Content uploaded by Michael Savva
Author content
All content in this area was uploaded by Michael Savva on Mar 11, 2025
Content may be subject to copyright.
Department of Computer Science
A Framework for the Detection, Localization, and
Recovery from Jamming Attacks in the Internet of Things
Michalis Savva
A Dissertation Submitted in Partial Fulfillment of the
Requirements for the Degree of Doctor of Philosophy at the University of Cyprus
June, 2024
©Copyright by
Michalis Savva
All Rights Reserved
2024
APPROVAL PAGE
Michalis Savva
A Framework for the Detection, Localization, and Recovery from Jamming Attacks
in the Internet of Things
The present Doctorate Dissertation was submitted in partial fulfillment of the requirements for
the Degree of Doctor of Philosophy in the Department of Computer Science and was approved
on June, 2024 by the members of the Examination Committee.
Committee Chair
Assoc. Prof. Elias Athanassopoulos
Research Supervisor
Assoc. Prof. Vasos Vassiliou
Committee Member
Asst. Prof. Panagiotis Kolios
Committee Member
Prof. Christos Douligeris
Committee Member
Asst. Prof. Angelos Marnerides
iii
DECLARATION OF DOCTORAL CANDIDATE
The present doctoral dissertation was submitted in partial fulfillment of the require-
ments for the degree of Doctor of Philosophy of the University of Cyprus. It is a
product of original work of my own, unless otherwise mentioned through references,
notes, or any other statements.
Michalis Savva
iv
Abstract
Internet of Things (IoT) devices face unique security challenges due to their inher-
ent limitations such as limited storage, low computational power, and energy-efficient
wireless communication. Traditional security measures, designed for the legacy Inter-
net, fail to adequately protect IoT devices and networks. Particularly vulnerable are
Wireless Sensor Networks (WSN) and IoT networks that are susceptible to jamming—a
type of attack that significantly threatens wireless networks due to their open nature
and the simplicity of launching such attacks. Perpetrators can initiate jamming without
specialized hardware or in-depth knowledge of the targeted system. Despite advances
in wireless technologies, the ability to thwart jamming attacks in real-world scenar-
ios remains limited, as evidenced by the vulnerability of current security protocols of
cellular and Wi-Fi networks.
This thesis addresses the critical need for practical anti-jamming strategies to en-
hance the security of wireless networks, particularly against intelligent jammers that
employ advanced machine-learning algorithms to adapt to more sophisticated attack
methods such as constant, deceptive, random, or reactive jamming. These intelligent
attackers can adjust their strategies and even manipulate detection systems to evade
identification.
To counter these threats, this dissertation introduces a novel lightweight security
framework that utilizes fuzzy logic algorithms to enhance the detection, localization,
v
and recovery mechanisms against jamming attacks in IoT networks. The framework
employs network layer metrics to detect jamming at the node level, utilizes a modi-
fied multilateration technique to accurately locate jammers, and implements recovery
strategies by blacklisting the affected nodes and rerouting traffic within the RPL net-
work.
This thesis makes several noteworthy contributions representing a significant IoT
security advancement. By applying fuzzy logic to combine crucial metrics from the
data link and network layers, the proposed framework not only detects jamming
incidents, but also precisely pinpoints their origin, which is essential for effective mit-
igation. This thesis performs accurate real-time detection and localization using data
link and network-layer metrics collected and processed at the edge. Furthermore,
the framework’s capability to blacklist and recover from compromised network paths
introduces a dynamic recovery mechanism that enhances network resilience. Addi-
tionally, this thesis introduces a novel jammer called the complex jammer, in which the
proposed framework has been accurately identified. Moreover, the framework effec-
tively demonstrates the suitability of fuzzy logic for accurately recognizing multiple
jamming attacks in diverse situations, with high accuracy, low memory usage, and
quick execution.
The effectiveness of this framework was validated through extensive simulations,
demonstrating its capability to handle multiple jammers and adapt to evolving jam-
ming strategies, thus significantly improving the resilience of IoT networks against
these pervasive threats.
vi
Περίληψη
Οι συσκευές στο Διαδίκτυο των Πραγμάτων αντιμετωπίζουν μοναδικές προκλήσεις α-
σφαλείας λόγω των εγγενών περιορισμών τους, όπως η περιορισμένη αποθηκευτική χωρη-
τικότητα, η χαμηλή υπολογιστική ισχύς και η ανάγκη για ενεργειακά αποδοτική ασύρματη
επικοινωνία. Τα παραδοσιακά μέτρα ασφαλείας, σχεδιασμένα για το κλασικό Διαδίκτυο, α-
ποτυγχάνουν να προστατεύσουν επαρκώς τις συσκευές και τα δίκτυα ΙοΤ. Ιδιαίτερα ευάλωτα
είναι τα Ασύρματα Δίκτυα Αισθητήρων και τα δίκτυα στο Διαδίκτυο των Πραγμάτων, τα
οποία είναι επιρρεπή σε επιθέσεις τύπου παρεμβολών, μία από τις σοβαρότερες απειλές για
τα ασύρματα δίκτυα, εξαιτίας της ανοιχτής τους φύσης και της ευκολίας εκτέλεσης τέτοιων
επιθέσεων. Οι επιτιθέμενοι μπορούν να εκτελέσουν επιθέσεις παρεμβολών χωρίς εξειδικευ-
μένο εξοπλισμό ή προηγμένες γνώσεις του στοχευμένου συστήματος. Παρά την πρόοδο
στις ασύρματες τεχνολογίες, η δυνατότητα αντιμετώπισης τέτοιων επιθέσεων σε πραγμα-
τικές συνθήκες παραμένει περιορισμένη, όπως φαίνεται από τις ευπάθειες στα πρωτόκολλα
ασφαλείας των ασύρματων δικτύων και δικτύων κινητής τηλεφωνίας. Αυτή η διατριβή αντι-
μετωπίζει την επιτακτική ανάγκη για πρακτικές στρατηγικές ενάντια στις επιθέσεις παρεμβο-
λων, με στόχο την ενίσχυση της ασφάλειας των ασύρματων δικτύων. Εστιάζει ιδιαίτερα σε
έξυπνους επιτιθέμενους, οι οποίοι αξιοποιούν προηγμένους αλγόριθμους μηχανικής μάθησης
για να προσαρμόζουν εξελιγμένες μεθόδους επίθεσης, όπως το συνεχές, παραπλανητικό, τυ-
χαίο ή αντιδραστικό παρεμβολέα. Αυτοί οι επιτιθέμενοι μπορούν να προσαρμόζουν δυναμικά
vii
τις στρατηγικές τους και να παρακάμπτουν συστήματα ανίχνευσης, καθιστώντας τους ιδια-
ίτερα επικίνδυνους. Για την αντιμετώπιση αυτών των απειλών, η παρούσα διατριβή προτείνει
ένα καινοτόμο, ελαφρύ πλαίσιο ασφάλειας που βασίζεται σε αλγορίθμους ασαφούς λογικής.
Το πλαίσιο αυτό ενισχύει τους μηχανισμούς ανίχνευσης, εντοπισμού και ανάκαμψης από
επιθέσεις περαμβολών σε δίκτυα στο Διαδίκτυο των Πραγμάτων. Χρησιμοποιεί μετρήσεις
του επιπέδου δικτύου για την ανίχνευση του παρεμβολέα σε επίπεδο κόμβου, εφαρμόζει μια
τροποποιημένη τεχνική πολυτοπισμού για ακριβή εντοπισμό των επιτιθέμενων και υλοποιεί
δυναμικές στρατηγικές ανάκαμψης, εισάγοντας τους επηρεασμένους κόμβους σε μαύρη λίστα
και αναδρομολογώντας την κυκλοφορία εντός του δικτύου ΡΠΛ. Η διατριβή συνεισφέρει ση-
μαντικά στην ασφάλεια του στο Διαδίκτυο των Πραγμάτων, παρέχοντας ένα ολοκληρωμένο
πλαίσιο που όχι μόνο ανιχνεύει περιστατικά παρεμβολείς αλλά και προσδιορίζει με ακρίβεια
την τοποθεσία τους, που είναι αρκετά κρίσιμο για την αποτελεσματική αντιμετώπιση. Το πλα-
ίσιο επιτυγχάνει ανίχνευση και εντοπισμό σε πραγματικό χρόνο, χρησιμοποιώντας μετρήσεις
από τα επίπεδα σύνδεσης δεδομένων και δικτύου, οι οποίες συλλέγονται και επεξεργάζονται
στην περιφέρεια του δικτύου. Επιπλέον, η δυνατότητα του πλαισίου να εισάγει σε μαύρη
λίστα και να ανακάμπτει από συμβιβασμένα μονοπάτια δικτύου εισάγει έναν δυναμικό μηχα-
νισμό ανάκαμψης, ενισχύοντας την ανθεκτικότητα του δικτύου. Επίσης, η διατριβή εισάγει
έναν νέο τύπο παρεμβολέα, τον «σύνθετο παρεμβολέα», ο οποίος αναγνωρίζεται με ακρίβεια
από το προτεινόμενο πλαίσιο. Το πλαίσιο αποδεικνύει την καταλληλότητα της ασαφούς λο-
γικής για την ακριβή ανίχνευση και αντιμετώπιση πολλαπλών επιθέσεων παρεμβολέων σε
διαφορετικές συνθήκες, με υψηλή ακρίβεια, χαμηλή χρήση μνήμης και γρήγορη εκτέλεση.
Η αποτελεσματικότητα του πλαισίου επιβεβαιώνεται μέσω εκτεταμένων προσομοιώσεων, οι
οποίες αποδεικνύουν την ικανότητά του να διαχειρίζεται πολλαπλούς επιτιθέμενους και να
προσαρμόζεται σε εξελισσόμενες στρατηγικές παρεμβολών, ενισχύοντας σημαντικά την αν-
viii
θεκτικότητα των δικτύων στο Διαδίκτυο των Πραγμάτων απέναντι σε αυτές τις απειλές.
ix
Acknowledgments
I am deeply grateful to all individuals who provided invaluable assistance and
support throughout my Ph.D. journey. Above all, I would like to extend my heartfelt
appreciation to my esteemed supervisor, Associate Professor Dr. Vasos Vassiliou,
whose expert guidance and constructive feedback were indispensable at every step of
the way. Without his mentorship, this thesis would have been impossible.
Dr. Iacovos Ioannou provided invaluable guidance and support during my PhD
studies, helping me overcome the challenges and shape my research.
I am immensely thankful to the Polydorou family and the University of Cyprus
for awarding me the first Scholarship in Memory of Mike Polydorou 2023-24. Their
generous support not only alleviated financial burdens but also motivated me to pursue
excellence in my studies. This opportunity empowers me to focus on advancing my
skills and contributing to the field of Cybersecurity. I deeply appreciate their trust and
investment in my future.
I would like to express my gratitude to my family for their unwavering support. Of
course, I cannot forget to thank my wife, Paraskevi, and my two sons, Charalambos and
Constantinos, for their love, encouragement, understanding, support, and patience.
Their persistent presence drove my success and kept me focused on achieving my
dreams.
x
Acronyms
ACK Acknowledgement
AI Artificial intelligence
ANFIS Adaptive Neuro-Fuzzy Inference System
AoA Angle of Arrival
ATX Average number of required transmissions per packet
BER Bit Error Rate
BPR Bad Packet Ratio
CCA Clear Channel Assessment
CRC Cyclic Redundancy Check
CSMA Carrier Sense Multiple Access
DAO Destination Advertisement Object message
DIO DODAG Information Object messages
DODAG Destination Oriented Directed Acyclic Graph
ETX Expected Transmission Count
FIS Fuzzy Inference System
FLIDS Fuzzy Logic-based IDS
FLJDA Fuzzy Logic-based Jamming Detection Algorithm
FN False Negative
xi
FP False Positive
FPR False Positive Rate
IDS Intrusion Detection System
IoT Internet of Things
JI Jamming Index
MAC Medium Access Control
PDPT Packets Drop per Terminal
PDR Packet Delivery Ratio
PHY Physical Layer
PLR Packet Loss Ratio
PSR Packet Send Ratio
ROC Curve Receiver Operating Characteristic Curve
RPL Routing Protocol for Low-Power and Lossy Networks
RSSI Received Signal Strength Indicator
SNR Signal to Noise Ratio
TDoA Time Difference of Arrival
TDR True Detection Rate
TN True Negative
ToA Time of Arrival
TP True Positive
TPR True Positive Rate
WSN Wireless Sensor Networks
xii
Publications
Published conference proceedings
1. M. Savva, I. Ioannou, and V. Vassiliou, ”Evaluating Localization Algorithms in
IoT Networks Under Jamming Attacks” in proc. of IFIP Networking Conference
(IFIP Networking), 2024, pp. 627-633.
2. M. Savva, I. Ioannou, and V. Vassiliou, ”Detecting Multiple Jammers using Fuzzy-
Logic Intrusion Detection System (FLIDS)” in proc. of 2024 20th International
Conference on Distributed Computing in Smart Systems and The Internet Of
Things (DCOSS-IoT 2024), 2024, pp. 369–376.
3. T. Ahmad, X. J. Li, M. Ashfaq, M. Savva, I. Ioannou and V. Vassiliou ”Location-
enabled IoT (LE-IoT): Indoor Localization for IoT Environments using Machine
Learning” in proc. of 2024 20th International Conference On Distributed Com-
puting In Smart Systems And The Internet Of Things (DCOSS-IoT 2024), 2024,
pp. 392-399.
4. I. Ioannou, M. Savva, M Raspopoulos, and V. Vassiliou, ”Revolutionising IoT
Network Security By Assessing ML Localization Techniques Against Jamming
Attacks” in proc. of 2024 22nd Mediterranean Communication and Computer
Networking Conference (MedComNet), 2024, pp. 1-10.
xiii
5. M. Savva, I. Ioannou, and V. Vassiliou, ”Performance Evaluation of a Fuzzy Logic-
based ids (FLIDS) Technique for the Detection of Different Types of Jamming
Attacks in IoT Networks,” in proc. of 2023 21st Mediterranean Communication
and Computer Networking Conference (MedComNet), 2023, pp. 93–100.
6. M. Savva, I. Ioannou, and V. Vassiliou, ”Fuzzy-logic based IDS for Detecting
Jamming Attacks in Wireless Mesh IoT Networks,” in proc. of 2022 20th Mediter-
ranean Communication and Computer Networking Conference (MedComNet),
2022, pp. 54–63.
Under Review
1. M. Savva, I. Ioannou, and V. Vassiliou, ”Fuzzy Logic-based IDS (FLIDS) for
the Detection of Different Types of Jamming Attacks in IoT Networks” Elsevier
Computer Communications
xiv
Contents
1 Introduction 1
1.1 Motivation.................................... 1
1.2 ProblemStatement ............................... 3
1.3 ThesisContributions .............................. 6
1.4 Thesisorganization............................... 8
2 Background and Related Work 10
2.1 Background ................................... 11
2.1.1 Detection................................. 12
2.1.2 Localization............................... 45
2.1.3 Recovery................................. 51
2.2 RelatedWork .................................. 55
2.2.1 Detection................................. 55
2.2.2 Localization............................... 67
2.2.3 Recovery................................. 76
2.3 Summary..................................... 78
3 Framework for Detection, Localization, and Recovery from Jamming Attacks
in the Internet of Things 79
xv
3.1 JammersDescription .............................. 79
3.1.1 ConstantJammer............................ 80
3.1.2 DeceptiveJammer ........................... 80
3.1.3 RandomJammer ............................ 81
3.1.4 ReactiveJammer ............................ 82
3.1.5 ComplexJammer............................ 83
3.1.6 MultipleJammers............................ 85
3.2 ProposedFramework.............................. 85
3.2.1 Detectionphase............................. 85
3.2.2 Localizationphase ........................... 85
3.2.3 Recoveryphase............................. 86
3.3 Threatmodel................................... 87
3.4 Summary..................................... 88
4 Anomaly Detection for Jamming Attacks using Fuzzy Logic Intrusion Detec-
tion System (FLIDS) 90
4.1 Fuzzy Logic Intrusion Detection System (FLIDS) description . . . . . . . 91
4.1.1 Membership Functions . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.1.2 Selecting Optimal Input Parameters for Fuzzy Logic Intrusion
DetectionSystems ........................... 98
4.1.3 Detection Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 104
4.1.4 FuzzyRules...............................104
4.1.5 Performance Evaluation Metrics . . . . . . . . . . . . . . . . . . . 107
4.1.6 Methodology ..............................110
4.2 Proposed Solution Fuzzy Logic Intrusion Detection System (FLIDS) . . . 113
xvi
4.2.1 Detection Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . 117
4.3 Simulation Set-up and Configuration . . . . . . . . . . . . . . . . . . . . . 118
4.4 Summary.....................................126
5 Jamming Localization Algorithm 127
5.1 Modified Multilateration Localization Algorithm with Weights (MMLAW)128
5.1.1 Localization Module . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.2 Performance Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
5.2.1 Predicted topologies . . . . . . . . . . . . . . . . . . . . . . . . . . 136
5.2.2 Randomtopologies...........................141
5.3 Theoretical Complexity Analysis . . . . . . . . . . . . . . . . . . . . . . . 147
5.3.1 Discussion of Results of the Five Algorithms . . . . . . . . . . . . 148
5.4 Summary.....................................152
6 Intrusion Recovery Strategies 154
6.1 ProposedSolution................................154
6.2 Evaluation ....................................156
6.2.1 Sink in the middle of the Grid . . . . . . . . . . . . . . . . . . . . . 156
6.2.2 Sink in the top left edge of the Grid . . . . . . . . . . . . . . . . . 162
6.2.3 Sink on the top middle of the Grid . . . . . . . . . . . . . . . . . . 168
6.2.4 Discussion................................174
6.3 Summary.....................................175
7 Performance Evaluation of the Proposed Framework 176
7.1 Performance evaluation of FLIDS for the Detection of Different Types of
Attacks......................................177
xvii
7.2 Real-time detection jamming attacks . . . . . . . . . . . . . . . . . . . . . 183
7.3 Assessing the Practical Applicability of FLIDS . . . . . . . . . . . . . . . 184
7.4 Evaluation of Strategies for Real-Time Jamming Identification . . . . . . 188
7.5 Multiple Jammers Detection using FLIDS . . . . . . . . . . . . . . . . . . 198
7.5.1 Determining the number of jammers. . . . . . . . . . . . . . . . . 201
7.5.2 Sink in the Middle of the grid predicted scenarios . . . . . . . . . 202
7.5.3 Sink in the top Middle of the grid predicted scenarios . . . . . . . 203
7.5.4 Sink in the top left edge of the grid predicted scenarios . . . . . . 204
7.5.5 Sink in the Middle of the grid random scenarios . . . . . . . . . . 205
7.5.6 Sink in the top Middle of the random scenarios . . . . . . . . . . 206
7.5.7 Sink in the top left edge of the random scenarios . . . . . . . . . . 207
7.6 Comparison with other comparative approaches in the literature review 209
7.7 Evaluating Our Approach Compared to Existing Methodologies . . . . . 211
7.8 Summary.....................................215
8 Conclusions and Future Work 216
8.1 FutureWork ...................................218
A List of Tables 245
B List of Protocols 261
xviii
List of Figures
2.1 Intrusion Detection Methods . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2 Anomaly-basedIDS............................... 28
2.3 Artificial Intelligent IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.4 StatisticalIDS .................................. 40
2.5 Types of Jamming Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
2.6 Jamming Attack Detection Parameters . . . . . . . . . . . . . . . . . . . . 59
3.1 Framework for the Detection, Localization, and Recovery of Jamming
Attacks in the Internet of Things . . . . . . . . . . . . . . . . . . . . . . . 86
4.1 Distribution values of ETX . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.2 Distribution values of Retransmissions . . . . . . . . . . . . . . . . . . . . 95
4.3 Distribution values of Packets Drop per Terminal . . . . . . . . . . . . . . 96
4.4 Distribution values of Packet Delivery Ratio . . . . . . . . . . . . . . . . 96
4.5 The trapezoidal Membership function plots for the input ETX . . . . . . 98
4.6 The trapezoidal Membership function plots for the Retransmissions . . . 98
4.7 The trapezoidal Membership function plots for the input PDPT . . . . . 99
4.8 The trapezoidal Membership function plots for the input PDR . . . . . . 99
xix
4.9 The trapezoidal Membership function plots for the output, Jamming
Indicator(JI)...................................100
4.10 Input-output surface corresponding to the membership values of inputs
(ETX, Retransmissions) and output (JI) . . . . . . . . . . . . . . . . . . . . 100
4.11 Input-output surface corresponding to the membership values of inputs
(PDR, Retransmissions) and output (JI) . . . . . . . . . . . . . . . . . . . 100
4.12 Input-output surface corresponding to the membership values of inputs
(PDPT, Retransmissions) and output (JI) . . . . . . . . . . . . . . . . . . . 101
4.13 Input-output surface corresponding to the membership values of inputs
ETX,PDR)andoutput(JI) ...........................101
4.14 Input-output surface corresponding to the membership values of inputs
ETX, PDPT) and output (JI) . . . . . . . . . . . . . . . . . . . . . . . . . . 101
4.15 Fuzzy Controller Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
4.16 Comparison Chart of different approaches . . . . . . . . . . . . . . . . . . 111
4.17 ROC Curve when Sink is in the Middle of the grid . . . . . . . . . . . . . 112
4.18 ROC Curve when Sink is on Top Middle of the grid . . . . . . . . . . . . 112
4.19 ROC Curve when Sink is on Top Edge of the grid . . . . . . . . . . . . . 113
4.20 Random Simulation Set-up and Configuration . . . . . . . . . . . . . . . 114
4.21 The trapezoidal Membership function plots for the input ETX . . . . . . 116
4.22 The trapezoidal Membership function plots for the Retransmissions . . . 116
4.23 The trapezoidal Membership function plots for the output, Jamming
Indicator(JI)...................................116
4.24 Input-output surface corresponding to the membership values of inputs
(ETX, Retransmissions) and output (JI) . . . . . . . . . . . . . . . . . . . . 117
xx
4.25 Sink is in the middle of the grid . . . . . . . . . . . . . . . . . . . . . . . . 119
4.26 Sink is on the top edge of the grid . . . . . . . . . . . . . . . . . . . . . . . 120
4.27 Sink is in the top middle of the grid . . . . . . . . . . . . . . . . . . . . . . 120
4.28 Random nodes placement, Sink is in the middle of the grid . . . . . . . . 121
4.29 Random nodes placement, Sink is on the top left edge of the grid . . . . 121
4.30 Random nodes placement, Sink is in the top middle of the grid . . . . . 122
4.31 Predicted Simulation Set-up and Configuration . . . . . . . . . . . . . . . 122
4.32 Random Simulation Set-up and Configuration . . . . . . . . . . . . . . . 123
4.33 Sink in the Middle of the Grid, Jammer Position 6 . . . . . . . . . . . . . 125
5.1 Centroid Localization Algorithm . . . . . . . . . . . . . . . . . . . . . . . 129
5.2 Modified Multilateration Localization Algorithm with Weights . . . . . 133
5.3 Euclidean Distance Error (in m) Predicted topology Sink in the Middle
oftheGrid....................................137
5.4 Execution Time (in ms) Predicted topology Sink in the Middle of the Grid138
5.5 Euclidean Distance Error (in m) Predicted topology Sink in the Top
MiddleoftheGrid ...............................139
5.6 Execution Time (in ms) Predicted topology Sink in the Top Middle of
theGrid......................................140
5.7 Euclidean Distance Error (in m) Predicted topology Sink in the Top left
edgeoftheGrid.................................140
5.8 Execution Time (in ms) Predicted topology Sink in the Top left edge of
theGrid......................................141
5.9 Euclidean Distance Error (in m) Random topology Sink in the Middle of
theGrid......................................142
xxi
5.10 Execution Time (in ms) Random topology Sink in the Middle of the Grid 143
5.11 Euclidean Distance Error (in m) Random topology Sink in the Top Mid-
dleoftheGrid..................................144
5.12 Execution Time (in ms) Random topology Sink in the Top Middle of the
Grid........................................144
5.13 Euclidean Distance Error (in m) Random topology Sink in the Top left
edgeoftheGrid.................................145
5.14 Execution Time (in ms) Random topology Sink in the Top left edge of
theGrid......................................146
6.1 Average of Retransmissions when the sink is in the middle of the grid . 157
6.2 Average of Drop Packets when the sink is in the middle of the grid . . . 158
6.3 Sink in the Middle attacker position 1 . . . . . . . . . . . . . . . . . . . . 158
6.4 RPL tree when Sink in the Middle a healthy scenario . . . . . . . . . . . . 159
6.5 RPL tree when attacker at position 1 in attack phase and sink is in the
middleofthegrid................................159
6.6 RPL tree when attacker at position 1 in recovery phase and sink is in the
middleofthegrid................................160
6.7 Sink in the Middle attacker position 6 . . . . . . . . . . . . . . . . . . . . 161
6.8 RPL tree when attacker at position 6 in attack phase and sink is in the
middleofthegrid................................162
6.9 RPL tree when attacker at position 6 in recovery phase and sink is in the
middleofthegrid................................162
6.10 Average of Retransmissions when the sink is in the top left edge of the
grid........................................163
xxii
6.11 Average of Drop Packets when the sink is in the top left edge of the grid 164
6.12 Sink in the top left edge of the grid attacker position 2 . . . . . . . . . . . 165
6.13 RPL tree when Sink in the top left edge of the grid in healthy scenario . 165
6.14 RPL tree when attacker at position 2 in attack phase when the sink
