu_2, \ldots, \mu_m)^T$ and a covariance matrix of $\Sigma = (\sigma_{ij})$, and the Mahalanobis distance between the sample $X = (x_1, x_2, \ldots, x_m)^T$ and the set G is
$$d(X, G) = \sqrt{(X - \mu)^T \Sigma^{-1} (X - \mu)}. \tag{8}$$
In this scheme, we first sample every type of $TF_j$ (with j = 1, 2, 3, 4, 5) $n_1$ times on the premises of both the security network and the normal TF at the network's entrance. The set of samples denoted by G is given as follows:
$$\begin{cases} G = (G_j)^T_{j = 1, 2, \ldots, 5} \\ G_j = (TF_j(1), TF_j(2), \ldots, TF_j(n_1)) \end{cases} \tag{9}$$
where $TF_j$ is the sample value of $TF_j$ and j represents the type of TF. Here, $j \in [1, 5]$, while i is the sample number for each type of TF, where $i \in [1, n_1]$.
The sample average vector $\mu$ can be calculated by
$$\begin{cases} \mu = (\mu_j)^T_{j = 1, 2, \ldots, 5} \\ \mu_j = \dfrac{1}{n_1} \sum_{i=1}^{n_1} TF_j(i). \end{cases} \tag{10}$$
The covariance matrix can be calculated by combining the sample average vector $\mu$ with the TF sample. Therefore, the Mahalanobis distance between $TF_j(i)$ and G is calculated by
$$d_{ij}^2 = d^2(TF_j(i), G) = (TF_j(i) - \mu)^T \Sigma^{-1} (TF_j(i) - \mu) \tag{11}$$
where $d_{ij}$ is the Mahalanobis distance between $TF_j(i)$ and G.
As a result, we can calculate all of the Mahalanobis distances for each TF by executing Eq. (11), and the maximum Mahalanobis distance can be denoted as $d_M = \max\{d_{ij} \mid j = 1, 2, \ldots, 5;\ i = 1, 2, \ldots, n_1\}$.
The calculation above is performed offline with the aid of auxiliary equipment because of the limited computing resources available in WSNs. In addition, the parameters used for calculating the Mahalanobis distances are saved in the CHs to be used under normal WSN operation. Under normal WSN operation, the CHs acquire the $TF_j$ of the SNs in their clusters as well as from adjacent CHs during every time period t. If the Mahalanobis distance between $TF_j$ and G is less than $d_M$, then the node's number of normal behaviors increases by one while its number of abnormal behaviors decreases by one.
However, under normal WSN operation, the variations in the value of $TF_j$ can be affected by many unpredictable factors, including both invasive and non-invasive factors (i.e., environmental factors). As a result, if no measurements are taken, the false positive rate increases and affects the performance of the system. Hence, it is of great significance to learn how to reduce the occurrence of such situations. This paper introduces a tolerance factor, q, and utilizes it in the trust value calculation. Specifically, the number of abnormal behaviors used in the trust calculations is obtained by dividing the actual number of abnormal behaviors by the tolerance factor q, and this actual number is obtained via the Mahalanobis distance judgment. However, when the value of q is too large, it decreases the intrusion detection rate. Thus, in practical implementation, dynamic adjustment is performed according to the actual security situation of the network.
3.2. SN intrusion detection
We denote a particular CH as c, and node n is the SN in the same cluster as c, so the intrusion detection of node n can be realized by c as follows.
Step 1: The STCA of node n collects its own $TF_j$ as $TF_{jn}$, which is sent to c through the SCA of node n.
Step 2: The CCA of c receives $TF_{jn}$, and the TCaA of c is activated by the CMA of c to calculate the trust value of node n.
Step 3: The TCaA of c calculates the trust value of node n as follows:
$$TR_{cn}(t) = \frac{S_n(t) + 1}{S_n(t) + L_n(t)/q + 2} \tag{12}$$
where $S_n(t)$ is the number of normal behaviors of node n at time t, $L_n(t)$ is the number of abnormal behaviors of node n at time t, and q is the tolerance factor. $S_n(t)$ and $L_n(t)$ can be calculated by accumulating the numbers of normal and abnormal behaviors of node n, respectively, using the Mahalanobis distance in the abovementioned way.
Step 4: The IJA of c judges whether or not node n has been intruded on according to the trust value of node n as calculated in Step 3. If $TR_{cn} < TR_{th1}$, node n was intruded on. Otherwise, node n is credible. $TR_{th1}$ is the threshold trust value selected according to both its practical application as well as the trust value of all of the SNs.
Step 5: If node n is judged a malicious node in Step 4, then the IRA of c adopts security measures, such as updating the communication key, performing re-authentication, and cutting off communications with node n.
Step 6: The CMA of c broadcasts the identity of node n to other nodes in the cluster and reports c's handle information to the BS through c's CCA.
3.3. CH intrusion detection
In the scheme introduced in this paper, CH intrusion detection is implemented by the BS. We denote the BS as b, the CH to be detected as c, and the CH adjacent to c as k. Thus, the intrusion detection of c can be realized by b as follows:
Step 1: The CTCA of c collects its own TF as $TF_{jc}$, which is sent to k by the CCA of c.
Step 2: The CCA of k receives $TF_{jc}$, and the TCaA of k is activated by the CMA of k to calculate the trust value of c.
Step 3: The TCaA of k calculates the trust value of c with an equation similar to (12), and this value is denoted as $TR_{kc}$. Consequently, b calculates the trust value of c by:
$$TR_{bc}(t) = \mathrm{avg}\{TR_{kc}(t)\} \tag{13}$$
where $TR_{bc}(t)$ is the trust value of c calculated by b at time t, which is an average value, and $TR_{kc}(t)$ is the trust value of c calculated by k (only when k is credible) at time t.
Step 4: The intrusion judgment evidence b provides to c is mainly composed of two aspects. On the one hand, the trust value $TR_{bc}(t)$ is compared with the threshold trust value, which is the minimal trust value of all of the CHs. On the other hand, the proportion of SNs judged malicious by c to the total number of SNs in its cluster is compared with another threshold value related to the proportion of malicious SNs. Therefore, the intrusion judgment of c can be realized by the following logical expression:
$$= (TR_{bc}(t) < TR_{th2}) \mid (N_c^{mali} > N_{th}) \tag{14}$$
where $TR_{th2}$ is the threshold trust value, which is the minimal trust value of all of the CHs, $N_c^{mali}$ is the proportion of SNs judged malicious by c to the total number of SNs in its cluster, and $N_{th}$ is the maximum proportion of malicious nodes within a cluster. If is 1, then c is abnormal. Otherwise, c is normal.
Step 5: If c was judged abnormal in Step 4, then b cuts off communications with c, recovers the SNs that were judged malicious by c, and broadcasts the identity of c to all of the other nodes.
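The SN judgment of Section 3.2 and the CH judgment of Section 3.3, worked through as an added Python example (not the authors' code): an offline baseline gives the maximum Mahalanobis distance d_M, each period is counted as normal or abnormal against it, and the trust value of Eq. (12) is compared with the thresholds quoted in the simulation section. Assumptions made here: each sample is the full five-element TF vector, a period at or beyond d_M adds one abnormal behavior, and the baseline, node names and observations are constructed values.

```python
import math
import random

TR_TH1, TR_TH2, N_TH = 0.8, 0.6, 0.5   # thresholds quoted in the simulation section

def mean_and_cov(samples):
    """Sample mean vector and covariance matrix (n-1 denominator) of TF vectors."""
    n, m = len(samples), len(samples[0])
    mu = [sum(s[j] for s in samples) / n for j in range(m)]
    cov = [[sum((s[a] - mu[a]) * (s[b] - mu[b]) for s in samples) / (n - 1)
            for b in range(m)] for a in range(m)]
    return mu, cov

def solve(matrix, rhs):
    """Solve matrix * y = rhs by Gaussian elimination with partial pivoting."""
    m = len(rhs)
    aug = [row[:] + [rhs[i]] for i, row in enumerate(matrix)]
    for col in range(m):
        pivot = max(range(col, m), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-15:
            raise ValueError("singular covariance: baseline lacks variation")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        for r in range(col + 1, m):
            factor = aug[r][col] / aug[col][col]
            for c in range(col, m + 1):
                aug[r][c] -= factor * aug[col][c]
    y = [0.0] * m
    for i in reversed(range(m)):
        tail = sum(aug[i][c] * y[c] for c in range(i + 1, m))
        y[i] = (aug[i][m] - tail) / aug[i][i]
    return y

def mahalanobis(x, mu, cov):
    """Mahalanobis distance of one TF vector from the baseline set G."""
    diff = [xi - mi for xi, mi in zip(x, mu)]
    return math.sqrt(max(0.0, sum(d * y for d, y in zip(diff, solve(cov, diff)))))

def train_baseline(samples):
    """Offline step: return (mu, cov, d_M), d_M being the largest baseline distance."""
    mu, cov = mean_and_cov(samples)
    return mu, cov, max(mahalanobis(s, mu, cov) for s in samples)

def trust(normal, abnormal, q):
    """Eq. (12): TR = (S + 1) / (S + L/q + 2)."""
    return (normal + 1) / (normal + abnormal / q + 2)

def judge_sn(observations, baseline, q):
    """Steps 2-4 at the CH: count behaviors, compute TR, compare with TR_th1."""
    mu, cov, d_max = baseline
    normal = abnormal = 0
    for tf in observations:
        if mahalanobis(tf, mu, cov) < d_max:
            normal += 1
        else:
            abnormal += 1   # assumption: at or beyond d_M counts as abnormal
    tr = trust(normal, abnormal, q)
    return tr, tr < TR_TH1

def judge_ch(credible_neighbour_trusts, malicious_fraction):
    """Eqs. (13)-(14) at the BS: average trust, then OR the two threshold tests."""
    tr_bc = sum(credible_neighbour_trusts) / len(credible_neighbour_trusts)
    return tr_bc, tr_bc < TR_TH2 or malicious_fraction > N_TH

# Constructed data. TF vector = (loss rate, tx freq, rx freq, energy rate, measurement).
NOMINAL = (0.02, 10.0, 10.0, 0.5, 25.0)
SIGMA = (0.005, 1.0, 1.0, 0.05, 0.5)
_rng = random.Random(2017)
BASELINE = train_baseline(
    [[_rng.gauss(m, s) for m, s in zip(NOMINAL, SIGMA)] for _ in range(200)])

QUIET = [0.021, 10.2, 9.8, 0.51, 25.1]    # ordinary period close to the baseline
SPIKE = [0.30, 10.0, 10.0, 0.5, 25.0]     # packet loss burst from radio interference
FLOOD = [0.02, 60.0, 10.0, 3.0, 25.0]     # flooding: tx frequency and energy drain jump

CLUSTER = {
    "sn-normal": [QUIET] * 20,
    "sn-noisy": [QUIET] * 16 + [SPIKE] * 4,    # benign node, 4 disturbed periods
    "sn-flood": [QUIET] * 10 + [FLOOD] * 10,   # intermittent flooding node
}

def run_cluster(q):
    """Return {node: (trust, intruded)} for the constructed cluster at tolerance q."""
    return {name: judge_sn(obs, BASELINE, q) for name, obs in CLUSTER.items()}

if __name__ == "__main__":
    for q in (1, 3, 7):
        verdicts = run_cluster(q)
        flagged = sum(hit for _, hit in verdicts.values()) / len(verdicts)
        print(q, {n: (round(tr, 3), hit) for n, (tr, hit) in verdicts.items()},
              "CH view:", judge_ch([0.9, 0.85], flagged))
```

On this constructed cluster, q = 1 flags the benign but noisy node, q = 7 no longer flags the intermittent flooding node, and q = 3 separates the two.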
4. Simulation and analysis
4.1. Analysis of trust value calculation algorithm realization
Trust value calculation is the fundamental concept of the scheme, and whether it can be realized reliably or not is crucial to the successful functioning of the algorithm. A node's physical and MAC layer features can easily be locally obtained. In this paper, $TF_1$–$TF_4$ could be calculated with the results of the two layers. $TF_5$ was easily obtained through sensor measurement and, hence, the trust feature values were attained easily. Furthermore, all of the trust information was obtained directly from both the SNs and the nearby CHs. Therefore, no Bad-mouth attack existed, resulting in a more reliable trust value calculation.
The Mahalanobis distance was used to judge whether the trust features were normal or not, which also resulted in more reliable trust value calculation. As for the trust value calculation for resource-constrained WSNs, the Beta distribution was deemed suitable for the task due to its simplicity as well as its advanced and reliable implementation.
4.2. Reliability and scalability analysis
Our scheme adopted multiple trust features to calculate the trust value and, more significantly, introduced the physical state of the trust feature. The intrusion behavior features covered a comprehensive range, enabling both more intrusion to be detected and a higher reliability of detection.
The framework of the intrusion detection scheme was designed based on multi-agent functioning, and all of the agents' configurations were determined by the intrusion detection functions of each node. Each agent was an autonomously running program entity, which made the system easy to configure dynamically, improving its scalability.
Table 2
Simulation parameter settings.
Parameter | Default value
Network deployment area | 300 m × 300 m
Number of nodes | 100
Communication speed (Kbps) | 250
MAC layer protocol | IEEE 802.15.4
Routing protocol | LEACH
Detection time interval (t / s) | 60
Data packet length (B) | 128
Transmission power (mW) | 1
Tolerance factor q | 3
Fig. 4. Simulation of effects of tolerance factor q on security performance. (Plot: x-axis q; y-axis security performance; curves: detection rate, false positive rate.)
4.3. Simulation
This paper adopted OMNeT++ 4.3.1 as simulation software. The MAC layer protocol used was IEEE 802.15.4, and the routing protocol used was LEACH [24]. For this simulation, the threshold trust value $TR_{th1}$ was 0.8, $TR_{th2}$ was 0.6, and $N_{th}$ was 0.5. The other simulation parameters are shown in Table 2.
The performance of the scheme was analyzed via two indicators: the detection and false positive rates obtained from the simulation results. The detection rate is the number of nodes detected as malicious nodes compared to the total number of malicious nodes in a network. The false positive rate is the proportion of the number of nodes that are mistakenly identified as malicious nodes to the total number of nodes detected.
4.3.1. Tolerance factor selection
In this simulation, 20 nodes were selected randomly, and the tolerance factor q was selected from the set {1, 3, 5, 7}. Each q value ran 10 times in independent simulations, and the average detection and false positive rates were extracted. The simulation results are shown in Fig. 4.
As shown in Fig. 4, as q increases, the detection and false positive rates decrease. However, the detection rate decreases faster than the false positive rate does. An excellent detection performance produces both a high detection rate and a low false positive rate. The simulation results indicate that the best performance is achieved when q is 3, because the detection rate is high and the false positive rate is low.
4.3.2. Security performance analysis
The simulation included two situations: (a) the presence of a single flooding attack, and (b) the presence of three different kinds of attack: a selective forwarding attack, a DoS attack, and a flooding attack. A certain type of attack node was randomly chosen during each simulation, and the number of nodes for each simulation was selected from the set {1, 3, 6, 10, 15, 20}. Each number of nodes ran 10 times in independent simulations, and the average value of detection and false positive rates was extracted. The simulation results were compared with the scheme used in [5] that was based on a single network feature: energy consumption. The simulation results are shown in Figs. 5 and 6.
Fig. 5 compares the false positive rate of our scheme with that of the single feature scheme based on two situations. The simulation results indicate that the false positive rates of the two schemes increased as the numbers of attack nodes increased. The false positive rates of both schemes were low. However, our scheme employed a tolerance factor, q, and some of the abnormal trust features produced by non-invasive factors were excluded, greatly reducing the false positive rate. As shown in Fig. 5, the false positive rate of our scheme increased more slowly than that of the single feature scheme, and our scheme produced a better performance.
Fig. 5. Comparison of simulated false positive rates. (Panels: (a) single attack, (b) multiple attacks; x-axis: the number of attacking nodes; y-axis: false positive rate; curves: scheme of this paper, scheme of single feature.)
Fig. 6. Comparison of simulated detection rates. (Panels: (a) single attack, (b) multiple attacks; x-axis: the number of attacking nodes; y-axis: detection rate; curves: scheme of this paper, scheme of single feature.)
In Fig. 6, the detection rate of our scheme is compared with that of the single feature scheme. The detection rates of both schemes decreased as the numbers of attack nodes increased. The difference between the detection rates of the two schemes was low in situation (a) but high in situation (b). This was because the intrusion detection mechanism utilized by the scheme in [5] was based on a single network feature. The detection mechanism failed to detect some attacks, which caused the detection rate to decline more rapidly in situation (b).
Figs. 5 and 6 indicate that the detection rate is influenced by detection failures and that the false positive rate can be greatly reduced by the scheme proposed in this paper. The scheme can achieve both a high detection rate and a low false positive rate with adjustments of its q value.
Fig. 7. Experimental platform.
Table 3
The detection rate and false positive rate according to experiment.
Metric | Interference absent | Interference present
Detection rate (%) | 98.6 | 97.5
False positive rate (%) | 3.13 | 5.04
5. Experiment
In order to verify the feasibility of implementing the proposed intrusion detection scheme in both embedded platforms and real environments, we constructed the experimental platform shown in Fig. 7. The network consisted of eight ZigBee nodes, including: (1) one CH, (2) five SNs, (3) two attack nodes (one simulating DoS attacks and one simulating sinkhole attacks), and (4) one wireless router (used as an interference source).
The SNs periodically transmitted data for 5 seconds. The CH stored the received data and calculated the node trust values. One of the two attack nodes acted as a DoS attack node, and the other acted as a sinkhole attack node. The DoS attack node performed uninterrupted transmission, and the sinkhole attack node enticed other nodes to send it data, which it discarded.
The experiment was performed for two cases: the presence of interference and the absence of interference. The interference source was a 2.4-GHz wireless router. The two cases were simulated 100 times each, the results of each simulation were recorded, and the average detection and false positive rates were obtained for each case, as shown in Table 3.
Table 3 shows that the detection and false positive rates are similar to those in the simulation results, which confirms that the proposed intrusion detection scheme is practically achievable and has a high detection performance.
6. Conclusion
In this paper, we proposed an intrusion detection scheme based on both multi-agent functioning and trust values for layer-cluster WSNs. The characteristics of the scheme are as follows:
(1) The node trust feature abnormalities are judged by the Mahalanobis distance, which makes the judgment more accurate and improves the accuracy of the trust value.
(2) A tolerance factor q that reduces the false positive rate of the scheme was introduced in the trust value calculation. The dynamic adjustment of q corresponding to the environment's security situation can improve the system's flexibility.
(3) The scheme was implemented based on a multi-agent framework that enhances the system's scalability and improves its fault tolerance.
The simulation results showed that the modified scheme demonstrated both a higher detection rate and a lower false positive rate for both a single attack and a variety of attacks occurring at the same time. This confirms that it can detect common intrusions accurately. In future studies, the scheme will be improved through the implementation of an evaluation strategy for the tolerance factor q, an assessment of the trust threshold value's boundary behavior, and further reduction of detection failure.
Acknowledgments
This research study was funded by Fundamental Research Funds for the Central Universities of China (HIT.NSRIF.2015017) and the National Natural Science Foundation of China (51077015, 50907014).
References
[1] Sedjelmaci H , Senouci SM . Efficient and lightweight intrusion detection based on nodes’ behaviors in wireless sensor networks. In: Proc. of IEEE conf.
on global information infrastructure symposium, october 28–31 ; 2013. p. 1–6 .
[2] Bao F , Chen R , Chang MJ , Cho JH . Trust-based intrusion detection in wireless sensor networks. In: Proc. of IEEE conf. on communications june 5–9;
2011. p. 1–6 .
[3] Jennings NR . Commitments and conventions: the foundation of coordination in multi-agent systems. Knowl Eng Rev 1993;8(3):223–50 .
[4] Thamilarasu G , Ma Z . Autonomous mobile agent based intrusion detection framework in wireless body area networks. In: Proc. of 16th international symposium on world of wireless, mobile and multimedia networks, june 14–17; 2015. p. 1–3 .
[5] Riecker M , Biedermann S , Hollick M . Lightweight energy consumption-based intrusion detection system for wireless sensor networks. Int J Inf Secur 2015;14(2):155–67 .
[6] Wang H , Yuan Z , Wang C . Intrusion detection for wireless sensor networks based on multi-agent and refined clustering. In: Proc. of WRI international conference on communications and mobile computing, january 6–8; 2009. p. 450–4 .
[7] Wang P , Zhou XW , Qin BP , Zhao P , Zheng LC . Multi-agent based intrusion detection system for wireless sensor networks. Chin J Sensors Actuators 2007;20(3):677–81 .
[8] Vinyals M , Rodriguez-Aguilar JA , Cerquides J . A survey on sensor networks from a multi-agent perspective. Comput J 2010;1:455–70 .
[9] Han GJ , Jiang JF , Shu L , Niu JW , Chao HC . Management and applications of trust in wireless sensor networks: a survey. J Compu Syst Sci 2014;80(3):602–17 .
[10] Liu C , Liu Y , Zhang Z . Improved reliable trust-based and energy-efficient data aggregation for wireless sensor networks. Int J Distrib Sensor Netw 2013;2013:1–11 .
[11] Gupta GP , Misra M , Garg K . Energy and trust aware mobile agent migration protocol for data aggregation in wireless sensor networks. J Netw Comput Appl 2014;41:300–11 .
[12] Zahariadis T , Trakadas P , Leligou HC , Maniatis S , Karkazis P . A novel trust-aware geographical routing scheme for wireless sensor networks. Wireless Pers Commun 2013;69(2):805–26 .
[13] Zhang Y , Jin Z , Luo Y , Xiujuan DU . Node secure localization algorithm in underwater sensor network based on trust mechanism. J Comput Appl 2013;33(5):1208–11 .
[14] Zhang T , He J , Zhang Y . Trust based secure localization in wireless sensor networks. In: Proc. of 2nd international symposium on intelligence informa- tion processing and trusted computing, oct. 22–23; 2011. p. 55–8 .
[15] Ebinger P , Bibmeyer N . TEREC: trust evaluation and reputation exchange for cooperative intrusion detection in MANETs. In: Proc. of 7th annual comm.
networks and services research, may 11–13 ; 2009. p. 378–85 .
[16] Gerrigagoitia K , Uribeetxeberria R , Zurutuza U , Arenaza I . Reputation-based intrusion detection system for wireless sensor networks. In: Proc. of IEEE Conf. on Complexity in Engineering, j une 11–13; 2012. p. 1–5 .
[17] Bao F , Chen R , Chang MJ , Cho JH . Hierarchical trust management for wireless sensor networks and its applications to trust-based routing and intrusion detection. IEEE Trans Netw Serv Manage 2012;9(2):169–83 .
[18] Chang KD , Chen JL . A survey of trust management in WSNs, internet of things and future internet. KSII Trans Internet Inf Syst 2012;5(1):5–23 . [19] Lopez J , Roman R , Agudo I , Fernandez-Gago C . Trust management system for wireless sensor networks: best practices. Comput Commun
2010;33(9):1086–93 .
[20] Huabo L , Jianming C , Hongjun D . Multivariate classification-based malicious node detection for wireless sensor network. Chin J Sensors Actuators 2011;24(5):771–7 .
[21] Jsang A , Ismail R . The beta reputation system. In: Proc. of the 15th bled electronic commerce conference, june; 2002. p. 41–55 .
[22] Ganeriwal S , Balzano LK , Srivastava MB . Reputation-based framework for high integrity sensor networks. ACM Trans Sensor Netw 2008;4(3):66–77 . [23] De Maesschalck R , Jouan-Rimbaud D , Massart DL . The Mahalanobis distance. Chemom Intell Lab Syst 20 0 0;50(1):1–18 .
[24] Heinzelman WB , Chandrakasan AP , Balakrishnan H . An application-specific protocol architecture for wireless microsensor networks. IEEE Trans Wire- less Commun 2002;1(2):660–70 .
Xianji Jin is currently working as an assistant professor at the Harbin Institute of Technology, China. He received his Ph.D. in Electrical Engineering from the Harbin Institute of Technology in 2013. His research interests include power system information and communications technology, wireless network security, and intrusion detection.
Jianquan Liang is currently working as a research fellow at Heilongjiang Electric Power Research Institute. He received his Ph.D. in Electrical Engineering from the Harbin Institute of Technology in 2016. His research interests include wireless sensor network security, key management, and intrusion detection.
Weiming Tong is currently a professor at the Harbin Institute of Technology. He received his Ph.D. from the Harbin Institute of Technology, China, in 1999. His research interests include electrical intelligent technology, distribution and substation automation, and wireless network security. He has published more than 200 peer-reviewed research papers.
Lei Lu is currently a Ph.D. candidate at the Harbin Institute of Technology in China. He obtained his M.S. in electrical engineering at the same university in 2009. His main research interest is power system information security.
Li Zhongwei is currently working as an associate professor at the Harbin Institute of Technology, China. He received his Ph.D. in Electrical Engineering from the Harbin Institute of Technology in 2006. His research interests include smart grid communications, information security, and intelligent power management.
Please cite this article as: X. Jin et al., Multi-agent trust-based intrusion detection scheme for wireless sensor networks,