View
7
Download
0
Category
Preview:
Citation preview
Research ArticleApplying an Ontology to a Patrol Intrusion DetectionSystem for Wireless Sensor Networks
Chia-Fen Hsieh Rung-Ching Chen and Yung-Fa Huang
Chaoyang University of Technology 168 Jifeng E Road Wufeng District Taichung 41349 Taiwan
Correspondence should be addressed to Rung-Ching Chen crchingcyutedutw
Received 9 July 2013 Revised 4 November 2013 Accepted 8 November 2013 Published 6 January 2014
Academic Editor Hung-Yu Chien
Copyright copy 2014 Chia-Fen Hsieh et alThis is an open access article distributed under the Creative CommonsAttribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
With the increasing application of wireless sensor networks (WSN) the security requirements for wireless sensor networkcommunications have become critical However the detection mechanisms of such systems impact the effectiveness of the entirenetwork In this paper we propose a lightweight ontology-based wireless intrusion detection system (OWIDS)The system appliesan ontology to a patrol intrusion detection system (PIDS) A PIDS is used to detect anomalies via detection knowledgeThe systemconstructs the relationship of the sensor nodes in an ontology to enhance PIDS robustness The sensor nodes preload comparisonmethods without detection knowledgeThe system transfers a portion of the detection knowledge to detect anomaliesThememoryrequirement of a PIDS is lower than that of other methods which preload entire IDS Finally the isolation tables prevent repeateddetection of an anomaly The system adjusts detection knowledge until it converges The experimental results show that OWIDScan reduce IDS (intrusion detection system) energy consumption
1 Introduction
Recently wireless security issues have drawn the attentionof wireless network and wireless sensor network (WSN)researchers WSN is a novel technology that involves thedeployment of low-cost microhardware and resource-limitedsensor nodes Applications of WSN include battlefield super-vision disaster response and health care [1 2] After sensornodes are deployed they self-organize and establish routesautomatically and transmit their information on their sur-roundings to a base station (BS) Since each sensor node hasa limited and irreplaceable energy resource energy conser-vation is the most important performance consideration in aWSN
A WSN has two major defenses cryptography and anintrusion detection system (IDS) Cryptography protectsinformation via encryption decryption and authenticationof each node Cryptography is the first line of protectionin WSN security An IDS protects information by anomalydetection An IDS detects each node by its behavior If asensor node is misbehaving the IDS will alert its managersThis is the second line of defense in WSN security
A Sybil attack is a common method that attackers useto gather information from the WSN Intruders pretend tobe sensor nodes routes andor base stations They use theseroles to request and collect data When they have receiveddata they copy it and return it to the real and victim nodesto establish their bona fides The attackers thus obtain theinformation they need to finish their preparationsThis attacktype merely copies information without altering it It is diffi-cult for the system to detect it and to redeploy against furtherintrusion [3] If the intrusion detection system prevents Sybilattacks it can reduce the severity of attacks To counterthis attack each node must be identified and authenticatedcorrectly The authentication method requires a simplifiedalgorithm to reduce energy consumption However if it is tooeasy to decrypt it will lose efficacyThus the system combinesIDS and an ontology to construct the relationship betweeneach node providing a novel way to detect Sybil attacks Weproposed an ontology IDS method which can detect Sybilattacks to prevent further attacks by intruders
Soft computing has been widely used for wired securitydue to its high knowledge extraction capabilities Howeverlittle research has been done on using soft computing in
Hindawi Publishing CorporationInternational Journal of Distributed Sensor NetworksVolume 2014 Article ID 634748 14 pageshttpdxdoiorg1011552014634748
2 International Journal of Distributed Sensor Networks
WSN IDS Soft computing consumes resources while themodel is being trained and tested with various machinelearning tools such as SVM [4] rough set [5] and ANN[6] Unfortunately WSN IDS resources are limited Thuslightweight soft computing applications for IDS are critical[7ndash9] The IDS uses well-trained features to reduce thefeatures of the system If the training and testing of IDSWSN information use soft computing processing in the basestation it can be lightweight In this paper we will implementontology-based lightweight method technologies to improvethe effectiveness of WSN IDS
An ontology is a knowledge representation methodThe main aim of the ontology is to classify independentknowledge into concepts and to determine the relationshipbetween them The classification knowledge of the ontologyis used to infer new knowledge In our research the nodesof the WSN are constructed in the ontology in their entiretyThe relationships of the sensor nodes may then be applied todetect malicious nodes [10]
After deployment of the WSN is completed the basestation (BS) will gather position information During thepreparation stage the IDS establishes the conceptual relation-ships of each sensor node in the ontology The transmissionof each node will depend on its relationship to the ontologyThe attacker cannot then pretend that malicious nodes arevalid nodes Thus the major contribution of this paper is topropose a lightweight intrusion detection method based onthe domain knowledge
The method is divided into four steps (1) Constructthe relationship of the sensor nodes in the ontology Thepatrol nodes will use the relationships of ontology toenhance system robustness (2) Choose detection knowledgedepending on the monitoring environment The patrol nodeloads detection knowledge to perform a circuit of anomalydetection (3) Record the error information in an isolationtable And (4) repeat these steps until the detection knowl-edge has converged In fact we rename the ranger nodethe patrol node since it is more appropriate for the nodeattributes Thus in this paper we use PIDS (patrol intrusiondetection system) instead of RIDS (ranger intrusion detectionsystem) as in our previous paper [11]
The rest of this paper is organized as follows Section 2presents the literature review Section 3 introduces ourmethodology Section 4 shows the experimental results andevaluations In Section 5 conclusions and suggestions aregiven for future research
2 Related Work
21 Intrusion Detection Systems in Wireless Sensor NetworksIntrusion detection systems detect intruders based on theirattack behaviors In cryptography each node authenticatesother nodes using their encryption method which is knownas a symmetric key Authentication methods only protectagainst outsider attacks as the first line of defense If attackerspenetrate this defense they can gather cryptographic infor-mation Thus the IDS is the second line of defense which
detects user misbehaviour and alerts managers immediately[12]
Wireless sensor networks broadcast data among nodes Apotential intruder gathers such data until it is able to decryptauthentication After an intruder obtains the associated keysit can connect to neighboring nodes and attack them freelyIn some cases intruders can gather sufficient information tocrash the entire network
However intruder behavior is different from that ofnormal nodes System managers use intrusion detection sys-tems to detect anomalous behaviors An intrusion detectionsystem has two detection methods misuse detection andanomaly detection [13] The misuse detection system storesbehaviors of known attacks in an attribute database Thesystem compares user behaviors with the attribute databaseto find intrusions The anomaly detection system storesnormal behaviors of common users in the rule database Thesystem compares user behavior with normal behavior to findintruders
In a misuse detection system the attack rules are com-posed of known attack behaviors This type of system issimilar to antivirus software in which scanned data arecompared to known virus codes If the behavior is found inthe attribute database the systemdeletes the affected filesThemisuse detection system stores the known attack behaviorsin an attribute database If the attack behavior is similar tothe rules in the database an attack is detected and the systemdefends itself The main drawback of misuse detection isthat the detection is dependent on information already inthe attribute database so it is difficult to identify new attackbehaviors
Anomaly detection is different from misuse detectionIn anomaly detection the system constructs a user modelbased on the behavior of normal users When user behavioris abnormal the system notifies managers that there is apotential intruder Since intruder attack methods rapidlyevolve the anomaly detection system collects normal userbehaviors and detects intruder behavior by comparing it withnormal behavior The anomaly detection system must clearlydefine correct user behaviors Otherwise the systemwill havea high false detection rateThus the drawback of an anomalydetection system is greater likelihood of false alarms
WSN intrusion detection approaches are divided intofour types continuous event-driven observation-drivenand combination [14]
(1) Continuous the IDS records alarms but does nottransmit data to the administrator immediatelyWhen the detection process has finished its dutycycle the IDS will return alarms to the BS
(2) Event-driven this method has no duty cycle Whenattack misbehavior is detected the IDS will transmitthe information to the administrator immediatelyThe administrator then must decide how to processthe anomaly information
(3) Observation-driven the anomaly information is pro-cessed when the system detects an attack If theintrusion is serious the administrator can initiate theisolation method to limit the damage
International Journal of Distributed Sensor Networks 3
(4) Combination this method combines two or more ofthe above methods In a normal system sensor nodesreport detection data periodically If attack behavioris detected the IDS will alert the administrator
22 Ontology Methods An ontology represents the rela-tionships between the concepts of domain knowledge Inan ontology the system often assumes correct relationshipsbetween each concept A defined ontology for intrusiondetection systems was constructed by Undercoffer et al[15] According to their definitions three different compo-nents made up the construction of ontologies for intrusiondetection systems The first category reflects the networkclass including the network layers of the protocol stacksuch as TCPIP The second category is the system classrepresenting the operating systemof the hostThe last processclass defines attributes representing particular processes thatare to be monitored They use the ontology specificationlanguage DAML (DARPAAgentMarkup Language) andOIL(Ontology Inference Layer) to implement their ontology andto distribute information The ontology and the inferenceenginewere used as an event aggregation language to confirmthe existence of an attack on a wired network
Cuppens-Boulahia et al [16] presented an approach toreact to network attacks using an ontology to store policyinformation and to generate new security models The policyinformation models can be combined to prove the instan-tiation of the policies They used the ontology specifica-tion languages OWL (Web Ontology Language) and SWRL(Semantic Web Rule Language) They offer the advantage ofexisting generic tools for parsing and reasoning OWL allowsmerging distributed ontologies However the expressivityof SWRL is limited since it does not permit several logicoperators such as OR or NOT Further the SWRL rules maynot be used to alter or delete information in the ontologyThisfact reduces the potential to revoke their method Most ofthe literature on WSN focuses on constructing the rules forthe IDS onWSNThis literature lacks information on how toconstruct the relationships of nodes in the WSN [17 18]
3 Ontology-Based Wireless IntrusionDetection System (OWIDS)
When sensor nodes are taken over by an intruder the normalsensor nodes become malicious nodes The malicious nodesgather data from neighboring nodes in the preparation stageThey alter information and broadcast wrong informationto normal nodes Moreover they rapidly exhaust WSNresources In wired networks the manager detects intrudersusing a well-trained intrusion detection system working withrobust resources However the resources of a WSN arelimited and the protocols of aWSN differ from those of wirednetworks Managers cannot construct wired IDS on a WSNIn this paper we propose a lightweight intrusion detectionsystem that minimizes energy consumption in intrusiondetection for wireless sensor networks
The Sybil attack is a common attack method that is usedto gather information from a WSN It is hard to detect but
enables an intruder to attack the WSN more easily Ourmethod uses an ontology to construct relationships betweensensor nodes The constructed relationship enables the IDSto detect a Sybil attack
In this paper the wireless sensor network is a hierarchicalnetwork that has four roles namely base station cluster headpatrol nodes and sensor nodes They are defined as follows
(1) Base station (BS) the BS is controlled by the admin-istrator and has robust energy and computing poweras well as a high degree of security The base stationreceives environmental information and sensor nodedata from the cluster head The base station usesa detection module to analyze the data The patrolnodes will patrol the network and monitor it Whenthe patrol cycle is completed the base station inte-grates the new collection of the network data Theintegrated data is simplified into the database untilthe attacking pattern knowledge has converged Theadministrator analyzes information from each nodeand constructs the relationship of the WSN in theontologyThe relationship adjustment depends on theWSN environment
(2) Cluster head (CH) the CH is responsible for con-nectivity between the wireless sensor network andbase station The CH controls the work of the patrolnodes The patrol nodes return information to CHTheCHwill balance the duty cycle of the patrol nodesand then assign patrol nodes for monitoring and dataintegration The CH transmits detection knowledgeand ontology relationships to the patrol nodes
(3) Patrol nodes (PN) a patrol node is a sensor nodewhich carries knowledge of how to detect intrusionThey share the work of the CH Since the WSN envi-ronment includes general events and emergenciesthe patrol nodes collect information on their sensornodes The patrol nodes use the detection knowledgeto monitor sensor nodes integrate information andtransmit it back to a CH The node relationshipscarried by the patrol node are used to detect attacksPatrol nodes will record information into an isolationtable In normal cases the patrol nodes send theisolation table to the CH regularly However if anunexpected situation occurs the isolation table willbe transmitted to the CH immediately
(4) Sensor nodes (SN) they are responsible for the overallnetwork and sense environmental dataThey transmitthe data to patrol nodes for regular integration Thesensor nodes have no ontology information at all
The workflow of our system is shown in Figure 1 Firstthe system gathers WSN packages and attack packages tobuild an intrusion features database to enable evaluation ofanomalous transmission packages The system then appliesthe ontology to construct the relationship between thewireless sensor nodes The manager sets the threshold valueof the ontology relationship to detect attacks The patrolintrusion detection system (PIDS) is a lightweight systemthat uses the detection knowledge to monitor the nodes
4 International Journal of Distributed Sensor Networks
Deploy WSN and collect environment data
Gather package information
Construct relationship of WSN on ontology
Set relationship threshold
Simulate attack packages and protocol packages
Assign ontology to patrol node
Adjust attack knowledge until it has converged
Record anomaly information
Initialize OWIDS
Intr
usio
n de
tect
ion
stag
eO
ntol
ogy
cons
truc
tion
stag
ePr
epro
cess
ing
stage
Figure 1 The workflow of our system
in the wireless network The patrol node carries differenttypes of knowledge of how to detect intrusion dependingon the environment The ontology-based wireless intrusiondetection system (OWIDS) is divided into three stagesthe preprocessing stage ontology construction stage andintrusion detection stage
The preprocessing stage shows that each nodemust trans-late its data to base station and find the best translation routefor such dataThe ontology construction stage is divided intothe definition relationship and ontology construction phaseEach node calculates the membership value and defines therelationships between patrol nodes and sensor nodes Theintrusion detection stage compares the detection data tothe ontology pattern to find intrusions Finally the systemrecords anomaly information in an isolation table
The algorithm of the preprocessing stage is shown inAlgorithm 1 the algorithmof the ontology construction stageis shown in Algorithm 2 and the algorithm of the intrusiondetection stage is shown in Algorithm 3 The symbols of thealgorithms are as follows 119868 is information including ldquoSen-sorNodes ID energy 119864 4 hops sensed data type STrdquo arr[] isthe type of resource of the sensor nodes Patrolcandidate[]represents the candidate list of patrol nodes CH is the clusterhead 119904
119894and 119904119895represent different sensor nodes in the WSN
resource (119904119894) represents the resources of 119904
119894 such as energy
hops and sensor data type hop(119904119894 119904119895) is the number of hops
between 119904119894and 119904119895 patrolnode(119904
119894) represents the patrol node
assigned to 119904119894 119901119899119896represents the ID of the patrol nodes
119900119899119905119900119897119900119892119910[] means the ontology constructed by our methodand 119860[] represents the isolation table
31 Preprocessing Stage The system attempts to configurewireless sensor network nodes through random distribu-tion to simulate the wireless option connection When thedistribution of every node is completed the packet will becollected by the base station (BS) In addition the BS can usea routing protocol package to analyze intrusion behaviorsTo define several attacking behaviors the manager can useattack thresholds or attack featuresThe transmission packagecan be captured by the intrusion detection system The datathen need to be normalized in preprocessing followed by theconstruction of a network intrusion detection module Thealgorithm of the preprocessing stage is shown in Algorithm 1
After the WSN has been deployed the sensor nodesbroadcast to each other and construct route informationThe BS gathers data from the sensor nodes that includes thesensor node identification (number) energy (joules) hopdistance (hops) and sensing data type (ST) The system usesthe received information to construct the ontology
International Journal of Distributed Sensor Networks 5
Algorithm OWIDSInput The packages of wireless sensor networks 119901Output 119860 list of anomaly nodes 119860[]
BEGINlowastPre-processing Stagelowastlowastbroadcasting routinglowastfor each sensor node 119904 connected to 119909 do
for each sensor node y in the network doif 119863119904[119910] + 119904(119909 119904) lt 119863
119909[119910] then
lowasta better route from 119909 to 119910 through s has been foundlowast119863119909[119910] larr 119863
119904[119910] + 119904(119909 119904)
119862119909[119910] larr (119909 119904)
lowastintegrating informationlowastfor each sensor node s transmitted to base station 119887119904 do
send data of itself 119868 to base station 119887119904
return 119868
Algorithm 1 Algorithm of preprocessing stage of OWIDS
32 Construct Ontology Stage Due to the nature of a Sybilattack it is hard to use an IDS to detect it In the systemthe relationships of each sensor node in the ontology areconstructed first Then the patrol node compares the rela-tionships of the ontology conceptual nodes to the testedwireless networks to determine whether the system has beenattacked The method for constructing the ontology is givenbelow The algorithm of the ontology construction stage isshown in Algorithm 2
After the entireWSN has been deployed the informationon each sensor node is translated to the base station forthe system to construct the ontology The relationships ofthe sensor nodes are constructed in the ontology Eachsensor node transmits its connection information to the basestation This method thus is a top-down design for ontologyconstruction in which construction proceeds from the basestation to the sensor nodes The system sorts sensor nodesdepending on the energy of the sensor nodes and selects thesensor node that has the best energy to be the cluster headThe candidates for patrol nodes are the top 20 of sensornodesThe patrol nodes are chosen by the candidate of patrolnodes that are one hop from the cluster head After the systempicks the patrol nodes up it begins to construct the ontology
First the system constructs patrol nodes in the ontologyThe system calculates the similarity between the patrol nodesusing formula (1) Formula (1) is calculated between patrolnodes and patrol nodes 119901119899
119894cap 119901119899119897means that the system
compares the data of 119901119899119894with the data of 119901119899
119897to gather the
minimum number (the data is energy() hop() ST() etc)The 119901119899
119894cup119901119899119897means that the system computes the data of 119901119899
119894
with the data of119901119899119897to gather theminimumnumber Consider
119878119894119898119894119897119886119903119894119905119910 (119901119899119894 119901119899119897) =
sum119899
119897=1(1003816100381610038161003816119901119899119894 cap 119901119899
119897
1003816100381610038161003816 1003816100381610038161003816119901119899119894 cup 119901119899
119897
1003816100381610038161003816)
119899 (1)
The construction of the patrol nodes in the ontologydepends on formula (1) which indicates the relationship ofthe patrol nodes Similar patrol nodes exchange information
with each other The relationship is used to construct sensornodes in the ontologyThere are two concepts of sensor nodeequal concept and sibling concept as follows
Definition 1 (equal concept) Consider
119864119902119906119886119897 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | ℎ119900119901 (119904
1
119894 1199042
119894) = 1
and (119878119890119899119904119900119903119873119900119889119890 (1199041
119894) = 119878119890119899119904119900119903119873119900119889119890 (119904
2
119894)
and 119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894))
(2)
The 1199041119894and 1199042119894are two different sensor nodes in theWSN
The distance between 1199041119894and 1199042119894is equal to one hop 119904119899
119894
indicates the sensor node 119899 is managed by 119901119886119905119903119900119897119899119900119889119890 119894119878119890119899119904119900119903119873119900119889119890(119904119899
119894) and 119903119890119904119900119906119903119888119890(119904119899
119894) indicate the class name
of the 119878119890119899119904119900119903119873119900119889119890 and the resources of 119878119890119899119904119900119903119873119900119889119890 119904respectively When 119903119890119904119900119906119903119888119890(1199041
119894) asymp 119903119890119904119900119906119903119888119890(1199042
119894) it means
the resources (energy hops sense type) of 1199041119894are similar
to the resources of 1199042119894 Definition 1 defines the concepts of
sensor nodes having equivalent resources and being close toeach other For example if a pair of concepts ldquo1199041rdquo and ldquo1199042rdquohas overlapped broadcasting range and possesses equivalentresources the equal concept definition is satisfied and thesystem will construct the relationship between them Therest of concepts will be used to determine the hierarchicalrelations in the ontology concepts
Definition 2 (sibling concept) Consider
119878119894119887119897119894119899119892 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | 1199041
119894= 1199042
119894
and (119878119894119887119897119894119899119892119879119890119903119898 (1199041
119894 1199042
119894)) and 2
6 International Journal of Distributed Sensor Networks
lowast Construct Ontology Stage lowastlowast sort sensor nodes lowastfor each sensor node s in the network do
for (119894 = 119899 minus 1 119894 gt 0 119894 minus minus) dofor (119895 = 0 119895 lt 119894 119895++) do
if energy(119904119895) gt energy(119904
119894) then
buffer = arr[119895]arr[119895] = arr[119895 + 1]
arr[119895 + 1] = bufferreturn arr[] lowast return sort information lowast
set CH = arr[1] lowast the system selects up best sensor node to be cluster head lowastlowastpick up patrol nodeslowast
for (119901 = 0 119901 lt 119899 lowast 02 119901++) doPatrolcandidate[119901] = arr[119901] lowast pick up top 20 of sensor nodes lowastfor each sensor node 119904 in the Patrolcadidate[] doif hop(119904
119894 CH) = 1 then
lowasta patrol node has foundlowastset patrolnode[] = 119904
119894
lowastConstruct patrol nodes in Ontologylowastfor each patrol node in the network do
for (119897 = 1 119897le 119899 119897++) do lowast119897 is the index of patrol node lowast119905119897= intersection (119901119899
119894 119901119899119897) union (119901119899
119894 119901119899119897) lowast119905119897is similarity of patrol node 119897lowast
119905 = 119905 + 119905119896lowast119905 is the similarity lowast
return 119905
similiarity(119901119899119894 119901119899119897) = 119905119896
119901119899119897[] larr 119901119899
119894
Ontology[] larr 119901119899119897[]
lowast definition sensor nodes relationship lowastfor each sensor node s in the network do
if 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and hop(119904
119894 119904119895) = 1 then
lowast a equal sensor has found lowastset 119904119894and 119904
119895are equal sensor nodes
for each sensor node s in the network doif 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and 2 ≦ hop(119904
119894 119904119895) ≦ 3 then
lowasta sibling sensor has foundlowastset 119904119894and 119904
119895are sibling sensor nodes
else if patrolnode(119904119894) cap patrolnode(119904
119895) ltgt then
lowast 119886 sibling sensor has found lowastset 119904119894and 119904
119895are sibling sensor nodes
lowast Construct Ontology lowastfor each sensor node in the network do
for (119896 = 1 119896le 119899 119896++) do lowast119896 is the index of patrol node lowast119905119896= intersection (119901119899
119896 119904119894) union (119901119899
119896 119904119894) lowast119905119896is similarity of patrol node 119896lowast
119905 = 119905 + 119905119896
lowast119905 is the similarity lowastreturn 119905
similiarity(119901119899119896 119904119894) = 119905119896
119901119899119896[] larr 119904
119894
Ontology[] larr 119901119899119896[]
Algorithm 2 Algorithm of the construct ontology stage of OWIDS
le ℎ119900119901 (1199041
119894 1199042
119894)
le 3 or (119875119886119905119903119900119897119873119900119889119890 (1199041
119894 1)
cap119875119886119905119903119900119897119873119900119889119890 (1199042
119894 1) = 0)
119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894)
(3)
The 119878119894119887119897119894119899119892119879119890119903119898(1199041119894 1199042119894) indicates that 1199041
119894has a sister
term 1199042119894 In other words the sensor nodes have an identical
patrol node in the WSN and 119875119886119905119903119900119897119873119900119889119890(1199041119894 1) means that
the distance of 1199041119894from the patrol node is one hop When the
distance between 1199041119894and 1199042119894is less than or equal to 3 it will
be adjusted depending on the scale of the WSN Definition 2has two situations either a pair of concepts has sister-termrelations in the WSN or a pair of concepts has a common
International Journal of Distributed Sensor Networks 7
Situation 1 Situation 2
Pnl Pnl