located in the top left edge of grid . . . . . . . . . . . . . . . . . . . . . . 166
6.15 RPL tree when attacker at position 2 in recovery phase when the sink
located in the top left edge of grid . . . . . . . . . . . . . . . . . . . . . . 167
6.16 Sink in the top left edge of the grid attacker position 15 . . . . . . . . . . 167
6.17 RPL tree when attacker at position 15 in attack phase and Sink in the top
leftedgeofthegrid...............................168
6.18 RPL tree when attacker at position 15 in recovery phase and Sink in the
topleftedgeofthegrid.............................168
6.19 Average of Retransmissions when the sink is in the top middle of the grid169
6.20 Average of Drop Packets when the sink is in the top middle of the grid . 170
6.21 Sink in the top middle of the grid attacker position 2 . . . . . . . . . . . . 171
6.22 RPL tree when Sink in the top middle of the grid healthy scenario . . . . 171
6.23 RPL tree when attacker at position 2 in attack phase when the sink is in
thetopmiddleofthegrid ...........................172
6.24 RPL tree when attacker at position 2 in recovery phase when the sink is
in the top middle of the grid . . . . . . . . . . . . . . . . . . . . . . . . . . 173
6.25 Sink in the top middle of the grid attacker position 14 . . . . . . . . . . . 173
6.26 RPL tree when attacker at position 14 in attack phase when the sink is
in the top middle of the grid . . . . . . . . . . . . . . . . . . . . . . . . . . 174
xxiii
6.27 RPL tree when attacker at position 14 in recovery phase when the sink
is in the top middle of the grid . . . . . . . . . . . . . . . . . . . . . . . . 174
7.1 ROC Curves for Constant Jammer in Grid Topology . . . . . . . . . . . . 177
7.2 ROC Curves for Constant Jammer and Random Topology . . . . . . . . 178
7.3 ROC Curves for Deceptive Jammer with Grid Topology . . . . . . . . . . 178
7.4 ROC Curves for Deceptive Jammer and Random Topology . . . . . . . . 179
7.5 ROC Curves for Random Jammer with Specific Shape Signal in Grid
Topology.....................................180
7.6 ROC Curves for Random Jammer with Specific Shape Signal and Ran-
domTopology..................................180
7.7 ROC Curves for Random Jammer with Random Shape Signal in Grid
Topology.....................................181
7.8 ROC Curves for Random Jammer with Random Shape Signal and Ran-
domTopology..................................181
7.9 ROC Curves for Reactive Jammer in Grid Topology . . . . . . . . . . . . 182
7.10 ROC Curves for Reactive Jammer and Random Topology . . . . . . . . . 182
7.11 Accuracy in differenttimeperiods ......................184
7.12 CPU usage in Seconds per type of Jammer . . . . . . . . . . . . . . . . . . 186
7.13 CPU processing overhead (%) per type of Jammer . . . . . . . . . . . . . 186
7.14 Memory Usage per type of Jammer . . . . . . . . . . . . . . . . . . . . . 187
7.15 Execution time per type of Jammer . . . . . . . . . . . . . . . . . . . . . . 188
7.16 Sink in the middle of the Grid, predicted scenarios . . . . . . . . . . . . . 190
7.17 Sink in the top middle of the Grid, predicted scenarios . . . . . . . . . . 191
7.18 Sink on the Top Edge of the Grid in Predicted Scenario . . . . . . . . . . 193
xxiv
7.19 Sink in the middle of the Grid, Random topology . . . . . . . . . . . . . 194
7.20 Sink in the top middle of the Grid, Random topology . . . . . . . . . . . 195
7.21 Sink in the Top Edge of the Grid, Random topology . . . . . . . . . . . . 197
7.22 Jammers are located at Position 12 . . . . . . . . . . . . . . . . . . . . . . 199
7.23 Jammers are located at Position 6, and their signal overlaps into two nodes200
7.24 Position 11 is experiencing jamming from multiple Jammers, causing
their signals to overlap into a single node . . . . . . . . . . . . . . . . . . 200
7.25 Multiple Jammer Sink Middle Grid predicted scenarios . . . . . . . . . . 203
7.26 Multiple Jammer Sink top Middle grid predicted scenarios . . . . . . . . 205
7.27 Multiple Jammer Sink top left edge grid predicted scenarios . . . . . . . 206
7.28 Accuracy Sink in the Middle of the grid random scenarios . . . . . . . . 207
7.29 Accuracy Sink in the top Middle of the grid random scenarios . . . . . . 207
7.30 Multiple Jammer Sink top left edge grid random scenarios figure . . . . 208
7.31 Accuracy Comparison of different jammers Positions sink is in the top
leftedge .....................................214
7.32 Accuracy Comparison FLIDS and FLJDA Approach . . . . . . . . . . . . 215
xxv
List of Tables
2.1 AttacksonIoTandWSN............................ 13
4.1 Values of variables used in the definition of membership functions . . . 97
4.2 Confusion matrix for Jamming attack detection . . . . . . . . . . . . . . 107
4.3 Results of the DifferentApproaches .....................110
4.4 Summary of the Best Operating Points for Various Approaches . . . . . 113
4.5 Values of variables used in the definition of membership functions . . . 115
4.6 Experimental Parameters of Nodes . . . . . . . . . . . . . . . . . . . . . . 124
4.7 Experimental Parameters of Jammer . . . . . . . . . . . . . . . . . . . . . 124
7.1 Accuracy in differenttimeperiods ......................183
7.2 Sink is in the middle of the grid in predicted scenario . . . . . . . . . . . 189
7.3 Sink located in Top Middle of the grid in predicted scenario . . . . . . . 191
7.4 Sink on the top edge of the grid in predicted scenario . . . . . . . . . . . 193
7.5 Random Topology when the sink is in the Middle of the grid . . . . . . . 193
7.6 Random topology when the sink is in the top middle of the grid . . . . . 196
7.7 Random topology when the Sink is in the top edge . . . . . . . . . . . . . 197
7.8 Comparison table of Related Work on Using Fuzzy Logic Algorithms
for Detecting Different Jamming Attacks . . . . . . . . . . . . . . . . . . . 209
xxvi
7.9 Input and Output Membership Functions with Ranges . . . . . . . . . . 211
A.1 Sink in the Middle of the grid nodes positions . . . . . . . . . . . . . . . 245
A.2 Sink in the Middle of the grid nodes positions Random . . . . . . . . . . 246
A.3 JammersPositions................................247
A.4 Sink on Top Middle of the grid Nodes Positions . . . . . . . . . . . . . . 248
A.5 Sink on Top Middle of the grid Nodes Positions Random . . . . . . . . . 249
A.6 Sink on Top left edge of the grid Nodes Positions . . . . . . . . . . . . . . 250
A.7 Random Sink on Top left edge of the grid Nodes Positions . . . . . . . . 251
A.8 Euclidean Distance Error (in m) for a Predicted Topology with the Sink
intheMiddleoftheGrid............................251
A.9 Execution Time (in ms) for a Predicted Topology with the Sink in the
MiddleoftheGrid ...............................252
A.10 Euclidean Distance Error (in m) for a Predicted Topology with the Sink
in the Top Middle of the Grid . . . . . . . . . . . . . . . . . . . . . . . . . 252
A.11 Execution Time (in ms) Predicted topology Sink in the Top Middle of
theGrid......................................252
A.12 Euclidean Distance Error (in m) for a Predicted Topology with the Sink
in the Top Left Edge of the Grid . . . . . . . . . . . . . . . . . . . . . . . . 252
A.13 Execution Time (in ms) for a Predicted Topology with the Sink in the
TopLeftEdgeoftheGrid ...........................253
A.14 Euclidean Distance Error (in m) for a Random Topology with the Sink
intheMiddleoftheGrid............................253
A.15 Execution Time (in ms) for a Random Topology with the Sink in the
MiddleoftheGrid ...............................253
xxvii
A.16 Euclidean Distance Error (in m) for a Random Topology with the Sink
in the Top Middle of the Grid . . . . . . . . . . . . . . . . . . . . . . . . . 253
A.17 Execution Time (in ms) for a Random Topology with the Sink in the Top
MiddleoftheGrid ...............................254
A.18 Execution Time (in ms) for a Random Topology with the Sink in the Top
LeftEdgeoftheGrid..............................254
A.19 Euclidean Distance Error (in m) for a Random Topology with the Sink
in the Top Left Edge of the Grid . . . . . . . . . . . . . . . . . . . . . . . . 254
A.20 Results when the inputs are ETX and Retransmission in Predicted Sce-
narios.......................................254
A.21 Results when the inputs are PDPT and Retransmission in Predicted
Scenarios.....................................255
A.22 Results when the inputs are ETX and Retransmission in Random Scenarios255
A.23 Results when the inputs are PDPT and Retransmission in Random Sce-
narios.......................................255
A.24 Multiple Jammer Coordinates table . . . . . . . . . . . . . . . . . . . . . . 256
A.25 Multiple Jammer Sink in the Middle of the Grid Predicted Scenarios . . 257
A.26 Multiple Jammer Sink in the Top Middle of the Grid Predicted Scenarios 257
A.27 Multiple Jammer Sink in the Top Left Edge of the Grid Predicted Scenarios258
A.28 Multiple Jammer Sink in the Middle of the Grid Random Scenarios . . . 258
A.29 Accuracy Sink in the top Middle of the grid random scenarios . . . . . . 259
A.30 Multiple Jammer Sink in the top left edge of the random scenarios . . . . 259
A.31 Comparison table between FLIDS and FLJDA approach . . . . . . . . . . 260
xxviii
Chapter 1
Introduction
1.1 Motivation
The Internet of Things (IoT) is revolutionizing modern industries and daily life
by interconnecting devices to facilitate seamless communication and automation.
From industrial automation and healthcare systems to smart cities and environmental
monitoring, IoT technologies are becoming foundational to contemporary infrastruc-
tures [1]. However, this widespread adoption brings to the forefront significant security
challenges, particularly for wireless sensor networks (WSNs) that underpin many IoT
applications. Unlike traditional networks, IoT and WSNs are characterized by their
resource-constrained devices—limited in computational power, memory, and energy
capacity [2]. This intrinsic vulnerability is compounded by their reliance on open
wireless communication channels, exposing them to a wide range of malicious threats,
including denial-of-service and jamming attacks [3, 4]. Jamming attacks, in particu-
lar, are alarming due to their ease of execution and significant impact. By interfering
with the radio frequencies used for communication, attackers can disrupt network
functionality, causing delays, data loss, and, in extreme cases, network paralysis. The
1
consequences of such attacks are far-reaching. For instance, a compromised indus-
trial control system could lead to production halts, while a disrupted healthcare IoT
system might endanger lives by impeding critical data transmission [5, 6]. The acces-
sibility of tools and techniques for launching jamming attacks amplifies the severity
of this issue, making it crucial to develop robust security measures that can protect
these networks effectively. Despite significant advances in IoT and WSN technologies,
addressing the multifaceted nature of jamming attacks remains a pressing challenge.
Many existing security measures, such as encryption and intrusion detection, were
designed for traditional networks and fail to meet the unique demands of IoT envi-
ronments [7]. Solutions for detecting, localizing, and mitigating such threats often
operate in silos, focusing on one aspect of the problem while neglecting the broader
context. For instance, some systems excel at identifying attacks but lack mechanisms
for swift recovery or resilience-building. The critical need for integrated, adaptive,
and lightweight security solutions for IoT networks remains unmet. Comprehensive
frameworks that can simultaneously detect, localize, and recover from jamming attacks
while being tailored to the resource-constrained nature of IoT devices are essential to
ensure network reliability and resilience. These frameworks should also adapt to
evolving attack strategies, particularly as adversaries adopt sophisticated approaches
like machine-learning-based adaptive jamming [8]. Recent research supports the ur-
gent need for such comprehensive solutions. For example, studies have highlighted the
rising frequency of jamming attacks targeting IoT networks, emphasizing the inability
of current systems to cope with adaptive jamming techniques effectively [7,8]. Further-
more, investigations into IoT network vulnerabilities have consistently identified a gap
in integrated security measures, particularly those addressing the complete lifecycle
2
of attack detection, localization, and mitigation [4,6]. These findings underline the ne-
cessity for frameworks designed explicitly for the dynamic and resource-constrained
environments of IoT and WSNs. In this context, the present thesis aligns with ongoing
efforts to address these gaps, emphasizing the importance of developing solutions that
are both practical and effective for real-world deployment. By enhancing the resilience
of IoT networks against jamming attacks, such work contributes to the broader goal of
securing interconnected systems in an increasingly digitized world.
1.2 Problem Statement
Despite the critical role IoT devices and WSNs play in modern systems, their in-
herent limitations make them vulnerable to a spectrum of security threats. Among
these, jamming attacks pose a severe challenge due to their ability to disrupt com-
munication, degrade network performance, and exhaust device resources. Traditional
security measures, originally designed for legacy networks, fail to address the unique
constraints of IoT systems, such as limited computational power, memory, and energy
resources.
Moreover, existing solutions for mitigating jamming attacks are fragmented. De-
tection mechanisms, for instance, may identify an attack but lack the capability to
locate its source or recover from its impact. Localization techniques often require
resource-intensive computations that are impractical for IoT environments, while re-
covery strategies are seldom integrated with detection systems. The lack of a cohesive,
resource-efficient approach leaves IoT networks inadequately protected against these
threats.
This gap becomes more pronounced with the advent of intelligent jammers that
adapt to detection systems, further complicating mitigation efforts. The absence of a
3
holistic solution that addresses detection, localization, and recovery in a unified and
lightweight manner limits the resilience of IoT networks and increases their suscep-
tibility to disruptions. This thesis seeks to address this problem by designing and
validating a comprehensive security framework tailored to the specific requirements
of IoT and WSN environments.
In this thesis, we undertake a comprehensive examination of low-level Internet
of Things (IoT) systems, with a particular focus on wireless sensor networks (WSNs)
that leverage microcontrollers. The research examines mesh networks composed of
static nodes, which are critical for ensuring reliable, energy-efficient, and scalable
wireless communication in IoT environments. Key characteristics of these networks
include constrained storage capacity, limited computational capabilities, and restricted
power consumption. Specifically, our simulations are based in TelosB motes where is a
specialized platform designed for wireless sensor networks (WSNs) within the realm of
low-level Internet of Things (IoT) applications. These motes are IEEE 802.15.4/ZigBee
compliant, offering a 250 kbps data rate over a 2.4 GHz ISM band, making them suitable
for a wide range of global applications. The TelosB motes are powered by a low-power,
16-bit TI MSP430 microcontroller with 10kB RAM and 48kB of program flash memory,
which ensures efficient performance with minimal energy consumption. Additionally,
the motes feature 1MB of external flash for data logging, which is essential for long-term
monitoring applications. These devices come equipped with an integrated onboard
antenna and optional sensor suites, including temperature, light, and humidity sensors,
making them versatile tools for environmental monitoring and other sensor-based
research.
TelosB motes are designed for ease of use in research and development, with USB
4
programming and data collection capabilities. They run on the open-source TinyOS
operating system, which supports large-scale, self-configuring sensor networks, fur-
ther enhancing their suitability for experimental and field applications. The platform’s
low power consumption is highlighted by its ability to draw only 5.1 µA in sleep mode
and 1.8 mA in active mode, which extends battery life significantly when powered
by two AA batteries. Moreover, the motes provide robust communication features,
including digital I/O, I2C, and SPI interfaces, making them highly adaptable for in-
terfacing with various peripherals. The TelosB’s combination of energy efficiency,
comprehensive sensor integration, and flexible interfacing options makes it an ideal
choice for developing scalable, reliable, and cost-effective IoT solutions in academic
and industrial research [9].
This thesis delves into the application of WSN-oriented IoT in practical settings,
including industrial control systems [10], military operations [11], environmental and
remote area monitoring [12], and fire detection [13]. It does not focus on innovative
city applications utilizing LoraWan [14] and Naroband [15] IoT, as these networks are
single-hop. The thesis specifically addresses the distribution detection at the node,
which is not suitable for this type of network and does not align with the focus of our
study.
This thesis does not consider the mobility of nodes or mobile jammers. Integrating
mobility into the analysis of jamming attacks significantly increases the complexity
of this study. Concentrating on static scenarios can help establish a more controlled
environment for the development of foundational theories and algorithms that can
eventually encompass mobility.
5
1.3 Thesis Contributions
This thesis presents a groundbreaking security framework designed to detect, lo-
calize, and recover from jamming attacks in IoT and WSN environments. The contri-
butions of this work are unique in their scope, integration, and practical applicability,
representing a significant advancement in the field of IoT security. The major contri-
butions are summarized as follows:
•Development of a Comprehensive and Unified Framework: This thesis intro-
duces a novel security framework that integrates detection, localization, and
recovery phases into a single cohesive system for IoT networks. Unlike existing
works, which typically focus on one or two of these phases in isolation, this
framework provides an end-to-end solution. The proposed approach addresses
the critical need for a lightweight and resource-efficient system tailored to the
unique constraints of IoT and WSN devices. To the best of our knowledge, no
similar holistic framework exists in the current literature, positioning this work
as a pioneering effort in IoT network security [16, 17].
•Distributed Detection Using Fuzzy Logic Algorithms: A distinguishing fea-
ture of the proposed framework is its distributed architecture. Detection is
performed locally at the node level using fuzzy logic-based intrusion detection
systems (FLIDS), which rely on lightweight computations and RPL metrics from
the data-link and network layers. This distributed approach ensures scalabil-
ity and efficiency, as each node autonomously detects anomalies using its local
resources without relying on a centralized processing unit. This architecture min-
imizes latency, reduces communication overhead, and enhances the framework’s
6
applicability to real-time IoT environments [16,17].
•Introduction of a Novel Jammer and Enhanced Detection Capabilities: This
research introduces the ”complex jammer,” a sophisticated attack model de-
signed to mimic real-world adaptive jamming scenarios. The FLIDS algorithm
effectively detects this novel jammer and other adaptive jamming techniques,
showcasing the system’s robustness and flexibility. By utilizing fuzzy logic,
the framework accurately recognizes various jamming types, even in resource-
constrained scenarios, with high accuracy and low false-positive rates.
•Effective Recognition of Multiple Jamming Attacks: Demonstrating the suit-
ability of fuzzy logic in accurately recognizing multiple jamming attacks in di-
verse situations, marked by high accuracy, low memory usage, and quick execu-
tion [18].
•Accurate Localization via Modified Multilateration with Weights (MMLAW):
The localization phase employs a modified multilateration algorithm that uses
network metrics, such as ETX and retransmissions, to estimate jammer posi-
tions with minimal error. This method leverages distributed computations to
localize attackers, further reinforcing the distributed nature of the framework.
The lightweight algorithm is specifically designed to operate within the resource
constraints of IoT devices, ensuring practical deployment [19].
•Dynamic Recovery Mechanism: The recovery phase introduces a dynamic and
effective strategy to restore network functionality after a jamming attack. By
blacklisting compromised nodes and rerouting traffic through alternative paths,
the framework ensures quick and reliable recovery. This recovery mechanism is
7
fully integrated with the detection and localization phases, providing a seamless
transition from attack identification to mitigation.
•Extensive Validation Through Realistic Simulations: The proposed frame-
work is rigorously validated through simulations using TelosB motes and IEEE
802.15.4/ZigBee protocols, which replicate real-world IoT conditions. The results
demonstrate the framework’s effectiveness in handling various jamming sce-
narios, including multiple concurrent jammers, and its adaptability to evolving
attack strategies. Metrics such as memory usage, processing overhead, and exe-
cution time confirm its suitability for resource-constrained environments [16,17].
•High-Level Impact: The proposed security framework represents a transforma-
tive approach to IoT network security by addressing critical gaps in existing
research. Its distributed design not only enhances scalability but also makes it
highly applicable to diverse IoT environments, including industrial automation,
healthcare, and environmental monitoring. By unifying detection, localization,
and recovery into an integrated framework, this work sets a new benchmark for
practical and comprehensive IoT security solutions [16,17].
1.4 Thesis organization
This thesis includes eight chapters and two appendices, organized as follows.
Chapter 2: This chapter introduces security in IoT and WSN, including attacks,
intrusion detection systems (IDS), attack localization mechanisms, and attack recovery
methodologies discussed in recent literature.
Chapter 3: This chapter explains the threat model and the behaviors of jamming
attacks and introduces our security framework, which consists of three phases: detec-
8
tion, localization, and recovery.
Chapter 4: This chapter offers a succinct introduction to jamming attacks and inves-
tigates how fuzzy-logic algorithms can be utilized for their detection. It also contains
a comprehensive evaluation in order to determine the optimal input parameters for
fuzzy-logic intrusion detection systems. Finally, this chapter introduces the first part of
the proposed framework, namely the Fuzzy Logic-based Intrusion Detection Systems
for jamming attacks (FLIDS).
Chapter 5: In this section, related work on localizing jamming attacks is reviewed;
a novel localization algorithm named MMLAW is designed using multilateration,
where the distance is estimated using two metrics: ETX or Retransmissions. Finally,
the proposed algorithm is evaluated.
Chapter 6: Intrusion Recovery Strategies are discussed in the following section. A
solution for network recovery following a jamming attack has been developed by our
team. The strategy involves blacklisting the nodes that are under attack and allowing
the RPL to reconstruct the network paths. To assess the approach’s effectiveness, the
networks under attack were compared with those that underwent the recovery phase.
Chapter 7: In this section, we discuss the evaluation of the security framework and
its outcomes. We assess assess the applicability and real-time detection capabilities of
the FLIDS technique. In addition, we compared our solution with the existing literature
review. We also compared our technique and the FIS technique with simulated data.
