Distributed Intrusion Detection Model in Wireless Sensor Network

Abstract—The security issues of Wireless Sensor Network (WSN) are significant. Intrusion detection can improve the defense detection performance of WSN, and also balance security and energy saving accurately and efficiently. In this paper, we focus on the intrusion detection problem in WSN. Specifically, we propose a cluster-based collaborative detection structure, with a detection algorithm based on immunity system and Ant Colony Optimization (ACO). The basic idea is to formulate intrusion detection as an optimization problem and introduce an immune mechanism into ACO during iterations. Finally, the experiment shows that the proposed algorithm outperforms other methods.


I. INTRODUCTION
As a new generation of sensor network, Wireless Sensor Network (WSN) is an information acquisition system composed of many wireless sensor nodes distributed in a given region. The wireless sensor nodes are typically limited in energy, bandwidth, storage and computing. Compared with traditional wireless networks, WSN is self-organized, highly fault tolerant and reliable, low-cost, and easy to deploy, and has been applied to many areas, such as environment monitoring, disaster response, intelligent building, health care, housekeeping, business and industry [1].
However, the security issues of WSN have drawn significant attention [2]. For example, WSN equipment is typically exposed in severe environments, uninhabited areas or enemy positions; besides, a wireless network is inherently vulnerable.
Currently there are many works on the security of WSN, including firewalls, data encryption and access control. However, work on intrusion detection among WSN nodes is not sufficient. WSN nodes are independent, and abnormal behavior identified with the help of neighbor nodes can help to detect possible intrusions. Indeed, intrusion detection provides protection against internal and external attacks by properly distributing nodes in networks for important data, resources and networks in key fields. Intrusion detection can improve the defense detection performance of WSN, and also balance security and energy saving accurately and efficiently. Specifically, intrusion detection technology can discover and report unauthorized and abnormal behaviors of the system, and actively provide dynamic monitoring and protection as a part of the security mechanism.
In this paper, we propose a distributed intrusion detection model based on immunity principle [3] and Ant Colony Optimization (ACO) [4] for intrusion detection in WSN. The basic idea is to combine the diversity of the immune system with the fast detection algorithm based on ACO to deal with different types of intrusions in WSN. Accordingly, the security of WSN can be ensured, and the energy consumption can also be reduced, so that the lifetime of WSN can be improved. Besides, to improve the performance of ACO based intrusion detection, we employ the K-Nearest Neighbor (KNN) algorithm [5] to eliminate the redundancy of the data set at the initialization step. Our experiments show that the proposed method exhibits good performance in intrusion detection in WSN.

II. RELATED WORK
The intrusion detection problem has been well studied. For example, Chen et al. [6] proposed an intrusion detection algorithm based on kernel Fisher discriminant analysis in WSN. Salmon et al. [7] designed an intrusion detection model using Danger Theory (DT), which utilized a distributed collaborative mechanism and therefore improved the detection performance and reduced the energy cost. Sommer et al. [8] proposed an intrusion detection model with context using environmental context, weakness context, feedback context and abnormal context, etc. Zhang et al. [9] used a statistics method for intrusion detection based on threshold. Misra et al. [10] detected intrusion with the objective of balancing energy cost. Huang et al. [11] designed a cluster-based model to deploy detectors onto nodes. Bao et al. [12] proposed a cluster-based hierarchical trust management protocol for WSN to detect malicious nodes. Butun et al. [13] provided a survey of intrusion detection systems in WSN.
Another category of related work is the improvement efforts of ACO. For example, Akay et al. [14] combined honeybee colonies with ACO to efficiently solve optimization problems. Tuba et al. [15] improved ACO with a pheromone correction strategy for the TSP problem. Yoo et al. [16] designed a new cooperation mechanism between ants and provided a new definition of pheromone. Ciornei et al. [17] combined Genetic Algorithm (GA) with ACO for global continuous optimization. Hao et al. [18] designed an immune ACO algorithm for path planning. In this work, we introduce the immunity system into ACO for intrusion detection in WSN.

III. PRELIMINARIES
In this section, we briefly introduce the background on some algorithms that are employed in this paper.

A. Immunity system
Immunity system is a self-organized, distributed, self-adapted, self-learning and diversified system. Immunity system has been widely employed in information security [19]. Indeed, the characteristics of WSN such as dynamic topology structure, easy failure of nodes, and diversity of intrusions, make the immunity system a perfect fit for WSN. Generally, immunity system simulates the antigen process in biological immunity. As shown in Figure 1, the process of immunity algorithm can be described as follows: where s is the set of self.
(2) Antibody population initialization: the set of antibody corresponds to the solution of problem, and the affinity between antigen and antibody corresponds to the evaluation of solution. The lower the affinity is, the poorer the solution is.
(3) Immune matching: generate the detection component, and differentiate between self and non-self. Typically, immune matching can be evaluated by Euclidean distance, Manhattan distance, etc. The larger the distance is, the lower the affinity is.
(4) Clonal selection: various immune operators such as immune selection, cloning, mutation, clone suppression and population refresh are employed in this step.
(5) Antibody population update: if the termination condition is satisfied, the algorithm ends; otherwise, return to Step 3 until the current antibody population is the best solution.

B. ACO algorithm
ACO is one of the most popular swarm intelligence algorithms for optimization problems. Basically, ACO includes: (1) next step selection and (2) pheromone update.
Suppose $\tau_{ij}$ is the amount of pheromone between nodes $i$ and $j$, which is initialized as At iteration $t$, the transfer probability of ant $k$ from $i$ to $j$ can be calculated as: where $allowed_k$ denotes the set of qualified nodes for next step, $\alpha$ is the heuristic of pheromone indicating the importance of path, and $\beta$ is the heuristic of path. After each ant moves a step or finishes the traversal of all $n$ nodes, the pheromone is updated as follows:

In this section, we present the overall framework and data preprocessing procedure. The details of intrusion detection algorithm will be discussed in the next section.
We employ the cluster-based WSN structure [11] in this work, which is composed of a sink node, cluster head nodes and cluster member nodes, as shown in Figure 2. This cluster-based structure helps to concentrate the communication control within a smaller range (i.e., the cluster), and reduces the communication cost between aggregation nodes. The intrusion detection process utilizes the collaborative detection mechanism. First, as the global control node of the whole structure, the sink node globally determines whether an intrusion is detected based on its detector. Then, detectors on cluster head nodes are woken up for collaborative detection. If the intrusion cannot be determined, collaborative detection on cluster member nodes is woken up later. Based on the above detailed information, the sink node can accurately judge the intrusion detected.

(1) data collection, (2) data process, (3) intrusion detection, and (4) response. Data collection in WSN intrusion detection is typically achieved by gathering data from various sensors and nodes. Data process includes feature selection and data preprocess.
In the process of intrusion detection, feature selection directly influences the performance of intrusion detection in terms of accuracy and speed. Typically, the original WSN dataset includes lots of redundant and useless information, and therefore brings issues such as the curse of dimensionality. Besides, the dynamic and massive characteristics of the WSN dataset also make intrusion detection more difficult. Therefore, before applying the intrusion detection algorithm, we first eliminate redundant information using the KNN algorithm, and then the ACO based algorithm is employed on the cleaned dataset.
Suppose the original number of features is $m$, and the feature set is represented as $O = \{F_i, i = 1, 2, \ldots, m\}$. The feature set after redundancy elimination is $R$. Let !($F_i$, $F_j$) denote the correlation between features $F_i$ and $F_j$, and $r_i^k$ denote the correlation between feature $F_i$ and the $k$-th nearest neighbor in reduced feature set $R$. The process of dataset initialization based on KNN is as follows.
(1) Initialize $R = O$ and $k$.
(4) If $k > \mathrm{card}(R) - 1$, then set $k = \mathrm{card}(R) - 1$. If $k = 1$, it indicates that there is no feature or its neighbor whose value is smaller than ! to delete, and the process stops.
Now we have the cleaned dataset without data redundancy. Then, we perform data normalization as follows.
Calculate the mean for each feature: where $n$ is the scale of dataset, and $x_i$ denotes each value of specific feature. Calculate the standard deviation for each feature: Normalize data based on mean and standard deviation:

Then, the preprocessed data is fed into the intrusion detection algorithm, which will be discussed in the next section. Once an intrusion is detected, a corresponding response measure is taken by the sink node, for example, broadcasting the intrusion to the whole network to remind other nodes to reduce or avoid connections with the intrusion node.
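The preprocessing described above, as an added Python example that is not code from the paper: z-score normalization fitted on training rows, plus a redundancy filter. A plain correlation-threshold filter stands in for the KNN-based elimination, whose intermediate steps are not reproduced on this page; the population standard deviation, the 0.95 threshold and the sample rows are assumptions.

```python
import math

def fit_zscore(rows):
    """Per-feature mean and (population) standard deviation of the training rows."""
    n = len(rows)
    cols = list(zip(*rows))
    means = [sum(c) / n for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / n) for c, m in zip(cols, means)]
    return means, stds

def apply_zscore(rows, means, stds):
    """Normalize rows with training statistics; constant features map to 0.0."""
    return [[(x - m) / s if s > 0 else 0.0 for x, m, s in zip(r, means, stds)]
            for r in rows]

def correlation(a, b):
    """Absolute Pearson correlation of two columns (0.0 if either is constant)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return abs(cov) / math.sqrt(va * vb) if va > 0 and vb > 0 else 0.0

def drop_redundant(rows, threshold=0.95):
    """Indices of features kept: not constant, not near-duplicates of a kept one."""
    cols = list(zip(*rows))
    kept = []
    for i, c in enumerate(cols):
        if len(set(c)) == 1:
            continue  # a constant feature carries no information
        if all(correlation(c, cols[j]) < threshold for j in kept):
            kept.append(i)
    return kept

# Constructed sample: feature 2 is exactly twice feature 1, feature 3 is constant.
TRAIN = [
    [0.0, 100.0, 200.0, 0.0],
    [2.0, 300.0, 600.0, 0.0],
    [4.0, 200.0, 400.0, 0.0],
    [6.0, 400.0, 800.0, 0.0],
]

if __name__ == "__main__":
    means, stds = fit_zscore(TRAIN)
    print(drop_redundant(TRAIN), apply_zscore(TRAIN, means, stds)[0])
```

Fitting the statistics on training data only and reusing them for test rows keeps test information out of the detector's inputs.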
In order to formulate the intrusion detection as an optimization problem, we need to define the objective function. There are two objectives of intrusion detection: (1) the accuracy of detection should be as high as possible; and (2) the number of features selected should be as small as possible. Therefore, the objective function is defined as: where $d$ is the number of selected features, $D$ is the number of features of the original dataset, $P_a$ is the accuracy of intrusion detection, and ! is the weight of the above two components. Therefore, the objective of ACO is to maximize Equation (8).
In this paper, we combine ACO with immunity principle. Figure 3 shows the workflow of proposed
(2) Each ant chooses to transfer to the next node by Equation (2), and then updates the pheromone on the path by Equation (3).
(3) If all ants complete the iteration, go to Step 4. Otherwise, return to Step 2.
(4) Set the current solution of ACO as the initial antibody population, and calculate the affinity between antigen and antibody.
(5) Perform immunity operators such as immune matching and clonal selection, and then update the antibody population.
(6) If the maximum number of immune iterations is achieved, go to Step 7. Otherwise, return to Step 5.
is a constant, and is the affinity value between antigen and antibody.
If the maximum number of ACO iterations is achieved, the algorithm ends. Otherwise, return to Step 2.
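The two ACO operations used in Step 2 (next-node selection and pheromone update), as an added Python example that is not code from the paper. It uses the standard Ant System forms, with selection weight $\tau_{ij}^{\alpha}\eta_{ij}^{\beta}$ and evaporation rate `rho`; the heuristic matrix `eta`, the deposit rule `q * quality` (where `quality` stands for an objective value) and all parameter values are assumptions.

```python
import random

def transition_probs(i, allowed, tau, eta, alpha=1.0, beta=2.0):
    """Probability of an ant at node i moving to each node j in `allowed`."""
    weights = {j: (tau[i][j] ** alpha) * (eta[i][j] ** beta) for j in allowed}
    total = sum(weights.values())
    return {j: w / total for j, w in weights.items()}

def build_tour(start, tau, eta, rng, alpha=1.0, beta=2.0):
    """Repeat next-step selection until every node has been visited once."""
    path, allowed = [start], set(range(len(tau))) - {start}
    while allowed:
        probs = transition_probs(path[-1], allowed, tau, eta, alpha, beta)
        nodes = sorted(probs)
        nxt = rng.choices(nodes, weights=[probs[j] for j in nodes])[0]
        path.append(nxt)
        allowed.remove(nxt)
    return path

def update_pheromone(tau, tours, rho=0.5, q=1.0):
    """Evaporate every edge by rho, then deposit q * quality along each tour."""
    n = len(tau)
    new = [[(1.0 - rho) * tau[i][j] for j in range(n)] for i in range(n)]
    for path, quality in tours:
        for a, b in zip(path, path[1:]):
            new[a][b] += q * quality
    return new

# Constructed 3-node sample: uniform pheromone, heuristic favours edge 0 -> 2.
TAU = [[1.0] * 3 for _ in range(3)]
ETA = [[0.0, 1.0, 2.0], [1.0, 0.0, 1.0], [2.0, 1.0, 0.0]]

if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the run is repeatable
    tour = build_tour(0, TAU, ETA, rng)
    print(tour, update_pheromone(TAU, [(tour, 0.9)]))
```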
We simulate the experiment using Matlab software. The dataset used in this experiment is obtained from KDD CUP99, which includes four types of intrusions: DOS (denial of service), Probe (surveillance or probe), U2R (user to root) and R2L (remote to local). The training data includes 23 attacks in total, and the test data includes 38 attacks in total.
In order to measure the performance of intrusion detection, we employ two metrics, i.e., detection rate $DR$ and error rate $ER$:

$$DR = \frac{\text{the number of detected abnormal}}{\text{total number of abnormal in sample data}} \tag{10}$$

$$ER = \frac{\text{the number of normal error reported as abnormal}}{\text{total number of normal in sample data}} \tag{11}$$

We compare the performance of the proposed algorithm with ACO [20] and BP network [21] based intrusion detection methods. Figures 4 and 5 give the results of detection rate and error rate respectively. We can observe that our method outperforms the other two for all four types of attacks in terms of detection rate and error rate. Specifically, for DOS, Probe and R2L attacks, all three methods can detect intrusions efficiently and the error rate is relatively low. However, the performance on U2R attacks is relatively poor. But still, our method can improve the detection compared to other methods.

In this paper, we design a cluster-based intrusion detection structure in WSN, and introduce immunity principle and ACO algorithm for intrusion detection. Experimentally, the proposed method exhibits high accuracy in intrusion detection. However, in this work, we simplify the problem by ignoring the communication cost between sensor nodes in intrusion detection. In future works, we would like to extend the intrusion detection to deal with various scenarios and conditions.
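Equations (10) and (11) applied per attack category, as an added Python example that is not code from the paper; the records are constructed and the label map covers only a few KDD CUP99 labels. It also returns the overall detection rate, which goes beyond the two metrics in the text, to show how a weak U2R result can be hidden in an aggregate figure.

```python
from collections import Counter

# Subset of KDD CUP99 attack labels mapped to the four attack types.
CATEGORY = {
    "smurf": "DOS", "neptune": "DOS",
    "nmap": "Probe", "portsweep": "Probe",
    "buffer_overflow": "U2R", "rootkit": "U2R",
    "guess_passwd": "R2L", "warezclient": "R2L",
}

def rates(records):
    """records: (true_label, flagged_abnormal) pairs.

    Returns (DR per attack type, overall DR, ER), with DR as in Equation (10)
    and ER as in Equation (11).
    """
    detected, total = Counter(), Counter()
    false_alarms = normals = 0
    for label, flagged in records:
        if label == "normal":
            normals += 1
            false_alarms += int(flagged)   # normal traffic reported as abnormal
        else:
            cat = CATEGORY[label]
            total[cat] += 1
            detected[cat] += int(flagged)  # abnormal traffic that was detected
    dr = {c: detected[c] / total[c] for c in total}
    attacks = sum(total.values())
    overall = sum(detected.values()) / attacks if attacks else 0.0
    er = false_alarms / normals if normals else 0.0
    return dr, overall, er

# Constructed detector output: 12 attack records and 10 normal records.
RECORDS = (
    [("smurf", True)] * 4 + [("neptune", True)] * 2
    + [("nmap", True), ("portsweep", True)]
    + [("guess_passwd", True), ("warezclient", False)]
    + [("buffer_overflow", False), ("rootkit", False)]
    + [("normal", False)] * 9 + [("normal", True)]
)

if __name__ == "__main__":
    print(rates(RECORDS))
```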