Pn2 s2
s1
s2s1
(a) (b)
Figure 2 The sibling relationship
patrol node over more than one levelThe difference betweenthem is shown in Figures 2(a) and 2(b) Situation 1 andsituation 2 are the relationships of SensorNode 1199041
119894and Sen-
sorNode 1199042119894in the WSN structure Situation 1 indicates that 1199041
119894
and 1199042119894have a sister-term relationship in the WSN situation
2 indicates 1199041119894and 1199042119894are not sister terms However they
satisfy the sibling concept because they have a commonpatrol node on the upper level In this case the distancebetween 119904
1
119894and 1199042119894is 3 hops as shown in Figure 2(b)
An ontology has various elements including conceptsattributes operators instances relations and axioms Ourontology has membership values between the patrol node(119901119899) and the sensor node (119904) The set of values between thepatrol nodes and sensor nodes is called the subclass Forexample the sensor node contains attributes such as senseinformation remaining resources and route informationThe membership values between patrol nodes and sensornodes can be calculated by formula (4) [19] Suchvalues might include for example 119899
1energy(08) hop
(02) ST(09) 1199011198992energy(03) hop(08) ST(08) and
1199041energy(075) hop(02) ST(07)The subclass is (119904
1 1199011198991) =
(075 + 02 + 07) (08 + 02 + 09) = 16519 = 087 Thesubclass is (119904
1 1199011198992) = (03 + 02 + 07) (03 + 08 + 08) =
1221 = 057 The membership value consists of sensornodes such as 119901119899
1(087) and 119901119899
2(057) the numbers
represent the membership values in each patrol node Themembership value between a patrol node and a sensor nodemay then be found The 119904
1is the subclass of 119901119899
1 Consider
119904119906119887119888119897119886119904119904 (119904 119901119899) =
1003816100381610038161003816119904 cap 1199011198991003816100381610038161003816
10038161003816100381610038161199011198991003816100381610038161003816
(4)
The relations between sensor nodes can be defined ina number of ways such as Belong-to and Consist-of whilethe subclass defines the values of the relationships betweenthe sensor nodes After constructing the concept layer themembership values can be simply and directly joined tothe ontology Each concept has the membership values foreach relevant patrol node The system can then build up theconcept hierarchyThe ontology information includes sensornode identify (number) patrol node identify (number)
energy (joule) hop distance (hops) and sensing data type(ST) as shown in Figure 3
The related value of the concept should define a suitablethreshold Let 119901119899
119896be the 119896th patrol node ofWSN 119904
119894indicates
the sensor node 119894 in the WSN 119901119899119898is the patrol node that
belongs to 119901119899119896 and 119899 is the number of comparison nodes
under the patrol node 119901119899119896 The similarity formula is listed in
formula (5) Formula (5) is similar to formula (1) Formula(1) is the similarity between patrol node and patrol nodeFormula (5) is the similarity between patrol node and sensornode
119904119894119898119894119897119886119903119894119905119910 (119901119899119896 119904119894) =
sum119899
119898=119896(1003816100381610038161003816119901119899119898 cap 119904
119894
1003816100381610038161003816 1003816100381610038161003816119901119899119898 cup 119904
119894
1003816100381610038161003816)
119899 (5)
For example the system uses formula (5) to calculatethe similarity of formal concepts Each patrol node hasmany sensor nodes Figure 4 shows an example of calculationbetween 119901119899
119896and 119904119894 It is not an ontology figure An example
of the ontology is shown in Figure 5 The similarity between119901119899119896and 119904119894is calculated as follows
119904119894119898119894119897119886119903119894119905119910 (1199011198991 1199041)
= (075 + 02 + 07
08 + 02 + 09+
02 + 07
075 + 02 + 075
+075 + 06
075 + 02 + 06) times (3)
minus1= 068
119904119894119898119894119897119886119903119894119905119910 (1199011198992 1199041)
= (03 + 02 + 07
03 + 08 + 08+
03 + 07
075 + 02 + 07) times (2)
minus1
= 047
(6)
We select themaximum similarity value of the conceptualpairs between 119901119899
119896and 119904
119894to determine the sonsor node 119904
119894
belongs to which patrol nodes 119901119899 In this case 1199041is more
similar to 1199011198991 The IDS calculates the relationship between
119899119901119896and 119904
119894to define the relationship threshold The IDS
calculation threshold depends on the similarity formula indifferent environments A higher threshold makes the entireWSN more secure However a higher threshold for the IDSmeans that attacks are easily misidentified
An example of an ontology is shown in Figure 5 Thereare 10 sensor nodes in the example For practical applicationsour method supports 50 sensor nodes in the ontology Theontology has a domain layer a category layer a patrol nodelayer and a sensor node layer The domain layer representsthe ontology domain issue thatwe focus on in constructing anIDS for a WSN Next the category layer represents differentjobs on the WSN such as sensing humidity temperatureand brightness One sensor node will take on one or moretasks The patrol node layer contains the information foreach patrol node in the WSN Each patrol node has anID energy (joule (j)) sensing data type (ST) the distanceto the cluster head (Hop) and membership value betweeneach relevant object for example119901119899idEnergy(j) hop(1hop)ST(1number of sense types) The sensor node layer con-tains each sensor node ID energy (joule (j)) sense data type
8 International Journal of Distributed Sensor Networks
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Relation type
Subclass
Hops
Hops
Figure 3 The information of the concept of nodes in ontology
(ST) the distance to the cluster head (hop) and membershipvalue between each relevant object
33 Intrusion Detection Stage The attackers that intrudewireless sensor network can be divided into two stagespreparatory phase the attack and destruction phase Theattack behaviours of attack and destruction phase includesinkhole attack blackhole attack and hello flooding Inorder to obtain the required information of attack anddestruction phase the attackers apply Sybil attack to disguisevarious roles The behaviours of attack phase used differ-ent transmission technology to burn entire network evencause WSN unusable All the above behaviours are calledanomaly behaviours The assignment system will completethe information for the integration of the environmentalanalysis The ontology contains the entire relationship of theWSNThe system can preselect the knowledge based on thoseenvironmental attacks The ontology can thus detect illegalnodes in the WSNThe rules are shown in Algorithm 3
The WSN is usually deployed unequally causing it torapidly consume energy We have proposed a PIDS usingdetection knowledge to detect anomalies [11] The PIDS istransferred between patrol nodes to detect whether neighbor-ing nodes exhibit anomalies The PIDS will choose differentdetection knowledge in different environments The PIDSmerely requires a portion of the detection knowledge todetect an anomaly which reducesWSN energy consumptionThe architecture of the OWIDS combines the PIDS with theontologyTheOWIDS is transferred between the patrol nodesto detectwhether neighbouring nodes are anomalous Similar
to the PIDS the OWIDS will choose different detectionknowledge in different environments It requires merely aportion of the detection knowledge to detect anomaliesreducing WSN energy consumption The system will matchthe database and the attack pattern If there appears to benonselected detection knowledge the detection knowledgewill be added The intrusion detection mechanisms werecomputed on the base station The classification methodof detection knowledge is described in the following para-graphs
The detection knowledge is classification by supportvector machine (SVM) [21] The proposed method provideda strong argument for the improvement of WSN intrusiondetection systems The SVM uses a high dimension spaceto find a hyperplane to perform binary classification to findminimal error rate Notably the SVM is able to handle theproblem of linear inseparability The SVM uses a portion ofthe data to train the system finding several support vectorswhich represent the training data These support vectorswill be formed into a model by the SVM representing acategory According to this model the SVM will classify agiven unknown document A basic input data format and anoutput data domain are given as follows
(119909119894 119910119894) (119909
119899 119910119899) 119909 isin 119877
119898 119910 isin +1 minus1 (7)
where (119909119894 119910119894) (119909
119899 119910119899) are training data 119899 is the number
of samples119898 is the input vector and 119910 belongs to category of+1 or minus1
Regarding linear problems a hyperplane can be dividedinto two categories The hyperplane formula is
(119908 sdot 119909) + 119887 = 0 (8)
The category formula is
(119908 sdot 119909) + 119887 ge 0 if 119910119894= +1
(119908 sdot 119909) + 119887 le 0 if 119910119894= minus1
(9)
However it is not easy to find hyperplanes with which toclassify the dataThe SVMhas several kernel functions whichusers can apply to solve different problems As such selectingthe appropriate kernel function can solve the problem oflinear inseparability Also internal product operations affectthe classification function and a suitable inner product func-tion119870(119883119894 sdot 119883119895) can solve certain linear inseparable problemswithout increasing the complexity of the calculation Originaldata includes 31 features tagged with numbers from 0 to 30The system will convert the contents of the 31 features intonumeric values For instance the first element is ldquoEventrdquo andthe parameter is ldquo119904rdquo which is mapped to ldquo0 01rdquo An exampleof SVM data is shown in Figure 9 The OWIDS combinesontology with detection knowledge The patrol nodes carrypart of ontology to detect Sybil attack and the detectionknowledge is used to detect sinkhole blackhole and helloflooding
The ontology is divided into several parts depending onthe region of the patrol node The system sends detectionknowledge and the ontology to the cluster head The patrol
International Journal of Distributed Sensor Networks 9
lowast Intrusion Detection Stage lowastfor each neighbor of patrol node s doreceive (119904id 119901119899id 119904INFO 119864119894) lowast Receive 119904id 119901119899id 119904INFO and the remaining energy lowastif 119904id ltgt Ontology [] then lowast Check whether the sensor node is constructed in the Ontology lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastif Pattern (119904) = Pattern (119860119872)lowast Check whether the receive information is different from attack knowledge lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastelse if broadcast 119860[] to 119862id lowast Broadcast isolation table to CH to back up lowastend for
Algorithm 3 Algorithm of the intrusion detection stage of OWIDS
Base station
energy (08) hop (02) ST (09) energy (03)
hop (08) ST (08)
hop (02)ST (07)
energy (075) ST (06)
energy (03) ST (07)
energy (075) hop (02) ST (07)
068
047pn1
pn3
pn4
pn5
pn2
s1
Figure 4 An example of membership calculation
node is a sensor node to do detection but its energy is limitedThe OWIDS does not train detection mechanism on patrolnode and only the cluster head transmits detection rules topatrol nodes The patrol nodes detect attacks by rotation toreduce the overall WSN energy consumption and extend thelifetime of the WSN When the duty of the patrol nodes isover the CH will collect the WSN information and transmitit to the base station The BS analyzes the informationtrains the detection data and constructs the ontology againThus the detection knowledge can be adjusted accordingto the WSN environment To improve the accuracy ofthe intrusion detection the system repeats the detectionknowledge training to remove less frequently used data untilthe knowledge converges This reduces the features of thedetection knowledge and makes the detection knowledgemore lightweight
The WSN is a self-organizing network meaning that therouting table will be changed The clustering system of theWSN will change cluster heads periodically The WSN as awhole thus cannot keep isolating anomalous nodes Rede-tection of anomalous nodes consumes energy This paperthus proposes an isolation table recorded in the base station[20] If new cluster heads are assigned or the entire WSNis changed the patrol maintains isolation of anomaly nodesusing the isolation table Intruders thus cannot attack theWSN through isolated anomaly nodes reducing redetectionenergy consumption
4 Experimental Results
The system performance was evaluated by network sim-ulation (NS-2) The experimental hardware environmentsconsisted of an Intel Core 2 i5-2410M CPU 230GHzNotebook with 8GB RAM and was implemented under theWindows 7 operating system The area for the simulationof the WSN was within 10000 square meters The field isstatic and deploys 300 sensor nodes randomly each with abroadcast radius of 50m The OWIDS uses a protegee toconstruct the ontology The behaviors of the attacker weregenerated by a Java program The attacks were randomlygenerated by different kinds of attack patterns For exampleSybil attacks were generated every 20 seconds but theattackers will masquerade different kinds of roles randomlysuch as cluster head sensor node The OWIDS detects Sybilattacks using the relationship of ontology In addition theexperiment was meant to simulate transmission packages inwireless sensor networksThe communications of packets canbe captured byOWIDSThedatawas collected from theWSNpackets of NS-2 simulator The data set can be divided intotwo protocols the training data and the testing data Thepackets are randomly selected for training and testing
Before using SVM classification the system performa data scaling operation to increases the accuracy whilereducing complexity The system kernel is RBF 119870(119909 119910) =
ℓminus119892119909minus119910
2
The systemwill classify the attributes of the features
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
2 International Journal of Distributed Sensor Networks
WSN IDS Soft computing consumes resources while themodel is being trained and tested with various machinelearning tools such as SVM [4] rough set [5] and ANN[6] Unfortunately WSN IDS resources are limited Thuslightweight soft computing applications for IDS are critical[7ndash9] The IDS uses well-trained features to reduce thefeatures of the system If the training and testing of IDSWSN information use soft computing processing in the basestation it can be lightweight In this paper we will implementontology-based lightweight method technologies to improvethe effectiveness of WSN IDS
An ontology is a knowledge representation methodThe main aim of the ontology is to classify independentknowledge into concepts and to determine the relationshipbetween them The classification knowledge of the ontologyis used to infer new knowledge In our research the nodesof the WSN are constructed in the ontology in their entiretyThe relationships of the sensor nodes may then be applied todetect malicious nodes [10]
After deployment of the WSN is completed the basestation (BS) will gather position information During thepreparation stage the IDS establishes the conceptual relation-ships of each sensor node in the ontology The transmissionof each node will depend on its relationship to the ontologyThe attacker cannot then pretend that malicious nodes arevalid nodes Thus the major contribution of this paper is topropose a lightweight intrusion detection method based onthe domain knowledge
The method is divided into four steps (1) Constructthe relationship of the sensor nodes in the ontology Thepatrol nodes will use the relationships of ontology toenhance system robustness (2) Choose detection knowledgedepending on the monitoring environment The patrol nodeloads detection knowledge to perform a circuit of anomalydetection (3) Record the error information in an isolationtable And (4) repeat these steps until the detection knowl-edge has converged In fact we rename the ranger nodethe patrol node since it is more appropriate for the nodeattributes Thus in this paper we use PIDS (patrol intrusiondetection system) instead of RIDS (ranger intrusion detectionsystem) as in our previous paper [11]
The rest of this paper is organized as follows Section 2presents the literature review Section 3 introduces ourmethodology Section 4 shows the experimental results andevaluations In Section 5 conclusions and suggestions aregiven for future research
2 Related Work
21 Intrusion Detection Systems in Wireless Sensor NetworksIntrusion detection systems detect intruders based on theirattack behaviors In cryptography each node authenticatesother nodes using their encryption method which is knownas a symmetric key Authentication methods only protectagainst outsider attacks as the first line of defense If attackerspenetrate this defense they can gather cryptographic infor-mation Thus the IDS is the second line of defense which
detects user misbehaviour and alerts managers immediately[12]
Wireless sensor networks broadcast data among nodes Apotential intruder gathers such data until it is able to decryptauthentication After an intruder obtains the associated keysit can connect to neighboring nodes and attack them freelyIn some cases intruders can gather sufficient information tocrash the entire network
However intruder behavior is different from that ofnormal nodes System managers use intrusion detection sys-tems to detect anomalous behaviors An intrusion detectionsystem has two detection methods misuse detection andanomaly detection [13] The misuse detection system storesbehaviors of known attacks in an attribute database Thesystem compares user behaviors with the attribute databaseto find intrusions The anomaly detection system storesnormal behaviors of common users in the rule database Thesystem compares user behavior with normal behavior to findintruders
In a misuse detection system the attack rules are com-posed of known attack behaviors This type of system issimilar to antivirus software in which scanned data arecompared to known virus codes If the behavior is found inthe attribute database the systemdeletes the affected filesThemisuse detection system stores the known attack behaviorsin an attribute database If the attack behavior is similar tothe rules in the database an attack is detected and the systemdefends itself The main drawback of misuse detection isthat the detection is dependent on information already inthe attribute database so it is difficult to identify new attackbehaviors
Anomaly detection is different from misuse detectionIn anomaly detection the system constructs a user modelbased on the behavior of normal users When user behavioris abnormal the system notifies managers that there is apotential intruder Since intruder attack methods rapidlyevolve the anomaly detection system collects normal userbehaviors and detects intruder behavior by comparing it withnormal behavior The anomaly detection system must clearlydefine correct user behaviors Otherwise the systemwill havea high false detection rateThus the drawback of an anomalydetection system is greater likelihood of false alarms
WSN intrusion detection approaches are divided intofour types continuous event-driven observation-drivenand combination [14]
(1) Continuous the IDS records alarms but does nottransmit data to the administrator immediatelyWhen the detection process has finished its dutycycle the IDS will return alarms to the BS
(2) Event-driven this method has no duty cycle Whenattack misbehavior is detected the IDS will transmitthe information to the administrator immediatelyThe administrator then must decide how to processthe anomaly information
(3) Observation-driven the anomaly information is pro-cessed when the system detects an attack If theintrusion is serious the administrator can initiate theisolation method to limit the damage
International Journal of Distributed Sensor Networks 3
(4) Combination this method combines two or more ofthe above methods In a normal system sensor nodesreport detection data periodically If attack behavioris detected the IDS will alert the administrator
22 Ontology Methods An ontology represents the rela-tionships between the concepts of domain knowledge Inan ontology the system often assumes correct relationshipsbetween each concept A defined ontology for intrusiondetection systems was constructed by Undercoffer et al[15] According to their definitions three different compo-nents made up the construction of ontologies for intrusiondetection systems The first category reflects the networkclass including the network layers of the protocol stacksuch as TCPIP The second category is the system classrepresenting the operating systemof the hostThe last processclass defines attributes representing particular processes thatare to be monitored They use the ontology specificationlanguage DAML (DARPAAgentMarkup Language) andOIL(Ontology Inference Layer) to implement their ontology andto distribute information The ontology and the inferenceenginewere used as an event aggregation language to confirmthe existence of an attack on a wired network
Cuppens-Boulahia et al [16] presented an approach toreact to network attacks using an ontology to store policyinformation and to generate new security models The policyinformation models can be combined to prove the instan-tiation of the policies They used the ontology specifica-tion languages OWL (Web Ontology Language) and SWRL(Semantic Web Rule Language) They offer the advantage ofexisting generic tools for parsing and reasoning OWL allowsmerging distributed ontologies However the expressivityof SWRL is limited since it does not permit several logicoperators such as OR or NOT Further the SWRL rules maynot be used to alter or delete information in the ontologyThisfact reduces the potential to revoke their method Most ofthe literature on WSN focuses on constructing the rules forthe IDS onWSNThis literature lacks information on how toconstruct the relationships of nodes in the WSN [17 18]
3 Ontology-Based Wireless IntrusionDetection System (OWIDS)
When sensor nodes are taken over by an intruder the normalsensor nodes become malicious nodes The malicious nodesgather data from neighboring nodes in the preparation stageThey alter information and broadcast wrong informationto normal nodes Moreover they rapidly exhaust WSNresources In wired networks the manager detects intrudersusing a well-trained intrusion detection system working withrobust resources However the resources of a WSN arelimited and the protocols of aWSN differ from those of wirednetworks Managers cannot construct wired IDS on a WSNIn this paper we propose a lightweight intrusion detectionsystem that minimizes energy consumption in intrusiondetection for wireless sensor networks
The Sybil attack is a common attack method that is usedto gather information from a WSN It is hard to detect but
enables an intruder to attack the WSN more easily Ourmethod uses an ontology to construct relationships betweensensor nodes The constructed relationship enables the IDSto detect a Sybil attack
In this paper the wireless sensor network is a hierarchicalnetwork that has four roles namely base station cluster headpatrol nodes and sensor nodes They are defined as follows
(1) Base station (BS) the BS is controlled by the admin-istrator and has robust energy and computing poweras well as a high degree of security The base stationreceives environmental information and sensor nodedata from the cluster head The base station usesa detection module to analyze the data The patrolnodes will patrol the network and monitor it Whenthe patrol cycle is completed the base station inte-grates the new collection of the network data Theintegrated data is simplified into the database untilthe attacking pattern knowledge has converged Theadministrator analyzes information from each nodeand constructs the relationship of the WSN in theontologyThe relationship adjustment depends on theWSN environment
(2) Cluster head (CH) the CH is responsible for con-nectivity between the wireless sensor network andbase station The CH controls the work of the patrolnodes The patrol nodes return information to CHTheCHwill balance the duty cycle of the patrol nodesand then assign patrol nodes for monitoring and dataintegration The CH transmits detection knowledgeand ontology relationships to the patrol nodes
(3) Patrol nodes (PN) a patrol node is a sensor nodewhich carries knowledge of how to detect intrusionThey share the work of the CH Since the WSN envi-ronment includes general events and emergenciesthe patrol nodes collect information on their sensornodes The patrol nodes use the detection knowledgeto monitor sensor nodes integrate information andtransmit it back to a CH The node relationshipscarried by the patrol node are used to detect attacksPatrol nodes will record information into an isolationtable In normal cases the patrol nodes send theisolation table to the CH regularly However if anunexpected situation occurs the isolation table willbe transmitted to the CH immediately
(4) Sensor nodes (SN) they are responsible for the overallnetwork and sense environmental dataThey transmitthe data to patrol nodes for regular integration Thesensor nodes have no ontology information at all
The workflow of our system is shown in Figure 1 Firstthe system gathers WSN packages and attack packages tobuild an intrusion features database to enable evaluation ofanomalous transmission packages The system then appliesthe ontology to construct the relationship between thewireless sensor nodes The manager sets the threshold valueof the ontology relationship to detect attacks The patrolintrusion detection system (PIDS) is a lightweight systemthat uses the detection knowledge to monitor the nodes
4 International Journal of Distributed Sensor Networks
Deploy WSN and collect environment data
Gather package information
Construct relationship of WSN on ontology
Set relationship threshold
Simulate attack packages and protocol packages
Assign ontology to patrol node
Adjust attack knowledge until it has converged
Record anomaly information
Initialize OWIDS
Intr
usio
n de
tect
ion
stag
eO
ntol
ogy
cons
truc
tion
stag
ePr
epro
cess
ing
stage
Figure 1 The workflow of our system
in the wireless network The patrol node carries differenttypes of knowledge of how to detect intrusion dependingon the environment The ontology-based wireless intrusiondetection system (OWIDS) is divided into three stagesthe preprocessing stage ontology construction stage andintrusion detection stage
The preprocessing stage shows that each nodemust trans-late its data to base station and find the best translation routefor such dataThe ontology construction stage is divided intothe definition relationship and ontology construction phaseEach node calculates the membership value and defines therelationships between patrol nodes and sensor nodes Theintrusion detection stage compares the detection data tothe ontology pattern to find intrusions Finally the systemrecords anomaly information in an isolation table
The algorithm of the preprocessing stage is shown inAlgorithm 1 the algorithmof the ontology construction stageis shown in Algorithm 2 and the algorithm of the intrusiondetection stage is shown in Algorithm 3 The symbols of thealgorithms are as follows 119868 is information including ldquoSen-sorNodes ID energy 119864 4 hops sensed data type STrdquo arr[] isthe type of resource of the sensor nodes Patrolcandidate[]represents the candidate list of patrol nodes CH is the clusterhead 119904
119894and 119904119895represent different sensor nodes in the WSN
resource (119904119894) represents the resources of 119904
119894 such as energy
hops and sensor data type hop(119904119894 119904119895) is the number of hops
between 119904119894and 119904119895 patrolnode(119904
119894) represents the patrol node
assigned to 119904119894 119901119899119896represents the ID of the patrol nodes
119900119899119905119900119897119900119892119910[] means the ontology constructed by our methodand 119860[] represents the isolation table