Finally, we carried out a comprehensive simulation involving multiple jammers in our
environment, yielding excellent results.
Chapter 8: This chapter provides a summary of this thesis and discusses future
research and its limitations.
9
Chapter 2
Background and Related Work
The Internet of Things (IoT) is revolutionizing our interactions with the digital
world, turning ordinary objects into smart interconnected devices. However, this
rapid expansion also introduces significant security vulnerabilities, particularly in
wireless sensor networks (WSNs), which form the backbone of several IoT systems.
This chapter explores the multifaceted aspects of IoT security, emphasizing the critical
need for robust mechanisms to protect against various types of attacks. It delves
into the existing literature spanning the past ten years, focusing on the evolution of
IoT technologies and their corresponding security challenges. By analyzing scholarly
databases and employing a combination of keywords related to IoT security, this
chapter aims to build a comprehensive understanding of the subject, highlighting the
importance of addressing security threats to ensure the integrity and reliability of IoT
systems.
This study used information from databases such as ScienceDirect Elsevier, IEEE
Xplore, Scopus, Scientific Research Publishing (SCIRP), Researchgate, Springer, and
ProQuest. We used a combination of keywords to identify and extract useful informa-
10
tion for building our subjects. First, abstract keywords such as ”Wireless Sensor Net-
works,” ”Internet of things,” and ”IoT security” were utilized to extract more general
information on the subject. After that, specific keywords such as ”Intrusion detection,”
”prevention,” ”Localization,” and ”recovery” were utilized to gain detailed informa-
tion on different topics related to the subject of interest. Furthermore, keywords such
as ”Security,” ”Attacks,” ”Denial-of-Service attacks,” and ”Jamming attacks” were in-
cluded. Moreover, we searched with keywords of the Protocols, specifically ”IPv6,”
”6LowPAN,” and ”RPL,” and simulations like ”Contiki” were used to gain detailed
insights on “IoT-related attacks.” Finally, we searched for the methodology of detection
of such malicious attacks using keywords such as ”Signature – Pattern” and ”Anomaly
detection,” as well as search on detection techniques including ”Machine Learning,”
”Data Mining,” and ”Fuzzy Logic tools.” The main criteria for choosing related sci-
entific publications were the number of citations, year of publication, and the impact
factor of the journal and conference where the research paper was published.
2.1 Background
In this section, we discuss the foundational work related to the detection, localiza-
tion, and recovery from attacks, as well as security mechanisms in WSN within the IoT
context. First, we will perform a thorough literature review of the various attacks and
intrusion detection mechanisms in IoT and WSN. We will then delve into the discus-
sion of localization techniques. Finally, we provide a succinct overview of the existing
recovery strategies.
11
2.1.1 Detection
2.1.1.1 Attacks on IoT and WSN
This Section briefly describes possible IoT attacks. A taxonomy of attacks per layer
[20] is illustrated in Table 2.1. Attacks targeting WSNs are generally categorized into
five primary types that follow the layered structure of the OSI stack, as demonstrated
in Table 2.1. The OSI network architecture for WSNs (and IoT) comprises five layers,
as outlined in [21]: Physical, Data-Link (MAC), Network, Transport, and Application.
It should be noted that the Session and Presentation layers of the conventional OSI
network model are integrated into the Application layer of WSNs (and the IoT).
2.1.1.1.1 Physical Layer The physical layer is responsible for frequency selection,
carrier frequency generation, signal detection, modulation and data encryption [22,23].
Jamming and tampering are the most common attacks on the physical layer.
Jamming is a type of attack that interferes with the radio frequencies the network
nodes are using [22,24]. A jamming source may either be powerful enough to disrupt
the entire network or less powerful and can only disrupt a smaller portion of the
network. A detailed analysis of Jamming Attacks is presented in Section 2.2.1.1.
Tampering is another physical layer attack. Upon a Tampering attack, attackers
have physical access to a node. Consequently, they can extract sensitive information
such as cryptographic keys or other data on the node. A node may also be altered or
replaced to create a compromised node for which attackers have control [25].
2.1.1.1.2 Data Link Layer The data link layer is responsible for multiplexing data
streams, data-frame detection, medium access, and error control [22,80]. This ensures
reliable point-to-point and point-to-multihop connections in the network. Collisions,
12
Table 2.1: Attacks on IoT and WSN
Layer Attack IDS Solution
Physical Layer Jamming Attack [26–32]
Tampering Attack [25]
Data Link Layer Collision Attack [23]
Denial of Sleep [33, 34]
De-synchronization [35]
Exhaustion Attack [23]
Link Layer Flooding [36]
Link Layer Jamming [37,38]
Spoofing/ARP-Spoofing [39]
Unfairness Attack [23]
Network Layer HELLO Flood Attack [29, 40, 41]
Black Hole Attack [28, 41–46, 46–49]
Selective Forward Attack [29, 41, 43, 46, 48, 50–
52]
Sinkhole Attack [48, 52, 53]
Wormhole Attack [23, 54–56]
Node-Replication (Clone) [57, 58]
Misdirection [59]
Routing Loop [60]
Rushing [61, 62]
Spoofed, Altered, or Replayed
Routing Information
[60, 63, 64]
RPL Exploit [65, 66]
Local repair attack [65]
(DIS) attack [65]
Sybil Attack [41, 46, 50, 51, 67]
Fake Attack [31]
Rank Attack [68, 69]
6LoWPAN Exploit
Resource Depleting Attack [70]
ICMP Flood Attack [71]
Smurf Attack [72–74]
Transport Layer Flooding Attack [22, 55]
Desynchronisation Attack [22]
MQTT Exploit [75]
Session Hijacking
Application Layer CoAP Exploit [76, 77]
Path-based Denial of Service
Attack
[78, 79]
Reprogramming Attack [78, 79]
13
unfairness, or exhaustion attacks can be launched against a data-link layer [23].
ACollision attack occurs when two nodes attempt to transmit packets of the same
frequency simultaneously [22].
Denial of Sleep (Sleep Deprivation Torture) preventing a node from falling into
a state of inactivity that results in energy depletion by draining the battery, such as
through collision attacks or persistent handshaking, which involves Request to Send
(RTS) and Clear to Send (CTS) flow control signals. In this type of attack, a node is
compelled to exhaust the entire energy reserve stored in its batteries [33, 34, 81].
De-synchronization Time Synchronized Channel Hopping (TSCH) is a Medium
Access Control (MAC) layer protocol that is specified in the IEEE 802.15.4e standard. It
offers exceptional reliability and employs small duty cycles by utilizing time synchro-
nization and channel-hopping techniques [81]. Attacks against TSCH time synchro-
nization can occur when an attacker sends messages in time slots that are designated
for other users, resulting in packet collisions and loss. By carefully observing the
back-offtimes, an attacker can initiate a series of these events, ultimately causing the
neighboring motes to become desynchronized. Therefore, this attack can be considered
an advanced version of collision attack [35].
The goal of an Exhaustion attack is to consume all the resources and energy of
the victim node by obliging it to perform calculations or to receive and transmit data
unnecessarily [82].
Link Layer Flooding In this type of attack, a malicious node exploits the fairness of
medium access by sending an excessive amount of MAC data or control packets to its
neighboring nodes. Consequently, the victim nodes may experience denial of service
or depleted battery power. Moreover, this attack may deplete channel bandwidth
14
resources [36].
Link Layer Jamming In this type of attack, the most valuable packets, specifically
the data packets, are aimed at jamming. The probability distribution of the packet
arrival times was obtained and applied to the packet transmission. This attack has
been proven successful against the following MAC protocols: B-MAC, L-MAC, and
S-MAC [37, 38].
Spoofing/ARP-Spoofing In a spoofing attack, a malicious node falsely portrays
the MAC address of another node, typically a victim, and subsequently develops
numerous legitimate identities by using the victim’s information. These identities can
be used throughout a network [83]. In contrast, an ARP spoofing attack involves
an attacker sending fraudulent ARP (Address Resolution Protocol) messages into the
network. The objective is typically to connect the attacker’s MAC address to the IP
address of a more significant node, such as the default gateway, causing any traffic
intended for the IP address to be redirected to the attacker [39].
Unfairness Attacks can prevent benign nodes from using the network channel. To
prevent this, one proposed solution is to utilize small frames, which would enable
benign nodes to find a slot to transmit [70].
2.1.1.1.3 Network Layer The network layer is responsible for routing information
through the sensor network; for example, finding the most efficient path for the packet
to travel on its way to a destination [23].
The HELLO Flood attack uses HELLO packets to deceive the WSN sensors. An
attacker with a powerful transceiver ( high radio transmission and processing power)
sends HELLO packets to several sensor nodes that are dispersed over a large area
within the WSN. Consequently, the sensor perceives a malicious node as a neighboring
15
sensor and transmits packets. Consequently, while sending information to the base
station, the victim’s nodes try to go through the malicious node neighbor, considering
it as a neighboring node being spoofed by the malicious node [70].
The Black Hole Attack is a malicious tactic in which a node falsely claims to have the
shortest path to the destination. This node then attracts the traffic of the surrounding
nodes; however, instead of forwarding the packets, it drops them, ultimately causing
network disruption. In WSNs, the impact of a Black Hole Attack can be particularly
harmful owing to limited resources and connectivity options. Effective countermea-
sures involve implementing secure routing protocols designed to detect and isolate
malicious nodes, thereby upholding network integrity and performance [70,84, 85].
During a sinkhole attack, an attacker makes a compromised node appear more
attractive to the surrounding nodes by forging the routing information. Thus, the
surrounding nodes choose a compromised node as the next node to route their data
[22, 53, 70].
In Selective Forward (Grayhole) attacks, an attacker creates malicious nodes that
selectively forward only certain messages, and simply drops others [52].
AWormhole attack occurs when a node broadcasts the routing request packet
received by the attacker, who then replays it in its neighborhood. Each neighboring
node receiving this replayed packet considers itself to be within the range of the node
and marks this node as its parent. Consequently, the attacker is convinced that the
node is only a single hop away from them, creating a wormhole even if the victim’s
nodes are multiple hops away from the node [56].
Node-Replication (Clone) An attacker deliberately places replicas of compromised
nodes in various locations within the network to create inconsistency. Node replication
16
(clone) attacks are particularly dreadful because they allow the attacker to manipulate
the network behavior using only a few copies of previously hacked nodes [57]. Similar
to a Sybil attack, a node-replication (clone) attack can also enable attackers to disrupt
data aggregation, misbehavior detection, and voting protocols by injecting false data
or suppressing legitimate data [58].
Misdirection In a misdirection attack, the attacker intentionally directs messages to
the wrong path by sending false routing advertisements. This causes routing tables of
neighboring nodes to be updated with incorrect information [84]. This type of attack is
also classified as a Denial of Service (DoS) attack, resulting in the targeted nodes being
completely blacked out and unable to receive any further packets after false routing
information is advertised [59].
Routing Loop A routing loop can occur in a path when spoofing routing updates.
An adversary can create this loop when they determine that nodes A and B are within
radio range of each other. By sending a forged routing update to node B with a spoofed
source address claiming that it originated from node A, the adversary can cause node
B to mark node A as its parent and rebroadcast the update. As a result, node A hears
the update from nodes B and B as its parent. Consequently, messages sent to either A
or B are continuously looped between the two nodes, leading to energy depletion and
eventual failure of the node or network [60].
Rushing When this type of attack is launched against ”on-demand ad hoc network
routing protocols,” it can result in a denial of service (DoS) for the network. For
example, protocols such as AODV and DSR, and more secure protocols based on
these, such as ARAN, SAODV, and Ariadne, may not be able to discover routes that
are more than two hops away when subjected to this type of attack. The ”rushing
17
attack” is particularly harmful to networks and can be executed by relatively weak
adversaries [61, 62].
The Spoofed, Altered, or Replayed Routing Information is the most direct attack
on the routing protocols. This type of attack targets the routing information in a
network. Specifically, in this attack, a malicious node may spoof, alter, or replay
routing data to interrupt and/or cause a disturbance within network traffic [60]. These
disruptions include the creation of routing loops, attracting or repelling network traffic
from selected nodes, extending or shortening source routes, generating false-error
messages, causing network partitioning, and increasing end-to-end latency [63]. More
direct attacks on routing protocols aim to alter or modify the information transmitted
among nodes [64].
RPL Exploit IoT includes devices with limited resources such as battery power,
memory, and processing capability. To accommodate these types of networks, a new
network layer routing protocol, called the Routing Protocol for Low-power and Lossy
networks (RPL), was developed [86]. RPL is lightweight and does not have all of the
features of traditional routing protocols. It was specifically designed for multi-point-
to-point communications, which are now being adopted by IoT. Several attacks against
the RPL of IoT have been outlined in [65].
The IoT is also vulnerable to most attacks on WSNs. The attacks presented in [65]
and [66] corroborate this notion in that, except for a few attacks specifically targeting
the RPL protocol, all of the attacks are similar to the ”Attacks against Routing Layer”
described in this section. Specific attacks against the RPL protocol include local attacks,
rank attacks, DODAG version attacks, DIS attacks, and neighbor attacks [65].
In a local repair attack, an attacker intentionally and periodically sends a local
18
repair message originally used to enhance link quality. This causes neighboring nodes
to enter a local repair cycle, impacting the delivery ratio more than other types of
attacks, generating more control packets, and increasing the end-to-end delay [65].
DODAG is a destination-oriented directed acyclic graph that is created using RPL
to establish a loop-free topology. DODAG organizes nodes in a hierarchical manner
with a single root, children, and descendants [87].
In the RPL, the rank value increases from the root node to the child node. In the
RPL DODAG rank attack, an attacker can manipulate the DODAG version system by
advancing its rank in a hierarchical tree, attracting many children who are then forced
to route packets through the attacker parent. By intentionally altering its rank value,
an attacker can draw many child nodes to select it as a parent, diverting a large volume
of traffic toward the root node (main branch) to flow through itself.
A DODAG textbfversion attackis another exploitation of the RPL DODAG version
system. This attack involved publishing a higher version of the DODAG tree. Upon
receiving the new higher version number in the DODAG Information Object (DIO)
messages, nodes begin to form a new DODAG tree. This can lead to the creation
of a new, unoptimized topology and inconsistencies in the network topology. The
loops and rank inconsistencies created by an attack are usually centered around the
attacker’s neighborhood [65].
In a DODAG Information Solicitation (DIS) attack, an attacker sends DIS mes-
sages with fake IP addresses, prompting the recipient node to regenerate DIO messages,
thereby increasing overhead.
In an RPL neighbor attack, a malicious node broadcasts DIO messages that it
receives without adding its own information. The receiving node may mistakenly
19
believe that a new neighboring node transmits a DIO message. The victim node then
attempts to modify the routing tables to include the pointed node. This attack is
somewhat similar to a selective forwarding attack, in which only DIO messages are
selected. The impact of this attack on the network includes a slight increase in end-
to-end delay, changes in network topology, and control overhead. However, this can
have serious consequences in combination with other attacks.
6LoWPAN Exploit 6LoWPAN is a protocol developed for the Internet of Things
(IoT) to enable the extended use of IPv6 by smart devices. It integrates IP-based infras-
tructures and Wireless Sensor Networks (WSNs) by defining how IPv6 packets should
be routed in constrained networks, such as IEEE 802.15.4, through the fragmentation
and reassembly of datagram data fields.
A specific vulnerability of 6LoWPAN is the fragment duplication attack, where an
attacker inserts its own fragments into the fragmentation chain. This type of attack
takes advantage of the fact that, at the 6LoWPAN layer, a recipient is unable to verify
whether a fragment comes from the same source as previously received fragments of
the same IPv6 packet. Because there is no authentication mechanism at the receiver
when receiving a fragment, an attacker can easily deceive the recipient. The recipients
were unable to differentiate between authentic and spoofed duplicates.
As a result, the recipient must process all fragments that seem to belong to the same
IPv6 packet based on the sender’s MAC address and 6LoWPAN datagram tag. Conse-
quently, an attacker can masquerade as a legitimate node and exploit this vulnerability
to launch further attacks such as Denial of Service (DoS) attacks [65, 88].
In Sybil Attack, a malicious node presents more than one identity to the network
and acts as a fake node [67, 70, 89, 90]. Specifically, in a Sybil attack, a malicious node
20
steals identities from other sensor nodes in the network and uses this information to
create new fake nodes. Consequently, an attacker can present multiple identities within
the network. A Sybil attack is particularly confusing to the geographic routing protocol
because the adversary appears to be in various locations simultaneously. Sybil attacks
can significantly reduce the effectiveness of fault-tolerance schemes such as distributed
storage, multipath routing, and topology maintenance.
AFake Attack in IoT occurs when a compromised device alters a transmitted
message by injecting malicious code. This type of attack generates counterfeit data,
deceiving other nodes or the central system. To prevent this, stringent authentication
protocols, data verification processes, and anomaly-detection techniques have been
implemented. [31].
ARank Attack occurs when a node within the network advertises an artificially
low rank and manipulates the routing information. Routing protocols such as RPL,
which are commonly used in these environments, rely on node ranks to form a Directed
Acyclic Graph (DAG) for data forwarding. By presenting a lower rank, a malicious
node can position itself as a preferred route, attracting a significant portion of network
traffic. This can lead to data traffic diversion, potential interception or alteration of
data, network congestion, and reduced overall network performance [68,69].
When a Local repair attack occurs, the attacker periodically broadcasts local repair
messages, even though there is no problem with link quality around the node. The
node receiving the local repair messages will need to recalculate the route related to
malicious nodes. This type of attack creates more control overhead messages and
packet dropping owing to temporarily unavailable routes [68]. In conclusion, a local
repair attack has a greater impact on the delivery ratio than any other type of attack
21
does. It also generates more control packets and increases the end-to-end delay. More-
over, they can exhaust the energy of nodes [91]. Local repair attacks are another serious
type of attack that affect RPL networks [70].
The Resource depleting attack or else, vampire attack is an attack by which a
compromised node is involved in generating more network traffic, depleting the energy
of the nodes. The vampire node behaves as an underlying protocol; therefore, vampire
attacks are difficult to detect. This is the main problem that must be addressed for
vampire attacks [70].
In an ICMP Flood Attack, a malicious node sends a large number of ICMP Echo
Reply messages to the victim using several different identities as the sender [71].
ASmurf attack is a distributed denial-of-service (DDoS) network-based attack [72].
Upon Smurf attacks, attackers send ICMP Echo Request messages to the victims’
neighbors using the victims’ identity as the sender. This causes neighbors to respond
to ICMP Echo Reply messages directed at the victim. ICMP flood and Smurf attacks
show the same symptoms, such as a high number of ICMP Echo Reply messages sent
to victims [73, 74].
2.1.1.1.4 Transport Layer The transport layer is responsible for managing the end-
to-end connections. Possible attacks in the transport layer include flooding and/or
desynchronization attacks.
The Desychronization attack refers to the breakup of an existing link between
nodes [22]. In this type of attack, an intruder may constantly spoof messages to an
end node, challenging the node to request retransmission of missed frames. If timed
correctly, an attacker may degrade or even prevent the ability of end nodes to exchange
data successfully. Consequently, sensor nodes lose energy by attempting to recover
22
from errors that have never actually existed [22].
MQTT Exploit MQTT, also known as Message Queue Telemetry Transport, is a
connectivity protocol designed for lightweight publish-and-subscribe messaging on
low-power embedded sensors and other resource-constrained devices. In the context
of the Internet of Things (IoT), MQTT is commonly used to facilitate communication
between devices via a publish-and-subscribe messaging model. However, MQTT does
not include built-in security measures, necessitating that users take responsibility for
addressing security concerns. To enhance the security of MQTT, it is recommended that
SSL/TLS be implemented using certificates and session-key management. Nonetheless,
managing and storing certificates and key exchanges for every IoT session can become
onerous owing to the diverse array of heterogeneous devices. Moreover, SSL/TLS is
susceptible to various attacks such as BEAST, CRIME, RC4, and Heartbleed. Conse-
quently, a scalable, lightweight, and robust security mechanism is required for MQTT
and its variants to be effectively deployed in the IoT [75].
Session Hijacking In the field of computer science, this type of attack exploits and
manipulates legitimate communication sessions (also known as session keys) to gain
unauthorized access to information or services on a system. The session hijacking of
TCP messages is also problematic for IoT networks, as they are an extension of IP
networks.
SYN-flooding In the case of a Flooding attack, a malicious node may repeatedly
make new connection requests until the resources required for each connection are
exhausted or the maximum limit is reached. In either case, additional legitimate
requests are typically ignored [22,55].
23
2.1.1.1.5 Application Layer The application layer is responsible for presenting all
of the required information to an application and propagating requests from the ap-
plication layer to the lower layers.
CoAP Exploit The Constrained Application Protocol (CoAP) [76] is a widely used
application-layer protocol designed to provide communication capabilities for small
IoT devices with the rest of the Internet, similar to HTTP. CoAP is being increasingly
implemented in IoT applications, indicating its potential as a crucial component in
future IoT development. However, as stated in [77], there are several security chal-
lenges associated with the introduction of CoAP, particularly with regard to multicast
messages. CoAP does not offer the full security features of HTTP, which can create
security issues for IoT devices.
False Data Injection Captured nodes deliberately introduce fake data into a WSN
to manipulate the overall measurement or reading results. This type of attack occurs
at a semantic level and only impacts logic, leaving other aspects unaffected.
Path-based Denial of Service attack involves injecting spurious or replayed packets
into the network to leaf nodes. This type of attack can starve a network of legitimate
traffic because it consumes resources on the path to the base station, thereby preventing
other nodes from sending data to the base station [78,79].
Reprogramming attacks can be found in literature, bearing the name of Deluge as
well. Deluge attacks occur when the reprogramming process is not secure. Specifically,
in the case of deluge attacks, network programming systems allow users to remotely
reprogram nodes in deployed networks. Notably, in a Deluge attack, a malicious
attacker can process reprogramming during hijacking, aiming to take the malicious
authority of a large part of a network [78,79].
24
Intrusion Detection Methods
Signature-based
[52, 53, 97–102]
Anomaly-based Specification-based
[31, 68, 70, 103–111]
Figure 2.1: Intrusion Detection Methods
2.1.1.2 Intrusion Detection Methods
An Intrusion Detection System (IDS) is a software or hardware implementation
that monitors network traffic to detect malicious behavior [92]. Specifically, an IDS is
an effective method for both internal and external intruders [93]. An IDS is the most
efficient technique for detecting malicious activities with high accuracy when cryptog-
raphy fails [31,94,95]. According to existing literature, intrusion detection systems can
be classified into several categories [31, 94, 95]. An IDS can be classified according to
the following attributes: IDS placement strategy, detection method, security threats,
and validation strategy.
This section examines IDS classification based on the detection method. Intrusion
Detection Techniques are classified into three categories depending on the detection
mechanism used in the system: signature-based, anomaly based, and specification-
based [96]. Figure 2.1 presents a comprehensive taxonomy of Intrusion Detection
methods.
2.1.1.2.1 Signature or Pattern-based Intrusion Detection Signature-based IDSs pro-
vide high accuracy and effectively detect known attacks; however, their mechanisms
are easy to implement and understand. This approach is inefficient in identifying novel
attacks and variants of known threats because the matching signature for these attacks
is still unknown.
25
This type of IDS stores a database that includes attack signatures or patterns. This
IDS approach compares the system or network behavior with that of the database, and
if any system or network activity matches the stored signatures, it raises a security
alarm. This solution provides high accuracy and low false-alarm rates. Nevertheless,
Signature-based IDSs are unable to detect unknown or new types of attacks, as the
signature of these attacks is not in the database. In conclusion, this technique requires
a large storage space to store a large amount of data to be analyzed [70, 96]. This
type of detection works similarly to antivirus software, and requires the records and
signatures of its database to be updated frequently.
Several studies have explored the use of signatures or patterns for intrusion detec-
tion in IoT networks [52, 53, 97–102].
In [53], Raza et al. proposed Svelte, a real-time IDS for IoT based on signatures and
anomaly based techniques. This approach was evaluated using the Contiki OS and a
scenario with 32 nodes, including four malicious nodes.
Kasinathan et al. [98] developed an IDS based on signatures to detect DoS attacks
on 6LoWPAN networks, as part of the EU FP7 project ebbits. However, it remains
unclear how the signature database is updated.
Kasinathan et al. [99] developed an IDS framework for IoT using 6LoWPAN, which
is based on signatures and aims to improve the security. They evaluated the framework
using a penetration testing (PenTest) system and found it to be a promising solution
for enhancing the security of 6LoWPANs.
Oh et al. [100] introduced an efficient multiple-pattern-matching algorithm for em-
bedded security systems. Their method reduces unnecessary matching operations and
achieves a speedup of up to 2.14 compared to traditional algorithms under restricted
26
resources [96]. The algorithm was specifically designed to detect DoS attacks in the
IoT and was successfully implemented and tested on a real embedded system [100].
In [101], J. Chen and C. Chen proposed a real-time pattern-matching system for
IoT devices using Complex Event Processing (CEP). This method reduces false alarms
compared to traditional intrusion detection systems, although it increases the comput-
ing resource consumption of the system. This significantly reduces the feedback delay
of the IDS systems [31].
In [52], Ioulianou et al. introduced a new signature-based IDS approach to enhance
IoT network security. The system includes centralized and distributed IDS modules
to detect and prevent various attacks, such as DoS and routing attacks. The IDS
was tested using the Cooja simulator, demonstrating its effectiveness against ”Hello”
flooding and version number modification attacks.
Rullo et al. [102] introduced Kalis2.0, an advanced IoT IDS that operates on a
security-as-a-service (SECaaS) framework. Its design gathers data about the IoT net-
work autonomously and dynamically updates its detection strategy. This system is
tailored for prompt and efficient detection and reaction to security threats in different
IoT contexts. It emphasizes the necessity of robust network-level security monitoring
for IoT devices and proposes centralized IoT security solutions to counter the limita-
tions of traditional distributed IDS architectures. This study advocates for an adaptive
network-level intrusion detection approach suited to the dynamic nature of IoT envi-
ronments, shifting from distributed architectures to more centralized and less intrusive
systems.
2.1.1.2.2 Anomaly-based Intrusion Detection Anomaly based intrusion detection
systems (IDS) utilize supervised learning algorithms, such as data mining, fuzzy logic,
27
Anomaly-based
Statistical Artificial Intelligent
Figure 2.2: Anomaly-based IDS
and game theory, to establish a network’s normal behavior. They promptly compare a
system’s activities to a normal behavior profile and generate an alert when any devia-
tion from normal behavior exceeds a predefined threshold. This process involved two
phases: training and deployment. Selecting an appropriate threshold value is critical
in an IDS because a low threshold can weaken security, whereas a high threshold can
be energy-intensive and shorten the lifespan of the network [70]. The primary advan-
tage of this approach is its high detection rate because it can detect novel attacks that
have not been previously encountered. However, certain issues cannot be neglected.
The primary disadvantage is the high computational overhead required to model nor-
mal behavior. In addition, anomaly based methods often display a high rate of false
positive results. According to existing literature, artificial intelligence and statistical
approaches are the most widely used techniques, as shown in Figure 2.2.
Artificial Intelligence
Artificial intelligence (AI) is a field of information technology that deals with the
production of intelligent machines that perform and react in a manner similar to that
of humans. Some of the reactions of AI include learning, planning, and problem-
solving [112]. Several IDS have been applied to AI. The main benefit of AI is its ability
to extract useful information about mischievous intrusions from data with a high
accuracy. However, AI consumes a large amount of resources to train and test the data.
Some of the vital AI techniques that use intrusion detection systems are as follows:
semantic-based [113–115], fuzzy logic [26,27,41,45,48,116–125], game theory [126–128],
28
bio-inspired [129, 130] and Data Mining [42, 131, 132]. A graphical representation of
the classification of AI techniques is shown in Figure 2.3.
The Semantic-based technique offers a systematic approach to IDS, consisting of
four distinct steps. First, features were extracted from the WSNs. Second, a security
ontology is constructed to provide a structured framework for the security aspects of
the network. The third step involves developing formal semantics for the network, and
creating a clear and systematic representation of its elements and interactions. Finally,
semantics is applied to scrutinize and identify patterns that may indicate security
threats or breaches within an IDS.
In [114], Chen et al. developed an anger intrusion detection system (RIDS) for
WSNs based on a combination of Semantics and Support Vector Machines (SVM).
The proposed mechanism was evaluated using the NS-2 Simulator tool. Finally, RIDS
effectively detects Sybil attacks.
Fu et al. [115] presented an Intrusion Detection Scheme Based on Anomaly Mining
for IoT. The proposed technique used perception data from the Intel Lab Project,
which included temperature, humidity, light, and voltage readings collected at 30-
second intervals. The dataset comprised approximately 2.3 million readings. The
performance of the intrusion detection scheme relies on an anomaly mining algorithm.
The experiments demonstrated that the slice window interval significantly affects the
performance of the algorithm. In addition, Fu et al. added random attack anomalies
to real-valued sensor readings for evaluation purposes. The proposed method was
found to require fewer resources, making it suitable for the IoT perception layer, and
the self-adaptive detection method was shown to ensure fewer false alarms.
Fuzzy logic is an algorithm that provides a mathematical tool for representing
29
Artificial Intelligent
Semantic-based
[113–115]
Fuzzy Logic
[26, 27, 41, 45, 48, 116–125]
Game Theory
[126–128]
Bio-inspired
[129, 130]
Data Mining
[42, 131, 132]
Figure 2.3: Artificial Intelligent IDS
and manipulating information in a manner that resembles human communication
and reasoning processes. In simple terms, fuzzy logic represents a logic that cannot
be crispy. The investor of fuzzy logic Lotfi Zadeh observed that, unlike computers,
human decision making includes a range of possibilities between Yes and No or True
and False, or 1 and 0 [26]. Fuzzy logic can output a range of values instead of Boolean
ones [26]. The fuzzy-logic system had four modules. First, a fuzzification module
transforms the system inputs, which are crisp numbers, into fuzzy sets. Second, the
Knowledge Base stores the if-then rules provided by the experts. Third, the Inference
Engine simulates the human reasoning process by making fuzzy inferences on the
inputs and if-then rules. Finally, the Defuzzification Module transforms the fuzzy set
obtained by using the inference engine into a crisp value.
The study in [121] focused on enhancing IoT security using a neuro-fuzzy approach.
It discusses the increasing importance of IoT and the associated security challenges, es-
pecially intrusion detection. This methodology combines Self-Organizing Map (SOM)
neural networks and fuzzy logic to detect and analyze anomalies in IoT systems,
effectively identifying various types of attacks.
Berjab et al. [122] proposed a novel framework for detecting abnormal nodes in
WSNs using fuzzy logic within an Event-Condition-Action (ECA) rule-based system.
The study focused on detecting ”integrity attacks” in WSNs using a hierarchical detec-
tion approach and spatiotemporal and multivariate attribute correlations to differenti-
30
ate malicious data from other anomalies. The experimental results demonstrated high
detection accuracy with low false-alarm rates, outperforming traditional classification
algorithms.
In [27], a novel anomaly detection method for WSNs was proposed using a fuzzy
logic approach. It integrates fuzzy logic with anomaly detection and reduces computa-
tional complexity while maintaining accuracy. This approach utilizes entropy metrics
and fuzzy estimators to detect abnormal network behavior, thereby demonstrating
improved performance over traditional methods.
Singh et al. [45] introduced a novel system using fuzzy logic to categorize nodes
in WSNs into ”red” (malicious), ”orange” (potentially malicious), and ”green” (safe)
classes to prevent intrusions. The system achieved 98.2
A previous study [41] presented a neurofuzzy-based IDS for WSNs. It improves on
existing anomaly based IDS by combining fuzzy logic and neural networks to address
high false positive rates. The system categorizes nodes as trust, distrust, or enemy
using fuzzy logic and further filters false positives using a neural network. It was
designed to detect various types of attacks on WSNs, such as DoS and DDoS, with a
demonstrated 100% true-positive rate and 0% false positives in the NS2.35 simulator.
Thangaramya et al. [123] proposed a novel approach for secure routing in WSNs by
focusing on energy optimization and security against malicious nodes. Their method
integrated trust analysis and outlier detection using a fuzzy temporal clustering-based
communication model to improve network performance and security. The key metrics
used for evaluation include the packet delivery ratio, delay reduction, and energy
efficiency.
Sinha et al. [124] introduced a lightweight neuro-fuzzy-based IDS for IoT-integrated
31
WSNs, effectively detecting various types of attacks, including DoS attacks, with low
false positive rates. The system adapts well to various attack scenarios and network
conditions.
Ezhilarasi et al. [48] introduced a novel IDS using fuzzy logic and feed-forward
neural networks to detect various routing attacks in WSNs. The system demonstrated
superior performance compared with traditional techniques, achieving an average
detection rate of 97.8% and a maximum accuracy of 98.8%. The study utilized a
Network Simulation (NS-2) for validation and performance evaluation.
Subramani and Selvi [125] presented an innovative IDS tailored for WSNs to bolster
security against diverse attacks. The system overcomes the shortcomings of conven-
tional IDSs in identifying emerging attack types. It synergizes deep learning with
fuzzy inference, and incorporates spatiotemporal constraints and the Feynman Path
Integral to achieve superior accuracy. The approach includes a novel fuzzy rule-based
Convolutional Neural Network (CNN) classification algorithm named F-CNN. The
deployment strategy involves installing an IDS on nodes, particularly cluster head
nodes, to enhance the intrusion-handling capabilities. Notable enhancements in se-
curity parameters include network lifetime, energy consumption, and reduction in
false-positive rates. The model is adept at identifying a range of attack types such as
DoS, user-to-root (U2R), root-to-local (R2L), and probe attacks, outperforming tradi-
tional systems in terms of security and network performance.
The Game Theory approach aims to simulate network security as a game between
players, with antagonistic aims. The game category can be two non-cooperative or
cooperative, zero-sum, or non-zero-sum [126–128]. The aim is to find better strategies
for the players, called Nash Equilibrium [70]. Alpcan and Basar [133], Agah and
32
Das [134], Dong et al. [126], Estiri and Khademzadeh [127, 128], Sedjelmaci et al. [94],
Han et al. [135], Pirozmand et al. [136] have applied game theory to design IDS for
WSNs and IoT.
Subba et al. [46] introduced a game theory-based framework for intrusion detection
in WSNs, which combines specification rules with a neural network-based anomaly
detection module. The framework minimizes energy consumption and IDS traffic
while enhancing detection accuracy against various attacks. It detects selective for-
warding, blackhole, Sybil, wormhole, and DoS attacks using a set of specification rules
based on metrics, such as PDR, DPR, PFR, and RSSI. IDS agents send a Vote Message
to the cluster head when a malicious node is detected, including the node’s ID and
the detected attack type. The paper also details reputation update mechanisms based
on the Shapley value and Vickery-Clark-Grooves mechanisms, presenting simulation
results demonstrating the framework’s effectiveness.
Han et al. [135] presented an IDS model for WSNs that combined game theory
with an autoregressive model to predict attack patterns while efficiently conserving
energy. The model minimizes energy usage without sacrificing detection precision
and integrates both misuse and anomaly detection methodologies. The researchers
validated the model through simulations using Xiaomi phones as the sensor platforms.
Han et al. [135] made a significant contribution to the field of WSN security by
introducing a comprehensive and pioneering approach that integrates game theory
and an autoregressive model into an IDS. This novel approach enhances security
measures against a wide array of attacks and prioritizes energy efficiency, which is a
key factor for the long-term sustainability and effectiveness of WSNs.
Pirozmand et al. [136] applied game theory principles to enhance IDS efficacy in
33
IoT environments, focusing on cloud-fog architectures. This study outlines the com-
ponents of game theory and explains how they can model decision-making processes
in an IDS. The use of MATLAB for simulations demonstrates that cloud-fog-based
IDS can effectively detect attacks in IoT networks. This study suggests that game
theory approaches can optimize resource allocation and be integrated into real-time
applications for network security in IoT environments.
Bio-inspired computing is a research method aimed at solving problems using
computer models based on the principles of biology and the natural world [28,49, 129,
130, 137–142].
Mohammad and colleagues [141] introduced a bio-inspired hybrid feature selec-
tion model for intrusion detection that utilizes an optimized genetic algorithm. This
model incorporates Particle Swarm Optimization, Grey Wolf Optimization, and Firefly
Optimization for the initial feature selection and then employs an Optimized Genetic
Algorithm for the final selection. The model was evaluated on the UNSW-NB15 and
NSL-KDD datasets, and demonstrated improved precision and recall, indicating its
potential as a powerful method for intrusion detection.
Singh et al. [142] introduced a novel IDS for the IoT, combining the sine-cosine
algorithm (SCA) and salp swarm algorithm (SSA) for feature selection, and using
KNN and XGBoost for classification. This hybrid approach enhances IoT security
by improving network intrusion detection and classification. This study shows that
this system achieves higher accuracy and performance than similar methods, thereby
significantly contributing to IoT security.
Data Mining involves the extraction of useful information from large volumes of
data. Thus, it is natural to ask if this technique can be used to extract attack detection
34
rules from large volumes of WSN and IoT network traffic data. [42, 131, 132, 143] This
technique provides high accuracy, but requires significant computational power and
a large memory space [70]. According to data mining, various classifiers are used
to identify anomalous behaviors in IoT networks. The most common methods are
Support Vector Machines (SVM), K-nearest neighbors, Decision Trees, and Rule-based
methods.
An Support Vector Machine (SVM): An SVM is a class of machine-learning algo-
rithms [42]. An SVM is a set of supervised learning techniques used for regression and
classification. The SVM classifier aims to determine a set of vectors, called support
vectors, to construct a hyperplan in the feature spaces.
Several researchers have used SVM to detect attacks in WSN and IoT [42,93, 93, 131,
144–151].
McDermott and Petrovski [146] compared backpropagation neural networks and
SVM for intrusion detection in WSNs. Using the NSL-KDD dataset, they found
that both techniques were effective in detecting cyberattacks, with the SVM classi-
fier demonstrating suitability for anomaly detection in scenarios with small sample
sizes.
Liu et al. [147] proposed a novel technique for identifying internal threats within
IoT networks. Their approach redefines the detection of malicious nodes using a
multivariate multiple linear regression problem by integrating Gradient Descent (GD)
and SVM algorithms. K-means clustering segregates nodes into benign, unknown, or
malicious categories. The advanced detection scheme aims to improve accuracy while
minimizing false positives, achieving impressive detection accuracy rates exceeding
90% and false detection rates below 5%.
35
The study [148] by Ioannou and Vassiliou focused on classifying network attacks in
IoT environments using SVM techniques. It evaluates two SVM approaches, C-SVM
and OC-SVM, using actual network traffic with specific network-layer attacks. C-SVM
exhibited up to 100% classification accuracy in familiar network topologies, and 81% in
unknown topologies. Using benign activity, OC-SVM achieved a maximum accuracy
of 58%. This study highlights the effectiveness of SVM models in detecting malicious
behaviors in IoT networks.
Alsarhan et al. [149] discussed the application of an SVM for intrusion detection
in vehicular networks (VANETs). It focuses on optimizing the SVM using machine
learning algorithms, such as the Genetic Algorithm (GA), Particle Swarm Optimization
(PSO), and Ant Colony Optimization (ACO), to enhance the classification accuracy of
VANETs. The study demonstrates that GA outperforms other optimization algorithms,
highlighting the potential of machine learning in securing VANETs against cyber-
attacks.
In [150], Amaran and R. Madhan Mohan present a novel IDS for WSNs. It introduces
an Optimal Support Vector Machine (OSVM) model that utilizes a whale optimization
algorithm to efficiently select SVM kernels. This method aims to enhance the accuracy
of intrusion detection. The performance of the OSVM model was tested on the NSL
KDDCup 99 dataset, achieving an accuracy of 94.09% and detection rate of 95.02%,
indicating its effectiveness in intrusion detection. This study significantly contributes
to the improvement of WSN security.
Henda et al. [151] introduced an advanced machine-learning-based IDS for IoT net-
works, utilizing an SVM in tandem with a Correlation-based Feature Selection (CFS)
technique. This innovative approach optimizes the feature selection and enhances the
36
IDS efficiency and accuracy. The implementation and performance of this method
were thoroughly evaluated using the NSL-KDD dataset, which demonstrated impres-
sive accuracy rates of 99.09% for binary and 99.11% for multiclass network traffic
classification. These results highlight the superior capability of this method to accu-
rately identify a range of network intrusions, marking a significant step forward in IoT
network security.
K-Nearest Neighbor (KNN): is another classifier that can be used to identify
anomaly behavior in the WSN network. Li et al. [152] introduced a new intrusion
detection system based on the KNN classification algorithm in the IoT. In particular,
this system can separate abnormal nodes from normal nodes by observing their ab-
normal behavior. The authors analyzed the parameter selection and error rate of the
intrusion detection system. In conclusion, the test results show that the system has a
high detection accuracy and speed. The proposed system has three main advantages.
First, the K-value for mining has little effect on the results. Second, the cutoffvalue
was used to determine the abnormal node, which was easy to determine. Third, the
algorithm is fast and efficient. Simulations showed that the system can efficiently
prevent flooding attacks.
Li et al. [152] introduced a new IDS for WSNs using the KNN classification al-
gorithm. It focuses on detecting attacks, such as DoS, replay, integrity, false routing
information, and flooding attacks. The system identifies abnormal nodes based on
behavior and enhances the AODV routing protocol. The key metrics for detection in
packet routing include the routing message numbers and node variety. The system
demonstrated a high simulation accuracy and speed, making it effective in real-world
scenarios.
37
Liu et al. [153] developed an advanced intrusion detection system for IoT environ-
ments to counter increasing threats. Their NIDS uses the k-NN algorithm and enhances
it with feature selection methods such as Principal Component Analysis (PCA), uni-
variate statistical tests, and a Genetic Algorithm (GA). These methods improve data
quality and feature selection, boosting the intrusion detection capabilities of the sys-
tem. Utilizing the Bot-IoT dataset, the model effectively identifies various attack types,
including DoS, DDoS, information gathering, and data theft. The performance of the
model was evaluated using metrics such as TPR, precision, accuracy, F1 score, FPR,
and Area Under the Curve (AUC). It achieved a 99.99% accuracy rate and reduced the
prediction time from over 50,000 s to less than a minute without compromising the
precision. This study represents a major advancement in IoT security by providing a
robust, precise, and efficient intrusion-detection model.
Decision Trees: is another example of the classification algorithm. Classification
is a data-mining technique that assigns objects to one of several predefined categories.
Classification algorithms create a decision tree by identifying patterns in an existing
dataset and using this information to create a tree. The algorithms used preclassified
data as the inputs. They learn the patterns in the data and create simple rules to
differentiate between the various types of data in a preclassified dataset. Decision
trees provide unique insights into the problem of identifying malicious activity, and can
assist in the creation of technology-specific techniques to defend against attacks [132].
Coppolino et al. [132] developed a hybrid, lightweight, distributed IDS for WSN.
The IDS uses a combination of misuse and data-mining techniques with decision trees
as the classification algorithm. Evaluation using the NS-3 simulator and a free dataset
showed a high detection accuracy with a non-negligible false-positive rate.
38
Abdaljabar et al. [154] proposed a methodology using KNN and decision tree
classifiers to protect IoT devices from cyberattacks. Their approach demonstrated a
high detection rate with 100% accuracy, precision, recall, and F1 score, demonstrating
its effectiveness in mitigating cyber threats in an IoT environment.
Tekin et al. [155] proposed an efficient IDS using decision trees to classify various
DoS attacks in IoT systems. The model achieved a high classification accuracy of 97.43%
and could effectively handle large-scale data, thereby contributing to the enhancement
of IoT security.
Rule-based: Anand et al. [156] introduced a rule-based attribute selection algorithm
for removing the unnecessary attributes that are used in decision-making on intrusions
in WSN. Specifically, this study focused on identifying important attributes and used
the DoS to detect them. The system was tested using the KDD’99 Cup data set.
Finally, the experimental results demonstrated that the proposed method provides
high detection rates and reduces false alarms.
Eswari and Vanitha [29] developed a rule-based intrusion detection framework for
WSNs to enhance their security against routing attacks. Their system can detect hello
floods, selective forwarding, and jamming attacks, thereby addressing the limitations
of the existing systems. This study outlines the potential improvements and capabilities
of this new framework.
Lu et al. [157] proposed a novel intrusion detection approach for WSNs, particularly
for human care services. This approach uses a genetic network programming (GNP)
evolving method to efficiently control the number and quality of rules for intrusion
detection. The method was tested on the NSL-KDD dataset, and it demonstrated
improved detection performance by reducing redundancy. The system detects four
39
Statistical
Mathematical Model
[158, 159]
Bayesian Network
[32, 160, 161]
Hidden Markov Chain
[50, 51, 162]
Logistic Regression
[30, 43, 44, 47, 163]
Figure 2.4: Statistical IDS
types of attacks: DoS, probe, user-to-root (U2R), and root-to-local (R2L).
Statistical-based Intrusion Detection System
Statistical-based solutions use various mathematical models such as mathematical
models, Bayesian networks, hidden Markov chains, and logistic regression. A statisti-
cal approach uses mathematical models to analyze a set of data and classify a threshold
pattern for the detection of anomalous behaviors [70].
Mathematical Model: The mathematical approaches use some statistical models
such as linear or nonlinear. This method has low computational cost and low memory
requirements for data storage.
Amin et al. presented an IDS called the Robust Intrusion Detection System (RIDES)
for an IP-based Ubiquitous Sensor Network (IP-USN). The mechanism is a hybrid
intrusion-detection system that incorporates both signature-and anomaly based com-
ponents. The authors proposed a scoring classifier based on a Statistical Process Control
(SPC) technique called CUSUM charts for anomaly based detection. In addition, for
signature-based intrusion detection, the study discussed the implementation of a dis-
tributed pattern-matching algorithm using signature code. The RIDES was evaluated
using UDP flooding and ICMP Smurf DDoS attacks in an NS-2 simulator with 25 nodes
placed in a mesh topology over a 50 ×50 m area.
Ponomarchuk and Seo [159] proposed an intrusion-detection method based on
traffic analysis in a WSN. The method analyzes the behavior of neighbors and uses
40
a thresholding technique for the selected parameters. It does not require additional
hardware, has low computational costs, and provides high attack detection rates.
Bayesian Network: The Bayesian approach was used to calculate the probability
of an event in the future based on current data. Therefore, this approach is typically
used to calculate the trust model between the nodes in a WSN. There is a threshold for
the trust level such that if node monitoring shows that this value is exceeded, it will
be considered malicious. Another direction for applying the Bayesian method is to
clarify the relationship between network operating parameters and the possibility of
an attack. When the system has a reference model for this relationship, it can determine
the attacks that can be initiated from the collected anomalous data.