31 Preprocessing Stage The system attempts to configurewireless sensor network nodes through random distribu-tion to simulate the wireless option connection When thedistribution of every node is completed the packet will becollected by the base station (BS) In addition the BS can usea routing protocol package to analyze intrusion behaviorsTo define several attacking behaviors the manager can useattack thresholds or attack featuresThe transmission packagecan be captured by the intrusion detection system The datathen need to be normalized in preprocessing followed by theconstruction of a network intrusion detection module Thealgorithm of the preprocessing stage is shown in Algorithm 1
After the WSN has been deployed the sensor nodesbroadcast to each other and construct route informationThe BS gathers data from the sensor nodes that includes thesensor node identification (number) energy (joules) hopdistance (hops) and sensing data type (ST) The system usesthe received information to construct the ontology
International Journal of Distributed Sensor Networks 5
Algorithm OWIDSInput The packages of wireless sensor networks 119901Output 119860 list of anomaly nodes 119860[]
BEGINlowastPre-processing Stagelowastlowastbroadcasting routinglowastfor each sensor node 119904 connected to 119909 do
for each sensor node y in the network doif 119863119904[119910] + 119904(119909 119904) lt 119863
119909[119910] then
lowasta better route from 119909 to 119910 through s has been foundlowast119863119909[119910] larr 119863
119904[119910] + 119904(119909 119904)
119862119909[119910] larr (119909 119904)
lowastintegrating informationlowastfor each sensor node s transmitted to base station 119887119904 do
send data of itself 119868 to base station 119887119904
return 119868
Algorithm 1 Algorithm of preprocessing stage of OWIDS
32 Construct Ontology Stage Due to the nature of a Sybilattack it is hard to use an IDS to detect it In the systemthe relationships of each sensor node in the ontology areconstructed first Then the patrol node compares the rela-tionships of the ontology conceptual nodes to the testedwireless networks to determine whether the system has beenattacked The method for constructing the ontology is givenbelow The algorithm of the ontology construction stage isshown in Algorithm 2
After the entireWSN has been deployed the informationon each sensor node is translated to the base station forthe system to construct the ontology The relationships ofthe sensor nodes are constructed in the ontology Eachsensor node transmits its connection information to the basestation This method thus is a top-down design for ontologyconstruction in which construction proceeds from the basestation to the sensor nodes The system sorts sensor nodesdepending on the energy of the sensor nodes and selects thesensor node that has the best energy to be the cluster headThe candidates for patrol nodes are the top 20 of sensornodesThe patrol nodes are chosen by the candidate of patrolnodes that are one hop from the cluster head After the systempicks the patrol nodes up it begins to construct the ontology
First the system constructs patrol nodes in the ontologyThe system calculates the similarity between the patrol nodesusing formula (1) Formula (1) is calculated between patrolnodes and patrol nodes 119901119899
119894cap 119901119899119897means that the system
compares the data of 119901119899119894with the data of 119901119899
119897to gather the
minimum number (the data is energy() hop() ST() etc)The 119901119899
119894cup119901119899119897means that the system computes the data of 119901119899
119894
with the data of119901119899119897to gather theminimumnumber Consider
119878119894119898119894119897119886119903119894119905119910 (119901119899119894 119901119899119897) =
sum119899
119897=1(1003816100381610038161003816119901119899119894 cap 119901119899
119897
1003816100381610038161003816 1003816100381610038161003816119901119899119894 cup 119901119899
119897
1003816100381610038161003816)
119899 (1)
The construction of the patrol nodes in the ontologydepends on formula (1) which indicates the relationship ofthe patrol nodes Similar patrol nodes exchange information
with each other The relationship is used to construct sensornodes in the ontologyThere are two concepts of sensor nodeequal concept and sibling concept as follows
Definition 1 (equal concept) Consider
119864119902119906119886119897 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | ℎ119900119901 (119904
1
119894 1199042
119894) = 1
and (119878119890119899119904119900119903119873119900119889119890 (1199041
119894) = 119878119890119899119904119900119903119873119900119889119890 (119904
2
119894)
and 119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894))
(2)
The 1199041119894and 1199042119894are two different sensor nodes in theWSN
The distance between 1199041119894and 1199042119894is equal to one hop 119904119899
119894
indicates the sensor node 119899 is managed by 119901119886119905119903119900119897119899119900119889119890 119894119878119890119899119904119900119903119873119900119889119890(119904119899
119894) and 119903119890119904119900119906119903119888119890(119904119899
119894) indicate the class name
of the 119878119890119899119904119900119903119873119900119889119890 and the resources of 119878119890119899119904119900119903119873119900119889119890 119904respectively When 119903119890119904119900119906119903119888119890(1199041
119894) asymp 119903119890119904119900119906119903119888119890(1199042
119894) it means
the resources (energy hops sense type) of 1199041119894are similar
to the resources of 1199042119894 Definition 1 defines the concepts of
sensor nodes having equivalent resources and being close toeach other For example if a pair of concepts ldquo1199041rdquo and ldquo1199042rdquohas overlapped broadcasting range and possesses equivalentresources the equal concept definition is satisfied and thesystem will construct the relationship between them Therest of concepts will be used to determine the hierarchicalrelations in the ontology concepts
Definition 2 (sibling concept) Consider
119878119894119887119897119894119899119892 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | 1199041
119894= 1199042
119894
and (119878119894119887119897119894119899119892119879119890119903119898 (1199041
119894 1199042
119894)) and 2
6 International Journal of Distributed Sensor Networks
lowast Construct Ontology Stage lowastlowast sort sensor nodes lowastfor each sensor node s in the network do
for (119894 = 119899 minus 1 119894 gt 0 119894 minus minus) dofor (119895 = 0 119895 lt 119894 119895++) do
if energy(119904119895) gt energy(119904
119894) then
buffer = arr[119895]arr[119895] = arr[119895 + 1]
arr[119895 + 1] = bufferreturn arr[] lowast return sort information lowast
set CH = arr[1] lowast the system selects up best sensor node to be cluster head lowastlowastpick up patrol nodeslowast
for (119901 = 0 119901 lt 119899 lowast 02 119901++) doPatrolcandidate[119901] = arr[119901] lowast pick up top 20 of sensor nodes lowastfor each sensor node 119904 in the Patrolcadidate[] doif hop(119904
119894 CH) = 1 then
lowasta patrol node has foundlowastset patrolnode[] = 119904
119894
lowastConstruct patrol nodes in Ontologylowastfor each patrol node in the network do
for (119897 = 1 119897le 119899 119897++) do lowast119897 is the index of patrol node lowast119905119897= intersection (119901119899
119894 119901119899119897) union (119901119899
119894 119901119899119897) lowast119905119897is similarity of patrol node 119897lowast
119905 = 119905 + 119905119896lowast119905 is the similarity lowast
return 119905
similiarity(119901119899119894 119901119899119897) = 119905119896
119901119899119897[] larr 119901119899
119894
Ontology[] larr 119901119899119897[]
lowast definition sensor nodes relationship lowastfor each sensor node s in the network do
if 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and hop(119904
119894 119904119895) = 1 then
lowast a equal sensor has found lowastset 119904119894and 119904
119895are equal sensor nodes
for each sensor node s in the network doif 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and 2 ≦ hop(119904
119894 119904119895) ≦ 3 then
lowasta sibling sensor has foundlowastset 119904119894and 119904
119895are sibling sensor nodes
else if patrolnode(119904119894) cap patrolnode(119904
119895) ltgt then
lowast 119886 sibling sensor has found lowastset 119904119894and 119904
119895are sibling sensor nodes
lowast Construct Ontology lowastfor each sensor node in the network do
for (119896 = 1 119896le 119899 119896++) do lowast119896 is the index of patrol node lowast119905119896= intersection (119901119899
119896 119904119894) union (119901119899
119896 119904119894) lowast119905119896is similarity of patrol node 119896lowast
119905 = 119905 + 119905119896
lowast119905 is the similarity lowastreturn 119905
similiarity(119901119899119896 119904119894) = 119905119896
119901119899119896[] larr 119904
119894
Ontology[] larr 119901119899119896[]
Algorithm 2 Algorithm of the construct ontology stage of OWIDS
le ℎ119900119901 (1199041
119894 1199042
119894)
le 3 or (119875119886119905119903119900119897119873119900119889119890 (1199041
119894 1)
cap119875119886119905119903119900119897119873119900119889119890 (1199042
119894 1) = 0)
119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894)
(3)
The 119878119894119887119897119894119899119892119879119890119903119898(1199041119894 1199042119894) indicates that 1199041
119894has a sister
term 1199042119894 In other words the sensor nodes have an identical
patrol node in the WSN and 119875119886119905119903119900119897119873119900119889119890(1199041119894 1) means that
the distance of 1199041119894from the patrol node is one hop When the
distance between 1199041119894and 1199042119894is less than or equal to 3 it will
be adjusted depending on the scale of the WSN Definition 2has two situations either a pair of concepts has sister-termrelations in the WSN or a pair of concepts has a common
International Journal of Distributed Sensor Networks 7
Situation 1 Situation 2
Pnl Pnl
Pn2 s2
s1
s2s1
(a) (b)
Figure 2 The sibling relationship
patrol node over more than one levelThe difference betweenthem is shown in Figures 2(a) and 2(b) Situation 1 andsituation 2 are the relationships of SensorNode 1199041
119894and Sen-
sorNode 1199042119894in the WSN structure Situation 1 indicates that 1199041
119894
and 1199042119894have a sister-term relationship in the WSN situation
2 indicates 1199041119894and 1199042119894are not sister terms However they
satisfy the sibling concept because they have a commonpatrol node on the upper level In this case the distancebetween 119904
1
119894and 1199042119894is 3 hops as shown in Figure 2(b)
An ontology has various elements including conceptsattributes operators instances relations and axioms Ourontology has membership values between the patrol node(119901119899) and the sensor node (119904) The set of values between thepatrol nodes and sensor nodes is called the subclass Forexample the sensor node contains attributes such as senseinformation remaining resources and route informationThe membership values between patrol nodes and sensornodes can be calculated by formula (4) [19] Suchvalues might include for example 119899
1energy(08) hop
(02) ST(09) 1199011198992energy(03) hop(08) ST(08) and
1199041energy(075) hop(02) ST(07)The subclass is (119904
1 1199011198991) =
(075 + 02 + 07) (08 + 02 + 09) = 16519 = 087 Thesubclass is (119904
1 1199011198992) = (03 + 02 + 07) (03 + 08 + 08) =
1221 = 057 The membership value consists of sensornodes such as 119901119899
1(087) and 119901119899
2(057) the numbers
represent the membership values in each patrol node Themembership value between a patrol node and a sensor nodemay then be found The 119904
1is the subclass of 119901119899
1 Consider
119904119906119887119888119897119886119904119904 (119904 119901119899) =
1003816100381610038161003816119904 cap 1199011198991003816100381610038161003816
10038161003816100381610038161199011198991003816100381610038161003816
(4)
The relations between sensor nodes can be defined ina number of ways such as Belong-to and Consist-of whilethe subclass defines the values of the relationships betweenthe sensor nodes After constructing the concept layer themembership values can be simply and directly joined tothe ontology Each concept has the membership values foreach relevant patrol node The system can then build up theconcept hierarchyThe ontology information includes sensornode identify (number) patrol node identify (number)
energy (joule) hop distance (hops) and sensing data type(ST) as shown in Figure 3
The related value of the concept should define a suitablethreshold Let 119901119899
119896be the 119896th patrol node ofWSN 119904
119894indicates
the sensor node 119894 in the WSN 119901119899119898is the patrol node that
belongs to 119901119899119896 and 119899 is the number of comparison nodes
under the patrol node 119901119899119896 The similarity formula is listed in
formula (5) Formula (5) is similar to formula (1) Formula(1) is the similarity between patrol node and patrol nodeFormula (5) is the similarity between patrol node and sensornode
119904119894119898119894119897119886119903119894119905119910 (119901119899119896 119904119894) =
sum119899
119898=119896(1003816100381610038161003816119901119899119898 cap 119904
119894
1003816100381610038161003816 1003816100381610038161003816119901119899119898 cup 119904
119894
1003816100381610038161003816)
119899 (5)
For example the system uses formula (5) to calculatethe similarity of formal concepts Each patrol node hasmany sensor nodes Figure 4 shows an example of calculationbetween 119901119899
119896and 119904119894 It is not an ontology figure An example
of the ontology is shown in Figure 5 The similarity between119901119899119896and 119904119894is calculated as follows
119904119894119898119894119897119886119903119894119905119910 (1199011198991 1199041)
= (075 + 02 + 07
08 + 02 + 09+
02 + 07
075 + 02 + 075
+075 + 06
075 + 02 + 06) times (3)
minus1= 068
119904119894119898119894119897119886119903119894119905119910 (1199011198992 1199041)
= (03 + 02 + 07
03 + 08 + 08+
03 + 07
075 + 02 + 07) times (2)
minus1
= 047
(6)
We select themaximum similarity value of the conceptualpairs between 119901119899
119896and 119904
119894to determine the sonsor node 119904
119894
belongs to which patrol nodes 119901119899 In this case 1199041is more
similar to 1199011198991 The IDS calculates the relationship between
119899119901119896and 119904
119894to define the relationship threshold The IDS
calculation threshold depends on the similarity formula indifferent environments A higher threshold makes the entireWSN more secure However a higher threshold for the IDSmeans that attacks are easily misidentified
An example of an ontology is shown in Figure 5 Thereare 10 sensor nodes in the example For practical applicationsour method supports 50 sensor nodes in the ontology Theontology has a domain layer a category layer a patrol nodelayer and a sensor node layer The domain layer representsthe ontology domain issue thatwe focus on in constructing anIDS for a WSN Next the category layer represents differentjobs on the WSN such as sensing humidity temperatureand brightness One sensor node will take on one or moretasks The patrol node layer contains the information foreach patrol node in the WSN Each patrol node has anID energy (joule (j)) sensing data type (ST) the distanceto the cluster head (Hop) and membership value betweeneach relevant object for example119901119899idEnergy(j) hop(1hop)ST(1number of sense types) The sensor node layer con-tains each sensor node ID energy (joule (j)) sense data type
8 International Journal of Distributed Sensor Networks
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Relation type
Subclass
Hops
Hops
Figure 3 The information of the concept of nodes in ontology
(ST) the distance to the cluster head (hop) and membershipvalue between each relevant object
33 Intrusion Detection Stage The attackers that intrudewireless sensor network can be divided into two stagespreparatory phase the attack and destruction phase Theattack behaviours of attack and destruction phase includesinkhole attack blackhole attack and hello flooding Inorder to obtain the required information of attack anddestruction phase the attackers apply Sybil attack to disguisevarious roles The behaviours of attack phase used differ-ent transmission technology to burn entire network evencause WSN unusable All the above behaviours are calledanomaly behaviours The assignment system will completethe information for the integration of the environmentalanalysis The ontology contains the entire relationship of theWSNThe system can preselect the knowledge based on thoseenvironmental attacks The ontology can thus detect illegalnodes in the WSNThe rules are shown in Algorithm 3
The WSN is usually deployed unequally causing it torapidly consume energy We have proposed a PIDS usingdetection knowledge to detect anomalies [11] The PIDS istransferred between patrol nodes to detect whether neighbor-ing nodes exhibit anomalies The PIDS will choose differentdetection knowledge in different environments The PIDSmerely requires a portion of the detection knowledge todetect an anomaly which reducesWSN energy consumptionThe architecture of the OWIDS combines the PIDS with theontologyTheOWIDS is transferred between the patrol nodesto detectwhether neighbouring nodes are anomalous Similar
to the PIDS the OWIDS will choose different detectionknowledge in different environments It requires merely aportion of the detection knowledge to detect anomaliesreducing WSN energy consumption The system will matchthe database and the attack pattern If there appears to benonselected detection knowledge the detection knowledgewill be added The intrusion detection mechanisms werecomputed on the base station The classification methodof detection knowledge is described in the following para-graphs
The detection knowledge is classification by supportvector machine (SVM) [21] The proposed method provideda strong argument for the improvement of WSN intrusiondetection systems The SVM uses a high dimension spaceto find a hyperplane to perform binary classification to findminimal error rate Notably the SVM is able to handle theproblem of linear inseparability The SVM uses a portion ofthe data to train the system finding several support vectorswhich represent the training data These support vectorswill be formed into a model by the SVM representing acategory According to this model the SVM will classify agiven unknown document A basic input data format and anoutput data domain are given as follows
(119909119894 119910119894) (119909
119899 119910119899) 119909 isin 119877
119898 119910 isin +1 minus1 (7)
where (119909119894 119910119894) (119909
119899 119910119899) are training data 119899 is the number
of samples119898 is the input vector and 119910 belongs to category of+1 or minus1
Regarding linear problems a hyperplane can be dividedinto two categories The hyperplane formula is
(119908 sdot 119909) + 119887 = 0 (8)
The category formula is
(119908 sdot 119909) + 119887 ge 0 if 119910119894= +1
(119908 sdot 119909) + 119887 le 0 if 119910119894= minus1
(9)
However it is not easy to find hyperplanes with which toclassify the dataThe SVMhas several kernel functions whichusers can apply to solve different problems As such selectingthe appropriate kernel function can solve the problem oflinear inseparability Also internal product operations affectthe classification function and a suitable inner product func-tion119870(119883119894 sdot 119883119895) can solve certain linear inseparable problemswithout increasing the complexity of the calculation Originaldata includes 31 features tagged with numbers from 0 to 30The system will convert the contents of the 31 features intonumeric values For instance the first element is ldquoEventrdquo andthe parameter is ldquo119904rdquo which is mapped to ldquo0 01rdquo An exampleof SVM data is shown in Figure 9 The OWIDS combinesontology with detection knowledge The patrol nodes carrypart of ontology to detect Sybil attack and the detectionknowledge is used to detect sinkhole blackhole and helloflooding
The ontology is divided into several parts depending onthe region of the patrol node The system sends detectionknowledge and the ontology to the cluster head The patrol
International Journal of Distributed Sensor Networks 9
lowast Intrusion Detection Stage lowastfor each neighbor of patrol node s doreceive (119904id 119901119899id 119904INFO 119864119894) lowast Receive 119904id 119901119899id 119904INFO and the remaining energy lowastif 119904id ltgt Ontology [] then lowast Check whether the sensor node is constructed in the Ontology lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastif Pattern (119904) = Pattern (119860119872)lowast Check whether the receive information is different from attack knowledge lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastelse if broadcast 119860[] to 119862id lowast Broadcast isolation table to CH to back up lowastend for
Algorithm 3 Algorithm of the intrusion detection stage of OWIDS
Base station
energy (08) hop (02) ST (09) energy (03)
hop (08) ST (08)
hop (02)ST (07)
energy (075) ST (06)
energy (03) ST (07)
energy (075) hop (02) ST (07)
068
047pn1
pn3
pn4
pn5
pn2
s1
Figure 4 An example of membership calculation
node is a sensor node to do detection but its energy is limitedThe OWIDS does not train detection mechanism on patrolnode and only the cluster head transmits detection rules topatrol nodes The patrol nodes detect attacks by rotation toreduce the overall WSN energy consumption and extend thelifetime of the WSN When the duty of the patrol nodes isover the CH will collect the WSN information and transmitit to the base station The BS analyzes the informationtrains the detection data and constructs the ontology againThus the detection knowledge can be adjusted accordingto the WSN environment To improve the accuracy ofthe intrusion detection the system repeats the detectionknowledge training to remove less frequently used data untilthe knowledge converges This reduces the features of thedetection knowledge and makes the detection knowledgemore lightweight
The WSN is a self-organizing network meaning that therouting table will be changed The clustering system of theWSN will change cluster heads periodically The WSN as awhole thus cannot keep isolating anomalous nodes Rede-tection of anomalous nodes consumes energy This paperthus proposes an isolation table recorded in the base station[20] If new cluster heads are assigned or the entire WSNis changed the patrol maintains isolation of anomaly nodesusing the isolation table Intruders thus cannot attack theWSN through isolated anomaly nodes reducing redetectionenergy consumption
4 Experimental Results
The system performance was evaluated by network sim-ulation (NS-2) The experimental hardware environmentsconsisted of an Intel Core 2 i5-2410M CPU 230GHzNotebook with 8GB RAM and was implemented under theWindows 7 operating system The area for the simulationof the WSN was within 10000 square meters The field isstatic and deploys 300 sensor nodes randomly each with abroadcast radius of 50m The OWIDS uses a protegee toconstruct the ontology The behaviors of the attacker weregenerated by a Java program The attacks were randomlygenerated by different kinds of attack patterns For exampleSybil attacks were generated every 20 seconds but theattackers will masquerade different kinds of roles randomlysuch as cluster head sensor node The OWIDS detects Sybilattacks using the relationship of ontology In addition theexperiment was meant to simulate transmission packages inwireless sensor networksThe communications of packets canbe captured byOWIDSThedatawas collected from theWSNpackets of NS-2 simulator The data set can be divided intotwo protocols the training data and the testing data Thepackets are randomly selected for training and testing
Before using SVM classification the system performa data scaling operation to increases the accuracy whilereducing complexity The system kernel is RBF 119870(119909 119910) =
ℓminus119892119909minus119910
2
The systemwill classify the attributes of the features
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 3
(4) Combination this method combines two or more ofthe above methods In a normal system sensor nodesreport detection data periodically If attack behavioris detected the IDS will alert the administrator
22 Ontology Methods An ontology represents the rela-tionships between the concepts of domain knowledge Inan ontology the system often assumes correct relationshipsbetween each concept A defined ontology for intrusiondetection systems was constructed by Undercoffer et al[15] According to their definitions three different compo-nents made up the construction of ontologies for intrusiondetection systems The first category reflects the networkclass including the network layers of the protocol stacksuch as TCPIP The second category is the system classrepresenting the operating systemof the hostThe last processclass defines attributes representing particular processes thatare to be monitored They use the ontology specificationlanguage DAML (DARPAAgentMarkup Language) andOIL(Ontology Inference Layer) to implement their ontology andto distribute information The ontology and the inferenceenginewere used as an event aggregation language to confirmthe existence of an attack on a wired network
Cuppens-Boulahia et al [16] presented an approach toreact to network attacks using an ontology to store policyinformation and to generate new security models The policyinformation models can be combined to prove the instan-tiation of the policies They used the ontology specifica-tion languages OWL (Web Ontology Language) and SWRL(Semantic Web Rule Language) They offer the advantage ofexisting generic tools for parsing and reasoning OWL allowsmerging distributed ontologies However the expressivityof SWRL is limited since it does not permit several logicoperators such as OR or NOT Further the SWRL rules maynot be used to alter or delete information in the ontologyThisfact reduces the potential to revoke their method Most ofthe literature on WSN focuses on constructing the rules forthe IDS onWSNThis literature lacks information on how toconstruct the relationships of nodes in the WSN [17 18]
3 Ontology-Based Wireless IntrusionDetection System (OWIDS)
When sensor nodes are taken over by an intruder the normalsensor nodes become malicious nodes The malicious nodesgather data from neighboring nodes in the preparation stageThey alter information and broadcast wrong informationto normal nodes Moreover they rapidly exhaust WSNresources In wired networks the manager detects intrudersusing a well-trained intrusion detection system working withrobust resources However the resources of a WSN arelimited and the protocols of aWSN differ from those of wirednetworks Managers cannot construct wired IDS on a WSNIn this paper we propose a lightweight intrusion detectionsystem that minimizes energy consumption in intrusiondetection for wireless sensor networks
The Sybil attack is a common attack method that is usedto gather information from a WSN It is hard to detect but
enables an intruder to attack the WSN more easily Ourmethod uses an ontology to construct relationships betweensensor nodes The constructed relationship enables the IDSto detect a Sybil attack
In this paper the wireless sensor network is a hierarchicalnetwork that has four roles namely base station cluster headpatrol nodes and sensor nodes They are defined as follows
(1) Base station (BS) the BS is controlled by the admin-istrator and has robust energy and computing poweras well as a high degree of security The base stationreceives environmental information and sensor nodedata from the cluster head The base station usesa detection module to analyze the data The patrolnodes will patrol the network and monitor it Whenthe patrol cycle is completed the base station inte-grates the new collection of the network data Theintegrated data is simplified into the database untilthe attacking pattern knowledge has converged Theadministrator analyzes information from each nodeand constructs the relationship of the WSN in theontologyThe relationship adjustment depends on theWSN environment