David and de Sousa Jr [160] proposed a Bayesian trust model to mitigate MAC-
based DoS attacks with little resource expense. The authors used the model to calculate
the media access control sublayer data in a WSN, which can be adapted to other
protocols. Malicious nodes can exploit MAC unfairness vulnerability to cause DoS;
however, the proposed Bayesian trust model efficiently mitigates such attacks with
low resource expenses.
Momani et al. [32] combined data trust and communication trust to infer overall
trust between nodes. They demonstrated the need to combine these two trust values
to prevent misleading threats to the network, resulting in a new trust model using a
Bayesian Fusion Algorithm. Building a trust value for each node is important because
it indicates the node reputation and identifies malicious behavior [70]. Simulation
results showed that a node is highly trustworthy if both trust components confirm its
trustworthiness and highly untrustworthy if both components assert their untrustwor-
thiness.
41
Shi’s study [161] introduced a Naive Bayes-based feature selection model for intru-
sion detection in WSNs. The model focuses on enhancing the accuracy and efficiency
of predicting and preventing intrusion. It demonstrated strong performance, detecting
attacks with approximately 95.8% accuracy and an ROC curve area of approximately
0.989.
Hidden Markov chain method can profile the normal and abnormal patterns when
analyzing data [70].
Kalnoor et al. [50] presented a model for intrusion detection in IoT environments,
particularly for smart homes, using Hidden Markov Models (HMM) and Variational
Dynamic Bayesian (VDB) algorithms. It focuses on detecting and predicting DDoS
attacks using entropy-based features and Kullback–Liebler Divergence for feature se-
lection. The methodology includes data collection from IoT sensors, defining network
states, and training and testing the models. The results demonstrate the model’s high
accuracy in anomaly detection, with improved computational efficiency and lower
false positive and negative rates compared with the traditional HMM.
Kalnoor and Shankar [162] introduced a new intrusion-detection method for WSNs
using a Hidden Markov Bayesian model. The model, called Na¨
ıve Bayesian Hidden
(NBH) and Knowledge-Based Bayesian Hidden System (KBHS), showed high detec-
tion rates and accuracy, outperforming traditional methods such as weighted support
vector machines (WSVM). It was designed to detect flooding, rushing, and black hole
attacks in WSNs, and exhibited better performance in terms of security, throughput,
and minimal transmission delays.
Joshi et al. [51] introduced a Hidden Markov Trust (HMT) model for IoT networks,
which effectively distinguishes between selfish and malicious nodes. The model fea-
42
tures a Learning Module for assessing the node behavior and a Decision Module for
classification. It demonstrates superior performance in terms of Packet Delivery Rate,
overhead, and detection rate, especially against black- and grey-hole attacks, show-
ing a 10% improvement in PDR, a 29% reduction in overhead, and a 17% increase in
detection rate compared to traditional trust models.
Logistic Regression approach is a statistical method that predicts a binary depen-
dent variable based on a set of independent variables. The independent variable of an
IDS is a set of network activity parameters [44].
Ioannou et al. [44] proposed that an mIDS is an anomaly based IDS, and used
Binary Logistic Regression (BLR) to classify sensor activities as benign or malicious.
They tested their method using Contiki O/S and COOJA Simulators, and demonstrated
an accuracy between 88% and 100% for specific attacks when the BLR was trained.
Ioannou and Vassiliou [43] introduced a lightweight intrusion detection system
(mIDS) for WSNs and IoT devices that utilize BLR. It focuses on detecting network
routing layer attacks, such as Selective Forward and Blackhole attacks, by monitoring
parameters such as announcements received, packets sent, packets forwarded, packets
dropped, and packets received. Despite minimal resource usage, the mIDS demon-
strated high accuracy (96 – 100%) in various network topologies, demonstrating its
potential as a practical solution for enhancing IoT and WSN security.
Prathapchandran and Janani [47] proposed a logit trust model that uses logistic
regression to enhance IoT security by identifying and isolating misbehaving nodes,
focusing on black-hole attacks in RPL-based IoT networks. The model calculates trust
values using QoS metrics and demonstrates better prediction accuracy and lower false
predictive rates than the existing models.
43
Arunkumar et al. [30] developed a security framework for IoT and WSNs using
Elliptical Curve Cryptography (ECC) and Logistic Regression (LR) to address vul-
nerabilities and combat various types of attacks. ECC is used for key generation
and distribution, whereas LR aids in selecting optimal transmitters to improve secu-
rity, reduce routing overhead, minimize delays, and enhance energy efficiency. The
framework was shown to effectively detect active attacks such as Flooding, Jamming,
and Denial-of-Service attacks. Simulations demonstrated the potential of the Logistic
Regression-ECC model to enhance network throughput and reliability, making it a
promising solution for securing diverse IoT applications.
2.1.1.2.3 Specification-based The Specification technique is a set of rules and thresh-
olds that defines the expected behavior for routing protocols or network operations.
An intrusion is detected if the network behavior differs from the specification def-
initions. Nevertheless, the main difference between the other methods is that, in
specification-based methods, a human expert should manually define the rules of each
specification, in contrast to the anomaly in which the machine makes the decisions. It
is clear that, when defined, the specifications manually provide lower false positive
alarms, in contrast to anomaly based detection. Finally, specification-based systems do
not require any additional training. However, incorrect specifications may cause ex-
cessive false positives and false negatives, representing a considerable risk to network
security [31, 68, 70, 103–111].
Surendar and Umamakeswari [109] developed the InDReS IDS. InDReS is an
acronym used for intrusion detection and response systems. The proposed mecha-
nism is applicable to the IoT. This technique, which combines anomaly based concepts,
can be applied to monitor the exchange of packets between nodes and a specification-
44
based method can be used to detect sinkhole attacks. The proposed IDS was evaluated
using the NS-2 simulation tool.
Fu et al. [31] proposed a uniform detection method for diverse IoT networks by
using an automata model to detect and automatically report jamming, false, and replay
attacks. This method combines anomaly detection and specification techniques. This
approach was evaluated using an IoT network comprising two Raspberry Pi 3 devices,
an Android Phone, and an OpenWrt router as the IoT Gateway. While efficient in
detecting attacks, anomaly algorithms need to be improved to improve their efficiency
and accuracy.
Bostani and Sheikhan [110] proposed a real-time hybrid intrusion detection frame-
work for IoT, combining anomaly based and specification-based modules to detect
routing attacks, such as sinkholes, selective forwarding, and wormhole attacks. The
hybrid method achieved a True Positive Rate of 76.19% and a False Positive Rate of
5.92% for Sinkhole and Selective Forwarding Attacks, respectively, and 96.02% TPR
and 2.08% FPR for Wormhole Attacks.
Babu and Reddy [111] developed an SH-IDS, which is an advanced intrusion de-
tection system for IoT networks. It uses machine learning and specification heuristics
to identify security breaches including unauthorized access and privilege escalation.
This system outperforms existing intrusion detection methods, thereby marking a
significant advancement in IoT network security.
2.1.2 Localization
Localization in WSN and IoT networks is the process of identifying the positions
of sensor nodes within the network. Localization algorithms can be classified into
two primary categories: range-based algorithms, as demonstrated in [164–168], and
45
range-free algorithms, as exemplified in [169,170].
2.1.2.1 Range-based algorithms
Range-based algorithms employ absolute point-to-point estimation techniques that
use either distance or angle for range estimation [171]. These techniques require the
installation of precise and costly hardware, such as directional antennas for distance
estimation [172,173]. In Range-based approaches, distance estimation is accomplished
by using one of the following methods: Time of Arrival (ToA) [174], Time Difference of
Arrival (TDoA), Angle of Arrival (AoA) [175], and Received Signal Strength (RSS) [176].
Time of Arrival (ToA): The measurement of the Time of Arrival (ToA) is a critical
means of calculating the distance between two points by analyzing the time it takes
for a signal to travel from a transmitter to a receiver. This calculation is foundational
for determining the position of an object within a given frame of reference. To enable
precise localization, systems that utilize ToA employ multiple receivers or transmitters,
which triangulate the position of an object by exploiting the geometric properties of
the triangles. The accuracy of ToA-based systems relies heavily on the synchronization
between transmitters and receivers as well as on the precision of the time measurement
equipment. Thus, advanced timekeeping and signal-processing technologies play a
critical role in the field of localization [174,177].
Time Difference of Arrival (TDoA): Compared to Time of Arrival (ToA), TDoA
focuses on the relative time differences as signals arrive at different receivers. This
approach enables the accurate determination of an object’s location using the geom-
etry of hyperbolas that intersect at the object’s position. The advantage of TDoA is
that it does not require clock synchronization between the transmitter and receivers,
making it particularly useful in scenarios in which it is challenging to maintain precise
46
time synchronization. TDoA is widely used in various applications, such as mobile
phone triangulation for emergency calls, underwater acoustic localization, and aircraft
tracking in the aerospace industry. The accuracy of TDoA-based systems depends
significantly on the precision of the time difference measurements and spatial config-
uration of the receivers. These factors are critical for reducing localization errors and
improving the resolution [174,177, 178].
Angle of Arrival (AoA): The AOA method estimates the location by analyzing
the angles between an unknown node and multiple anchor nodes. However, this
method requires an antenna array, which may be too expensive for low-cost sensor
nodes [174, 177, 179].
Received Signal Strength (RSS): RSS is a widely adopted method for localizing
sensor nodes. This is because most nodes are equipped to measure the strength of
the signals they receive. The RSS technique capitalizes on radio signals that weaken
exponentially with the distance from the source. Therefore, the node can estimate its
distance from the transmitter by analyzing the power of the received signal, transmitted
power, and the path-loss model. To begin the process, an anchor node emits a signal
picked up by the transceiver circuitry and sends it to the Received Signal Strength
Indicator (RSSI) to measure the power of the signal [177].
2.1.2.2 Range-free algorithms
Range-free algorithms explore the connectivity information between adjacent nodes.
They used protocols to eliminate the need for radio-signal measurement. Instead, this
class of algorithms uses radio communication range to establish nodes within a partic-
ular communication sphere. They operate based on the idea that once two nodes can
communicate, the distance between them within a certain probability is less than their
47
highest transmission range [171]. Some principal range-free algorithms, as reported
in the existing literature, include the Centroid Localization Algorithm, the Weighted
Centroid Localization (WCL), Approximate Point In triangulation (APIT), DV-Hop
algorithm, Amorphous Positioning Algorithm, Virtual Force Iterative Localization
(VFIL), and double-circle localization (DCL) [171]. Approaches to range-free localiza-
tion are being pursued as cost-effective, in contrast to the more expensive range-based
solutions [180].
Centroid Localization Algorithm: This method works by pinpointing the geomet-
ric center (centroid) of several reference points, typically nodes with fixed locations.
Centroid Localization (CL) estimates the target node’s position by averaging the coor-
dinates of the reference nodes within the communication range. The simplicity of the
CL Algorithm makes it ideal for applications with limited computational resources or
large-scale deployment, such as environmental monitoring, agriculture, and smart-city
infrastructure. Although CL has lower computational complexity than other localiza-
tion methods, such as TDoA or AoA, its accuracy can be affected by factors such as the
reference node density, node distribution, and environmental obstacles that may im-
pact signal transmission. Signal processing techniques and strategic node placement
can be enhanced to improve the precision of CL-based localization systems [171].
The Weighted Centroid Localization (WCL) algorithm is an advanced iteration of
the basic CL technique specifically designed to enhance the accuracy of node position-
ing in network settings. This is achieved by applying a weighted average approach, in
which the weights are determined based on the proximity of each node to significant
network elements, such as attacks. Essentially, nodes closer to attacks are assigned
higher weights because their position data have a greater impact on the overall posi-
48
tioning of more distant nodes. Studies have shown that WCL significantly improves
location estimates compared with the standard CL method, making it a more effective
option for practical applications [181].
Approximate Point In Triangulation (APIT): The application of the APIT algorithm
is another method that can be used. This approach is based on an area approach,
wherein arbitrary anchors are formed into triangles. Each node selects three anchors
within its radio coverage area and determines whether it is inside or outside the triangle
using the signal strength measurements of nearby non-anchor neighbors. Upon testing
all the triangle combinations, the node position was situated at the centroid of the
intersection region of the anchor triangles. This algorithm requires less computation
and communication than the other anchor-based algorithms. However, this requires
longer-range anchors, a relatively high ratio of anchors to nodes, and the calibration
of the RSS [171, 177].
DV-Hop and Amorphous Positioning Algorithm: DV-Hop and Amorphous algo-
rithms both utilize a distance vector exchange to determine the estimated distances
in hops between nodes within the network and the anchors rather than the linear
distance between the free node and anchor. By calculating the average distance of
the closest anchor, a node can estimate its position and use the hop count distance
to estimate its position from at least two other anchors. This information was then
used to triangulate and estimate the position of the free node. This method is particu-
larly useful for nodes with limited capabilities that cannot process an entire network.
Once calculated, the anchors transmit the estimated hop size to the nearby nodes.
The distinction between the DV-Hop and amorphous algorithms is rooted in their
respective approaches for calculating the average hop length (AHL). DV-Hop relies
49
on anchors to compute and distribute the AHL across the entire network, leading to
significant overhead. However, the amorphous algorithm takes a different approach
in that each anchor independently calculates the AHL during a smoothing stage [171].
One benefit of utilizing these algorithms is their ability to function with fewer anchors
than the APIT. Nevertheless, the propagation of distances and conversion from hops
to meters can result in inaccurate position calculations, ultimately causing substantial
localization errors.
The Virtual Force Iterative Localization (VFIL) algorithm is a cutting-edge tech-
nique utilized in WSNs to accurately locate sensor nodes. VFIL leverages a virtual
force concept, in which nodes are viewed as objects that influence each other based on
their estimated distances and connectivity. The algorithm fine-tunes the nodes’ posi-
tions iteratively, similar to a system-seeking balance, by analyzing the virtual forces in
play. This approach is particularly effective in networks in which nodes are unevenly
distributed or located in challenging environments, resulting in reduced localization
errors. Studies have demonstrated that VFIL significantly improves the precision in
localization when compared to traditional methods owing to its iterative refinement
of node positions until a stable spatial layout is attained [182–184].
The Double Circle Localization (DCL) technique is an advanced localization
method that leverages two crucial geometric concepts: Minimum Bounding Circle
(MBC) and Maximum Inscribed Circle (MIC). According to Cheng et al.’s research [185],
the MBC is the smallest circle that can contain all nodes in a given set, whereas the MIC
is the largest circle that can fit entirely within the convex hull formed by those nodes.
The DCL utilizes these circles to refine jammer position estimation within wireless
networks. By computing both the MBC and MIC around the jammed nodes, DCL
50
provides more precise localization, significantly enhancing the accuracy of identifying
a jammer’s position. This approach was validated by Inchana et al. [186], who demon-
strated its effectiveness and increased reliability in jammer localization within network
settings.
2.1.3 Recovery
A fundamental action after the detection of a jamming attack and localization of
the jammer is to restore the anomalies of the IoT network [187]. In accordance with the
literature [188–191], a plethora of countermeasures are used to mitigate attacks in the
IoT network. In this section, we propose several intrusion-recovery strategies.
2.1.3.1 Polarization of Antenna
The Polarization of an antenna [192] is the orientation of the electric field of the
radio wave with regard to the Earth’s surface, and is defined by the physical structure
of the antenna and its orientation. For communication between WSN and IoT devices,
the antennas must have the same polarization. More specifically, if the polarization of
one antenna is vertical, it is difficult to communicate with an antenna with a circular
polarization. Additionally, WSN and IoT networks mainly use line-of-sight commu-
nications, wherever using the same polarization of the transmitter and receiver can
make a vital difference in signal quality [188,189]. Consequently, when a node senses
any jamming attack in the network, it can switch its polarization and protect the envi-
ronment from interference. The biggest challenge in this approach is that every node
in the environment must notify the other nodes about the changing polarization prior
to any actual change in its polarization, so that the communication will not be inter-
rupted. To control this problem, nodes must be programmed in advance to address
this obstacle [193].
51
2.1.3.2 Directional Transmission
Most wireless devices use omnidirectional antennas for transmissions [192]. These
kinds of antennas can transmit and receive signals from every direction at the same
point of time [188, 189]. By contrast, directional antennas transmit and receive signals
only in specific directions. Therefore, they exhibit a higher tolerance to jamming attacks
[194]. Directional antennas offer superior protection against jamming attacks [194–196].
Many researchers have proposed directional antennas to avoid various attacks on
WSN. Hu and Evans [197] utilize directional antennas and neighbor cooperation to
prevent wormhole attacks in ad hoc networks. Additionally, Lazos and Poovendran
[198,199] introduced a related approach in their secure localization scheme to identify
wormhole attacks. Furthermore, Stavrou et al. [200] proposed INCURE, which is
an intrusion-recovery security framework for WSNs. The proposed countermeasure
framework utilizes directional antennas to create controlled communication paths and
to physically exclude malicious nodes.
2.1.3.3 Blacklisting
Once a malicious behavior is recognized, the aim is to mitigate its impact and
remove intruders from the network. The easiest approach to removing an attacker is
to ignore it. This requires detection of the attack node. Neither MAC nor IP addresses
are trustworthy, because they can be easily spoofed. One possible way to ignore a
node is to use a blacklist. A blacklist includes all malicious nodes, and a whitelist
includes all legitimate nodes. Subsequently, after the detection of a malicious attack,
the malicious behavior is placed in the blacklist database where the attacker fails if he
attempts another attack on the system [53, 60, 201].
52
2.1.3.4 Channel Surfing
Channel Surfing is another potential mitigation method. Channel Surfing is a
form of spectral evasion that involves legitimate wireless devices that change the
channel on which they operate [202]. In Channel Surfing, when nodes identify a
jamming attack, they immediately switch to another orthogonal channel and wait
for opportunities to reconnect to the remainder of the network. Subsequently, the
nodes that are under attack lose connectivity with their neighbors. The neighbor
nodes discover the disappearance of their attacked neighbor nodes and temporally
change to a new channel to search for them. If lost neighbors are found on the new
channel, the nodes participate in rebuilding the connectivity of the entire network [203].
Consequently, legitimate nodes communicate over a different frequency, leaving the
jammer operating at the default frequency and making the attack inefficient [202, 204,
205]. However, if the jammer node is reprogrammed or self-reprogrammed to search
for available frequency channels and determine the new frequency, the countermeasure
will be overcome, and the jammer can continue attacking the network [200]. Jiang
and Xue [206] proposed a restoration method called ”The Split-Pairing Scheme.” The
basic idea is to split the jammed nodes into two groups, each of which operates on a
different channel. At any given time, the attacker can jam only one channel or when it
is switching channels; a group free of jamming may conduct key propagation [206].
2.1.3.5 Recover Jammed Packets
This method is designed to recover jammed and corrupted packets. Heo et al. [207]
proposed the Dodge-Jam: Anti-Jamming Technique for Low-power and Lossy Wireless
Networks. In this study, the sender partitions a packet into several small blocks, and
adds a CRC to each block. When retransmitting the packet because of transmission
53
failure (upon no ACK reception due to a reactive jamming attack, jamming ACK attack,
or natural link loss), it performs a logical shift to the packet with the expectation that
some blocks have been successfully received at the receiver. The attacker jams parts
that are similar to the packet. After a few retransmissions, the receiver can recover
original jammed packets from multiple erroneous packets [207].
2.1.3.6 Path Switching /Rerouting
Another effective way to recover WSN and IoT networks from jamming attacks is
to change the communication path to avoid jamming areas. Liu et al. [208] suggested
using a recovery agent to protect a network from ongoing attacks. Specifically, recovery
agents reduce the impact of jamming attacks through several mechanisms such as path
switching, direct sequence spread spectrum, and frequency-hopping spread spectrum
[208]. Sergiou et al. [209] proposed DAIPAS, a Dynamic Alternative Path Selection
Scheme. DAIPAS could become a solution to guarantee stable performance under the
requirement that there are sufficient available nodes capable of accommodating traffic
that can be routed to the sink path through the initially established source.
In [210], researchers studied network restoration schemes via joint traffic rerouting
and channel reassignment under jamming attacks, using global and local restoration
strategies. The authors formulated an optimal restoration dilemma for each strategy
using linear programming, from which the best after-restoration throughput perfor-
mance can be derived.
2.1.3.7 Interference Cancellation Technique
The basic principle involves generating a canceling signal that mitigates jamming
threats [211]. In [212], the interference signal was canceled using multiple-input
multiple-output (MIMO) transmissions. Specifically, MIMO interference cancellation
54
treats jamming signals as noise and strategically removes them, whereas transmit pre-
coding adjusts the signal directions to optimize the decoding performance. Hu and
Wang proposed a successive interference cancellation algorithm for multiuser detec-
tion [213].
2.2 Related Work
In the following section, we provide an overview of related work on jamming
attacks, discuss the parameters for detecting these attacks, and explore the use of fuzzy
logic algorithms for detection. We will also examine jamming localization algorithms
and conclude with an overview of jamming recovery strategies.
2.2.1 Detection
2.2.1.1 Related Work Jamming Attacks
This section briefly describes jamming attacks and the use of fuzzy-logic algorithms
to detect them and provide background information. The most common and dangerous
attack that can be proven harmful to wireless mesh WSN or IoT networks is jamming
[189]. Jamming is a type of attack that interferes with the radio frequencies used by
network nodes [22]. A jamming source may either be powerful enough to disrupt the
entire network or less powerful and only disrupt a smaller portion of the network.
Wireless networks are especially vulnerable to radio jamming attacks because they
are straightforward to launch [214]. An attacker can easily generate a jamming attack
without requiring any special hardware [215] and does not require information about
the internals of the control system [216].
2.2.1.1.1 Types of Jamming Attacks According to the literature [3, 188], three types
of jammers are most common: Proactive, Reactive, and Specific-Function jammers.
55
Figure 2.5 illustrates different types of jamming attacks.
Figure 2.5: Types of Jamming Attacks
Proactive Jammers
A Proactive Jammer attacks the network regardless of the data communication. It
randomly transmits bits on the network, making all functional nodes non-responsive.
Finally, it functions only on a single channel and operates until energy is depleted
[189,217]. Proactive Jammers can be categorized into constant, deceptive, and random
jammers.
1. Constant Jammer: A Constant Jammer continuously emits radio signals that
interfere with the transmission of the network [190]. Furthermore, a Constant
Jammer emits random signals that do not follow any underlying MAC protocol
[188]. This type of jammer aims to keep the channel busy and damage the
communication between nodes [188]. In contrast, constant jammer attacks are
energy-inefficient and can be easily detected [217]. Moreover, this type of attack
can be easily implemented, identified, and worked on a single channel [189].
2. Deceptive Jammer: Compared to a Constant Jammer, the Deceptive Jammer
is more challenging to detect because it transmits legitimate packets instead of
random bits. Similar to the Constant Jammer, the Deceptive Jammer is also
energy inefficient owing to continuous transmission; however, it is very easy to
implement [217] and difficult to detect [189].
56
3. Random Jammer: On the other hand, the random jammer alternates from the
sleeping mode to the Jamming mode [217, 218]. It can behave like either a
Constant Jammer or a Deceptive Jammer during its jamming phase. In contrast to
the previous two jammers, this reduces the power consumption [217]. However,
it is less effective than the two aforementioned jammers and incapable of jamming
during sleep [189].
Reactive Jammers
The Reactive Jammer listens to channel activity. If an action is identified, it imme-
diately sends a random signal to collide with the existing signal on the channel [188].
The amount of power required to listen to a channel is significantly lower than that
required for proactive jamming [190]. Unfortunately, reactive jammers are difficult to
detect and design, energy-inefficient, and work on a single channel [189].
1. Reactive RTS/CTS Jammer: In this attack, the jammer begins the offensive when
it senses a request-to-send (RTS) message to transmit from the sender. Conse-
quently, the receiver cannot send back a clear-to-send (CTS) reply, because the
RTS packet sent from the sender is destroyed. Finally, the sender will not send
data because or it believes that the receiver is busy with another ongoing trans-
mission. Consequently, the sender is not sending data, and the receiver is always
waiting for the data packet [217].
2. Reactive Data Acknowledgement Jammer: In the Data/ACK attack, the jammer
destroys the transmissions of data or acknowledgment (ACK) packets. The
attacker does not respond until the data transmission begins at the end of the
transmitter. This type of jammer can corrupt data or ACK packets. Consequently,
we observe an increase in retransmissions. This occurs because the data packets
57
are not received correctly at the receiver in the case of data transmission. In the
case of ACK, since the sender does not receive the ACKs, it believes something
is going wrong at the receiver side [217].
Specific-Function Jammer
These types of jammers are manufactured to achieve a specific function. For ex-
ample, they can be used to interfere with a single channel, or they can cause jamming
of the entire network depending upon their purpose, which means they can minimize
their energy consumption or increase their maximum throughput [189].
1. Follow-on Jammer: This category of the jammer hops over all available channels
very frequently and jams each channel for a short period [188]. If a transmitter
detects an attack at a specific frequency and hops to another frequency, then the
follow-on jammer scans the channel and hops in the spectrum where there is
traffic, or they can hop and jam randomly at different frequencies. In conclusion,
the follow-on jammer is particularly effective against anti-jamming techniques
such as frequency-hopping spread spectrum (FHSS), which uses a slow hopping
rate [189, 217].
2. Channel-hopping Jammer: In the Channel-hopping attack, the jammer interferes
while hopping between different channels. In addition, a jammer has direct
access to channels, because it can override the CSMA algorithm of the MAC
protocol. Furthermore, Channel-hopping jammers can join multiple channels
simultaneously. Therefore, the jammer is quiet and invisible to its neighbors
during the discovery phase, and it starts performing attacks are initiated on
different channels at different times according to a predetermined pseudorandom
sequence [189, 217].
58
3. Pulse Noise Jammer: This attack category can switch channels and jam on
different bandwidths at different periods. Moreover, the pulse-noise jammer
saves energy by turning offand following the programming of the jammer.
Pulse-noise jammers can attack multiple channels simultaneously [189, 217].
2.2.1.2 Parameters for Jamming Attack Detection
The jamming detection parameters applied to the existing systems are discussed
in this section. These parameters can be broadly classified into Local and Centralized
parameters. Figure 2.6 shows the different parameters used to detect the jamming
attacks.
Figure 2.6: Jamming Attack Detection Parameters
Local Parameters: These metrics are measured at or relevant to the individual node
level, enabling an in-depth analysis of the performance or condition of single nodes
within the network. Here, is a brief description of the local parameters.
•Packet Send Ratio (PSR): Xu et al. [3] defined PSR as the ratio of packets that
are successfully sent out by a legitimate traffic source compared to the number
of packets it intends to send out at the MAC layer.
•Average number of required transmissions per packet (ATX): Heo et al. [207]
define the ATX metric as the total number of transmissions divided by the number
of successfully received unique packets.
59
•Bit Error Rate (BER): According to Strasser et al. [219], the BER is calculated
as the ratio of the number of corrupted bits to the number of total bits received
by a node during a transmission session. However, measuring the BER using
a sensor node is difficult, because it requires the collection of a large amount
of data. Moreover, this method cannot classify the different types of jamming
attacks [220].
•Packets Dropped per Terminal (PDPT): Misra et al. [26], Cakiroglu et al. [221]
and Balarengadurai et al. [222] used PDPT for detection of Jamming attacks.
PDPT refers to the ratio of the number of received packets that have not passed
the Cyclic Redundancy Check (CRC) carried out by the node to the total number
of packets received by the node over a given period.
•Signal-to-Noise Ratio (SNR): SNR is measured as the ratio of the received signal
power at a node to the received noise power at the node. Misra et al. [26],
Balarengadurai et al. [222], and Sasikala and Rengarajan [223] used SNR as a
metric to detect Jamming attacks. SNR is a useful metric for identifying the
behavior of jamming in the physical layer [220].
•Signal-to-Interference-plus-Noise Ratio (SINR): SINR is a measure used in wire-
less communication to quantify the quality of a signal in the presence of interfer-
ence and noise. It is a key performance indicator for the reliability and efficiency
of communication systems. A higher SINR value indicates better quality of com-
munication links. Improving the SINR can lead to a better data throughput,
higher reliability, and lower error rates. Techniques to improve SINR include
power control, adaptive modulation and coding, interference mitigation strate-
60
gies, and advanced signal processing methods [224].
•Energy Consumption: Cakiroglu et al. [221] define Energy Consumption as
the approximated energy amount consumed in a specified time for a sensor
network [218, 225, 226].
•Received Signal Strength Indicator (RSSI): RSSI [220,225–228] is defined as the
power content of the radio signal when received by the receiver.
•Expected Transmission Count (ETX): ETX [229] represents the expected number
of transmissions required to transmit and acknowledge a packet on a wireless
link successfully.
•Clear Channel Assessment (CCA): The transceiver provides a feature called
CCA, which operates at the MAC level. Each time the transmitter attempts to
send data and detects that the channel is in use, the CCA is incremented by one.
This variable was responsible for this functionality. [228].
•Bad Packet Ratio (BPR): BPR is a metric that indicates the percentage of in-
correctly received packages, calculated by dividing the number of erroneously
received packages by the total number of received packages. The receiver deter-
mines this metric by verifying the Frame Check Sequence (FCS) of the incoming
packets at the MAC level. [228, 230]
•Retransmissions: the number of retransmissions required before a frame is suc-
cessfully transmitted to the next hop.
Centralised Parameters: These metrics are characteristics evaluated across the
entire network or system that are essential for assessing the overall network health
61
and security.
•Packet Delivery Ratio (PDR): Xu et al. [3] describe PDR as the ratio of packets that
are successfully delivered to a destination compared to the number of packets that
have been sent out by the sender. [225]. From the results, it was recognized that
PSR and PDR were difficult to decide on jamming and its types [220,226,228,230].
•Number of hops for received packets: A Hop count refers to the number of
routers that a packet goes through from its source to its destination [134].
•Throughput: Agah and Das [134] define Throughput as the measure that charac-
terizes the total number of forwarded packets over the total number of received
packets.
•Delay: Delay in [218] is calculated as the total time from the transmission of a
packet from a node to the sink to the time when the sink received the packet.
•Packet Loss Ratio (PLR): PLR is calculated as the number of packets lost divided
by the number of packets sent [227, 231].
•Routing Overhead: Chen et al. [231] proposed routing overhead as the average
number of routing packets (including DIS, DIO, and DAO packets) transmitted
in the whole network every minute.
2.2.1.3 Related Work on Using Fuzzy Logic Algorithms for Detecting Jamming
Attacks
Fuzzy logic dealing with vagueness and imprecision can describe imprecise forms
of reasoning in areas where firm decisions have to be made under indefinite conditions
and are found to be appropriate for intrusion detection [232]. Fuzzy logic can make
62
real-time decisions even with incomplete knowledge. Conventional control systems
rely on accurate representation of the environment, which typically does not exist in
reality. Fuzzy logic systems that can naturally handle linguistic rules are suitable for
this purpose. Moreover, it can be used in context by combining different parameter
rules to produce a suitable result [222]. Furthermore, Fuzzy rules allow us to efficiently
and easily construct if-then rules that reflect general ways of describing security attacks
[233]. Thus, fuzzy logic is an adequate means for defining network attacks [233]. AI
methods, such as decision trees, neural networks, and fuzzy logic, are applied to detect
anomalies in a network, where a fuzzy-based system presents important advantages
over other AI techniques [234].
According to the literature, the following studies considered jamming attacks and
used fuzzy logic algorithms to detect malicious activity in wireless mesh networks.
Misra et al. [26] proposed a fuzzy inference system for Jamming attack detection. In
this approach, network nodes receive input values, whereas the base station performs
jamming detection using a centralized methodology. The nodes send three inputs to the
base station: the total number of packets received during a specified period, number of
packets dropped during the period, and RSS. Using these metrics, the base station can
calculate the PDPT and SNR. Subsequently, the central node uses the values of PDPT
and SNR as inputs to the fuzzy inference system to extract the jamming indicator.
Finally, they confirmed the occurrence of a jamming attack on the node. The validation
is performed using a 2-means Clustering algorithm that constructs a confirmatory
check through the study of the neighborhood of a node to ascertain the correctness
of the JI grade allotted to that node compared with the JI distributed to its neighbor
nodes. This work was performed using NS2, MATLAB, and Simulink simulators and
63
four types of jammers (constant, deceptive, random, and reactive) in 720 different
simulation setups. In the simulations, there were four positions for the jammer: two
inside and two outside the grid, six sets of inter-nodal distances (5, 10, 15, 20, 25, and
30 m), and three sets of nodes (25, 50, and 100). Finally, the researchers performed
simulations using standard power and high energy at the jammer node.
Using Fuzzy logic systems, Balarengadurai and Saraswathi [235] detected jamming
attacks at the PHY and MAC layers in IEEE 802.15.4 low-rate wireless personal area
networks. This system uses three inputs sent by nodes to the base station. The inputs
are a) the total number of packets received by it during a specified period, b) the
number of packets dropped by it during that period, and c) the RSS. Thereafter, the
base station calculates the PDPT and SNR from these values, and then uses the metrics
of PDPT and SNR as inputs to a fuzzy logic system to obtain the Jamming Indicator as
the output of the system. Finally, jamming attack detection is confirmed through Fuzzy
K-means clustering. These experiments used the S-MAC protocol as a MAC standard.
In the simulations, the nodes sent one packet every 5 s for light traffic and two packages
every 1 s for heavy traffic. In addition, the authors examined four types of jammers:
constant, deceptive, random, and reactive—the evaluation of this approach simulated
in a Network Simulation environment.
Reyes and Kaabouch [228] introduced a fuzzy logic technique to detect link loss
in wireless networks, motivated by the need to assess a link’s general state, and not
just jamming. The system employs metrics such as Clear Channel Assessment (CCA),
Bad Packet Ratio (BPR), Packet Delivery Ratio (PDR), and Received Strength Signal
(RSS) to assess the link status and determine the cause of link failure. Extensive
simulations and field tests were conducted, yielding high efficiency rates of 98.4% and
64
95.25% for detecting constant and random jamming, respectively. In conclusion, the
study significantly advances wireless network diagnostics, especially in environments
where link stability is critical.
Vijayakumar et al. [220] proposed a fuzzy logic-based jamming detection algorithm
(FLJDA) to detect the presence of jamming in downstream data communication for
cluster-based wireless sensor networks. FLJDA monitors the behavior of nodes by
computing the jamming probability using two inputs in a fuzzy-logic system: packet
delivery ratio and RSSI. This approach was simulated using the MATLAB software.
This approach shifts from node-centric to network-centric detection, which involves
cluster heads and base stations. The algorithm demonstrates a high true detection
ratio (99.89%), showcasing its effectiveness in accurately identifying different types of
jamming attacks, such as constant, deceptive, random, and reactive jamming.
Meenalochani and Sudha [227] proposed a hybrid algorithm based on fuzzy logic
and Ant Colony Optimization for the detection of jamming attacks. This approach
was simulated using MATLAB. The authors used fuzzy logic to detect the interference
node and ant colony to route the data even in the presence of jamming. The ant colony
approach discards a congested node and identifies the path from the source to the
destination for successful transmission. The fuzzy logic system uses the inputs of the
PDR, PLR, and RSSI to determine the jamming percentage of the node. The authors
used 12 wireless Zigbee real nodes where node one was assigned as the Base Station
and connected to a laptop to display the received data in real time.
In [27], a novel anomaly detection method for WSNs was proposed using a fuzzy
logic approach. It addresses the limitations of traditional entropy-based methods
in detecting attacks, such as DDoS and jamming, in WSNs. The methodology inte-
65
grates fuzzy logic with anomaly detection, reducing computational complexity while
maintaining accuracy. This approach utilizes entropy metrics and fuzzy estimators to
detect abnormal network behavior, demonstrating improved performance over tradi-
tional methods. The paper concludes with the potential of this approach for enhancing
the security of WSNs.
In [236], an Adaptive Neuro-Fuzzy Inference System (ANFIS) was used for detect-
ing jamming attacks in WSN. This approach enhances the network performance and
reduces the energy consumption. This study compared different jamming techniques
and analyzed the effectiveness of the ANFIS model against the proposed Fuzzy Inter-
ference system using MATLAB. The results indicate that the ANFIS jamming detection
system performs better than existing and proposed fuzzy models. The methodology
used in the paper for detecting attacks involves the ANFIS, which is a fuzzy model
based on Artificial Neural Networks (ANN). This system integrates fuzzy logic with
an ANN to improve its performance. The ANFIS model focuses on optimizing pa-
rameters such as the Beacon Interval, Back-off-Tx, and buffer size to reduce energy
consumption and delay in the network. The ANFIS model was used to minimize
errors and enhance network performance in the context of detecting attacks on WSN.
The specific metrics or inputs considered in this experiment are not detailed in the
quoted section, but the general approach involves loading data, which include inputs
and outputs, to implement the ANFIS interface system. Bengag et al. [226] provided
an in-depth analysis and proposed a new IDS utilizing fuzzy logic tailored for Wireless
Body Area Networks (WBANs). This study thoroughly explores various aspects of an
IDS, including its functions and classifications, and highlights the role of fuzzy logic
in augmenting its efficiency. The authors introduced an innovative IDS framework
66
that employs a Mamdani-type fuzzy inference system, specifically designed to detect
jamming attacks in WBANs. They meticulously outlined the system architecture, im-
plementation strategy, and performance evaluation criteria. The effectiveness of this
system is assessed using three key network parameters as crisp inputs: PDR, RSSI, and
Energy Consumption Analysis (ECA).
In contrast to the existing solutions shown above, which also detect jamming at-
tacks using a fuzzy logic algorithm, our approach uses only two metrics as the inputs.
It uses a lightweight version of an IDS to achieve a high-performance evaluation sys-
tem. Our solution uses only one algorithm compared to Mirsa et al. [26], who used
the 2-means clustering algorithm to achieve the best results. Similarly, Balarengadu-
rai and Saraswathi [235] used an additional k-mean clustering algorithm. Finally,
Meenalochani and Sudha [227] used three metrics as inputs: PDR, PLR, and RSSI
and used the Ant Colony Optimization algorithm. Overall, none of the researchers
have comprehensively examined the position of the jammer. Our approach examines
forty-eight different positions of jammers with equivalent simulations in a distributed
and centralized manner. More precisely, the jammer is identified at each node (ETX,
Retransmissions, and PDPT parameters) and at the sink (PDR parameter). Moreover,
all approaches use input metrics from the physical layer and centralize the detection
decision, unlike our solution, which uses input values from the data-link and network-
layer metrics and makes the detection decision locally.
2.2.2 Localization
Accurately determining the source of a jamming attack is crucial for implementing
security measures against disruptive nodes and restoring network communication,
as was emphasized by [185]. To this end, nine jammer localization algorithms have
67
been demonstrated: Centroid Localization (CL) [237], Weighted Centroid Localization
(WCL) [181], Double Circle Localization (DCL) [185], Virtual Force Iterative Localiza-
tion (VFIL) [182], Particle Swarm Optimization (PSO) [180], Antenna Identification
and Localization (AIJL) [238], Minimum Enclosing Circle (MEC) center [239], mono-
tone chain algorithm [240] and Single Circle.
2.2.2.1 Centroid Localization (CL)
The CL method provides a way to locate jammers without requiring the cooperation
of the target nodes. This is achieved by utilizing the positional data of the nearby nodes,
which are defined as those within the transmission range of the target node. To locate
the jammer, CL analyzes the coordinates of all the jammed nodes and calculates their
average, which provides an estimated location for the jammer [182].
Because the CL relies solely on the coordinates of the network nodes, it can with-
stand uncertainties in radio propagation within the environment. However, the accu-
racy of the estimation can be affected by the distribution of jammed nodes. The esti-
mation is biased if the overloaded nodes are concentrated on one side of the jammer.
In a uniformly distributed network with higher density, the jammed nodes are more
likely to be evenly distributed around the jammer, leading to more precise estimations.
Suppose there are N jammed nodes represented as {(X1,Y1),(X2,Y2),...,(XN,YN)}.
The jammer location can be estimated as follows:
Äb
Xjammer,b
Yjammerä=(ΣN
i=1Xi
N,ΣN
i=1Yi
N) (2.1)
The CL algorithm described in [237] estimates the location of a jammer by calcu-
lating the average of the boundary and the jammed node locations. However, the
accuracy of the algorithm depends on the position and density of nodes. Thus, the
68
accuracy of the estimated location depended on the number and location of the affected
nodes.
2.2.2.2 Weighted Centroid Localization (WCL)
WCL represents a refined version of CL that utilizes a weighted average calculation
to determine the position of the target node. One approach for assigning weights
is to consider the proximity of the target node to its neighboring nodes, considering
factors such as the distance between a jammed node and its jammer. The underlying
principle is that a node located closer to the jammer should have a greater impact on
the average location estimate of the nodes situated farther away. Empirical evidence
shows that the WCL outperforms the CL in generating more precise estimations in
practical settings [181].
By incorporating a weighting factor into the centroid approach, jammer location
estimation is formulated as follows:
Äb
Xjammer,b
Yjammerä=(ΣN
i=1wiXi
ΣN
i=1wi
,ΣN
i=1wiYi
ΣN
i=1wi
) (2.2)
The weight wi=1
d2
i
where diis the distance between the i-th neighboring node and
the jammer node. One possible technique for acquiring distance data is through the
measurement of the incoming radio signal RSS, which is inversely correlated with
distance. In the context of WCL, location estimation depends solely on the positional
information of the boundary nodes, which serve as reference points. This approach
utilizes the RSS measurements of these nodes as weighting factors to determine the
closeness of nearby nodes to the jammer.
Blumenthal et al. [181] devised a WCL algorithm that uses a Link Quality Indicator
(LQI) to track ZigBee nodes in outdoor locations. WCL provides a quick and simple
69
approach for locating devices in wireless sensor networks. Furthermore, the authors
utilized LQI measurements were used to estimate the distance between the nodes and
reference points.
Wang et al. [241] introduced an improved method called WCL, which is based on the
RSSI variation algorithm. The WCL method refines the CL algorithm to determine node
locations. The CL technique estimates the jammer’s location by averaging the positions
of all affected nodes within or near the jamming area. However, this technique can
result in significant errors when only a few nodes are affected by the jamming signal
depending on their location. To address this issue, the WCL method calculates the
average jamming power received by the boundary nodes and uses it as a weight to
minimize location errors.
2.2.2.3 Virtual Force Iterative Localization (VFIL)
In [182], a method was proposed to improve localization accuracy by considering
the distribution of jammed nodes. First, the VFIL estimates the transmission range of
the jammer. Next, it creates a circular area around the estimated location of the jammed
nodes, with the center being the estimated location of the jamming signal source and
including all the jammed nodes. The boundary nodes were placed outside this area.
Finally, CL estimation was used to refine the estimation process.
VFIL uses an iterative approach to adjust the center of the estimated jammed region
within the network until it covers the maximum number of jammed nodes. The
estimated jammed region was assumed to coincide with the real jammed region when
the estimated jammer’s location matched the actual position.
VFIL employs two virtual forces called ”pull” and ”push” through multiple iter-
ations to align the estimated location with the actual jammer location. During each
70
iteration step, nodes outside the estimated jammed region exert a pull force, drawing
the jammed region towards them. Conversely, unaffected nodes located within the
estimated jammed region apply a push force that pushes the jammed region away.
Consider (X0,Y0) as the estimated jammer’s position, (Xi,Yi) as the position of a
jammed node, and (Xj,Yj) as the location of the affected node. We represent forces Fi
(pull) and Fj(push) as normalized vectors, indicating their directions relative to the
estimated position of the jammer.
Fi
pull =
Xi−b
X0
»(Xi−b
X0)2+(Yi−b
Y0)2
,Yi−b
Y0
»(Xi−b
X0)2+(Yi−b
Y0)2
,
Fj
push =
b
X0−Xj
»(b
X0−Xj)2+(b
Y0−Yj)2,b
Y0−Yj
»(b
X0−Xj)2+(b
Y0−Yj)2
(2.3)
Liu et al. [182] chose a threshold of 100 iterations as the stopping point during
the adjustment of virtual force. Liu et al. [183] presented VFIL, a technique that
utilizes network topology and node states to estimate jammer positions. This paper
examines the challenges of localizing jamming attacks, compares two jamming attack
models, region-based and SNR-based, and discusses the VFIL approach. This study
employs extensive simulations and experiments to demonstrate that VFIL outperforms
traditional centroid-based methods under different network conditions. The VFIL
method can identify various types of jamming attacks including constant and reactive
jammers.
2.2.2.4 Double Circle Localization (DCL)
As described in Cheng et al.’s algorithm [185], DCL is based on two fundamental
concepts: the Minimum Bounding Circle (MBC) and Maximum Inscribed Circle (MIC).
MBC represents the smallest circles that can be inscribed, whereas MIC corresponds
to the largest circle that can be inscribed within the convex hull formed by a collection
71
of jammed nodes. By utilizing the DCL method, the jammer position identification
accuracy can be significantly improved, as evidenced by the study by Inchana et
al. [186], thereby providing a more robust level of confidence.
The final values for both MBC and MIC were determined using DCL by calculating
their respective average values. The average values were obtained using the following
equations:
(XMBC,YMBC)=ÇXmbc +X′
mbc
2,Ymbc +Y′
mbc
2å,
(XMIC,YMIC)=ÅXmic +X′
mic
2,Ymic +Y′
mic
2ã(2.4)
The following equation was used to obtain the final result.
(b
Xjammer,b
Yjammer)=(w1XMBC +w2YMIC ,w1YMBC +w2XMIC)(2.5)
Where (Xmbc,Ymbc)and (Xmic,Ymic)are the circle centers of MBC and MIC, the values
for the wcan be obtained by either an empirical approach under the condition of
w1+w2=1.
Cheng et al. [185] proposed a jammer localization algorithm called DCL. They
compared their DCL approach with three other existing algorithms: CL, WCL, and
VFIL [182]. Simulations and experiments were conducted for thorough comparison.
In addition, they tested their algorithm in isotropic jammer scenarios and modified
the antenna direction of the jammer to imitate anisotropic jammer scenarios. WCL, a
Weighted Centroid-based localization algorithm [242], improves CL by considering the
average distance between the boundary nodes and jammer as the weight to decrease
the localization error [243].
72
2.2.2.5 Particle Swarm Optimization (PSO)
The PSO algorithm is a powerful computational technique inspired by the collective
behavior of birds and fish. It aims to optimize a given problem by iteratively enhanc-
ing a candidate solution according to a predefined quality measure. PSO operates by
utilizing a population of particles representing a candidate solution, and moving them
through the solution space by following the best-performing particles. As the particles
fly, they adjust their movements based on their own experience and that of their neigh-
bors to find the most optimal solution. In their study, Pang et al. [180] introduced a
novel solution for localizing jammers in wireless networks using PSO, without requir-
ing additional hardware. The proposed algorithm estimates the location of the jammer
by identifying the minimum covering circle of jammed positions, assuming that the
jammed region is circular. To solve this problem, the algorithm divides positional
information into two datasets, jammed and non-jammed, formulating the localization
problem as an optimization problem and using PSO to find the solution. The key
contributions of this study include a more accurate localization method compared to
existing range-free solutions, a PSO algorithm that works with non-uniformly dis-
tributed jammed positions, and extensive validation through simulations in wireless
sensors and vehicular ad-hoc networks. Simulations were conducted using MATLAB
and the performance of the method was assessed by comparing the estimated Eu-
clidean distance of the jammer location with the actual jammer location within the
network.