(2) Cluster head (CH) the CH is responsible for con-nectivity between the wireless sensor network andbase station The CH controls the work of the patrolnodes The patrol nodes return information to CHTheCHwill balance the duty cycle of the patrol nodesand then assign patrol nodes for monitoring and dataintegration The CH transmits detection knowledgeand ontology relationships to the patrol nodes
(3) Patrol nodes (PN) a patrol node is a sensor nodewhich carries knowledge of how to detect intrusionThey share the work of the CH Since the WSN envi-ronment includes general events and emergenciesthe patrol nodes collect information on their sensornodes The patrol nodes use the detection knowledgeto monitor sensor nodes integrate information andtransmit it back to a CH The node relationshipscarried by the patrol node are used to detect attacksPatrol nodes will record information into an isolationtable In normal cases the patrol nodes send theisolation table to the CH regularly However if anunexpected situation occurs the isolation table willbe transmitted to the CH immediately
(4) Sensor nodes (SN) they are responsible for the overallnetwork and sense environmental dataThey transmitthe data to patrol nodes for regular integration Thesensor nodes have no ontology information at all
The workflow of our system is shown in Figure 1 Firstthe system gathers WSN packages and attack packages tobuild an intrusion features database to enable evaluation ofanomalous transmission packages The system then appliesthe ontology to construct the relationship between thewireless sensor nodes The manager sets the threshold valueof the ontology relationship to detect attacks The patrolintrusion detection system (PIDS) is a lightweight systemthat uses the detection knowledge to monitor the nodes
4 International Journal of Distributed Sensor Networks
Deploy WSN and collect environment data
Gather package information
Construct relationship of WSN on ontology
Set relationship threshold
Simulate attack packages and protocol packages
Assign ontology to patrol node
Adjust attack knowledge until it has converged
Record anomaly information
Initialize OWIDS
Intr
usio
n de
tect
ion
stag
eO
ntol
ogy
cons
truc
tion
stag
ePr
epro
cess
ing
stage
Figure 1 The workflow of our system
in the wireless network The patrol node carries differenttypes of knowledge of how to detect intrusion dependingon the environment The ontology-based wireless intrusiondetection system (OWIDS) is divided into three stagesthe preprocessing stage ontology construction stage andintrusion detection stage
The preprocessing stage shows that each nodemust trans-late its data to base station and find the best translation routefor such dataThe ontology construction stage is divided intothe definition relationship and ontology construction phaseEach node calculates the membership value and defines therelationships between patrol nodes and sensor nodes Theintrusion detection stage compares the detection data tothe ontology pattern to find intrusions Finally the systemrecords anomaly information in an isolation table
The algorithm of the preprocessing stage is shown inAlgorithm 1 the algorithmof the ontology construction stageis shown in Algorithm 2 and the algorithm of the intrusiondetection stage is shown in Algorithm 3 The symbols of thealgorithms are as follows 119868 is information including ldquoSen-sorNodes ID energy 119864 4 hops sensed data type STrdquo arr[] isthe type of resource of the sensor nodes Patrolcandidate[]represents the candidate list of patrol nodes CH is the clusterhead 119904
119894and 119904119895represent different sensor nodes in the WSN
resource (119904119894) represents the resources of 119904
119894 such as energy
hops and sensor data type hop(119904119894 119904119895) is the number of hops
between 119904119894and 119904119895 patrolnode(119904
119894) represents the patrol node
assigned to 119904119894 119901119899119896represents the ID of the patrol nodes
119900119899119905119900119897119900119892119910[] means the ontology constructed by our methodand 119860[] represents the isolation table
31 Preprocessing Stage The system attempts to configurewireless sensor network nodes through random distribu-tion to simulate the wireless option connection When thedistribution of every node is completed the packet will becollected by the base station (BS) In addition the BS can usea routing protocol package to analyze intrusion behaviorsTo define several attacking behaviors the manager can useattack thresholds or attack featuresThe transmission packagecan be captured by the intrusion detection system The datathen need to be normalized in preprocessing followed by theconstruction of a network intrusion detection module Thealgorithm of the preprocessing stage is shown in Algorithm 1
After the WSN has been deployed the sensor nodesbroadcast to each other and construct route informationThe BS gathers data from the sensor nodes that includes thesensor node identification (number) energy (joules) hopdistance (hops) and sensing data type (ST) The system usesthe received information to construct the ontology
International Journal of Distributed Sensor Networks 5
Algorithm OWIDSInput The packages of wireless sensor networks 119901Output 119860 list of anomaly nodes 119860[]
BEGINlowastPre-processing Stagelowastlowastbroadcasting routinglowastfor each sensor node 119904 connected to 119909 do
for each sensor node y in the network doif 119863119904[119910] + 119904(119909 119904) lt 119863
119909[119910] then
lowasta better route from 119909 to 119910 through s has been foundlowast119863119909[119910] larr 119863
119904[119910] + 119904(119909 119904)
119862119909[119910] larr (119909 119904)
lowastintegrating informationlowastfor each sensor node s transmitted to base station 119887119904 do
send data of itself 119868 to base station 119887119904
return 119868
Algorithm 1 Algorithm of preprocessing stage of OWIDS
32 Construct Ontology Stage Due to the nature of a Sybilattack it is hard to use an IDS to detect it In the systemthe relationships of each sensor node in the ontology areconstructed first Then the patrol node compares the rela-tionships of the ontology conceptual nodes to the testedwireless networks to determine whether the system has beenattacked The method for constructing the ontology is givenbelow The algorithm of the ontology construction stage isshown in Algorithm 2
After the entireWSN has been deployed the informationon each sensor node is translated to the base station forthe system to construct the ontology The relationships ofthe sensor nodes are constructed in the ontology Eachsensor node transmits its connection information to the basestation This method thus is a top-down design for ontologyconstruction in which construction proceeds from the basestation to the sensor nodes The system sorts sensor nodesdepending on the energy of the sensor nodes and selects thesensor node that has the best energy to be the cluster headThe candidates for patrol nodes are the top 20 of sensornodesThe patrol nodes are chosen by the candidate of patrolnodes that are one hop from the cluster head After the systempicks the patrol nodes up it begins to construct the ontology
First the system constructs patrol nodes in the ontologyThe system calculates the similarity between the patrol nodesusing formula (1) Formula (1) is calculated between patrolnodes and patrol nodes 119901119899
119894cap 119901119899119897means that the system
compares the data of 119901119899119894with the data of 119901119899
119897to gather the
minimum number (the data is energy() hop() ST() etc)The 119901119899
119894cup119901119899119897means that the system computes the data of 119901119899
119894
with the data of119901119899119897to gather theminimumnumber Consider
119878119894119898119894119897119886119903119894119905119910 (119901119899119894 119901119899119897) =
sum119899
119897=1(1003816100381610038161003816119901119899119894 cap 119901119899
119897
1003816100381610038161003816 1003816100381610038161003816119901119899119894 cup 119901119899
119897
1003816100381610038161003816)
119899 (1)
The construction of the patrol nodes in the ontologydepends on formula (1) which indicates the relationship ofthe patrol nodes Similar patrol nodes exchange information
with each other The relationship is used to construct sensornodes in the ontologyThere are two concepts of sensor nodeequal concept and sibling concept as follows
Definition 1 (equal concept) Consider
119864119902119906119886119897 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | ℎ119900119901 (119904
1
119894 1199042
119894) = 1
and (119878119890119899119904119900119903119873119900119889119890 (1199041
119894) = 119878119890119899119904119900119903119873119900119889119890 (119904
2
119894)
and 119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894))
(2)
The 1199041119894and 1199042119894are two different sensor nodes in theWSN
The distance between 1199041119894and 1199042119894is equal to one hop 119904119899
119894
indicates the sensor node 119899 is managed by 119901119886119905119903119900119897119899119900119889119890 119894119878119890119899119904119900119903119873119900119889119890(119904119899
119894) and 119903119890119904119900119906119903119888119890(119904119899
119894) indicate the class name
of the 119878119890119899119904119900119903119873119900119889119890 and the resources of 119878119890119899119904119900119903119873119900119889119890 119904respectively When 119903119890119904119900119906119903119888119890(1199041
119894) asymp 119903119890119904119900119906119903119888119890(1199042
119894) it means
the resources (energy hops sense type) of 1199041119894are similar
to the resources of 1199042119894 Definition 1 defines the concepts of
sensor nodes having equivalent resources and being close toeach other For example if a pair of concepts ldquo1199041rdquo and ldquo1199042rdquohas overlapped broadcasting range and possesses equivalentresources the equal concept definition is satisfied and thesystem will construct the relationship between them Therest of concepts will be used to determine the hierarchicalrelations in the ontology concepts
Definition 2 (sibling concept) Consider
119878119894119887119897119894119899119892 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | 1199041
119894= 1199042
119894
and (119878119894119887119897119894119899119892119879119890119903119898 (1199041
119894 1199042
119894)) and 2
6 International Journal of Distributed Sensor Networks
lowast Construct Ontology Stage lowastlowast sort sensor nodes lowastfor each sensor node s in the network do
for (119894 = 119899 minus 1 119894 gt 0 119894 minus minus) dofor (119895 = 0 119895 lt 119894 119895++) do
if energy(119904119895) gt energy(119904
119894) then
buffer = arr[119895]arr[119895] = arr[119895 + 1]
arr[119895 + 1] = bufferreturn arr[] lowast return sort information lowast
set CH = arr[1] lowast the system selects up best sensor node to be cluster head lowastlowastpick up patrol nodeslowast
for (119901 = 0 119901 lt 119899 lowast 02 119901++) doPatrolcandidate[119901] = arr[119901] lowast pick up top 20 of sensor nodes lowastfor each sensor node 119904 in the Patrolcadidate[] doif hop(119904
119894 CH) = 1 then
lowasta patrol node has foundlowastset patrolnode[] = 119904
119894
lowastConstruct patrol nodes in Ontologylowastfor each patrol node in the network do
for (119897 = 1 119897le 119899 119897++) do lowast119897 is the index of patrol node lowast119905119897= intersection (119901119899
119894 119901119899119897) union (119901119899
119894 119901119899119897) lowast119905119897is similarity of patrol node 119897lowast
119905 = 119905 + 119905119896lowast119905 is the similarity lowast
return 119905
similiarity(119901119899119894 119901119899119897) = 119905119896
119901119899119897[] larr 119901119899
119894
Ontology[] larr 119901119899119897[]
lowast definition sensor nodes relationship lowastfor each sensor node s in the network do
if 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and hop(119904
119894 119904119895) = 1 then
lowast a equal sensor has found lowastset 119904119894and 119904
119895are equal sensor nodes
for each sensor node s in the network doif 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and 2 ≦ hop(119904
119894 119904119895) ≦ 3 then
lowasta sibling sensor has foundlowastset 119904119894and 119904
119895are sibling sensor nodes
else if patrolnode(119904119894) cap patrolnode(119904
119895) ltgt then
lowast 119886 sibling sensor has found lowastset 119904119894and 119904
119895are sibling sensor nodes
lowast Construct Ontology lowastfor each sensor node in the network do
for (119896 = 1 119896le 119899 119896++) do lowast119896 is the index of patrol node lowast119905119896= intersection (119901119899
119896 119904119894) union (119901119899
119896 119904119894) lowast119905119896is similarity of patrol node 119896lowast
119905 = 119905 + 119905119896
lowast119905 is the similarity lowastreturn 119905
similiarity(119901119899119896 119904119894) = 119905119896
119901119899119896[] larr 119904
119894
Ontology[] larr 119901119899119896[]
Algorithm 2 Algorithm of the construct ontology stage of OWIDS
le ℎ119900119901 (1199041
119894 1199042
119894)
le 3 or (119875119886119905119903119900119897119873119900119889119890 (1199041
119894 1)
cap119875119886119905119903119900119897119873119900119889119890 (1199042
119894 1) = 0)
119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894)
(3)
The 119878119894119887119897119894119899119892119879119890119903119898(1199041119894 1199042119894) indicates that 1199041
119894has a sister
term 1199042119894 In other words the sensor nodes have an identical
patrol node in the WSN and 119875119886119905119903119900119897119873119900119889119890(1199041119894 1) means that
the distance of 1199041119894from the patrol node is one hop When the
distance between 1199041119894and 1199042119894is less than or equal to 3 it will
be adjusted depending on the scale of the WSN Definition 2has two situations either a pair of concepts has sister-termrelations in the WSN or a pair of concepts has a common
International Journal of Distributed Sensor Networks 7
Situation 1 Situation 2
Pnl Pnl
Pn2 s2
s1
s2s1
(a) (b)
Figure 2 The sibling relationship
patrol node over more than one levelThe difference betweenthem is shown in Figures 2(a) and 2(b) Situation 1 andsituation 2 are the relationships of SensorNode 1199041
119894and Sen-
sorNode 1199042119894in the WSN structure Situation 1 indicates that 1199041
119894
and 1199042119894have a sister-term relationship in the WSN situation
2 indicates 1199041119894and 1199042119894are not sister terms However they
satisfy the sibling concept because they have a commonpatrol node on the upper level In this case the distancebetween 119904
1
119894and 1199042119894is 3 hops as shown in Figure 2(b)
An ontology has various elements including conceptsattributes operators instances relations and axioms Ourontology has membership values between the patrol node(119901119899) and the sensor node (119904) The set of values between thepatrol nodes and sensor nodes is called the subclass Forexample the sensor node contains attributes such as senseinformation remaining resources and route informationThe membership values between patrol nodes and sensornodes can be calculated by formula (4) [19] Suchvalues might include for example 119899
1energy(08) hop
(02) ST(09) 1199011198992energy(03) hop(08) ST(08) and
1199041energy(075) hop(02) ST(07)The subclass is (119904
1 1199011198991) =
(075 + 02 + 07) (08 + 02 + 09) = 16519 = 087 Thesubclass is (119904
1 1199011198992) = (03 + 02 + 07) (03 + 08 + 08) =
1221 = 057 The membership value consists of sensornodes such as 119901119899
1(087) and 119901119899
2(057) the numbers
represent the membership values in each patrol node Themembership value between a patrol node and a sensor nodemay then be found The 119904
1is the subclass of 119901119899
1 Consider
119904119906119887119888119897119886119904119904 (119904 119901119899) =
1003816100381610038161003816119904 cap 1199011198991003816100381610038161003816
10038161003816100381610038161199011198991003816100381610038161003816
(4)
The relations between sensor nodes can be defined ina number of ways such as Belong-to and Consist-of whilethe subclass defines the values of the relationships betweenthe sensor nodes After constructing the concept layer themembership values can be simply and directly joined tothe ontology Each concept has the membership values foreach relevant patrol node The system can then build up theconcept hierarchyThe ontology information includes sensornode identify (number) patrol node identify (number)
energy (joule) hop distance (hops) and sensing data type(ST) as shown in Figure 3
The related value of the concept should define a suitablethreshold Let 119901119899
119896be the 119896th patrol node ofWSN 119904
119894indicates
the sensor node 119894 in the WSN 119901119899119898is the patrol node that
belongs to 119901119899119896 and 119899 is the number of comparison nodes
under the patrol node 119901119899119896 The similarity formula is listed in
formula (5) Formula (5) is similar to formula (1) Formula(1) is the similarity between patrol node and patrol nodeFormula (5) is the similarity between patrol node and sensornode
119904119894119898119894119897119886119903119894119905119910 (119901119899119896 119904119894) =
sum119899
119898=119896(1003816100381610038161003816119901119899119898 cap 119904
119894
1003816100381610038161003816 1003816100381610038161003816119901119899119898 cup 119904
119894
1003816100381610038161003816)
119899 (5)
For example the system uses formula (5) to calculatethe similarity of formal concepts Each patrol node hasmany sensor nodes Figure 4 shows an example of calculationbetween 119901119899
119896and 119904119894 It is not an ontology figure An example
of the ontology is shown in Figure 5 The similarity between119901119899119896and 119904119894is calculated as follows
119904119894119898119894119897119886119903119894119905119910 (1199011198991 1199041)
= (075 + 02 + 07
08 + 02 + 09+
02 + 07
075 + 02 + 075
+075 + 06
075 + 02 + 06) times (3)
minus1= 068
119904119894119898119894119897119886119903119894119905119910 (1199011198992 1199041)
= (03 + 02 + 07
03 + 08 + 08+
03 + 07
075 + 02 + 07) times (2)
minus1
= 047
(6)
We select themaximum similarity value of the conceptualpairs between 119901119899
119896and 119904
119894to determine the sonsor node 119904
119894
belongs to which patrol nodes 119901119899 In this case 1199041is more
similar to 1199011198991 The IDS calculates the relationship between
119899119901119896and 119904
119894to define the relationship threshold The IDS
calculation threshold depends on the similarity formula indifferent environments A higher threshold makes the entireWSN more secure However a higher threshold for the IDSmeans that attacks are easily misidentified
An example of an ontology is shown in Figure 5 Thereare 10 sensor nodes in the example For practical applicationsour method supports 50 sensor nodes in the ontology Theontology has a domain layer a category layer a patrol nodelayer and a sensor node layer The domain layer representsthe ontology domain issue thatwe focus on in constructing anIDS for a WSN Next the category layer represents differentjobs on the WSN such as sensing humidity temperatureand brightness One sensor node will take on one or moretasks The patrol node layer contains the information foreach patrol node in the WSN Each patrol node has anID energy (joule (j)) sensing data type (ST) the distanceto the cluster head (Hop) and membership value betweeneach relevant object for example119901119899idEnergy(j) hop(1hop)ST(1number of sense types) The sensor node layer con-tains each sensor node ID energy (joule (j)) sense data type
8 International Journal of Distributed Sensor Networks
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Relation type
Subclass
Hops
Hops
Figure 3 The information of the concept of nodes in ontology
(ST) the distance to the cluster head (hop) and membershipvalue between each relevant object
33 Intrusion Detection Stage The attackers that intrudewireless sensor network can be divided into two stagespreparatory phase the attack and destruction phase Theattack behaviours of attack and destruction phase includesinkhole attack blackhole attack and hello flooding Inorder to obtain the required information of attack anddestruction phase the attackers apply Sybil attack to disguisevarious roles The behaviours of attack phase used differ-ent transmission technology to burn entire network evencause WSN unusable All the above behaviours are calledanomaly behaviours The assignment system will completethe information for the integration of the environmentalanalysis The ontology contains the entire relationship of theWSNThe system can preselect the knowledge based on thoseenvironmental attacks The ontology can thus detect illegalnodes in the WSNThe rules are shown in Algorithm 3
The WSN is usually deployed unequally causing it torapidly consume energy We have proposed a PIDS usingdetection knowledge to detect anomalies [11] The PIDS istransferred between patrol nodes to detect whether neighbor-ing nodes exhibit anomalies The PIDS will choose differentdetection knowledge in different environments The PIDSmerely requires a portion of the detection knowledge todetect an anomaly which reducesWSN energy consumptionThe architecture of the OWIDS combines the PIDS with theontologyTheOWIDS is transferred between the patrol nodesto detectwhether neighbouring nodes are anomalous Similar
to the PIDS the OWIDS will choose different detectionknowledge in different environments It requires merely aportion of the detection knowledge to detect anomaliesreducing WSN energy consumption The system will matchthe database and the attack pattern If there appears to benonselected detection knowledge the detection knowledgewill be added The intrusion detection mechanisms werecomputed on the base station The classification methodof detection knowledge is described in the following para-graphs
The detection knowledge is classification by supportvector machine (SVM) [21] The proposed method provideda strong argument for the improvement of WSN intrusiondetection systems The SVM uses a high dimension spaceto find a hyperplane to perform binary classification to findminimal error rate Notably the SVM is able to handle theproblem of linear inseparability The SVM uses a portion ofthe data to train the system finding several support vectorswhich represent the training data These support vectorswill be formed into a model by the SVM representing acategory According to this model the SVM will classify agiven unknown document A basic input data format and anoutput data domain are given as follows
(119909119894 119910119894) (119909
119899 119910119899) 119909 isin 119877
119898 119910 isin +1 minus1 (7)
where (119909119894 119910119894) (119909
119899 119910119899) are training data 119899 is the number
of samples119898 is the input vector and 119910 belongs to category of+1 or minus1
Regarding linear problems a hyperplane can be dividedinto two categories The hyperplane formula is
(119908 sdot 119909) + 119887 = 0 (8)
The category formula is
(119908 sdot 119909) + 119887 ge 0 if 119910119894= +1
(119908 sdot 119909) + 119887 le 0 if 119910119894= minus1
(9)
However it is not easy to find hyperplanes with which toclassify the dataThe SVMhas several kernel functions whichusers can apply to solve different problems As such selectingthe appropriate kernel function can solve the problem oflinear inseparability Also internal product operations affectthe classification function and a suitable inner product func-tion119870(119883119894 sdot 119883119895) can solve certain linear inseparable problemswithout increasing the complexity of the calculation Originaldata includes 31 features tagged with numbers from 0 to 30The system will convert the contents of the 31 features intonumeric values For instance the first element is ldquoEventrdquo andthe parameter is ldquo119904rdquo which is mapped to ldquo0 01rdquo An exampleof SVM data is shown in Figure 9 The OWIDS combinesontology with detection knowledge The patrol nodes carrypart of ontology to detect Sybil attack and the detectionknowledge is used to detect sinkhole blackhole and helloflooding
The ontology is divided into several parts depending onthe region of the patrol node The system sends detectionknowledge and the ontology to the cluster head The patrol
International Journal of Distributed Sensor Networks 9
lowast Intrusion Detection Stage lowastfor each neighbor of patrol node s doreceive (119904id 119901119899id 119904INFO 119864119894) lowast Receive 119904id 119901119899id 119904INFO and the remaining energy lowastif 119904id ltgt Ontology [] then lowast Check whether the sensor node is constructed in the Ontology lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastif Pattern (119904) = Pattern (119860119872)lowast Check whether the receive information is different from attack knowledge lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastelse if broadcast 119860[] to 119862id lowast Broadcast isolation table to CH to back up lowastend for
Algorithm 3 Algorithm of the intrusion detection stage of OWIDS
Base station
energy (08) hop (02) ST (09) energy (03)
hop (08) ST (08)
hop (02)ST (07)
energy (075) ST (06)
energy (03) ST (07)
energy (075) hop (02) ST (07)
068
047pn1
pn3
pn4
pn5
pn2
s1
Figure 4 An example of membership calculation
node is a sensor node to do detection but its energy is limitedThe OWIDS does not train detection mechanism on patrolnode and only the cluster head transmits detection rules topatrol nodes The patrol nodes detect attacks by rotation toreduce the overall WSN energy consumption and extend thelifetime of the WSN When the duty of the patrol nodes isover the CH will collect the WSN information and transmitit to the base station The BS analyzes the informationtrains the detection data and constructs the ontology againThus the detection knowledge can be adjusted accordingto the WSN environment To improve the accuracy ofthe intrusion detection the system repeats the detectionknowledge training to remove less frequently used data untilthe knowledge converges This reduces the features of thedetection knowledge and makes the detection knowledgemore lightweight
The WSN is a self-organizing network meaning that therouting table will be changed The clustering system of theWSN will change cluster heads periodically The WSN as awhole thus cannot keep isolating anomalous nodes Rede-tection of anomalous nodes consumes energy This paperthus proposes an isolation table recorded in the base station[20] If new cluster heads are assigned or the entire WSNis changed the patrol maintains isolation of anomaly nodesusing the isolation table Intruders thus cannot attack theWSN through isolated anomaly nodes reducing redetectionenergy consumption
4 Experimental Results
The system performance was evaluated by network sim-ulation (NS-2) The experimental hardware environmentsconsisted of an Intel Core 2 i5-2410M CPU 230GHzNotebook with 8GB RAM and was implemented under theWindows 7 operating system The area for the simulationof the WSN was within 10000 square meters The field isstatic and deploys 300 sensor nodes randomly each with abroadcast radius of 50m The OWIDS uses a protegee toconstruct the ontology The behaviors of the attacker weregenerated by a Java program The attacks were randomlygenerated by different kinds of attack patterns For exampleSybil attacks were generated every 20 seconds but theattackers will masquerade different kinds of roles randomlysuch as cluster head sensor node The OWIDS detects Sybilattacks using the relationship of ontology In addition theexperiment was meant to simulate transmission packages inwireless sensor networksThe communications of packets canbe captured byOWIDSThedatawas collected from theWSNpackets of NS-2 simulator The data set can be divided intotwo protocols the training data and the testing data Thepackets are randomly selected for training and testing
Before using SVM classification the system performa data scaling operation to increases the accuracy whilereducing complexity The system kernel is RBF 119870(119909 119910) =
ℓminus119892119909minus119910
2
The systemwill classify the attributes of the features
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