2.2.2.6 Antenna Identification and Localization (AIJL)
Fan et al. [238] introduced a novel technique called Antenna Identification and
Localization of the Jammer (AIJL) to locate jammers in unconventional environments.
73
This approach considers the jammed and boundary nodes to determine the position
of the jammer accurately. The technique involves two main steps: computing the
convex hulls of the jammed and boundary nodes and calculating the circumcircles
of the clusters formed by these nodes within these convex hulls. Three nodes were
selected to determine the circumcircle: the first two were the two farthest points within
the convex hull and the third node was the farthest from the midpoint of the previous
two points. This process results in circumcircles for both jammed and boundary nodes.
The estimated location of the jammer was determined to be the orthocenter of these
two circumcircles.
2.2.2.7 Minimum Enclosing Circle (MEC) center
Researchers have developed a technique [239] called the MEC method that can
locate jammers in WSNs. By identifying the smallest circle that encompasses all the
affected nodes, this method can estimate the jammer’s location as the center of that
circle. This approach [239] is particularly useful when angle or range information is
not available and when quick and straightforward jammer localization is needed in
circular areas. One study compared this method with other methods that did not
use angle or range information, such as CL, WCL, minimum closing rectangle center
localization (MERCL), and minimum closing circle center localization (MECCL). The
results showed that the MEC technique was the most precise for localizing jammers,
making it a valuable tool for enhancing the security of WSNs against jamming attacks.
2.2.2.8 Monotone chain (MC) algorithm
The MC algorithm is a widely used computational geometry technique that gen-
erates a convex hull that encloses all the points in a set. This is achieved by sorting
the points based on their x-coordinates and gradually adding them to the upper and
74
lower hulls, based on whether they create a left or right turn. Eventually, the hulls are
merged to create a fully convex hull. The MC algorithm is highly effective and com-
monly used in fields such as computer graphics, geographic information systems, and
robotic navigation. Alikh and Rajabzadeh [240] introduced a novel method for detect-
ing and locating jamming attacks on sensor networks. Their technique falls under the
range-free localization category, and utilizes a lightweight security mechanism. The
approach involved the use of the MC algorithm, which was evaluated through simu-
lations conducted in MATLAB. However, the authors did not provide any information
regarding the type or characteristics of jammers used in their study.
2.2.2.9 Single Circle Localization (SC)
The SC approach that we introduced employs a geometric method to determine
the position of a jammer within a network. This algorithm processes datasets con-
taining the positions of the nodes, distinguishing between jammed and boundary nodes
based on their connectivity status. It utilizes the concept of minimum bounding circles
(MBC), which are calculated separately for both jammed and boundary nodes using
Welzl’s algorithm. Welzl’s algorithm efficiently determines the smallest enclosing cir-
cle for a set of points. The differential component of SC is realized by computing two
MBCs: one for the boundary nodes (MBCboundary) and another for the jammed nodes
(MBCjammed). The estimated position of the jammer was then derived by analyzing the
geometric differences between these two circles, specifically their centers and radii.
This approach allows for refined estimation by accounting for variations in the node
distribution affected by the jamming signal, thereby enhancing localization accuracy in
environments where traditional methods might be compromised by noise and signal
distortion.
75
2.2.3 Recovery
The authors in [244,245] proposed a solution for network restoration in the event of
jamming attacks. Their proposed solution involves joint traffic rerouting and channel
reassignment to bypass jamming. This study investigated two restoration schemes,
global restoration and local restoration, to minimize the performance degradation
caused by jamming attacks. An optimization-based approach was used to formulate
network-restoration schemes under jamming attacks in multihop multichannel wire-
less networks as a linear programming problem. The optimal network restoration
schemes were evaluated through extensive simulations under various jamming attack
scenarios. These algorithms can be implemented in both centralized and distributed
ways.
Sergiou et al. [209] proposed DAIPAS, a Dynamic Alternative Path Selection Scheme.
DAIPAS could become a solution to guarantee stable performance under the require-
ment that a sufficient number of available nodes can accommodate traffic that can be
routed to the sink path through the initially established source.
Lim et al. [246] proposed a technique to improve the reliability of WSNs in mi-
crogrids against jamming attacks. This approach involves creating alternate paths for
data transmission within a wireless mesh network by randomly selecting detour routes
to distribute traffic and to reduce the effects of jamming. The aim is to maintain the
quality of service during attacks using packet delivery ratio and end-to-end delay as
performance metrics. The proposed method was tested using an NS-2 network simu-
lator, and the results demonstrated that it can effectively enhance the packet delivery
ratio and end-to-end delay compared with traditional methods. This indicates that the
approach can be useful in ensuring uninterrupted communication during jamming
76
attacks on WSNs for microgrids.
In order to defend against reactive jamming attacks, Liu et al. [208] have proposed
an immunological anti-jamming method based on the adaptive immune system of
human beings. The system consists of three function modules: a monitoring agent,
decision agent, and recovery agent. A monitoring agent monitors the behavior of its
neighbors and sends the results to decision agents. The decision agent detects jamming
attacks based on the features of known jamming attacks from a local jamming-pattern
database. The jamming pattern database is updated when new jamming attacks are
recognized by examining the abnormal behaviors of the jammers. Finally, Liu et
al. [208] suggested using a recovery agent to protect a network from ongoing attacks.
Specifically, recovery agents reduce the impact of jamming attacks through several
mechanisms, such as path switching, direct sequence spread spectrum, and frequency-
hopping spread spectrum [208].
In [210], researchers studied network restoration schemes via joint traffic rerouting
and channel reassignment under jamming attacks using global and local restoration
strategies. The authors formulated the optimal restoration dilemma for each strategy
using linear programming, from which the best after-restoration throughput perfor-
mance can be derived.
The authors in [223] attempted to detect jamming attacks. Consequently, the au-
thors propose a defense mechanism using an artificial bee colony. The proposed system
was simulated using MATLAB. Simulation results demonstrate the effectiveness of the
proposed method, which can defeat a jamming attack and maintain considerable per-
formance of the overall network. The proposed scheme detects jamming attacks by
checking the Energy, Distance, Packet Loss, and PDR and investigating the abnormal
77
behavior of neighbors’ radio signals. Finally, the proposed approach recovers the
network from jamming attacks by using path switching.
2.3 Summary
This chapter provides an in-depth examination of IoT security, underscoring the
complex challenges and the necessity for effective security measures in the IoT ecosys-
tem. We explored the vulnerabilities of these systems by reviewing the literature
and identifying various attacks on the IoT and WSN networks. The discussion also
covers strategies for intrusion detection, emphasizing the need for a combination of
signature-based, anomaly based, and specification-based methods to detect and miti-
gate potential threats. In addition, we explored innovative approaches to localization
and recovery techniques to safeguard IoT systems from attacks. As the IoT has become
more ubiquitous in our lives, it is crucial to advance our understanding and develop-
ment of security measures. The insights gained from this chapter will contribute to
ongoing efforts to fortify IoT networks and ensure their resilience against the constantly
evolving landscape of jamming threats.
78
Chapter 3
Framework for Detection, Localization,
and Recovery from Jamming Attacks in
the Internet of Things
This chapter explains the threat model and the behavior of jamming attacks, and
introduces our security framework, which consists of three phases: detection, local-
ization, and recovery.
3.1 Jammers Description
Jamming is a type of attack that interferes with radio frequencies used by network
nodes [22]. A jamming source may either be powerful enough to disrupt the entire
network or less powerful and only disrupt a smaller portion of the network. The most
common and dangerous attack that can be proven harmful for wireless mesh WSN or
IoT networks is a jamming attack [189]. Wireless networks are particularly vulnerable
to radio jamming attacks because they are straightforward to launch [214]. An attacker
can easily generate a jamming attack without requiring any special hardware [215] and
79
does not require information about the internals of the control system [216]. In this
thesis, we conducted experiments using jammers from the JamLab framework [247].
To test our proposed technique, we implemented five different types of jammers and
set up corresponding configurations for each.
3.1.1 Constant Jammer
A constant jammer is a type of signal interference that disrupts network transmis-
sion. It operates by emitting radio signals in an ON-OFF pattern without following
any underlying MAC protocol [188,190]. This type of jammer aims to keep the chan-
nel busy and disrupt the communication between nodes. However, constant jammer
attacks are inefficient in terms of energy consumption and can be easily detected [217].
In addition, these attacks are easy to implement, identify, and only work on a single
channel [189]. Algorithm 26 for a constant jammer is as follows:
3.1.2 Deceptive Jammer
We employed a modified deceptive jammer with an ON-OFF pattern. When ON,
the jammer continuously emits interference signals. The transmitted data sequence
length was 8 KB, allowing the nodes to transfer packets when the intrusion signal was
off. With a data packet length of 8 KB, the jammer can execute an attack without fully
disrupting network operations. During intervals when the jammer signal is inactive,
the nodes are still able to communicate and transmit data. A Deceptive Jammer is more
challenging to detect because it transmits legitimate packets instead of random bits.
Similar to the Constant Jammer, the Deceptive Jammer is also energy-inefficient owing
to continuous transmission; however, it is very easy to implement [217] and difficult
to detect [189]. The algorithm for the Deceptive Jammer is described in Algorithm 2.
80
Algorithm 1: Constant Jammer
1: Initialize jammer parameters:
2: jamming frequency ←frequency to jam
3: transmit power ←power level for transmission
4: jamming duration ←total duration for jamming
5:
6: function generate jamming signal()
7: Create a signal with high power and noise characteristics without following any
underlying MAC protocol
8: Set the signal frequency to jamming frequency
9: return jamming signal
10: end function
11:
12: function transmit signal(signal)
13: Set transmission power to transmit power
14: Transmit the signal continuously
15: end function
16:
17: function main()
18: Initialize the jamming timer
19: jamming signal ←generate jamming signal()
20: Start transmitting the jamming signal
21: while jamming duration is not reached do
22: Continue transmitting jamming signal
23: end while
24: End transmission
25: end function
26: main()
3.1.3 Random Jammer
Two random jammers were implemented. The first random jammer produces an
arbitrary signal shape, whereas the second creates a specific signal shape. Both random
jammers transmit packets containing unrecognizable data, with the transmitted data
sequence being 8 KB long. These two random jammers have the lowest accuracy rate
because they cannot jam during sleeping mode. The specific and random signal shapes
for the random jammer are as follows.
Random Jammer with a specific signal shape: The jammer follows this sequence:
”Interfere for 4000 milliseconds, sleep for 60 milliseconds, then intrude for 2200 mil-
81
Algorithm 2: Deceptive Jammer
1: Initialize jammer parameters:
2: jamming frequency ←frequency to jam
3: transmit power ←power level for transmission
4: jamming duration ←total duration for jamming
5:
6: function generate jamming signal()
7: Create a signal with high power and noise characteristics that transmits
legitimate packets
8: Set the signal frequency to jamming frequency
9: return jamming signal
10: end function
11:
12: function transmit signal(signal)
13: Set transmission power to transmit power
14: Transmit the signal continuously
15: end function
16:
17: function main()
18: Initialize the jamming timer
19: jamming signal ←generate jamming signal()
20: Start transmitting the jamming signal
21: while jamming duration is not reached do
22: Continue transmitting jamming signal
23: end while
24: End transmission
25: end function
26: main()
liseconds, rest for 60 milliseconds, jamming for 4000 milliseconds, finally snooze for
20 milliseconds, and start again from the beginning”.
Random Jammer with random shape signal: The jammer’s signal shape is pro-
duced automatically and unplanned.
Algorithm 3 presents the pseudocode for the random jammer.
3.1.4 Reactive Jammer
If a reactive jammer identifies an action, it immediately sends a signal with 8 KB of
data to collide with the existing signal on the channel. Reactive jammers are challenging
to detect. Algorithm 4 demonstrates this reactive jammer.
82
Algorithm 3: Random Jammer
1: Initialize jammer parameters:
2: jamming frequency ←frequency to jam
3: transmit power ←power level for transmission
4: max jamming duration ←maximum duration for each jamming period
5: max silence duration ←maximum duration for each silence period
6:
7: function generate jamming signal()
8: Create a signal with high power and noise characteristics
9: Set the signal frequency to jamming frequency
10: return jamming signal
11: end function
12:
13: function transmit signal(signal, duration)
14: Set transmission power to transmit power
15: Transmit the signal for the specified duration
16: end function
17:
18: function random duration(max duration)
19: return a random value between 0 and max duration
20: end function
21:
22: function main()
23: while True do
24: jamming signal ←generate jamming signal()
25: jamming duration ←random duration(max jamming duration)
26: silence duration ←random duration(max silence duration)
27: transmit signal(jamming signal, jamming duration)
28: Wait for silence duration
29: end while
30: end function
31: main()
3.1.5 Complex Jammer
This thesis introduces a new and innovative concept called the ”Complex Jammer.”
Unlike traditional jammers, complex jammers exhibit a versatile range of behaviors.
It can seamlessly switch between four distinct jammer personas: constant, deceptive,
random, and reactive jammers. The inherent complexity of this jammer type poses
a significant challenge to security mechanisms, making them ill-equipped to reliably
predict their behavior. Consequently, this can lead to increased false alarms. Algorithm
83
Algorithm 4: Reactive Jammer
1: Initialize jammer parameters:
2: detection threshold ←signal strength threshold for detecting activity
3: jamming frequency ←frequency to jam
4: transmit power ←power level for transmission
5: monitoring interval ←time interval to scan for active signals
6:
7: function monitor channel()
8: Continuously scan the communication channel
9: if detected signal strength exceeds detection threshold then
10: return True
11: else
12: return False
13: end if
14: end function
15:
16: function generate jamming signal()
17: Create a signal with high power and noise characteristics
18: Set the signal frequency to jamming frequency
19: return jamming signal
20: end function
21:
22: function transmit signal(signal)
23: Set transmission power to transmit power
24: Transmit the signal
25: end function
26:
27: function main()
28: while True do
29: if
30: monitor channel() then
31: jamming signal ←
32: generate jamming signal()
33:
34: transmit signal(jamming signal)
35: end if
36: Wait for monitoring interval
37: end while
38: end function
39:
40: main()
5 presents the pseudocode for the complex jammer.
84
3.1.6 Multiple Jammers
In this study, we conducted experiments involving strategic use of two jammers.
These jammers were designed to behave like deceptive jammers, and their effectiveness
was tested at different locations across the grid. For reference, the coordinates of the
multiple jammers are listed in Table A.24. With two jammers in play, the attack surface
expands from four to eight jam nodes.
3.2 Proposed Framework
The proposed framework comprises three phases: detection, localization, and re-
covery. Figure 3.1 shows a graphical representation of this framework.
3.2.1 Detection phase
During the detection phase, it is crucial to identify the malicious behaviors or attacks
that may occur. To accomplish this, we developed a lightweight fuzzy-logic algorithm
specifically designed to detect jamming attacks. We thoroughly tested this algorithm
using various inputs, and ultimately determined that the most effective inputs were
ETX and Retransmission. Our local detection approach collects metrics from nodes
and is based on simplicity, making it well suited for use in IoT devices. Ultimately, our
proposed fuzzy-logic detection mechanism can perform real-time intrusion detection.
3.2.2 Localization phase
Once a nefarious activity has been identified in the network, the subsequent action
is to pinpoint the attacker’s location. Our innovative algorithm uses multilateration to
determine the estimated position of the jammer. By leveraging network layer metrics,
such as ETX and retransmissions, we devised a novel multilateration approach that
yields greater precision and speed compared to alternative methods.
85
Figure 3.1: Framework for the Detection, Localization, and Recovery of Jamming
Attacks in the Internet of Things
3.2.3 Recovery phase
In the event that an attack is detected and localized, it is imperative that we take
swift action to recover the network from a malicious attacker. To achieve this, we
developed a set of solutions specifically designed to recover from jamming attacks on
RPL networks. These solutions involve implementing recovery techniques that adjust
routing decisions at the network layer. Our proposed security framework includes
the blacklisting of nodes located within the jamming area, which allows RPL to uti-
lize re-routing techniques and reconfigure network communication. Importantly, our
method does not require additional hardware for its implementation. We conducted
simulations during both the attack and recovery phases to assess the effectiveness of
the proposed method.
86
3.3 Threat model
We consider that before launching an attack on an IoT network, the jammer does
not know about the network’s security protocols. In addition, the jammer initiates
attacks without prior knowledge of the detection strategy and capabilities. Conse-
quently, in the initial phase, the attacker is unable to comprehend our detection model
and is unaware that we are capable of determining the jammer’s location. Attackers
can employ various types of jamming attacks, including deceptive, constant, random,
and reactive methods, as well as complex jamming techniques. A complex jammer
can seamlessly transition between different jamming behaviors at random intervals.
The jammer has many options for selection; however, these options are static. We con-
sider that the jammer cannot change the jamming parameters such as the transmission
power and communication channel. Initially, the jammer disrupts communication by
emitting constant radio frequencies, ignoring any Media Access Control (MAC) pro-
tocol. Although this approach can hamper communication, it is relatively easy for
security systems to detect. As the jammer evolves its tactics, it may adopt a more
deceptive approach by disguising its interference signals as legitimate data transmis-
sion. This makes the detection considerably more difficult. To further obscure its
presence, the jammer may intermittently enter a dormant state via random jamming.
This tactic confuses security mechanisms because of its unpredictable activity pattern.
The jammer becomes reactive when it tunes into ongoing network communication,
launching targeted disruptions. This reactive approach allows the jammer to intercept
and obstruct signals during transmission, thereby effectively crippling communication
channels. If the jammer gains insight into the defensive strategies of the network, it
becomes a sophisticated adversary and alternates between the aforementioned jam-
87
ming techniques, making detection a complex task. An intelligent jammer can adapt
its actions and employ various techniques to complicate detection efforts, a concept we
defined in our thesis as the complex jammer. Moreover, two jammers demonstrating
identical behaviors at the same time in a simulated scenario but in different locations
can cause interference in multiple areas. The aforementioned jammer behaviors were
comprehensively examined in this study.
Moreover, there is a possibility that an attacker may gain insight into our defense
strategy and engage in more sophisticated behaviors, necessitating an additional layer
of security for protection. The attacker can manipulate channel communication and
adjust the transmission power. The proposed security framework was designed to ad-
dress a broad range of jamming behaviors, including adaptive and complex strategies,
through its multiphase architecture. Although this thesis does not address adversaries
capable of dynamically adjusting technical parameters, the modular design of the
framework allows for future integration of advanced defensive mechanisms. These
could include adaptive countermeasures for channel-hopping and power-varying jam-
mers. While the framework effectively addresses static parameters and diverse jam-
ming strategies, attackers can gain insight into the detection and localization mech-
anisms or employ advanced techniques, such as channel-hopping, which remains a
challenge. These scenarios necessitate additional research on adaptive and layered
security mechanisms that can dynamically respond to evolving threats.
3.4 Summary
In this section, we describe the different types of jammers. We also identified a
Threat Security Model to construct our proposed Security Framework for detecting,
localizing, and recovering from jamming attacks in IoT networks.
88
Algorithm 5: Complex Jammer
1: Initialize jammer parameters:
2: modes ←[Constant, Deceptive, Random, Reactive]
3: current mode ←select initial mode from modes
4: switch interval ←predefined interval for switching modes
5:
6: function switch mode()
7: current mode ←select new mode from modes
8: end function
9:
10: function constant jammer()
11: Generate and transmit constant jamming signal
12: end function
13:
14: function deceptive jammer()
15: Generate and transmit deceptive jamming signal
16: end function
17:
18: function random jammer()
19: Generate and transmit jamming signal at random intervals
20: end function
21:
22: function reactive jammer()
23: Monitor channel and transmit jamming signal when activity is detected
24: end function
25:
26: function main()
27: while True do
28: if time to switch mode then
29:
30: switch mode()
31: end if
32: if current mode == Constant then
33:
34: constant jammer()
35: else if current mode == Deceptive then
36:
37: deceptive jammer()
38: else if current mode == Random then
39:
40: random jammer()
41: else if current mode == Reactive then
42:
43: reactive jammer()
44: end if
45: end while
46: end function
47:
48: main()
89
Chapter 4
Anomaly Detection for Jamming
Attacks using Fuzzy Logic Intrusion
Detection System (FLIDS)
The initial segment of the proposed framework focuses on the detection module,
which serves as the cornerstone for identifying jamming attacks and their diverse
manifestations. This chapter delves into the various threats posed by jamming at-
tacks, outlining their classifications and the specific metrics employed to detect such
intrusions accurately. In addition, we explored the realm of existing solutions, par-
ticularly emphasizing the utilization of fuzzy logic algorithms tailored to efficiently
detect jamming attacks. This section provides a comprehensive overview of the pro-
posed solution, laying the groundwork for deeper understanding of its effectiveness
in countering jamming threats.
90
4.1 Fuzzy Logic Intrusion Detection System (FLIDS) de-
scription
In this section, we present our proposed solution, known as the Fuzzy Logic in-
trusion detection system (FLIDS). Initially, we outline the membership functions for
the Input Parameters, as well as the selection process for the optimal set of input pa-
rameters. Finally, we comprehensively explain our solution, which encompasses the
detection algorithm, the simulation setup, and the configuration specifications. Fuzzy
logic, which deals with vagueness and imprecision, has the capacity to describe im-
precise forms of reasoning in situations where firm decisions need to be made under
indefinite conditions. They have been found to be particularly suitable for intrusion
detection [232]. According to the literature, detection frameworks based on fuzzy logic
can effectively handle ambiguous information [248]. Fuzzy logic allows for real-time
decision-making, even with incomplete knowledge, unlike conventional control sys-
tems, which rely on accurate representations of the environment that often do not exist
in reality. Fuzzy logic systems can naturally handle linguistic rules, and can be used
to blend different parameters and rules to produce appropriate results [222]. Further-
more, fuzzy rules allow for the efficient and easy construction of if-then rules that
describe general methods for defining security attacks [233]. Therefore, fuzzy logic
can be an effective means of defining network attacks [233]). In the field of detecting
anomalies in a network, AI methods, such as decision trees, neural networks, and
fuzzy logic, are commonly applied. Among these, fuzzy-logic-based systems offer
significant advantages over other AI techniques [234]. Fuzzy logic systems are often
simpler to design and understand as compared to other AI techniques. The rules and
91
membership functions employed in fuzzy-logic systems are typically straightforward
to comprehend and adjust, thus enhancing the system’s transparency and explainabil-
ity. These systems are highly adaptable and can be easily modified to adapt to changes
in the system or the environment. New rules can be incorporated without the necessity
for a complete system overhaul, enabling incremental enhancements and adjustments.