4 International Journal of Distributed Sensor Networks
Deploy WSN and collect environment data
Gather package information
Construct relationship of WSN on ontology
Set relationship threshold
Simulate attack packages and protocol packages
Assign ontology to patrol node
Adjust attack knowledge until it has converged
Record anomaly information
Initialize OWIDS
Intr
usio
n de
tect
ion
stag
eO
ntol
ogy
cons
truc
tion
stag
ePr
epro
cess
ing
stage
Figure 1 The workflow of our system
in the wireless network The patrol node carries differenttypes of knowledge of how to detect intrusion dependingon the environment The ontology-based wireless intrusiondetection system (OWIDS) is divided into three stagesthe preprocessing stage ontology construction stage andintrusion detection stage
The preprocessing stage shows that each nodemust trans-late its data to base station and find the best translation routefor such dataThe ontology construction stage is divided intothe definition relationship and ontology construction phaseEach node calculates the membership value and defines therelationships between patrol nodes and sensor nodes Theintrusion detection stage compares the detection data tothe ontology pattern to find intrusions Finally the systemrecords anomaly information in an isolation table
The algorithm of the preprocessing stage is shown inAlgorithm 1 the algorithmof the ontology construction stageis shown in Algorithm 2 and the algorithm of the intrusiondetection stage is shown in Algorithm 3 The symbols of thealgorithms are as follows 119868 is information including ldquoSen-sorNodes ID energy 119864 4 hops sensed data type STrdquo arr[] isthe type of resource of the sensor nodes Patrolcandidate[]represents the candidate list of patrol nodes CH is the clusterhead 119904
119894and 119904119895represent different sensor nodes in the WSN
resource (119904119894) represents the resources of 119904
119894 such as energy
hops and sensor data type hop(119904119894 119904119895) is the number of hops
between 119904119894and 119904119895 patrolnode(119904
119894) represents the patrol node
assigned to 119904119894 119901119899119896represents the ID of the patrol nodes
119900119899119905119900119897119900119892119910[] means the ontology constructed by our methodand 119860[] represents the isolation table
31 Preprocessing Stage The system attempts to configurewireless sensor network nodes through random distribu-tion to simulate the wireless option connection When thedistribution of every node is completed the packet will becollected by the base station (BS) In addition the BS can usea routing protocol package to analyze intrusion behaviorsTo define several attacking behaviors the manager can useattack thresholds or attack featuresThe transmission packagecan be captured by the intrusion detection system The datathen need to be normalized in preprocessing followed by theconstruction of a network intrusion detection module Thealgorithm of the preprocessing stage is shown in Algorithm 1
After the WSN has been deployed the sensor nodesbroadcast to each other and construct route informationThe BS gathers data from the sensor nodes that includes thesensor node identification (number) energy (joules) hopdistance (hops) and sensing data type (ST) The system usesthe received information to construct the ontology
International Journal of Distributed Sensor Networks 5
Algorithm OWIDSInput The packages of wireless sensor networks 119901Output 119860 list of anomaly nodes 119860[]
BEGINlowastPre-processing Stagelowastlowastbroadcasting routinglowastfor each sensor node 119904 connected to 119909 do
for each sensor node y in the network doif 119863119904[119910] + 119904(119909 119904) lt 119863
119909[119910] then
lowasta better route from 119909 to 119910 through s has been foundlowast119863119909[119910] larr 119863
119904[119910] + 119904(119909 119904)
119862119909[119910] larr (119909 119904)
lowastintegrating informationlowastfor each sensor node s transmitted to base station 119887119904 do
send data of itself 119868 to base station 119887119904
return 119868
Algorithm 1 Algorithm of preprocessing stage of OWIDS
32 Construct Ontology Stage Due to the nature of a Sybilattack it is hard to use an IDS to detect it In the systemthe relationships of each sensor node in the ontology areconstructed first Then the patrol node compares the rela-tionships of the ontology conceptual nodes to the testedwireless networks to determine whether the system has beenattacked The method for constructing the ontology is givenbelow The algorithm of the ontology construction stage isshown in Algorithm 2
After the entireWSN has been deployed the informationon each sensor node is translated to the base station forthe system to construct the ontology The relationships ofthe sensor nodes are constructed in the ontology Eachsensor node transmits its connection information to the basestation This method thus is a top-down design for ontologyconstruction in which construction proceeds from the basestation to the sensor nodes The system sorts sensor nodesdepending on the energy of the sensor nodes and selects thesensor node that has the best energy to be the cluster headThe candidates for patrol nodes are the top 20 of sensornodesThe patrol nodes are chosen by the candidate of patrolnodes that are one hop from the cluster head After the systempicks the patrol nodes up it begins to construct the ontology
First the system constructs patrol nodes in the ontologyThe system calculates the similarity between the patrol nodesusing formula (1) Formula (1) is calculated between patrolnodes and patrol nodes 119901119899
119894cap 119901119899119897means that the system
compares the data of 119901119899119894with the data of 119901119899
119897to gather the
minimum number (the data is energy() hop() ST() etc)The 119901119899
119894cup119901119899119897means that the system computes the data of 119901119899
119894
with the data of119901119899119897to gather theminimumnumber Consider
119878119894119898119894119897119886119903119894119905119910 (119901119899119894 119901119899119897) =
sum119899
119897=1(1003816100381610038161003816119901119899119894 cap 119901119899
119897
1003816100381610038161003816 1003816100381610038161003816119901119899119894 cup 119901119899
119897
1003816100381610038161003816)
119899 (1)
The construction of the patrol nodes in the ontologydepends on formula (1) which indicates the relationship ofthe patrol nodes Similar patrol nodes exchange information
with each other The relationship is used to construct sensornodes in the ontologyThere are two concepts of sensor nodeequal concept and sibling concept as follows
Definition 1 (equal concept) Consider
119864119902119906119886119897 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | ℎ119900119901 (119904
1
119894 1199042
119894) = 1
and (119878119890119899119904119900119903119873119900119889119890 (1199041
119894) = 119878119890119899119904119900119903119873119900119889119890 (119904
2
119894)
and 119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894))
(2)
The 1199041119894and 1199042119894are two different sensor nodes in theWSN
The distance between 1199041119894and 1199042119894is equal to one hop 119904119899
119894
indicates the sensor node 119899 is managed by 119901119886119905119903119900119897119899119900119889119890 119894119878119890119899119904119900119903119873119900119889119890(119904119899
119894) and 119903119890119904119900119906119903119888119890(119904119899
119894) indicate the class name
of the 119878119890119899119904119900119903119873119900119889119890 and the resources of 119878119890119899119904119900119903119873119900119889119890 119904respectively When 119903119890119904119900119906119903119888119890(1199041
119894) asymp 119903119890119904119900119906119903119888119890(1199042
119894) it means
the resources (energy hops sense type) of 1199041119894are similar
to the resources of 1199042119894 Definition 1 defines the concepts of
sensor nodes having equivalent resources and being close toeach other For example if a pair of concepts ldquo1199041rdquo and ldquo1199042rdquohas overlapped broadcasting range and possesses equivalentresources the equal concept definition is satisfied and thesystem will construct the relationship between them Therest of concepts will be used to determine the hierarchicalrelations in the ontology concepts
Definition 2 (sibling concept) Consider
119878119894119887119897119894119899119892 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | 1199041
119894= 1199042
119894
and (119878119894119887119897119894119899119892119879119890119903119898 (1199041
119894 1199042
119894)) and 2
6 International Journal of Distributed Sensor Networks
lowast Construct Ontology Stage lowastlowast sort sensor nodes lowastfor each sensor node s in the network do
for (119894 = 119899 minus 1 119894 gt 0 119894 minus minus) dofor (119895 = 0 119895 lt 119894 119895++) do
if energy(119904119895) gt energy(119904
119894) then
buffer = arr[119895]arr[119895] = arr[119895 + 1]
arr[119895 + 1] = bufferreturn arr[] lowast return sort information lowast
set CH = arr[1] lowast the system selects up best sensor node to be cluster head lowastlowastpick up patrol nodeslowast
for (119901 = 0 119901 lt 119899 lowast 02 119901++) doPatrolcandidate[119901] = arr[119901] lowast pick up top 20 of sensor nodes lowastfor each sensor node 119904 in the Patrolcadidate[] doif hop(119904
119894 CH) = 1 then
lowasta patrol node has foundlowastset patrolnode[] = 119904
119894
lowastConstruct patrol nodes in Ontologylowastfor each patrol node in the network do
for (119897 = 1 119897le 119899 119897++) do lowast119897 is the index of patrol node lowast119905119897= intersection (119901119899
119894 119901119899119897) union (119901119899
119894 119901119899119897) lowast119905119897is similarity of patrol node 119897lowast
119905 = 119905 + 119905119896lowast119905 is the similarity lowast
return 119905
similiarity(119901119899119894 119901119899119897) = 119905119896
119901119899119897[] larr 119901119899
119894
Ontology[] larr 119901119899119897[]
lowast definition sensor nodes relationship lowastfor each sensor node s in the network do
if 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and hop(119904
119894 119904119895) = 1 then
lowast a equal sensor has found lowastset 119904119894and 119904
119895are equal sensor nodes
for each sensor node s in the network doif 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and 2 ≦ hop(119904
119894 119904119895) ≦ 3 then
lowasta sibling sensor has foundlowastset 119904119894and 119904
119895are sibling sensor nodes
else if patrolnode(119904119894) cap patrolnode(119904
119895) ltgt then
lowast 119886 sibling sensor has found lowastset 119904119894and 119904
119895are sibling sensor nodes
lowast Construct Ontology lowastfor each sensor node in the network do
for (119896 = 1 119896le 119899 119896++) do lowast119896 is the index of patrol node lowast119905119896= intersection (119901119899
119896 119904119894) union (119901119899
119896 119904119894) lowast119905119896is similarity of patrol node 119896lowast
119905 = 119905 + 119905119896
lowast119905 is the similarity lowastreturn 119905
similiarity(119901119899119896 119904119894) = 119905119896
119901119899119896[] larr 119904
119894
Ontology[] larr 119901119899119896[]
Algorithm 2 Algorithm of the construct ontology stage of OWIDS
le ℎ119900119901 (1199041
119894 1199042
119894)
le 3 or (119875119886119905119903119900119897119873119900119889119890 (1199041
119894 1)
cap119875119886119905119903119900119897119873119900119889119890 (1199042
119894 1) = 0)
119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894)
(3)
The 119878119894119887119897119894119899119892119879119890119903119898(1199041119894 1199042119894) indicates that 1199041
119894has a sister
term 1199042119894 In other words the sensor nodes have an identical
patrol node in the WSN and 119875119886119905119903119900119897119873119900119889119890(1199041119894 1) means that
the distance of 1199041119894from the patrol node is one hop When the
distance between 1199041119894and 1199042119894is less than or equal to 3 it will
be adjusted depending on the scale of the WSN Definition 2has two situations either a pair of concepts has sister-termrelations in the WSN or a pair of concepts has a common
International Journal of Distributed Sensor Networks 7
Situation 1 Situation 2
Pnl Pnl
Pn2 s2
s1
s2s1
(a) (b)
Figure 2 The sibling relationship
patrol node over more than one levelThe difference betweenthem is shown in Figures 2(a) and 2(b) Situation 1 andsituation 2 are the relationships of SensorNode 1199041
119894and Sen-
sorNode 1199042119894in the WSN structure Situation 1 indicates that 1199041
119894
and 1199042119894have a sister-term relationship in the WSN situation
2 indicates 1199041119894and 1199042119894are not sister terms However they
satisfy the sibling concept because they have a commonpatrol node on the upper level In this case the distancebetween 119904
1
119894and 1199042119894is 3 hops as shown in Figure 2(b)
An ontology has various elements including conceptsattributes operators instances relations and axioms Ourontology has membership values between the patrol node(119901119899) and the sensor node (119904) The set of values between thepatrol nodes and sensor nodes is called the subclass Forexample the sensor node contains attributes such as senseinformation remaining resources and route informationThe membership values between patrol nodes and sensornodes can be calculated by formula (4) [19] Suchvalues might include for example 119899
1energy(08) hop
(02) ST(09) 1199011198992energy(03) hop(08) ST(08) and
1199041energy(075) hop(02) ST(07)The subclass is (119904
1 1199011198991) =
(075 + 02 + 07) (08 + 02 + 09) = 16519 = 087 Thesubclass is (119904
1 1199011198992) = (03 + 02 + 07) (03 + 08 + 08) =
1221 = 057 The membership value consists of sensornodes such as 119901119899
1(087) and 119901119899
2(057) the numbers
represent the membership values in each patrol node Themembership value between a patrol node and a sensor nodemay then be found The 119904
1is the subclass of 119901119899
1 Consider
119904119906119887119888119897119886119904119904 (119904 119901119899) =
1003816100381610038161003816119904 cap 1199011198991003816100381610038161003816
10038161003816100381610038161199011198991003816100381610038161003816
(4)
The relations between sensor nodes can be defined ina number of ways such as Belong-to and Consist-of whilethe subclass defines the values of the relationships betweenthe sensor nodes After constructing the concept layer themembership values can be simply and directly joined tothe ontology Each concept has the membership values foreach relevant patrol node The system can then build up theconcept hierarchyThe ontology information includes sensornode identify (number) patrol node identify (number)
energy (joule) hop distance (hops) and sensing data type(ST) as shown in Figure 3
The related value of the concept should define a suitablethreshold Let 119901119899
119896be the 119896th patrol node ofWSN 119904
119894indicates
the sensor node 119894 in the WSN 119901119899119898is the patrol node that
belongs to 119901119899119896 and 119899 is the number of comparison nodes
under the patrol node 119901119899119896 The similarity formula is listed in
formula (5) Formula (5) is similar to formula (1) Formula(1) is the similarity between patrol node and patrol nodeFormula (5) is the similarity between patrol node and sensornode
119904119894119898119894119897119886119903119894119905119910 (119901119899119896 119904119894) =
sum119899
119898=119896(1003816100381610038161003816119901119899119898 cap 119904
119894
1003816100381610038161003816 1003816100381610038161003816119901119899119898 cup 119904
119894
1003816100381610038161003816)
119899 (5)
For example the system uses formula (5) to calculatethe similarity of formal concepts Each patrol node hasmany sensor nodes Figure 4 shows an example of calculationbetween 119901119899
119896and 119904119894 It is not an ontology figure An example
of the ontology is shown in Figure 5 The similarity between119901119899119896and 119904119894is calculated as follows
119904119894119898119894119897119886119903119894119905119910 (1199011198991 1199041)
= (075 + 02 + 07
08 + 02 + 09+
02 + 07
075 + 02 + 075
+075 + 06
075 + 02 + 06) times (3)
minus1= 068
119904119894119898119894119897119886119903119894119905119910 (1199011198992 1199041)
= (03 + 02 + 07
03 + 08 + 08+
03 + 07
075 + 02 + 07) times (2)
minus1
= 047
(6)
We select themaximum similarity value of the conceptualpairs between 119901119899
119896and 119904
119894to determine the sonsor node 119904
119894
belongs to which patrol nodes 119901119899 In this case 1199041is more
similar to 1199011198991 The IDS calculates the relationship between
119899119901119896and 119904
119894to define the relationship threshold The IDS
calculation threshold depends on the similarity formula indifferent environments A higher threshold makes the entireWSN more secure However a higher threshold for the IDSmeans that attacks are easily misidentified
An example of an ontology is shown in Figure 5 Thereare 10 sensor nodes in the example For practical applicationsour method supports 50 sensor nodes in the ontology Theontology has a domain layer a category layer a patrol nodelayer and a sensor node layer The domain layer representsthe ontology domain issue thatwe focus on in constructing anIDS for a WSN Next the category layer represents differentjobs on the WSN such as sensing humidity temperatureand brightness One sensor node will take on one or moretasks The patrol node layer contains the information foreach patrol node in the WSN Each patrol node has anID energy (joule (j)) sensing data type (ST) the distanceto the cluster head (Hop) and membership value betweeneach relevant object for example119901119899idEnergy(j) hop(1hop)ST(1number of sense types) The sensor node layer con-tains each sensor node ID energy (joule (j)) sense data type
8 International Journal of Distributed Sensor Networks
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Relation type
Subclass
Hops
Hops
Figure 3 The information of the concept of nodes in ontology
(ST) the distance to the cluster head (hop) and membershipvalue between each relevant object
33 Intrusion Detection Stage The attackers that intrudewireless sensor network can be divided into two stagespreparatory phase the attack and destruction phase Theattack behaviours of attack and destruction phase includesinkhole attack blackhole attack and hello flooding Inorder to obtain the required information of attack anddestruction phase the attackers apply Sybil attack to disguisevarious roles The behaviours of attack phase used differ-ent transmission technology to burn entire network evencause WSN unusable All the above behaviours are calledanomaly behaviours The assignment system will completethe information for the integration of the environmentalanalysis The ontology contains the entire relationship of theWSNThe system can preselect the knowledge based on thoseenvironmental attacks The ontology can thus detect illegalnodes in the WSNThe rules are shown in Algorithm 3
The WSN is usually deployed unequally causing it torapidly consume energy We have proposed a PIDS usingdetection knowledge to detect anomalies [11] The PIDS istransferred between patrol nodes to detect whether neighbor-ing nodes exhibit anomalies The PIDS will choose differentdetection knowledge in different environments The PIDSmerely requires a portion of the detection knowledge todetect an anomaly which reducesWSN energy consumptionThe architecture of the OWIDS combines the PIDS with theontologyTheOWIDS is transferred between the patrol nodesto detectwhether neighbouring nodes are anomalous Similar
to the PIDS the OWIDS will choose different detectionknowledge in different environments It requires merely aportion of the detection knowledge to detect anomaliesreducing WSN energy consumption The system will matchthe database and the attack pattern If there appears to benonselected detection knowledge the detection knowledgewill be added The intrusion detection mechanisms werecomputed on the base station The classification methodof detection knowledge is described in the following para-graphs
The detection knowledge is classification by supportvector machine (SVM) [21] The proposed method provideda strong argument for the improvement of WSN intrusiondetection systems The SVM uses a high dimension spaceto find a hyperplane to perform binary classification to findminimal error rate Notably the SVM is able to handle theproblem of linear inseparability The SVM uses a portion ofthe data to train the system finding several support vectorswhich represent the training data These support vectorswill be formed into a model by the SVM representing acategory According to this model the SVM will classify agiven unknown document A basic input data format and anoutput data domain are given as follows
(119909119894 119910119894) (119909
119899 119910119899) 119909 isin 119877
119898 119910 isin +1 minus1 (7)
where (119909119894 119910119894) (119909
119899 119910119899) are training data 119899 is the number
of samples119898 is the input vector and 119910 belongs to category of+1 or minus1
Regarding linear problems a hyperplane can be dividedinto two categories The hyperplane formula is
(119908 sdot 119909) + 119887 = 0 (8)
The category formula is
(119908 sdot 119909) + 119887 ge 0 if 119910119894= +1
(119908 sdot 119909) + 119887 le 0 if 119910119894= minus1
(9)
However it is not easy to find hyperplanes with which toclassify the dataThe SVMhas several kernel functions whichusers can apply to solve different problems As such selectingthe appropriate kernel function can solve the problem oflinear inseparability Also internal product operations affectthe classification function and a suitable inner product func-tion119870(119883119894 sdot 119883119895) can solve certain linear inseparable problemswithout increasing the complexity of the calculation Originaldata includes 31 features tagged with numbers from 0 to 30The system will convert the contents of the 31 features intonumeric values For instance the first element is ldquoEventrdquo andthe parameter is ldquo119904rdquo which is mapped to ldquo0 01rdquo An exampleof SVM data is shown in Figure 9 The OWIDS combinesontology with detection knowledge The patrol nodes carrypart of ontology to detect Sybil attack and the detectionknowledge is used to detect sinkhole blackhole and helloflooding
The ontology is divided into several parts depending onthe region of the patrol node The system sends detectionknowledge and the ontology to the cluster head The patrol
International Journal of Distributed Sensor Networks 9
lowast Intrusion Detection Stage lowastfor each neighbor of patrol node s doreceive (119904id 119901119899id 119904INFO 119864119894) lowast Receive 119904id 119901119899id 119904INFO and the remaining energy lowastif 119904id ltgt Ontology [] then lowast Check whether the sensor node is constructed in the Ontology lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastif Pattern (119904) = Pattern (119860119872)lowast Check whether the receive information is different from attack knowledge lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastelse if broadcast 119860[] to 119862id lowast Broadcast isolation table to CH to back up lowastend for
Algorithm 3 Algorithm of the intrusion detection stage of OWIDS
Base station
energy (08) hop (02) ST (09) energy (03)
hop (08) ST (08)
hop (02)ST (07)
energy (075) ST (06)
energy (03) ST (07)
energy (075) hop (02) ST (07)
068
047pn1
pn3
pn4
pn5
pn2
s1
Figure 4 An example of membership calculation
node is a sensor node to do detection but its energy is limitedThe OWIDS does not train detection mechanism on patrolnode and only the cluster head transmits detection rules topatrol nodes The patrol nodes detect attacks by rotation toreduce the overall WSN energy consumption and extend thelifetime of the WSN When the duty of the patrol nodes isover the CH will collect the WSN information and transmitit to the base station The BS analyzes the informationtrains the detection data and constructs the ontology againThus the detection knowledge can be adjusted accordingto the WSN environment To improve the accuracy ofthe intrusion detection the system repeats the detectionknowledge training to remove less frequently used data untilthe knowledge converges This reduces the features of thedetection knowledge and makes the detection knowledgemore lightweight
The WSN is a self-organizing network meaning that therouting table will be changed The clustering system of theWSN will change cluster heads periodically The WSN as awhole thus cannot keep isolating anomalous nodes Rede-tection of anomalous nodes consumes energy This paperthus proposes an isolation table recorded in the base station[20] If new cluster heads are assigned or the entire WSNis changed the patrol maintains isolation of anomaly nodesusing the isolation table Intruders thus cannot attack theWSN through isolated anomaly nodes reducing redetectionenergy consumption
4 Experimental Results
The system performance was evaluated by network sim-ulation (NS-2) The experimental hardware environmentsconsisted of an Intel Core 2 i5-2410M CPU 230GHzNotebook with 8GB RAM and was implemented under theWindows 7 operating system The area for the simulationof the WSN was within 10000 square meters The field isstatic and deploys 300 sensor nodes randomly each with abroadcast radius of 50m The OWIDS uses a protegee toconstruct the ontology The behaviors of the attacker weregenerated by a Java program The attacks were randomlygenerated by different kinds of attack patterns For exampleSybil attacks were generated every 20 seconds but theattackers will masquerade different kinds of roles randomlysuch as cluster head sensor node The OWIDS detects Sybilattacks using the relationship of ontology In addition theexperiment was meant to simulate transmission packages inwireless sensor networksThe communications of packets canbe captured byOWIDSThedatawas collected from theWSNpackets of NS-2 simulator The data set can be divided intotwo protocols the training data and the testing data Thepackets are randomly selected for training and testing
Before using SVM classification the system performa data scaling operation to increases the accuracy whilereducing complexity The system kernel is RBF 119870(119909 119910) =
ℓminus119892119909minus119910
2
The systemwill classify the attributes of the features
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 5
Algorithm OWIDSInput The packages of wireless sensor networks 119901Output 119860 list of anomaly nodes 119860[]
BEGINlowastPre-processing Stagelowastlowastbroadcasting routinglowastfor each sensor node 119904 connected to 119909 do
for each sensor node y in the network doif 119863119904[119910] + 119904(119909 119904) lt 119863
119909[119910] then
lowasta better route from 119909 to 119910 through s has been foundlowast119863119909[119910] larr 119863
119904[119910] + 119904(119909 119904)
119862119909[119910] larr (119909 119904)
lowastintegrating informationlowastfor each sensor node s transmitted to base station 119887119904 do
send data of itself 119868 to base station 119887119904
return 119868
Algorithm 1 Algorithm of preprocessing stage of OWIDS
32 Construct Ontology Stage Due to the nature of a Sybilattack it is hard to use an IDS to detect it In the systemthe relationships of each sensor node in the ontology areconstructed first Then the patrol node compares the rela-tionships of the ontology conceptual nodes to the testedwireless networks to determine whether the system has beenattacked The method for constructing the ontology is givenbelow The algorithm of the ontology construction stage isshown in Algorithm 2
After the entireWSN has been deployed the informationon each sensor node is translated to the base station forthe system to construct the ontology The relationships ofthe sensor nodes are constructed in the ontology Eachsensor node transmits its connection information to the basestation This method thus is a top-down design for ontologyconstruction in which construction proceeds from the basestation to the sensor nodes The system sorts sensor nodesdepending on the energy of the sensor nodes and selects thesensor node that has the best energy to be the cluster headThe candidates for patrol nodes are the top 20 of sensornodesThe patrol nodes are chosen by the candidate of patrolnodes that are one hop from the cluster head After the systempicks the patrol nodes up it begins to construct the ontology
First the system constructs patrol nodes in the ontologyThe system calculates the similarity between the patrol nodesusing formula (1) Formula (1) is calculated between patrolnodes and patrol nodes 119901119899
119894cap 119901119899119897means that the system
compares the data of 119901119899119894with the data of 119901119899
119897to gather the
minimum number (the data is energy() hop() ST() etc)The 119901119899
119894cup119901119899119897means that the system computes the data of 119901119899
119894
with the data of119901119899119897to gather theminimumnumber Consider
119878119894119898119894119897119886119903119894119905119910 (119901119899119894 119901119899119897) =
sum119899
119897=1(1003816100381610038161003816119901119899119894 cap 119901119899
119897
1003816100381610038161003816 1003816100381610038161003816119901119899119894 cup 119901119899
119897
1003816100381610038161003816)
119899 (1)
The construction of the patrol nodes in the ontologydepends on formula (1) which indicates the relationship ofthe patrol nodes Similar patrol nodes exchange information
with each other The relationship is used to construct sensornodes in the ontologyThere are two concepts of sensor nodeequal concept and sibling concept as follows
Definition 1 (equal concept) Consider
119864119902119906119886119897 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | ℎ119900119901 (119904
1
119894 1199042
119894) = 1
and (119878119890119899119904119900119903119873119900119889119890 (1199041
119894) = 119878119890119899119904119900119903119873119900119889119890 (119904
2
119894)
and 119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894))
(2)
The 1199041119894and 1199042119894are two different sensor nodes in theWSN
The distance between 1199041119894and 1199042119894is equal to one hop 119904119899
119894
indicates the sensor node 119899 is managed by 119901119886119905119903119900119897119899119900119889119890 119894119878119890119899119904119900119903119873119900119889119890(119904119899
119894) and 119903119890119904119900119906119903119888119890(119904119899
119894) indicate the class name
of the 119878119890119899119904119900119903119873119900119889119890 and the resources of 119878119890119899119904119900119903119873119900119889119890 119904respectively When 119903119890119904119900119906119903119888119890(1199041
119894) asymp 119903119890119904119900119906119903119888119890(1199042
119894) it means
the resources (energy hops sense type) of 1199041119894are similar
to the resources of 1199042119894 Definition 1 defines the concepts of
sensor nodes having equivalent resources and being close toeach other For example if a pair of concepts ldquo1199041rdquo and ldquo1199042rdquohas overlapped broadcasting range and possesses equivalentresources the equal concept definition is satisfied and thesystem will construct the relationship between them Therest of concepts will be used to determine the hierarchicalrelations in the ontology concepts
Definition 2 (sibling concept) Consider
119878119894119887119897119894119899119892 (1199041
119894 1199042
119894) = (119904
1
119894 1199042
119894) | 1199041
119894= 1199042
119894
and (119878119894119887119897119894119899119892119879119890119903119898 (1199041
119894 1199042
119894)) and 2
6 International Journal of Distributed Sensor Networks
lowast Construct Ontology Stage lowastlowast sort sensor nodes lowastfor each sensor node s in the network do
for (119894 = 119899 minus 1 119894 gt 0 119894 minus minus) dofor (119895 = 0 119895 lt 119894 119895++) do
if energy(119904119895) gt energy(119904
119894) then
buffer = arr[119895]arr[119895] = arr[119895 + 1]
arr[119895 + 1] = bufferreturn arr[] lowast return sort information lowast
set CH = arr[1] lowast the system selects up best sensor node to be cluster head lowastlowastpick up patrol nodeslowast
for (119901 = 0 119901 lt 119899 lowast 02 119901++) doPatrolcandidate[119901] = arr[119901] lowast pick up top 20 of sensor nodes lowastfor each sensor node 119904 in the Patrolcadidate[] doif hop(119904
119894 CH) = 1 then
lowasta patrol node has foundlowastset patrolnode[] = 119904
119894
lowastConstruct patrol nodes in Ontologylowastfor each patrol node in the network do
for (119897 = 1 119897le 119899 119897++) do lowast119897 is the index of patrol node lowast119905119897= intersection (119901119899
119894 119901119899119897) union (119901119899
119894 119901119899119897) lowast119905119897is similarity of patrol node 119897lowast
119905 = 119905 + 119905119896lowast119905 is the similarity lowast
return 119905
similiarity(119901119899119894 119901119899119897) = 119905119896
119901119899119897[] larr 119901119899
119894
Ontology[] larr 119901119899119897[]
lowast definition sensor nodes relationship lowastfor each sensor node s in the network do
if 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and hop(119904
119894 119904119895) = 1 then
lowast a equal sensor has found lowastset 119904119894and 119904
119895are equal sensor nodes
for each sensor node s in the network doif 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and 2 ≦ hop(119904
119894 119904119895) ≦ 3 then
lowasta sibling sensor has foundlowastset 119904119894and 119904
119895are sibling sensor nodes
else if patrolnode(119904119894) cap patrolnode(119904
119895) ltgt then
lowast 119886 sibling sensor has found lowastset 119904119894and 119904
119895are sibling sensor nodes
lowast Construct Ontology lowastfor each sensor node in the network do
for (119896 = 1 119896le 119899 119896++) do lowast119896 is the index of patrol node lowast119905119896= intersection (119901119899
119896 119904119894) union (119901119899
119896 119904119894) lowast119905119896is similarity of patrol node 119896lowast
119905 = 119905 + 119905119896
lowast119905 is the similarity lowastreturn 119905
similiarity(119901119899119896 119904119894) = 119905119896
119901119899119896[] larr 119904
119894
Ontology[] larr 119901119899119896[]
Algorithm 2 Algorithm of the construct ontology stage of OWIDS
le ℎ119900119901 (1199041
119894 1199042
119894)
le 3 or (119875119886119905119903119900119897119873119900119889119890 (1199041
119894 1)
cap119875119886119905119903119900119897119873119900119889119890 (1199042
119894 1) = 0)
119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894)
(3)
The 119878119894119887119897119894119899119892119879119890119903119898(1199041119894 1199042119894) indicates that 1199041
119894has a sister
term 1199042119894 In other words the sensor nodes have an identical
patrol node in the WSN and 119875119886119905119903119900119897119873119900119889119890(1199041119894 1) means that
the distance of 1199041119894from the patrol node is one hop When the
distance between 1199041119894and 1199042119894is less than or equal to 3 it will
be adjusted depending on the scale of the WSN Definition 2has two situations either a pair of concepts has sister-termrelations in the WSN or a pair of concepts has a common
International Journal of Distributed Sensor Networks 7
Situation 1 Situation 2
Pnl Pnl
Pn2 s2
s1
s2s1
(a) (b)
Figure 2 The sibling relationship
patrol node over more than one levelThe difference betweenthem is shown in Figures 2(a) and 2(b) Situation 1 andsituation 2 are the relationships of SensorNode 1199041
119894and Sen-
sorNode 1199042119894in the WSN structure Situation 1 indicates that 1199041
119894
and 1199042119894have a sister-term relationship in the WSN situation
2 indicates 1199041119894and 1199042119894are not sister terms However they
satisfy the sibling concept because they have a commonpatrol node on the upper level In this case the distancebetween 119904
1
119894and 1199042119894is 3 hops as shown in Figure 2(b)
An ontology has various elements including conceptsattributes operators instances relations and axioms Ourontology has membership values between the patrol node(119901119899) and the sensor node (119904) The set of values between thepatrol nodes and sensor nodes is called the subclass Forexample the sensor node contains attributes such as senseinformation remaining resources and route informationThe membership values between patrol nodes and sensornodes can be calculated by formula (4) [19] Suchvalues might include for example 119899
1energy(08) hop
(02) ST(09) 1199011198992energy(03) hop(08) ST(08) and
1199041energy(075) hop(02) ST(07)The subclass is (119904
1 1199011198991) =
(075 + 02 + 07) (08 + 02 + 09) = 16519 = 087 Thesubclass is (119904
1 1199011198992) = (03 + 02 + 07) (03 + 08 + 08) =
1221 = 057 The membership value consists of sensornodes such as 119901119899
1(087) and 119901119899
2(057) the numbers
represent the membership values in each patrol node Themembership value between a patrol node and a sensor nodemay then be found The 119904
1is the subclass of 119901119899
1 Consider
119904119906119887119888119897119886119904119904 (119904 119901119899) =
1003816100381610038161003816119904 cap 1199011198991003816100381610038161003816
10038161003816100381610038161199011198991003816100381610038161003816
(4)
The relations between sensor nodes can be defined ina number of ways such as Belong-to and Consist-of whilethe subclass defines the values of the relationships betweenthe sensor nodes After constructing the concept layer themembership values can be simply and directly joined tothe ontology Each concept has the membership values foreach relevant patrol node The system can then build up theconcept hierarchyThe ontology information includes sensornode identify (number) patrol node identify (number)
energy (joule) hop distance (hops) and sensing data type(ST) as shown in Figure 3
The related value of the concept should define a suitablethreshold Let 119901119899
119896be the 119896th patrol node ofWSN 119904
119894indicates
the sensor node 119894 in the WSN 119901119899119898is the patrol node that
belongs to 119901119899119896 and 119899 is the number of comparison nodes
under the patrol node 119901119899119896 The similarity formula is listed in
formula (5) Formula (5) is similar to formula (1) Formula(1) is the similarity between patrol node and patrol nodeFormula (5) is the similarity between patrol node and sensornode
119904119894119898119894119897119886119903119894119905119910 (119901119899119896 119904119894) =
sum119899
119898=119896(1003816100381610038161003816119901119899119898 cap 119904
119894
1003816100381610038161003816 1003816100381610038161003816119901119899119898 cup 119904
119894
1003816100381610038161003816)
119899 (5)
For example the system uses formula (5) to calculatethe similarity of formal concepts Each patrol node hasmany sensor nodes Figure 4 shows an example of calculationbetween 119901119899
119896and 119904119894 It is not an ontology figure An example
of the ontology is shown in Figure 5 The similarity between119901119899119896and 119904119894is calculated as follows
119904119894119898119894119897119886119903119894119905119910 (1199011198991 1199041)
= (075 + 02 + 07
08 + 02 + 09+
02 + 07
075 + 02 + 075
+075 + 06
075 + 02 + 06) times (3)
minus1= 068
119904119894119898119894119897119886119903119894119905119910 (1199011198992 1199041)
= (03 + 02 + 07
03 + 08 + 08+
03 + 07
075 + 02 + 07) times (2)
minus1
= 047
(6)
We select themaximum similarity value of the conceptualpairs between 119901119899
119896and 119904
119894to determine the sonsor node 119904
119894
belongs to which patrol nodes 119901119899 In this case 1199041is more
similar to 1199011198991 The IDS calculates the relationship between
119899119901119896and 119904
119894to define the relationship threshold The IDS
calculation threshold depends on the similarity formula indifferent environments A higher threshold makes the entireWSN more secure However a higher threshold for the IDSmeans that attacks are easily misidentified
An example of an ontology is shown in Figure 5 Thereare 10 sensor nodes in the example For practical applicationsour method supports 50 sensor nodes in the ontology Theontology has a domain layer a category layer a patrol nodelayer and a sensor node layer The domain layer representsthe ontology domain issue thatwe focus on in constructing anIDS for a WSN Next the category layer represents differentjobs on the WSN such as sensing humidity temperatureand brightness One sensor node will take on one or moretasks The patrol node layer contains the information foreach patrol node in the WSN Each patrol node has anID energy (joule (j)) sensing data type (ST) the distanceto the cluster head (Hop) and membership value betweeneach relevant object for example119901119899idEnergy(j) hop(1hop)ST(1number of sense types) The sensor node layer con-tains each sensor node ID energy (joule (j)) sense data type
8 International Journal of Distributed Sensor Networks
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Relation type
Subclass
Hops
Hops
Figure 3 The information of the concept of nodes in ontology
(ST) the distance to the cluster head (hop) and membershipvalue between each relevant object
33 Intrusion Detection Stage The attackers that intrudewireless sensor network can be divided into two stagespreparatory phase the attack and destruction phase Theattack behaviours of attack and destruction phase includesinkhole attack blackhole attack and hello flooding Inorder to obtain the required information of attack anddestruction phase the attackers apply Sybil attack to disguisevarious roles The behaviours of attack phase used differ-ent transmission technology to burn entire network evencause WSN unusable All the above behaviours are calledanomaly behaviours The assignment system will completethe information for the integration of the environmentalanalysis The ontology contains the entire relationship of theWSNThe system can preselect the knowledge based on thoseenvironmental attacks The ontology can thus detect illegalnodes in the WSNThe rules are shown in Algorithm 3
The WSN is usually deployed unequally causing it torapidly consume energy We have proposed a PIDS usingdetection knowledge to detect anomalies [11] The PIDS istransferred between patrol nodes to detect whether neighbor-ing nodes exhibit anomalies The PIDS will choose differentdetection knowledge in different environments The PIDSmerely requires a portion of the detection knowledge todetect an anomaly which reducesWSN energy consumptionThe architecture of the OWIDS combines the PIDS with theontologyTheOWIDS is transferred between the patrol nodesto detectwhether neighbouring nodes are anomalous Similar
to the PIDS the OWIDS will choose different detectionknowledge in different environments It requires merely aportion of the detection knowledge to detect anomaliesreducing WSN energy consumption The system will matchthe database and the attack pattern If there appears to benonselected detection knowledge the detection knowledgewill be added The intrusion detection mechanisms werecomputed on the base station The classification methodof detection knowledge is described in the following para-graphs
The detection knowledge is classification by supportvector machine (SVM) [21] The proposed method provideda strong argument for the improvement of WSN intrusiondetection systems The SVM uses a high dimension spaceto find a hyperplane to perform binary classification to findminimal error rate Notably the SVM is able to handle theproblem of linear inseparability The SVM uses a portion ofthe data to train the system finding several support vectorswhich represent the training data These support vectorswill be formed into a model by the SVM representing acategory According to this model the SVM will classify agiven unknown document A basic input data format and anoutput data domain are given as follows
(119909119894 119910119894) (119909
119899 119910119899) 119909 isin 119877
119898 119910 isin +1 minus1 (7)
where (119909119894 119910119894) (119909
119899 119910119899) are training data 119899 is the number
of samples119898 is the input vector and 119910 belongs to category of+1 or minus1
Regarding linear problems a hyperplane can be dividedinto two categories The hyperplane formula is
(119908 sdot 119909) + 119887 = 0 (8)
The category formula is
(119908 sdot 119909) + 119887 ge 0 if 119910119894= +1
(119908 sdot 119909) + 119887 le 0 if 119910119894= minus1
(9)
However it is not easy to find hyperplanes with which toclassify the dataThe SVMhas several kernel functions whichusers can apply to solve different problems As such selectingthe appropriate kernel function can solve the problem oflinear inseparability Also internal product operations affectthe classification function and a suitable inner product func-tion119870(119883119894 sdot 119883119895) can solve certain linear inseparable problemswithout increasing the complexity of the calculation Originaldata includes 31 features tagged with numbers from 0 to 30The system will convert the contents of the 31 features intonumeric values For instance the first element is ldquoEventrdquo andthe parameter is ldquo119904rdquo which is mapped to ldquo0 01rdquo An exampleof SVM data is shown in Figure 9 The OWIDS combinesontology with detection knowledge The patrol nodes carrypart of ontology to detect Sybil attack and the detectionknowledge is used to detect sinkhole blackhole and helloflooding
The ontology is divided into several parts depending onthe region of the patrol node The system sends detectionknowledge and the ontology to the cluster head The patrol
International Journal of Distributed Sensor Networks 9
lowast Intrusion Detection Stage lowastfor each neighbor of patrol node s doreceive (119904id 119901119899id 119904INFO 119864119894) lowast Receive 119904id 119901119899id 119904INFO and the remaining energy lowastif 119904id ltgt Ontology [] then lowast Check whether the sensor node is constructed in the Ontology lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastif Pattern (119904) = Pattern (119860119872)lowast Check whether the receive information is different from attack knowledge lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastelse if broadcast 119860[] to 119862id lowast Broadcast isolation table to CH to back up lowastend for
Algorithm 3 Algorithm of the intrusion detection stage of OWIDS
Base station
energy (08) hop (02) ST (09) energy (03)
hop (08) ST (08)
hop (02)ST (07)
energy (075) ST (06)
energy (03) ST (07)
energy (075) hop (02) ST (07)
068
047pn1
pn3
pn4
pn5
pn2
s1
Figure 4 An example of membership calculation
node is a sensor node to do detection but its energy is limitedThe OWIDS does not train detection mechanism on patrolnode and only the cluster head transmits detection rules topatrol nodes The patrol nodes detect attacks by rotation toreduce the overall WSN energy consumption and extend thelifetime of the WSN When the duty of the patrol nodes isover the CH will collect the WSN information and transmitit to the base station The BS analyzes the informationtrains the detection data and constructs the ontology againThus the detection knowledge can be adjusted accordingto the WSN environment To improve the accuracy ofthe intrusion detection the system repeats the detectionknowledge training to remove less frequently used data untilthe knowledge converges This reduces the features of thedetection knowledge and makes the detection knowledgemore lightweight
The WSN is a self-organizing network meaning that therouting table will be changed The clustering system of theWSN will change cluster heads periodically The WSN as awhole thus cannot keep isolating anomalous nodes Rede-tection of anomalous nodes consumes energy This paperthus proposes an isolation table recorded in the base station[20] If new cluster heads are assigned or the entire WSNis changed the patrol maintains isolation of anomaly nodesusing the isolation table Intruders thus cannot attack theWSN through isolated anomaly nodes reducing redetectionenergy consumption
4 Experimental Results
The system performance was evaluated by network sim-ulation (NS-2) The experimental hardware environmentsconsisted of an Intel Core 2 i5-2410M CPU 230GHzNotebook with 8GB RAM and was implemented under theWindows 7 operating system The area for the simulationof the WSN was within 10000 square meters The field isstatic and deploys 300 sensor nodes randomly each with abroadcast radius of 50m The OWIDS uses a protegee toconstruct the ontology The behaviors of the attacker weregenerated by a Java program The attacks were randomlygenerated by different kinds of attack patterns For exampleSybil attacks were generated every 20 seconds but theattackers will masquerade different kinds of roles randomlysuch as cluster head sensor node The OWIDS detects Sybilattacks using the relationship of ontology In addition theexperiment was meant to simulate transmission packages inwireless sensor networksThe communications of packets canbe captured byOWIDSThedatawas collected from theWSNpackets of NS-2 simulator The data set can be divided intotwo protocols the training data and the testing data Thepackets are randomly selected for training and testing
Before using SVM classification the system performa data scaling operation to increases the accuracy whilereducing complexity The system kernel is RBF 119870(119909 119910) =
ℓminus119892119909minus119910
2
The systemwill classify the attributes of the features
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
6 International Journal of Distributed Sensor Networks
lowast Construct Ontology Stage lowastlowast sort sensor nodes lowastfor each sensor node s in the network do
for (119894 = 119899 minus 1 119894 gt 0 119894 minus minus) dofor (119895 = 0 119895 lt 119894 119895++) do
if energy(119904119895) gt energy(119904
119894) then
buffer = arr[119895]arr[119895] = arr[119895 + 1]
arr[119895 + 1] = bufferreturn arr[] lowast return sort information lowast
set CH = arr[1] lowast the system selects up best sensor node to be cluster head lowastlowastpick up patrol nodeslowast
for (119901 = 0 119901 lt 119899 lowast 02 119901++) doPatrolcandidate[119901] = arr[119901] lowast pick up top 20 of sensor nodes lowastfor each sensor node 119904 in the Patrolcadidate[] doif hop(119904
119894 CH) = 1 then
lowasta patrol node has foundlowastset patrolnode[] = 119904
119894
lowastConstruct patrol nodes in Ontologylowastfor each patrol node in the network do
for (119897 = 1 119897le 119899 119897++) do lowast119897 is the index of patrol node lowast119905119897= intersection (119901119899
119894 119901119899119897) union (119901119899
119894 119901119899119897) lowast119905119897is similarity of patrol node 119897lowast
119905 = 119905 + 119905119896lowast119905 is the similarity lowast
return 119905
similiarity(119901119899119894 119901119899119897) = 119905119896
119901119899119897[] larr 119901119899
119894
Ontology[] larr 119901119899119897[]
lowast definition sensor nodes relationship lowastfor each sensor node s in the network do
if 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and hop(119904
119894 119904119895) = 1 then
lowast a equal sensor has found lowastset 119904119894and 119904
119895are equal sensor nodes
for each sensor node s in the network doif 119904119894ltgt 119904119895and resource(119904
119894) resource(119904
119895) and 2 ≦ hop(119904
119894 119904119895) ≦ 3 then
lowasta sibling sensor has foundlowastset 119904119894and 119904
119895are sibling sensor nodes
else if patrolnode(119904119894) cap patrolnode(119904
119895) ltgt then
lowast 119886 sibling sensor has found lowastset 119904119894and 119904
119895are sibling sensor nodes
lowast Construct Ontology lowastfor each sensor node in the network do
for (119896 = 1 119896le 119899 119896++) do lowast119896 is the index of patrol node lowast119905119896= intersection (119901119899
119896 119904119894) union (119901119899
119896 119904119894) lowast119905119896is similarity of patrol node 119896lowast
119905 = 119905 + 119905119896
lowast119905 is the similarity lowastreturn 119905
similiarity(119901119899119896 119904119894) = 119905119896
119901119899119896[] larr 119904
119894
Ontology[] larr 119901119899119896[]
Algorithm 2 Algorithm of the construct ontology stage of OWIDS
le ℎ119900119901 (1199041
119894 1199042
119894)
le 3 or (119875119886119905119903119900119897119873119900119889119890 (1199041
119894 1)
cap119875119886119905119903119900119897119873119900119889119890 (1199042
119894 1) = 0)
119903119890119904119900119906119903119888119890 (1199041
119894) asymp 119903119890119904119900119906119903119888119890 (119904
2
119894)
(3)
The 119878119894119887119897119894119899119892119879119890119903119898(1199041119894 1199042119894) indicates that 1199041
119894has a sister
term 1199042119894 In other words the sensor nodes have an identical
patrol node in the WSN and 119875119886119905119903119900119897119873119900119889119890(1199041119894 1) means that
the distance of 1199041119894from the patrol node is one hop When the
distance between 1199041119894and 1199042119894is less than or equal to 3 it will
be adjusted depending on the scale of the WSN Definition 2has two situations either a pair of concepts has sister-termrelations in the WSN or a pair of concepts has a common
International Journal of Distributed Sensor Networks 7
Situation 1 Situation 2
Pnl Pnl
Pn2 s2
s1
s2s1
(a) (b)
Figure 2 The sibling relationship
patrol node over more than one levelThe difference betweenthem is shown in Figures 2(a) and 2(b) Situation 1 andsituation 2 are the relationships of SensorNode 1199041
119894and Sen-
sorNode 1199042119894in the WSN structure Situation 1 indicates that 1199041
119894
and 1199042119894have a sister-term relationship in the WSN situation
2 indicates 1199041119894and 1199042119894are not sister terms However they
satisfy the sibling concept because they have a commonpatrol node on the upper level In this case the distancebetween 119904
1
119894and 1199042119894is 3 hops as shown in Figure 2(b)
An ontology has various elements including conceptsattributes operators instances relations and axioms Ourontology has membership values between the patrol node(119901119899) and the sensor node (119904) The set of values between thepatrol nodes and sensor nodes is called the subclass Forexample the sensor node contains attributes such as senseinformation remaining resources and route informationThe membership values between patrol nodes and sensornodes can be calculated by formula (4) [19] Suchvalues might include for example 119899
1energy(08) hop
(02) ST(09) 1199011198992energy(03) hop(08) ST(08) and
1199041energy(075) hop(02) ST(07)The subclass is (119904
1 1199011198991) =
(075 + 02 + 07) (08 + 02 + 09) = 16519 = 087 Thesubclass is (119904
1 1199011198992) = (03 + 02 + 07) (03 + 08 + 08) =
1221 = 057 The membership value consists of sensornodes such as 119901119899
1(087) and 119901119899
2(057) the numbers
represent the membership values in each patrol node Themembership value between a patrol node and a sensor nodemay then be found The 119904
1is the subclass of 119901119899
1 Consider
119904119906119887119888119897119886119904119904 (119904 119901119899) =
1003816100381610038161003816119904 cap 1199011198991003816100381610038161003816
10038161003816100381610038161199011198991003816100381610038161003816
(4)
The relations between sensor nodes can be defined ina number of ways such as Belong-to and Consist-of whilethe subclass defines the values of the relationships betweenthe sensor nodes After constructing the concept layer themembership values can be simply and directly joined tothe ontology Each concept has the membership values foreach relevant patrol node The system can then build up theconcept hierarchyThe ontology information includes sensornode identify (number) patrol node identify (number)
energy (joule) hop distance (hops) and sensing data type(ST) as shown in Figure 3
The related value of the concept should define a suitablethreshold Let 119901119899
119896be the 119896th patrol node ofWSN 119904
119894indicates
the sensor node 119894 in the WSN 119901119899119898is the patrol node that
belongs to 119901119899119896 and 119899 is the number of comparison nodes
under the patrol node 119901119899119896 The similarity formula is listed in
formula (5) Formula (5) is similar to formula (1) Formula(1) is the similarity between patrol node and patrol nodeFormula (5) is the similarity between patrol node and sensornode
119904119894119898119894119897119886119903119894119905119910 (119901119899119896 119904119894) =
sum119899
119898=119896(1003816100381610038161003816119901119899119898 cap 119904
119894
1003816100381610038161003816 1003816100381610038161003816119901119899119898 cup 119904
119894
1003816100381610038161003816)
119899 (5)
For example the system uses formula (5) to calculatethe similarity of formal concepts Each patrol node hasmany sensor nodes Figure 4 shows an example of calculationbetween 119901119899
119896and 119904119894 It is not an ontology figure An example
of the ontology is shown in Figure 5 The similarity between119901119899119896and 119904119894is calculated as follows
119904119894119898119894119897119886119903119894119905119910 (1199011198991 1199041)
= (075 + 02 + 07
08 + 02 + 09+
02 + 07
075 + 02 + 075
+075 + 06
075 + 02 + 06) times (3)
minus1= 068
119904119894119898119894119897119886119903119894119905119910 (1199011198992 1199041)
= (03 + 02 + 07
03 + 08 + 08+
03 + 07
075 + 02 + 07) times (2)
minus1
= 047
(6)
We select themaximum similarity value of the conceptualpairs between 119901119899
119896and 119904
119894to determine the sonsor node 119904
119894
belongs to which patrol nodes 119901119899 In this case 1199041is more
similar to 1199011198991 The IDS calculates the relationship between
119899119901119896and 119904
119894to define the relationship threshold The IDS
calculation threshold depends on the similarity formula indifferent environments A higher threshold makes the entireWSN more secure However a higher threshold for the IDSmeans that attacks are easily misidentified
An example of an ontology is shown in Figure 5 Thereare 10 sensor nodes in the example For practical applicationsour method supports 50 sensor nodes in the ontology Theontology has a domain layer a category layer a patrol nodelayer and a sensor node layer The domain layer representsthe ontology domain issue thatwe focus on in constructing anIDS for a WSN Next the category layer represents differentjobs on the WSN such as sensing humidity temperatureand brightness One sensor node will take on one or moretasks The patrol node layer contains the information foreach patrol node in the WSN Each patrol node has anID energy (joule (j)) sensing data type (ST) the distanceto the cluster head (Hop) and membership value betweeneach relevant object for example119901119899idEnergy(j) hop(1hop)ST(1number of sense types) The sensor node layer con-tains each sensor node ID energy (joule (j)) sense data type
8 International Journal of Distributed Sensor Networks
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Relation type
Subclass
Hops
Hops
Figure 3 The information of the concept of nodes in ontology
(ST) the distance to the cluster head (hop) and membershipvalue between each relevant object
33 Intrusion Detection Stage The attackers that intrudewireless sensor network can be divided into two stagespreparatory phase the attack and destruction phase Theattack behaviours of attack and destruction phase includesinkhole attack blackhole attack and hello flooding Inorder to obtain the required information of attack anddestruction phase the attackers apply Sybil attack to disguisevarious roles The behaviours of attack phase used differ-ent transmission technology to burn entire network evencause WSN unusable All the above behaviours are calledanomaly behaviours The assignment system will completethe information for the integration of the environmentalanalysis The ontology contains the entire relationship of theWSNThe system can preselect the knowledge based on thoseenvironmental attacks The ontology can thus detect illegalnodes in the WSNThe rules are shown in Algorithm 3
The WSN is usually deployed unequally causing it torapidly consume energy We have proposed a PIDS usingdetection knowledge to detect anomalies [11] The PIDS istransferred between patrol nodes to detect whether neighbor-ing nodes exhibit anomalies The PIDS will choose differentdetection knowledge in different environments The PIDSmerely requires a portion of the detection knowledge todetect an anomaly which reducesWSN energy consumptionThe architecture of the OWIDS combines the PIDS with theontologyTheOWIDS is transferred between the patrol nodesto detectwhether neighbouring nodes are anomalous Similar
to the PIDS the OWIDS will choose different detectionknowledge in different environments It requires merely aportion of the detection knowledge to detect anomaliesreducing WSN energy consumption The system will matchthe database and the attack pattern If there appears to benonselected detection knowledge the detection knowledgewill be added The intrusion detection mechanisms werecomputed on the base station The classification methodof detection knowledge is described in the following para-graphs
The detection knowledge is classification by supportvector machine (SVM) [21] The proposed method provideda strong argument for the improvement of WSN intrusiondetection systems The SVM uses a high dimension spaceto find a hyperplane to perform binary classification to findminimal error rate Notably the SVM is able to handle theproblem of linear inseparability The SVM uses a portion ofthe data to train the system finding several support vectorswhich represent the training data These support vectorswill be formed into a model by the SVM representing acategory According to this model the SVM will classify agiven unknown document A basic input data format and anoutput data domain are given as follows
(119909119894 119910119894) (119909
119899 119910119899) 119909 isin 119877
119898 119910 isin +1 minus1 (7)
where (119909119894 119910119894) (119909
119899 119910119899) are training data 119899 is the number
of samples119898 is the input vector and 119910 belongs to category of+1 or minus1
Regarding linear problems a hyperplane can be dividedinto two categories The hyperplane formula is
(119908 sdot 119909) + 119887 = 0 (8)
The category formula is
(119908 sdot 119909) + 119887 ge 0 if 119910119894= +1
(119908 sdot 119909) + 119887 le 0 if 119910119894= minus1
(9)
However it is not easy to find hyperplanes with which toclassify the dataThe SVMhas several kernel functions whichusers can apply to solve different problems As such selectingthe appropriate kernel function can solve the problem oflinear inseparability Also internal product operations affectthe classification function and a suitable inner product func-tion119870(119883119894 sdot 119883119895) can solve certain linear inseparable problemswithout increasing the complexity of the calculation Originaldata includes 31 features tagged with numbers from 0 to 30The system will convert the contents of the 31 features intonumeric values For instance the first element is ldquoEventrdquo andthe parameter is ldquo119904rdquo which is mapped to ldquo0 01rdquo An exampleof SVM data is shown in Figure 9 The OWIDS combinesontology with detection knowledge The patrol nodes carrypart of ontology to detect Sybil attack and the detectionknowledge is used to detect sinkhole blackhole and helloflooding
The ontology is divided into several parts depending onthe region of the patrol node The system sends detectionknowledge and the ontology to the cluster head The patrol
International Journal of Distributed Sensor Networks 9
lowast Intrusion Detection Stage lowastfor each neighbor of patrol node s doreceive (119904id 119901119899id 119904INFO 119864119894) lowast Receive 119904id 119901119899id 119904INFO and the remaining energy lowastif 119904id ltgt Ontology [] then lowast Check whether the sensor node is constructed in the Ontology lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastif Pattern (119904) = Pattern (119860119872)lowast Check whether the receive information is different from attack knowledge lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastelse if broadcast 119860[] to 119862id lowast Broadcast isolation table to CH to back up lowastend for
Algorithm 3 Algorithm of the intrusion detection stage of OWIDS
Base station
energy (08) hop (02) ST (09) energy (03)
hop (08) ST (08)
hop (02)ST (07)
energy (075) ST (06)
energy (03) ST (07)
energy (075) hop (02) ST (07)
068
047pn1
pn3
pn4
pn5
pn2
s1
Figure 4 An example of membership calculation
node is a sensor node to do detection but its energy is limitedThe OWIDS does not train detection mechanism on patrolnode and only the cluster head transmits detection rules topatrol nodes The patrol nodes detect attacks by rotation toreduce the overall WSN energy consumption and extend thelifetime of the WSN When the duty of the patrol nodes isover the CH will collect the WSN information and transmitit to the base station The BS analyzes the informationtrains the detection data and constructs the ontology againThus the detection knowledge can be adjusted accordingto the WSN environment To improve the accuracy ofthe intrusion detection the system repeats the detectionknowledge training to remove less frequently used data untilthe knowledge converges This reduces the features of thedetection knowledge and makes the detection knowledgemore lightweight
The WSN is a self-organizing network meaning that therouting table will be changed The clustering system of theWSN will change cluster heads periodically The WSN as awhole thus cannot keep isolating anomalous nodes Rede-tection of anomalous nodes consumes energy This paperthus proposes an isolation table recorded in the base station[20] If new cluster heads are assigned or the entire WSNis changed the patrol maintains isolation of anomaly nodesusing the isolation table Intruders thus cannot attack theWSN through isolated anomaly nodes reducing redetectionenergy consumption
4 Experimental Results
The system performance was evaluated by network sim-ulation (NS-2) The experimental hardware environmentsconsisted of an Intel Core 2 i5-2410M CPU 230GHzNotebook with 8GB RAM and was implemented under theWindows 7 operating system The area for the simulationof the WSN was within 10000 square meters The field isstatic and deploys 300 sensor nodes randomly each with abroadcast radius of 50m The OWIDS uses a protegee toconstruct the ontology The behaviors of the attacker weregenerated by a Java program The attacks were randomlygenerated by different kinds of attack patterns For exampleSybil attacks were generated every 20 seconds but theattackers will masquerade different kinds of roles randomlysuch as cluster head sensor node The OWIDS detects Sybilattacks using the relationship of ontology In addition theexperiment was meant to simulate transmission packages inwireless sensor networksThe communications of packets canbe captured byOWIDSThedatawas collected from theWSNpackets of NS-2 simulator The data set can be divided intotwo protocols the training data and the testing data Thepackets are randomly selected for training and testing
Before using SVM classification the system performa data scaling operation to increases the accuracy whilereducing complexity The system kernel is RBF 119870(119909 119910) =
ℓminus119892119909minus119910
2
The systemwill classify the attributes of the features
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 7
Situation 1 Situation 2
Pnl Pnl
Pn2 s2
s1
s2s1
(a) (b)
Figure 2 The sibling relationship
patrol node over more than one levelThe difference betweenthem is shown in Figures 2(a) and 2(b) Situation 1 andsituation 2 are the relationships of SensorNode 1199041
119894and Sen-
sorNode 1199042119894in the WSN structure Situation 1 indicates that 1199041
119894
and 1199042119894have a sister-term relationship in the WSN situation
2 indicates 1199041119894and 1199042119894are not sister terms However they
satisfy the sibling concept because they have a commonpatrol node on the upper level In this case the distancebetween 119904
1
119894and 1199042119894is 3 hops as shown in Figure 2(b)
An ontology has various elements including conceptsattributes operators instances relations and axioms Ourontology has membership values between the patrol node(119901119899) and the sensor node (119904) The set of values between thepatrol nodes and sensor nodes is called the subclass Forexample the sensor node contains attributes such as senseinformation remaining resources and route informationThe membership values between patrol nodes and sensornodes can be calculated by formula (4) [19] Suchvalues might include for example 119899
1energy(08) hop
(02) ST(09) 1199011198992energy(03) hop(08) ST(08) and
1199041energy(075) hop(02) ST(07)The subclass is (119904
1 1199011198991) =
(075 + 02 + 07) (08 + 02 + 09) = 16519 = 087 Thesubclass is (119904
1 1199011198992) = (03 + 02 + 07) (03 + 08 + 08) =
1221 = 057 The membership value consists of sensornodes such as 119901119899
1(087) and 119901119899
2(057) the numbers
represent the membership values in each patrol node Themembership value between a patrol node and a sensor nodemay then be found The 119904
1is the subclass of 119901119899
1 Consider
119904119906119887119888119897119886119904119904 (119904 119901119899) =
1003816100381610038161003816119904 cap 1199011198991003816100381610038161003816
10038161003816100381610038161199011198991003816100381610038161003816
(4)
The relations between sensor nodes can be defined ina number of ways such as Belong-to and Consist-of whilethe subclass defines the values of the relationships betweenthe sensor nodes After constructing the concept layer themembership values can be simply and directly joined tothe ontology Each concept has the membership values foreach relevant patrol node The system can then build up theconcept hierarchyThe ontology information includes sensornode identify (number) patrol node identify (number)
energy (joule) hop distance (hops) and sensing data type(ST) as shown in Figure 3
The related value of the concept should define a suitablethreshold Let 119901119899
119896be the 119896th patrol node ofWSN 119904
119894indicates
the sensor node 119894 in the WSN 119901119899119898is the patrol node that
belongs to 119901119899119896 and 119899 is the number of comparison nodes
under the patrol node 119901119899119896 The similarity formula is listed in
formula (5) Formula (5) is similar to formula (1) Formula(1) is the similarity between patrol node and patrol nodeFormula (5) is the similarity between patrol node and sensornode
119904119894119898119894119897119886119903119894119905119910 (119901119899119896 119904119894) =
sum119899
119898=119896(1003816100381610038161003816119901119899119898 cap 119904
119894
1003816100381610038161003816 1003816100381610038161003816119901119899119898 cup 119904
119894
1003816100381610038161003816)
119899 (5)
For example the system uses formula (5) to calculatethe similarity of formal concepts Each patrol node hasmany sensor nodes Figure 4 shows an example of calculationbetween 119901119899
119896and 119904119894 It is not an ontology figure An example
of the ontology is shown in Figure 5 The similarity between119901119899119896and 119904119894is calculated as follows
119904119894119898119894119897119886119903119894119905119910 (1199011198991 1199041)
= (075 + 02 + 07
08 + 02 + 09+
02 + 07
075 + 02 + 075
+075 + 06
075 + 02 + 06) times (3)
minus1= 068
119904119894119898119894119897119886119903119894119905119910 (1199011198992 1199041)
= (03 + 02 + 07
03 + 08 + 08+
03 + 07
075 + 02 + 07) times (2)
minus1
= 047
(6)
We select themaximum similarity value of the conceptualpairs between 119901119899
119896and 119904
119894to determine the sonsor node 119904
119894
belongs to which patrol nodes 119901119899 In this case 1199041is more
similar to 1199011198991 The IDS calculates the relationship between
119899119901119896and 119904
119894to define the relationship threshold The IDS
calculation threshold depends on the similarity formula indifferent environments A higher threshold makes the entireWSN more secure However a higher threshold for the IDSmeans that attacks are easily misidentified
An example of an ontology is shown in Figure 5 Thereare 10 sensor nodes in the example For practical applicationsour method supports 50 sensor nodes in the ontology Theontology has a domain layer a category layer a patrol nodelayer and a sensor node layer The domain layer representsthe ontology domain issue thatwe focus on in constructing anIDS for a WSN Next the category layer represents differentjobs on the WSN such as sensing humidity temperatureand brightness One sensor node will take on one or moretasks The patrol node layer contains the information foreach patrol node in the WSN Each patrol node has anID energy (joule (j)) sensing data type (ST) the distanceto the cluster head (Hop) and membership value betweeneach relevant object for example119901119899idEnergy(j) hop(1hop)ST(1number of sense types) The sensor node layer con-tains each sensor node ID energy (joule (j)) sense data type
8 International Journal of Distributed Sensor Networks
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Relation type
Subclass
Hops
Hops
Figure 3 The information of the concept of nodes in ontology
(ST) the distance to the cluster head (hop) and membershipvalue between each relevant object
33 Intrusion Detection Stage The attackers that intrudewireless sensor network can be divided into two stagespreparatory phase the attack and destruction phase Theattack behaviours of attack and destruction phase includesinkhole attack blackhole attack and hello flooding Inorder to obtain the required information of attack anddestruction phase the attackers apply Sybil attack to disguisevarious roles The behaviours of attack phase used differ-ent transmission technology to burn entire network evencause WSN unusable All the above behaviours are calledanomaly behaviours The assignment system will completethe information for the integration of the environmentalanalysis The ontology contains the entire relationship of theWSNThe system can preselect the knowledge based on thoseenvironmental attacks The ontology can thus detect illegalnodes in the WSNThe rules are shown in Algorithm 3
The WSN is usually deployed unequally causing it torapidly consume energy We have proposed a PIDS usingdetection knowledge to detect anomalies [11] The PIDS istransferred between patrol nodes to detect whether neighbor-ing nodes exhibit anomalies The PIDS will choose differentdetection knowledge in different environments The PIDSmerely requires a portion of the detection knowledge todetect an anomaly which reducesWSN energy consumptionThe architecture of the OWIDS combines the PIDS with theontologyTheOWIDS is transferred between the patrol nodesto detectwhether neighbouring nodes are anomalous Similar
to the PIDS the OWIDS will choose different detectionknowledge in different environments It requires merely aportion of the detection knowledge to detect anomaliesreducing WSN energy consumption The system will matchthe database and the attack pattern If there appears to benonselected detection knowledge the detection knowledgewill be added The intrusion detection mechanisms werecomputed on the base station The classification methodof detection knowledge is described in the following para-graphs
The detection knowledge is classification by supportvector machine (SVM) [21] The proposed method provideda strong argument for the improvement of WSN intrusiondetection systems The SVM uses a high dimension spaceto find a hyperplane to perform binary classification to findminimal error rate Notably the SVM is able to handle theproblem of linear inseparability The SVM uses a portion ofthe data to train the system finding several support vectorswhich represent the training data These support vectorswill be formed into a model by the SVM representing acategory According to this model the SVM will classify agiven unknown document A basic input data format and anoutput data domain are given as follows
(119909119894 119910119894) (119909
119899 119910119899) 119909 isin 119877
119898 119910 isin +1 minus1 (7)
where (119909119894 119910119894) (119909
119899 119910119899) are training data 119899 is the number
of samples119898 is the input vector and 119910 belongs to category of+1 or minus1
Regarding linear problems a hyperplane can be dividedinto two categories The hyperplane formula is
(119908 sdot 119909) + 119887 = 0 (8)
The category formula is
(119908 sdot 119909) + 119887 ge 0 if 119910119894= +1
(119908 sdot 119909) + 119887 le 0 if 119910119894= minus1
(9)
However it is not easy to find hyperplanes with which toclassify the dataThe SVMhas several kernel functions whichusers can apply to solve different problems As such selectingthe appropriate kernel function can solve the problem oflinear inseparability Also internal product operations affectthe classification function and a suitable inner product func-tion119870(119883119894 sdot 119883119895) can solve certain linear inseparable problemswithout increasing the complexity of the calculation Originaldata includes 31 features tagged with numbers from 0 to 30The system will convert the contents of the 31 features intonumeric values For instance the first element is ldquoEventrdquo andthe parameter is ldquo119904rdquo which is mapped to ldquo0 01rdquo An exampleof SVM data is shown in Figure 9 The OWIDS combinesontology with detection knowledge The patrol nodes carrypart of ontology to detect Sybil attack and the detectionknowledge is used to detect sinkhole blackhole and helloflooding
The ontology is divided into several parts depending onthe region of the patrol node The system sends detectionknowledge and the ontology to the cluster head The patrol
International Journal of Distributed Sensor Networks 9
lowast Intrusion Detection Stage lowastfor each neighbor of patrol node s doreceive (119904id 119901119899id 119904INFO 119864119894) lowast Receive 119904id 119901119899id 119904INFO and the remaining energy lowastif 119904id ltgt Ontology [] then lowast Check whether the sensor node is constructed in the Ontology lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastif Pattern (119904) = Pattern (119860119872)lowast Check whether the receive information is different from attack knowledge lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastelse if broadcast 119860[] to 119862id lowast Broadcast isolation table to CH to back up lowastend for
Algorithm 3 Algorithm of the intrusion detection stage of OWIDS
Base station
energy (08) hop (02) ST (09) energy (03)
hop (08) ST (08)
hop (02)ST (07)
energy (075) ST (06)
energy (03) ST (07)
energy (075) hop (02) ST (07)
068
047pn1
pn3
pn4
pn5
pn2
s1
Figure 4 An example of membership calculation
node is a sensor node to do detection but its energy is limitedThe OWIDS does not train detection mechanism on patrolnode and only the cluster head transmits detection rules topatrol nodes The patrol nodes detect attacks by rotation toreduce the overall WSN energy consumption and extend thelifetime of the WSN When the duty of the patrol nodes isover the CH will collect the WSN information and transmitit to the base station The BS analyzes the informationtrains the detection data and constructs the ontology againThus the detection knowledge can be adjusted accordingto the WSN environment To improve the accuracy ofthe intrusion detection the system repeats the detectionknowledge training to remove less frequently used data untilthe knowledge converges This reduces the features of thedetection knowledge and makes the detection knowledgemore lightweight
The WSN is a self-organizing network meaning that therouting table will be changed The clustering system of theWSN will change cluster heads periodically The WSN as awhole thus cannot keep isolating anomalous nodes Rede-tection of anomalous nodes consumes energy This paperthus proposes an isolation table recorded in the base station[20] If new cluster heads are assigned or the entire WSNis changed the patrol maintains isolation of anomaly nodesusing the isolation table Intruders thus cannot attack theWSN through isolated anomaly nodes reducing redetectionenergy consumption
4 Experimental Results
The system performance was evaluated by network sim-ulation (NS-2) The experimental hardware environmentsconsisted of an Intel Core 2 i5-2410M CPU 230GHzNotebook with 8GB RAM and was implemented under theWindows 7 operating system The area for the simulationof the WSN was within 10000 square meters The field isstatic and deploys 300 sensor nodes randomly each with abroadcast radius of 50m The OWIDS uses a protegee toconstruct the ontology The behaviors of the attacker weregenerated by a Java program The attacks were randomlygenerated by different kinds of attack patterns For exampleSybil attacks were generated every 20 seconds but theattackers will masquerade different kinds of roles randomlysuch as cluster head sensor node The OWIDS detects Sybilattacks using the relationship of ontology In addition theexperiment was meant to simulate transmission packages inwireless sensor networksThe communications of packets canbe captured byOWIDSThedatawas collected from theWSNpackets of NS-2 simulator The data set can be divided intotwo protocols the training data and the testing data Thepackets are randomly selected for training and testing
Before using SVM classification the system performa data scaling operation to increases the accuracy whilereducing complexity The system kernel is RBF 119870(119909 119910) =
ℓminus119892119909minus119910
2
The systemwill classify the attributes of the features
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
8 International Journal of Distributed Sensor Networks
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Patrol node number
Sensor node number
Energy(J)
Sense data type
The membership value between each relevance object
Relation type
Subclass
Hops
Hops
Figure 3 The information of the concept of nodes in ontology
(ST) the distance to the cluster head (hop) and membershipvalue between each relevant object
33 Intrusion Detection Stage The attackers that intrudewireless sensor network can be divided into two stagespreparatory phase the attack and destruction phase Theattack behaviours of attack and destruction phase includesinkhole attack blackhole attack and hello flooding Inorder to obtain the required information of attack anddestruction phase the attackers apply Sybil attack to disguisevarious roles The behaviours of attack phase used differ-ent transmission technology to burn entire network evencause WSN unusable All the above behaviours are calledanomaly behaviours The assignment system will completethe information for the integration of the environmentalanalysis The ontology contains the entire relationship of theWSNThe system can preselect the knowledge based on thoseenvironmental attacks The ontology can thus detect illegalnodes in the WSNThe rules are shown in Algorithm 3
The WSN is usually deployed unequally causing it torapidly consume energy We have proposed a PIDS usingdetection knowledge to detect anomalies [11] The PIDS istransferred between patrol nodes to detect whether neighbor-ing nodes exhibit anomalies The PIDS will choose differentdetection knowledge in different environments The PIDSmerely requires a portion of the detection knowledge todetect an anomaly which reducesWSN energy consumptionThe architecture of the OWIDS combines the PIDS with theontologyTheOWIDS is transferred between the patrol nodesto detectwhether neighbouring nodes are anomalous Similar
to the PIDS the OWIDS will choose different detectionknowledge in different environments It requires merely aportion of the detection knowledge to detect anomaliesreducing WSN energy consumption The system will matchthe database and the attack pattern If there appears to benonselected detection knowledge the detection knowledgewill be added The intrusion detection mechanisms werecomputed on the base station The classification methodof detection knowledge is described in the following para-graphs
The detection knowledge is classification by supportvector machine (SVM) [21] The proposed method provideda strong argument for the improvement of WSN intrusiondetection systems The SVM uses a high dimension spaceto find a hyperplane to perform binary classification to findminimal error rate Notably the SVM is able to handle theproblem of linear inseparability The SVM uses a portion ofthe data to train the system finding several support vectorswhich represent the training data These support vectorswill be formed into a model by the SVM representing acategory According to this model the SVM will classify agiven unknown document A basic input data format and anoutput data domain are given as follows
(119909119894 119910119894) (119909
119899 119910119899) 119909 isin 119877
119898 119910 isin +1 minus1 (7)
where (119909119894 119910119894) (119909
119899 119910119899) are training data 119899 is the number
of samples119898 is the input vector and 119910 belongs to category of+1 or minus1
Regarding linear problems a hyperplane can be dividedinto two categories The hyperplane formula is
(119908 sdot 119909) + 119887 = 0 (8)
The category formula is
(119908 sdot 119909) + 119887 ge 0 if 119910119894= +1
(119908 sdot 119909) + 119887 le 0 if 119910119894= minus1
(9)
However it is not easy to find hyperplanes with which toclassify the dataThe SVMhas several kernel functions whichusers can apply to solve different problems As such selectingthe appropriate kernel function can solve the problem oflinear inseparability Also internal product operations affectthe classification function and a suitable inner product func-tion119870(119883119894 sdot 119883119895) can solve certain linear inseparable problemswithout increasing the complexity of the calculation Originaldata includes 31 features tagged with numbers from 0 to 30The system will convert the contents of the 31 features intonumeric values For instance the first element is ldquoEventrdquo andthe parameter is ldquo119904rdquo which is mapped to ldquo0 01rdquo An exampleof SVM data is shown in Figure 9 The OWIDS combinesontology with detection knowledge The patrol nodes carrypart of ontology to detect Sybil attack and the detectionknowledge is used to detect sinkhole blackhole and helloflooding
The ontology is divided into several parts depending onthe region of the patrol node The system sends detectionknowledge and the ontology to the cluster head The patrol
International Journal of Distributed Sensor Networks 9
lowast Intrusion Detection Stage lowastfor each neighbor of patrol node s doreceive (119904id 119901119899id 119904INFO 119864119894) lowast Receive 119904id 119901119899id 119904INFO and the remaining energy lowastif 119904id ltgt Ontology [] then lowast Check whether the sensor node is constructed in the Ontology lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastif Pattern (119904) = Pattern (119860119872)lowast Check whether the receive information is different from attack knowledge lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastelse if broadcast 119860[] to 119862id lowast Broadcast isolation table to CH to back up lowastend for
Algorithm 3 Algorithm of the intrusion detection stage of OWIDS
Base station
energy (08) hop (02) ST (09) energy (03)
hop (08) ST (08)
hop (02)ST (07)
energy (075) ST (06)
energy (03) ST (07)
energy (075) hop (02) ST (07)
068
047pn1
pn3
pn4
pn5
pn2
s1
Figure 4 An example of membership calculation
node is a sensor node to do detection but its energy is limitedThe OWIDS does not train detection mechanism on patrolnode and only the cluster head transmits detection rules topatrol nodes The patrol nodes detect attacks by rotation toreduce the overall WSN energy consumption and extend thelifetime of the WSN When the duty of the patrol nodes isover the CH will collect the WSN information and transmitit to the base station The BS analyzes the informationtrains the detection data and constructs the ontology againThus the detection knowledge can be adjusted accordingto the WSN environment To improve the accuracy ofthe intrusion detection the system repeats the detectionknowledge training to remove less frequently used data untilthe knowledge converges This reduces the features of thedetection knowledge and makes the detection knowledgemore lightweight
The WSN is a self-organizing network meaning that therouting table will be changed The clustering system of theWSN will change cluster heads periodically The WSN as awhole thus cannot keep isolating anomalous nodes Rede-tection of anomalous nodes consumes energy This paperthus proposes an isolation table recorded in the base station[20] If new cluster heads are assigned or the entire WSNis changed the patrol maintains isolation of anomaly nodesusing the isolation table Intruders thus cannot attack theWSN through isolated anomaly nodes reducing redetectionenergy consumption
4 Experimental Results
The system performance was evaluated by network sim-ulation (NS-2) The experimental hardware environmentsconsisted of an Intel Core 2 i5-2410M CPU 230GHzNotebook with 8GB RAM and was implemented under theWindows 7 operating system The area for the simulationof the WSN was within 10000 square meters The field isstatic and deploys 300 sensor nodes randomly each with abroadcast radius of 50m The OWIDS uses a protegee toconstruct the ontology The behaviors of the attacker weregenerated by a Java program The attacks were randomlygenerated by different kinds of attack patterns For exampleSybil attacks were generated every 20 seconds but theattackers will masquerade different kinds of roles randomlysuch as cluster head sensor node The OWIDS detects Sybilattacks using the relationship of ontology In addition theexperiment was meant to simulate transmission packages inwireless sensor networksThe communications of packets canbe captured byOWIDSThedatawas collected from theWSNpackets of NS-2 simulator The data set can be divided intotwo protocols the training data and the testing data Thepackets are randomly selected for training and testing
Before using SVM classification the system performa data scaling operation to increases the accuracy whilereducing complexity The system kernel is RBF 119870(119909 119910) =
ℓminus119892119909minus119910
2
The systemwill classify the attributes of the features
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 9
lowast Intrusion Detection Stage lowastfor each neighbor of patrol node s doreceive (119904id 119901119899id 119904INFO 119864119894) lowast Receive 119904id 119901119899id 119904INFO and the remaining energy lowastif 119904id ltgt Ontology [] then lowast Check whether the sensor node is constructed in the Ontology lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastif Pattern (119904) = Pattern (119860119872)lowast Check whether the receive information is different from attack knowledge lowast
then 119860[] = (119904id 119901119899id 119860119899) lowast Record 119904id 119901119899id and anomaly information lowastelse if broadcast 119860[] to 119862id lowast Broadcast isolation table to CH to back up lowastend for
Algorithm 3 Algorithm of the intrusion detection stage of OWIDS
Base station
energy (08) hop (02) ST (09) energy (03)
hop (08) ST (08)
hop (02)ST (07)
energy (075) ST (06)
energy (03) ST (07)
energy (075) hop (02) ST (07)
068
047pn1
pn3
pn4
pn5
pn2
s1
Figure 4 An example of membership calculation
node is a sensor node to do detection but its energy is limitedThe OWIDS does not train detection mechanism on patrolnode and only the cluster head transmits detection rules topatrol nodes The patrol nodes detect attacks by rotation toreduce the overall WSN energy consumption and extend thelifetime of the WSN When the duty of the patrol nodes isover the CH will collect the WSN information and transmitit to the base station The BS analyzes the informationtrains the detection data and constructs the ontology againThus the detection knowledge can be adjusted accordingto the WSN environment To improve the accuracy ofthe intrusion detection the system repeats the detectionknowledge training to remove less frequently used data untilthe knowledge converges This reduces the features of thedetection knowledge and makes the detection knowledgemore lightweight
The WSN is a self-organizing network meaning that therouting table will be changed The clustering system of theWSN will change cluster heads periodically The WSN as awhole thus cannot keep isolating anomalous nodes Rede-tection of anomalous nodes consumes energy This paperthus proposes an isolation table recorded in the base station[20] If new cluster heads are assigned or the entire WSNis changed the patrol maintains isolation of anomaly nodesusing the isolation table Intruders thus cannot attack theWSN through isolated anomaly nodes reducing redetectionenergy consumption
4 Experimental Results
The system performance was evaluated by network sim-ulation (NS-2) The experimental hardware environmentsconsisted of an Intel Core 2 i5-2410M CPU 230GHzNotebook with 8GB RAM and was implemented under theWindows 7 operating system The area for the simulationof the WSN was within 10000 square meters The field isstatic and deploys 300 sensor nodes randomly each with abroadcast radius of 50m The OWIDS uses a protegee toconstruct the ontology The behaviors of the attacker weregenerated by a Java program The attacks were randomlygenerated by different kinds of attack patterns For exampleSybil attacks were generated every 20 seconds but theattackers will masquerade different kinds of roles randomlysuch as cluster head sensor node The OWIDS detects Sybilattacks using the relationship of ontology In addition theexperiment was meant to simulate transmission packages inwireless sensor networksThe communications of packets canbe captured byOWIDSThedatawas collected from theWSNpackets of NS-2 simulator The data set can be divided intotwo protocols the training data and the testing data Thepackets are randomly selected for training and testing
Before using SVM classification the system performa data scaling operation to increases the accuracy whilereducing complexity The system kernel is RBF 119870(119909 119910) =
ℓminus119892119909minus119910
2
The systemwill classify the attributes of the features
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
10 International Journal of Distributed Sensor Networks
WSN Domain layer
Brightness Category layerHumidity Temperature
Patrol nodes layer
Belong-to Belong-to
Sensor nodelayer
086
082
Instance of
Sensor node 2513
Humidity temperature
hop (02) ST (05)
Instance of
092
Instance of
Sensor node 3152
Temperature
hop (03) ST(1)
086
Instance of091
Instance of042
Patrol node 1
Temperature humidity
Sensor node 3241
Patrol node 4
Humidity temperature
Sensor node 0231
Patrol node 2
Brightness temperature
energy (088 ) hop (03) ST (05)
Sensor node 0092
Patrol node 3
Temperature
energy (098) hop (05) ST (1)
Sensor node 2541
Patrol node 5
Temperature
Sensor node 1576
Patrol node 2
Temperature brightness
Sensor node 4561
Sensor node 1254
Humidity temperature
hop (017) ST (05)
Patrol node 4
Patrol node 4
Sensor node 6829
Humidity temperature
hop (025) ST (05)
Patrol node 2
Patrol node 3
ST (05)energy (1) hop (1) pn1
pn2 pn3
middot middot middot
middot middot middot
057
Hop = 1
Hop = 3
Hop = 10
Hop = 6Hop = 3
Hop = 5 Hop = 4
Hop = 3
Hop = 3 Hop = 2
E = 2J E = 176J
E = 126J
E = 186J
E = 076JE = 2J
E = 094J E = 196j
E = 164J
E = 196J
energy (063) hop (03) ST (05)pn4 energy (082)
hop (03) ST (1) pn5
hop (01) ST(05) energy (093 ) S4561 energy (047) S2513 energy (098) S6829
energy (038) S1254 energy (1) S3152
pn2
pn4 pn5
Figure 5 An example of ontology construction
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 11
prior to preprocessing and use the SVM to train and testprocesses The output of SVM is 1 or minus1 If the output is 1there is an intrusion behavior on the model If the outputis minus1 it is normal The distribution of training data andtesting data are shown in Table 1 Specifically the user canemploy this model to evaluate the IDS 27 feature values areused to train three SVMmodels and to compare the accuracyof the three models [21]
This experiment compared OWIDS with the PIDS basedon energy consumption transmission accuracy and per-formance The attack behaviour is camouflaged as differentroles in the WSN The implementation environment is listedin Table 2 The total simulation time was 3600 sec Theattacks were randomly executed every 20 sec with attacksbeginning at six hundred sec The experiment assumes thatthe preprocessing stage is secure for attacks The maximumconnection meaning the maximum number of connections(end-to-end connection) used in the simulation was 80The experimental IDS was intended to simulate transmissionpackages in wireless sensor networks The IDS integratescommunications of packages and analyzes them
To estimate the performance of the OWIDS system threeimportant formulas and an indicator method are used toevaluate system accuracy attack detection rate (ADR) falsepositive rate (FPR) system accuracy (SA) and live nodes(indicator) The ADR represents the number of attacks thatthe IDS has detected out of the total number of attacks TheFPR represents the number of normal processes that theIDS has misclassified The accuracy rate is the total numberof processes the IDS has classified correctly The live nodesrepresent the number of useful nodes in the entire WSNwhich tests the loading of our methods and its performance
Attack Detection Rate
=Total number of detected attacks
Total number of attackstimes 100
False Positive Rate
=Total number of misclassified processes
Total number of normal processestimes 100
Accuracy Rate
=Total number of correct classified processes
Total number of processestimes 100
(10)
In this section we present three experimental resultsfor the OWIDS The first experimental method focuses onthe percentage of patrol nodes The patrol node is a kindof sensor node The BS chooses patrol nodes to executethe IDS The percentage of sensor nodes which should bepatrol nodes is a key issue Second the energy consumptionand remaining resources are present in the live nodes Thethird experimental method focuses on the ADR FPR andSA of the OWIDS Thus two types of experiments wereimplemented comparison of the number of live nodes across
Table 1 The training data and test data
Original Train TestNormal 80641 24192 7258Sinkhole 3568 1070 321Blackhole 5368 1610 483Hello flooding 44084 13225 3968Total 133661 40098 12029
Table 2 Implementation environment
Parameter ValuesSensor nodes 50 150 300Patrol nodes (20 of sensor nodes) 10 30 60WSN size 1000 lowast 1000 (m2)Starting energy 2 JTransmission radius 50mTransmission consumption 0036wReceive consumption 0024w
the non-IDS PIDS and OWIDS and comparison of thetransmission accuracy with PIDS
41 Percentage of Patrol Nodes The patrol node is used todetect abnormal behaviours OWIDS needs to balance thenumbers of patrol nodes and the overall life cycle of wirelesssensor networks From the experiment results twenty per-centages of patrol nodes can provide better detection resultsThe percentage of patrol nodes was set between 10 and 40at intervals of 10 The experiments are divided into 50 150and 300 sensor nodes These numbers are used to calculatethe suggested percentage of patrol nodes The experimentalresults are shown in Tables 3 4 and 5
The experimental results show that 30 and 40 yieldthe highest accuracy However the lifecycle of entire WSN isshorter than that when 10 and 20 are used The lifecycleof 10 is the longest but its accuracy is the lowest WhenOWIDS sets the patrol node percentage to 10 the loading isthe lightest However for theOWIDS at 10 the patrol nodeslack sufficient data to be compared with each other meaningthat the accuracy is the lowestThe accuracy of the case of 20patrol nodes is close to that of the case of 30 or 40 patrolnodes Hence the system selected 20 of whole sensor nodesas patrol nodes to do detection to save energy
42 Live Nodes of OWIDS The first simulation is shown inFigures 6 7 and 8The number of live nodes is defined as thenumber of sensor nodes in theWSN that still work normallyThe normal IDS trains detection features and translates theentire IDS onto the sensor nodes This consumes the WSNenergymore rapidlyThe lightweight IDS trains the detectionmethod on the base station and uses filtered features to detectintrusions In this case the IDS ismore lightweight and nodesremain alive longer Since a WSN may be used in manyapplications our method is implemented in eight situations
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
12 International Journal of Distributed Sensor Networks
Table 3 Percentage of patrol nodes (50 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 5 9835 8520 10 9573 9330 15 8952 9440 20 8703 94
Table 4 Percentage of patrol nodes (150 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 15 9605 8120 30 9495 9630 45 8864 9640 60 8518 97
Table 5 Percentage of patrol nodes (300 sensor nodes)
Percent of patrolnodes () Patrol nodes Lifecycle (sec) Accuracy ()
10 30 9598 7920 60 9468 9630 90 8867 9740 120 8361 97
The live nodes experiment has six situations no IDS andno attack no IDS but faces attacks loads PIDS but no attacksloads PIDS and faces attacks loads OWIDS but no attacksand loads OWIDS and faces attacks The overhead for PCHmonitoring is high if the notion of collaborative monitoringis absent If the patrol nodes are too few an intruder caneasily infiltrate the network The OWIDS combines PIDSand the ontology to detect anomalies Though it consumesmore energy than the PIDS the energy expenditure is nearlyidentical We simulate 50 150 and 300 sensor nodes in thenon-IDS PIDS and OWIDS Results show that the lifetimeof a sensor node is longest using OWIDS and that the sensornodes die slowly The MN sends data to the RN but not toany MN The RN obtains information directly from the MNThe connections between the RN and the PCH are similarmeaning that the OWIDS consumes less energy in gatheringdata andmonitoring theWSNTheOWIDS takes a part of theontology from PIDS The energy consumption of PIDS andOWIDS is similar in the no attack environment In Figures 6ndash8 there are more sensor nodes in theWSN meaning that thesystem hasmore patrol nodes to detect anomalies Hence theOWIDS detects misbehaviour more effectively The results ofthe simulation show that the OWIDS can easily be loadedonto the WSN
43 ADR FPR and SA of OWIDS The second simulationaddresses the attack detection rate the false positive rateand the accuracy rate in PIDS and OWIDS as shown inTable 6The total number of simulation packages is 1065474
0
10
20
30
40
50
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 6 The case of 50 sensor nodes in alive nodes
50
100
150
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 7 The case of 150 sensor nodes in alive nodes
100140180220260300
0 600 1200 1800 2400 3000 3600
Sens
or n
odes
(s)
Have no IDS and have no attack
Have no IDS but have attacks
Load PIDS but have no attacks
Load PIDS and have attacks
Load OWIDS but have no attacks
Load OWIDS and have attacks
Figure 8 Case of 300 sensor nodes in live nodes
which include 1697 attack packages and 1063777 normalpackages In the PIDS patrol nodes carry attack knowledgeto detect anomalies The false positive rate is higher andthe attack detection rate is lower than that of OWIDS TheOWIDS appends the relationships of ontology making iteasier to detect illegal sensor nodes in the WSN The system
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of Distributed Sensor Networks 13
Table 6 Accuracy attack detection rate and false positive rate of OWIDS
IDS method Attack detection rate False positive rate AccuracyPIDS (15351697) 9045 (1414451063777) 1329 (9532871063777) 8961OWIDS (16651697) 9811 (401221063777) 377 (10253521063777) 9639
Table 7 The accuracy rate of detection classification
IDS method Sybil attack Sinkhole Blackhole Hello floodingPIDS (136150) 9067 (118130) 9077 (5562) 8871 (12261355) 9048OWIDS (145150) 9667 (128130) 9846 (5762) 9194 (13351355) 9852
Original Datas -t 1000000000 -Hs 8 -Hd -2 -Ni 8 -Nx 203200 -Ny 69300 -Nz 000 -Ne -1000000 -Nl AGT -Nw mdash -Ma 0 -Md 0-Ms 0 -Mt 0 -Is 80 -Id 40 -It cbr -Il 1000 -If 0 -Ii 0 -Iv 32 -Pn cbr -Pi 0 -Pf 0 -Po 0SVM Input Data0 01 1 1000000000 2 8 3minus2 4 8 5 203200 6 69300 7 000 8minus1000000 9 1 10 0 11 0 12 0 13 0 14 0 15 8016 40 17 1 18 1000 19 0 20 0 21 32 22 1 23 0 24 0 25 0 26 0 27 0 28 0 29 0 30 0
Figure 9 The SVM input data
accuracy of PIDS and OWIDS is higher than 8961 thetolerance value of the IDS in the WSN The results of thesecond simulation show that theOWIDSdetects attacksmoreeffectively
The attack packages include four types of attacks Sybilattack sinkhole attack blackhole attack and hello floodingthe detailed detection classification is shown in Table 7 Thesystem simulates 150 Sybil attacks 130 sinkhole attacks 62blackhole and 1355 hello flooding attacks The results ofaccuracy rate are shown in Table 7 The accuracy rate ofdetection classification is better than 90 and OWIDS isbetter than PIDS The results of the second simulation showthat the OWIDS detects attacks more effectively
5 Conclusions and Future Work
In this paper a preliminary research of intrusion detectionsystems based on domain ontology is proposed and therelevance of a lightweight patrol intrusion detection systemis explored A major finding is that the effect of ontology canbe observed in attack detection at all levels of the wirelesssensor network The results indicated that the constructedontology relationship between the WSNs can detect attackseffectively This implies that an ontology indicating each roleand its membership in the WSN could be constructed forother attack types This research leads to an ontology-basedintrusion detection system which allows us to study the rela-tionship mechanism involving patrol node status and sensornodes Such ontologies can also be applied to reduce theburden of lightweight intrusion detection systems onwirelesssensor networks In general they will be useful in improvingthe lifecycle of wireless sensor networks and particularly theusability of intrusion detection systems for wireless sensornetworks This research can also serve to reinforce the useof soft computing technology for intrusion detection systemsand to systematize preprocessing technology to reduce thefeatures of the intrusion detection system The attacker may
intrude network in preprocessing stage The preprocessingsecurity issuewill be solved in the future workThis ontology-based intrusion detection system remains experimental onlyand much work remains to be done More must be knownabout constructing ontologies to detect different types ofattacks in wireless sensor networks There is a continuingneed for an adequate theoretical basis for the practicalapplication of ontology-based intrusion detection systems
Conflict of Interests
In this paper the specifications and brand of CPUdo not haveany financial relationship with the commercial identities
Acknowledgments
This work is partially supported by the National ScienceCouncil (NSC) Taiwan with Project no NSC-99-2221-E-324-021 The authors also express many thanks for thecomments from the reviewers that improved the paper
References
[1] I F Akyildiz W Su Y Sankarasubramaniam and E CayircildquoWireless sensor networks a surveyrdquo Computer Networks vol38 no 4 pp 393ndash422 2002
[2] T P Hong and C H Wu ldquoAn improved weighted clusteringalgorithm for determination of application nodes in hetero-geneous sensor networksrdquo Journal of Information Hiding andMultimedia Signal Processing vol 2 no 2 pp 173ndash184 2011
[3] J Newsome E Shi D Song and A Perrig ldquoThe Sybil attack insensor networks analysis amp defensesrdquo in Proceedings of the 3rdInternational Symposium on Information Processing in SensorNetworks (IPSN rsquo04) pp 259ndash268 April 2004
[4] W-H Chen S-H Hsu and H-P Shen ldquoApplication of SVMand ANN for intrusion detectionrdquo Computers and OperationsResearch vol 32 no 10 pp 2617ndash2634 2005
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
14 International Journal of Distributed Sensor Networks
[5] Z Pawlak ldquoRough setsrdquo International Journal of Computer ampInformation Sciences vol 11 no 5 pp 341ndash356 1982
[6] A N Toosi and M Kahani ldquoA new approach to intrusiondetection based on an evolutionary soft computingmodel usingneuro-fuzzy classifiersrdquoComputer Communications vol 30 no10 pp 2201ndash2212 2007
[7] A Patwardhan J Parker M Iorga A Joshi T Karygiannisand Y Yesha ldquoThreshold-based intrusion detection in ad hocnetworks and secure AODVrdquoAdHoc Networks vol 6 no 4 pp578ndash599 2008
[8] R-C Chen and C-H Hsieh ldquoWeb page classification based ona support vectormachine using aweighted vote schemardquoExpertSystems with Applications vol 31 no 2 pp 427ndash435 2006
[9] G Song J Zhang and Z Sun ldquoThe research of dynamic changelearning rate strategy in BP neural network and applicationin network intrusion detectionrdquo in Proceedings of the 3rdInternational Conference on Innovative Computing Informationand Control (ICICIC rsquo08) pp 514ndash517 June 2008
[10] RCChenC J Yeh andC T Bau ldquoMerging domain ontologiesbased on the WordNet system and Fuzzy Formal ConceptAnalysis techniquesrdquoApplied SoftComputing Journal vol 11 no2 pp 1908ndash1923 2011
[11] R C Chen Y F Haung and C F Hsieh ldquoRanger intrusiondetection system for wireless sensor networks with sybil attackbased on ontologyrdquo in Proceedings of the 10th WSEAS Interna-tional Conference on Applied Informatics and Communications2010
[12] M A Simplıcio Jr P S L M Barreto C B Margi and T CM B Carvalho ldquoA survey on key management mechanisms fordistributedWireless SensorNetworksrdquoComputerNetworks vol54 no 15 pp 2591ndash2612 2010
[13] M Depren E Topallar andM Kemal ldquoAn intelligent intrusiondetection system (IDS) for anomaly and misuse detection incomputer networksrdquo Expert Systems with Applications vol 29no 4 pp 713ndash722 2005
[14] S Tilak B Abu-Ghazaleh and W A Heinzelman ldquoTaxonomyof wireless micro-sensor network modelsrdquo Mobile Computingand Communications Review vol 6 no 2 pp 28ndash36 2002
[15] J Undercoffer A Joshi and J Pinkston ldquoModeling computerattacks an ontology for intrusion detectionrdquo Computer Sciencevol 2820 pp 113ndash135 2003
[16] N Cuppens-Boulahia F Cuppens F Autrel and H DebarldquoAn ontology-based approach to react to network attacksrdquoInternational Journal of Information and Computer Security vol3 no 3-4 pp 280ndash305 2009
[17] H-C Hsieh J-S Leu and W-K Shih ldquoReaching consensusunderlying an autonomous local wireless sensor networkrdquoInternational Journal of Innovative Computing Information andControl vol 6 no 4 pp 1905ndash1914 2010
[18] W K Lai C-S Fan and C-S Shieh ldquoOptimal cluster sizefor balanced power consumption in wireless sensor networksrdquoICIC Express Letters vol 6 no 2 pp 1471ndash1476 2012
[19] T T Quan S C Hui A C M Fong and T H CaoldquoAutomatic Fuzzy ontology generation for semanticWebrdquo IEEETransactions on Knowledge and Data Engineering vol 18 no 6pp 842ndash856 2006
[20] R-C Chen C-F Hsieh and Y-F Huang ldquoAn isolation intru-sion detection system for hierarchical wireless sensor networksrdquoJournal of Networks vol 5 no 3 pp 335ndash342 2010
[21] C F -Hsieh K F Cheng Y F Huang and R C Chen ldquoAnintrusion detection system for Ad Hoc networks with multi-attacks based on a support vector machine and rough settheoryrdquo Journal of Convergence Information Technology vol 8no 2 pp 767ndash776 2013
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
International Journal of
AerospaceEngineeringHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
RoboticsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Active and Passive Electronic Components
Control Scienceand Engineering
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
RotatingMachinery
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporation httpwwwhindawicom
Journal ofEngineeringVolume 2014
Submit your manuscripts athttpwwwhindawicom
VLSI Design
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Shock and Vibration
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Civil EngineeringAdvances in
Acoustics and VibrationAdvances in
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Electrical and Computer Engineering
Journal of
Advances inOptoElectronics
Hindawi Publishing Corporation httpwwwhindawicom
Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
SensorsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Chemical EngineeringInternational Journal of Antennas and
Propagation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Navigation and Observation
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
DistributedSensor Networks
International Journal of
Recommended