4.1.1 Membership Functions
There are two primary fuzzy models, Mamdani and Sugeno. The Mamdani model,
developed by Ebrahim Mamdani in 1975 [249], consists of a set of linguistic control
rules used to create a control system, with output membership functions represented
as fuzzy sets [250,251]. Following this, Sugeno and Kang introduced the Sugeno model
in 1985 [252], which generates fuzzy rules from a specified input-output data set. In
this thesis, the Mamdani model was utilized. Mamdani models are known for their
intuitive and interpretable nature, which makes them particularly suitable for human
experts. The rules and fuzzy sets in Mamdani’s model are easier to understand and
explain. Their close resemblance to human reasoning and decision-making makes
them commonly employed in control systems. The Mamdani model allows for a
broader range of membership functions and offers flexibility in defining the fuzzy sets
and rules. However, Sugeno models are less intuitive and are more challenging for
human experts. Their rules often involve mathematical functions that are difficult to
understand. Sugeno models typically utilize linear or constant membership functions
for output, which can limit their flexibility in specific applications. According to
Vijayakumar et al. [220], the primary distinction between the Mamdani and Sugeno
models is the defuzzification component. The Mamdani model is suitable for both
linear and constant functions, while the Sugeno model is most appropriate for linear
92
techniques such as Proportional-Integral-Derivative (PID) control. In the Mamdani
model, defuzzification is used to produce a fuzzy output. In contrast, the Sugeno
model utilizes defuzzification through weighted average calculation to generate crisp
outputs. This method is efficient in terms of defuzzification [226, 253]. Specifically,
in the Sugeno model, the number of fuzzy rules must match the number of output
functions; this is not the case in the Mamdani model [226, 253]. Consequently, the
Mamdani fuzzy model is the most suitable choice for the proposed system to detect
the presence of jamming.
Based on the related work section 2.2.1.3 mentioned above, all previous stud-
ies [26, 27, 220, 226–228, 235] utilized the Mamdani model. Finally, we chose the Mam-
dani model over the Sugeno model because for our application, the simplicity of rule
formation and fuzzy set definition is important.
The membership functions are defined as follows.
µset(uod)=
uod −α
b−α, α ≤uod ≤b
1,b<uod <c
d−uod
d−c,c≤uod ≤d
0,otherwise
(4.1)
To determine the variation of membership values. We performed simulations
using a deceptive jammer and without attacks. The deceptive jammer can help us
understand data behavior because it not only does not change jamming situations but
also interferes with the network during the attack period. The values of the variables in
Table 4.1 were determined using a feedback factor that compares the original result (the
output and JI of the method) with the expected outcome. These values are then fixed by
93
Figure 4.1: Distribution values of ETX
improving them using a feedback factor. A fuzzy logic system can be constructed using
the observed data [227]. The minimum, maximum, average, and standard deviation
values were calculated to determine the ranges of variables. We also observed the
distribution of values used to build the membership functions. Using Figure 4.1, we
can observe the distribution values of the ETX metric where the minimum value is -3,
the maximum value is 13, the mean is 3.21, and the standard deviation is 2.79.
In the provided figure 4.2, it can be observed that the distribution of Retransmissions
is depicted in situations with and without attacks. Figure 4.2 illustrates that the
minimum retransmission value was near zero, whereas the maximum value was close
to 4200. In addition, the mean retransmission value was approximately 1300, with a
standard deviation of approximately 950.
Additionally, the Packet Drop per Terminal (PDPT) distribution is presented in
figure 4.3. In the no-attack condition, packet drops were generally lower, with a
median value well below 50 and minimal variability, although a few outliers showed
94
Figure 4.2: Distribution values of Retransmissions
higher drops. In contrast, the attack condition showed a significantly higher median,
with most terminals experiencing increased packet drops within a narrower range,
indicating a more consistent but elevated level of packet loss. Statistical analysis
reveals a minimum of 0, a maximum of 131, a mean of 32.89, and a standard deviation
of 36.78, underscoring the variability in packet drop rates across terminals, particularly
under attack conditions.
Finally, the distribution values of the Packet Delivery Ratio are shown in Figure 4.4,
where the minimum value is 0 in the attack condition and the maximum value is 1 in
the no-attack condition. In addition, the mean PDR value was 0.59, and the standard
deviation was 0.33.
Figures 4.5, 4.6, 4.7, 4.8 and 4.9 illustrate trapezoidal functions with respect to
ETX, Retransmissions, PDPT, PDR, and JI, respectively. To further demonstrate the
membership values of the inputs, we present their corresponding input-output surfaces
in Figures 4.10, 4.11,4.12, 4.13, and 4.14.
95
Figure 4.3: Distribution values of Packets Drop per Terminal
Figure 4.4: Distribution values of Packet Delivery Ratio
96
Table 4.1: Values of variables used in the definition of membership functions
Universe of Discourse (UoD) Set a b c d
ETX
LOW -4 -2 2 3
MEDIUM 2 3 10 11
HIGH 10 11 18 22
Retransmissions
LOW -150 -100 500 600
MEDIUM 500 600 1100 1200
HIGH 1100 1200 4100 4500
PDPT
LOW -10 -8 8 10
MEDIUM 8 10 78 80
HIGH 78 80 148 150
PDR
LOW -0.5 0 0.45 0.5
MEDIUM 0.45 0.5 0.85 0.9
HIGH 0.85 0.9 1 1.05
Jamming Indicator (JI)
NO ATTACK -0.05 0 0.25 0.3
LOW 0.25 0.3 0.5 0.55
MEDIUM 0.5 0.55 0.75 0.8
HIGH 0.75 0.8 1 1.05
97
Figure 4.5: The trapezoidal Membership function plots for the input ETX
Figure 4.6: The trapezoidal Membership function plots for the Retransmissions
4.1.2 Selecting Optimal Input Parameters for Fuzzy Logic Intrusion
Detection Systems
Our approach uses a combination of the following metrics: ETX, Retransmissions,
PDPT, and PDR as inputs to a Fuzzy Inference System (Mamdani’s fuzzy inference
system) [254] to obtain the Jamming Indicator (JI) as the output of the system. The JI
value was between 0 and 1, signifying No Jamming to Absolute Jamming. The design
of Mamdani’s fuzzy inference system is illustrated in Figure 4.15.
98
Figure 4.7: The trapezoidal Membership function plots for the input PDPT
Figure 4.8: The trapezoidal Membership function plots for the input PDR
As outlined in Section 2.2.1.2, we focus on two main categories of parameters: local
and centralized detection. Our emphasis in this thesis is on real-time node detection;
therefore, we disregard centralized metrics. Additionally, we are not interested in
detecting at the physical layer; however, performing detection at the data link and
network layers is our primary focus. Therefore, we do not consider parameters such
as SNR, SINR, and RSSI, which require additional hardware for measurement, because
we are committed to building a software-based IDS. Our initial focus on an IDS involves
examining retransmission metrics to detect jamming, which entails action at the data
99
Figure 4.9: The trapezoidal Membership function plots for the output, Jamming Indi-
cator (JI)
Figure 4.10: Input-output surface corresponding to the membership values of inputs
(ETX, Retransmissions) and output (JI)
Figure 4.11: Input-output surface corresponding to the membership values of inputs
(PDR, Retransmissions) and output (JI)
100
Figure 4.12: Input-output surface corresponding to the membership values of inputs
(PDPT, Retransmissions) and output (JI)
Figure 4.13: Input-output surface corresponding to the membership values of inputs
ETX, PDR) and output (JI)
Figure 4.14: Input-output surface corresponding to the membership values of inputs
ETX, PDPT) and output (JI)
link and network layer. Additionally, we explore ETX, a composite metric that assesses
the link quality of the nodes. Furthermore, we used the dropped packets to examine
101
Figure 4.15: Fuzzy Controller Design
packet loss as an additional metric. Lastly, we regard PDR as a crucial centralized
metric, which signifies the successful delivery of packets within the network.
In order to determine the best input parameters for the fuzzy logic system, we com-
pared five different combinations of the four metrics. This helped us identify the most
suitable input parameters for the fuzzy-logic intrusion-detection system. Our solu-
tion employs fuzzy logic to make decisions using the values of ETX, Retransmissions,
PDPT, and PDR as input parameters in a fuzzy inference system. We choose these
values by collecting matrices at the node or sink node (PDR), as well as our empirical
experience and experimental results. It has been observed that these values increase
significantly when a jammer attack occurs.
We tested five combinations to determine the most effective inputs for the fuzzy
controller. The first combination used ETX and Retransmissions; the second used
PDPT and Retransmission; the third used PDR and Retransmissions; the fourth used
ETX and PDR; and the fifth used ETX and PDPT. We did not test the combination of
PDR and PDPT, because both inputs were dependent variables.
We started by using a customized proactive deceptive jammer with an ON-OFF
pattern. When turned ON, the jammer emits continuous interference signals that dis-
102
rupt the network. The attacker sends packets containing data that are not recognized
by the nodes, and the length of the transmitted data sequence is 8 KB. With a data
packet length of 8 KB, the jammer was capable of launching an attack without entirely
disrupting the network. This allows the nodes to maintain communication and trans-
mit data during periods when the jammer signal is inactive. We selected this specific
jamming attack owing to its simplicity and ease of use.
We defined three fuzzy sets for the four universes of discourse as follows: ETX,
retransmission, PDPT, and PDR. These fuzzy sets were LOW, MEDIUM, and HIGH,
respectively. Additionally, we defined four fuzzy sets over the universe of discourse
output (JI): NO attack, LOW, MEDIUM, and HIGH. We used Mamdani’s model [254],
where the crisp inputs to the system were combinations of ETX, retransmissions, PDPT,
and PDR, and the crisp output was obtained from the system after defuzzification using
the centroid method, that is, JI.
In this study, we chose trapezoidal shapes as an appropriate membership function
for the fuzzy-logic controller. Trapezoidal shapes are preferred for defining fuzzy
membership functions for two reasons: First, they can be mathematically manipulated
to be very close to the most natural feature, the Gaussian or Bell functions. Secondly,
they can be easily manipulated to be an asymmetrical function, where the same cannot
be done easily using Gaussian or Bell functions [26]. The decision on which method
to use depends completely on the problem size and problem type [255]. The choice
of the trapezoidal shape depends on the distribution of the data. Compared with
Gaussian fuzzy sets, trapezoidal shapes are easy to implement and fast to calculate
[255]. According to [256], there are two strategies for constructing fuzzy sets: a)
model driven and b) knowledge driven. Gaussian fuzzy sets can only be created using
103
the model-driven approach, whereas trapezoidal fuzzy sets can be constructed using
both the model-driven and knowledge-driven approaches. Consequently, working
with trapezoidal fuzzy sets provides the user more freedom in membership function
construction [256]. In conclusion, trapezoidal fuzzy logic controllers are simpler to
analyze [256].
4.1.3 Detection Algorithm
Algorithm 6 for detecting the jamming node is as follows.
Algorithm 6: Algorithm for detection of jammed node using fuzzy inference
system
Input:
•ETX and Retransmissions (Distributed), PDPT and Retransmissions
(Distributed), PDR and Retransmissions (Centralized), ETX and PDR
(Centralized)
Output:
•Jamming Indicator (JI)
BEGIN
•Get the values of ETX and Retransmissions, PDPT and Retransmissions, PDR
and Retransmissions, ETX and PDR of the nodes
•Fuzzify the crisp input parameters: ETX and Retransmissions, PDPT and
Retransmissions, PDR and Retransmissions, ETX and PDR
•Apply the fuzzy rule base and get the fuzzy output
•Defuzzify the fuzzy output to get the crisp output
•The defuzzified crisp output gives the percentage of jamming of a node
END
4.1.4 Fuzzy Rules
In the approach in which the inputs are ETX and Retransmissions, the fuzzy rule
base is given as follows:
1. If ETX is LOW and Retransmissions is LOW, then JI is No ATTACK.
104
2. If ETX is LOW and Retransmissions is MEDIUM, then JI is LOW.
3. If ETX is LOW and Retransmissions is HIGH, then JI is MEDIUM.
4. If ETX is MEDIUM and Retransmissions is LOW, then JI is No ATTACK.
5. If ETX is MEDIUM and Retransmissions is MEDIUM, then JI is LOW.
6. If ETX is MEDIUM and Retransmissions is HIGH, then JI is MEDIUM.
7. If ETX is HIGH and Retransmissions is LOW, then JI is LOW.
8. If ETX is HIGH and Retransmissions is MEDIUM, then JI is MEDIUM.
9. If ETX is HIGH and Retransmissions is HIGH, then JI is HIGH.
In the approach in which the inputs are the PDPT and retransmissions, the fuzzy
rule base is given as follows:
1. If PDPT is LOW and Retransmissions is LOW, then JI is No ATTACK.
2. If PDPT is LOW and Retransmissions is MEDIUM, then JI is LOW.
3. If PDPT is LOW and Retransmissions is HIGH, then JI is MEDIUM.
4. If PDPT is MEDIUM and Retransmissions is LOW, then JI is No ATTACK.
5. If PDPT is MEDIUM and Retransmissions is MEDIUM, then JI is LOW.
6. If PDPT is MEDIUM and Retransmissions is HIGH, then JI is MEDIUM.
7. If PDPT is HIGH and Retransmissions is LOW, then JI is LOW.
8. If PDPT is HIGH and Retransmissions is MEDIUM, then JI is MEDIUM.
9. If PDPT is HIGH and Retransmissions is HIGH, then JI is HIGH.
In the approach in which the inputs are PDR and retransmissions, the fuzzy rule
base is given as follows:
1. If PDR is LOW and Retransmissions is LOW, then JI is No ATTACK.
2. If PDR is LOW and Retransmissions is MEDIUM, then JI is LOW.
3. If PDR is LOW and Retransmissions is HIGH, then JI is MEDIUM.
4. If PDR is MEDIUM and Retransmissions is LOW, then JI is LOW.
5. If PDR is MEDIUM and Retransmissions is MEDIUM, then JI is MEDIUM.
6. If PDR is MEDIUM and Retransmissions is HIGH, then JI is HIGH.
7. If PDR is HIGH and Retransmissions is LOW, then JI is NO ATTACK.
105
8. If PDR is HIGH and Retransmissions is MEDIUM, then JI is LOW.
9. If PDR is HIGH and Retransmissions is HIGH, then JI is MEDIUM.
In the approach in which the inputs are ETX and PDR, the fuzzy rule base is
expressed as follows:
1. If ETX is LOW and PDR is LOW, then JI is LOW.
2. If ETX is LOW and PDR is MEDIUM, then JI is MEDIUM.
3. If ETX is LOW and PDR is HIGH, then JI is LOW.
4. If ETX is MEDIUM and PDR is LOW, then JI is LOW.
5. If ETX is MEDIUM and PDR is MEDIUM, then JI is NO ATTACK.
6. If ETX is MEDIUM and PDR is HIGH, then JI is NO ATTACK.
7. If ETX is HIGH and PDR is LOW, then JI is HIGH.
8. If ETX is HIGH and PDR is MEDIUM, then JI is MEDIUM.
9. If ETX is HIGH and PDR is HIGH, then JI is LOW.
In the approach in which the inputs are ETX and PDPT, the fuzzy rule base is
expressed as follows:
1. If ETX is LOW and PDPT is LOW, then JI is LOW.
2. If ETX is LOW and PDPT is MEDIUM, then JI is MEDIUM.
3. If ETX is LOW and PDPT is HIGH, then JI is HIGH.
4. If ETX is MEDIUM and PDPT is LOW, then JI is NO ATTACK.
5. If ETX is MEDIUM and PDPT is MEDIUM, then JI is LOW.
6. If ETX is MEDIUM and PDPT is HIGH, then JI is MEDIUM.
7. If ETX is HIGH and PDPT is LOW, then JI is NO ATTACK.
8. If ETX is HIGH and PDPT is MEDIUM, then JI is LOW.
9. If ETX is HIGH and PDPT is HIGH, then JI is MEDIUM.
106
Table 4.2: Confusion matrix for Jamming attack detection
Detection
Attack No Attack
Actual Attack TP FN
No Attack FP TN
4.1.5 Performance Evaluation Metrics
In this thesis, we utilized the Confusion Matrix presented in Table 4.2 to describe
the performance.
where TP =True Positive, FP =False Positive, TN =True Negative, FN =False
Negative [257].
The confusion matrix represents true and false classification results [258]. It helps
us calculate various indicators such as Accuracy, Precision, Specificity, FPR, Recall, and
FNR.
ATrue Positive state occurs when the IDS correctly identifies an activity as an
attack and the event is indeed an attack. This is known as successful identification of
an attack [257].
The True Negative state is similar. This state is when the IDS identifies an activity as
acceptable behavior and the activity is acceptable. A true negative successfully ignores
acceptable behavior. Neither of these states is harmful because the IDS performs as
expected [257].
The state of a False positive occurs when the IDS identifies an activity as an attack,
but it is acceptable behavior. This is known as a false alarm [257].
The most severe and dangerous state is a False Negative, where an activity is
identified as acceptable during an attack [257].
Accuracy defined as the percentage of correctly classified records over the total
107
number of records [259]. The equation for Accuracy is shown below.
Accuracy =TP +TN
(TP +TN +FP +FN)(4.2)
In addition, Precision is the ratio of correctly predicted positive observations to the
total number of predicted positive observations. Equation 4.3 shows the calculation of
the precision.
Precision =TP
(TP +FP)(4.3)
Furthermore, Specificity is the proportion of true negative points to negative ele-
ments, calculated using the following equation:
Speci f icity =TN
(TN +FP)(4.4)
The false positive rate (FPR) represents the ROC curve ”X-axis,” as calculated using
equation [260]:
FPR =1−Speci f icity =FP
(TN +FP)(4.5)
In addition, Recall or true positive rate is the ratio of correctly predicted positive
observations to all observations in the actual class. The true positive rate represents
the ROC curve’s ”Y-axis”
The equation for the recall is as follows:
Recall =TP
(TP +FN)(4.6)
The false-negative rate (FNR) was calculated using the following equation [260]:
108
FNR =1−Recall =FN
(TP +FN)(4.7)
F-score scores the balance between precision and recall. The F-score is a measure
of the test accuracy. The F-score can be considered as the harmonic mean of recall and
precision and is given by [260]:
F−score =2∗Precision ∗Recall
(Precision +Recall)(4.8)
A good F-score means that you have low false positives and false negatives, so you
are correctly identifying real threats and not disturbed by false alarms. An F-score is
considered perfect when it is one, whereas the model is a total failure when it is zero.
Finally, the area under the curve (AUC)–receiver operating characteristics (ROC)
(AUC–ROC) plot is another indicator used to evaluate the performance of the classifi-
cation models. The ROC of a classifier shows its performance as a trade-offbetween
the False Positive Rate and a True Positive Rate.
Researchers have evaluated the proposed intrusion detection methods using the-
oretical approaches, simulation tools, or real experiments in testbeds. To assess these
methods, they use specific criteria such as the detection rate, detection accuracy, num-
ber of false alarms, memory cost, and computational cost. The detection accuracy is
equal to the detection rate minus the false-positive rate (DR-FPR) [94], which repre-
sents the number of correctly classified attacks among all detected attacks [187]. The
detection rate is the ratio of detected anomalies to the total number of anomalies in
the set [104]. In simple terms, this tells us whether attacks can be correctly identi-
fied [107, 187]. The false positive rate is the number of normal instances incorrectly
identified as anomalous [104]. This rate can be calculated as FP/FP +TN, where FP
109
is the number of False Positives, and TN is the number of True Negatives. Finally,
Memory Cost refers to the usage of ROM and RAM [53] whereas Computational Cost
refers to the CPU usage [187].
4.1.6 Methodology
As part of our research, we conducted experiments in different scenarios using Con-
tiki OS and Cooja simulator tools. To test our approach, we implemented a Deceptive
Jamming attack using the JamLab suite [247], a Contiki-based library that enables re-
peated experiments using radio interference. Our jammer continuously emits signals,
including legitimate packets that disrupt the network’s communication.
Based on the performance measures of TP, TN, FP, and FN, we calculated the
accuracy rate, precision rate, Specificity, Recall rate, and F-score, as shown in Table
4.3. To find the optimum combination of input metrics, we evaluated each solution
based on its accuracy rate, precision rate, specificity rate, recall rate, and F-Score.
Based on the results, three combinations: 1) ETX and Retransmissions, 2) PDPT and
Retransmissions, and 3) PDR and Retransmissions are the optimum inputs for the
fuzzy controller.
Table 4.3: Results of the Different Approaches
Approach Accuracy(%) Precision (%) Recall (%) Specificity (%) F-score (%)
Middle Top middle Topleft edge Middle Topmiddle Top left edge Middle Topmiddle Top left edge Middle Top middle Top left edge Middle Top middle Top left edge
ETX and Retransmissions 95.03% 93.67% 93.88% 88.04% 79.12% 77.13% 89.40% 90.00% 94.43% 96.60% 94.52% 93.76% 88.72% 84.21% 84.91%
PDPT and Retransmissions 95.10% 93.65% 92.68% 88.08% 78.81% 73.15% 89.76% 90.42% 94.57% 96.60% 94.39% 92.26% 88.92% 84.22% 82.49%
PDR and Retransmissions 93.80% 91.69% 91.61% 79.00% 71.17% 69.09% 97.62% 93.61% 97.71% 92.73% 91.25% 90.25% 87.33% 80.86% 80.95%
ETX and PDR 80.36% 85.47% 84.66% 60.09% 70.77% 60.53% 30.48% 38.33% 45.57% 94.33% 96.35% 93.38% 40.44% 49.73% 52.00%
ETX and PDPT 76.28% 86.51% 84.14% 45.63% 67.78% 55.64% 44.17% 53.47% 64.14% 85.27% 94.13% 88.60% 44.89% 59.78% 59.59%
Figure 4.16 illustrates the Detection Accuracy for various scenarios for each com-
bination of the input metrics. The combination of ETX and Retransmission and PDPT
and Retransmission, showed the best accuracy of 95%. Additionally, we generated an
ROC curve for the proposed approach.
The graph in Figure 4.17 shows the ROC curve for the scenario where the sink is
110
Figure 4.16: Comparison Chart of different approaches
placed in the middle of the grid. This graph shows that the combination of ETX and
Retransmissions, PDPT and Retransmissions, and PDR and Retransmissions provided
better results than the combination of ETX, PDR, ETX, and PDPT. This is because
the true-positive rate is higher and the false-positive rate is lower for the former
combinations. Additionally, the area under the curve for the combination of ETX
and Retransmissions, PDPT and Retransmissions, and PDR and Retransmissions is
larger than the area under the curve for the combinations of ETX and PDR and ETX
and PDPT. In summary, based on the ROC curve analysis, it can be inferred that the
retransmission metric was the most effective.
The ROC Curve is shown in Figure 4.18 and depicts the placement of the sink
in the top middle of the grid. As shown in the Figure, the combination of ETX
and Retransmissions, PDPT and Retransmissions, and PDR and Retransmissions was
found to be the best for the same reasons as in the previous topology.
111
Figure 4.17: ROC Curve when Sink is in the Middle of the grid
Figure 4.18: ROC Curve when Sink is on Top Middle of the grid
Figure 4.19 shows the ROC Curve when the Sink was placed on the Top Edge of the
grid. Additionally, in Figure 4.19, the combination of ETX & Retransmissions, PDPT
& Retransmissions, and PDR & Retransmissions is still the best.
Table 4.4 summarizes the optimal operating points for each approach. The best ap-
proaches are a combination of ETX and retransmissions, which perform local detection,
112
Figure 4.19: ROC Curve when Sink is on Top Edge of the grid
and PDR and retransmissions, which perform central detection.
Table 4.4: Summary of the Best Operating Points for Various Approaches
Approach Detection Rate (%) False Alarm Rate (%)
Middle Top middle Top-left edge Middle Top middle Top-left edge
ETX and
Retransmissions 93 92.8 93.4 5 8 5.6
PDPT and
Retransmissions 93 92.95 90.9 5 7 7.9
PDR and
Retransmissions 95 92.89 94.9 4 7.8 4.5
ETX and
PDR 74 81.8 74.3 2.8 21 25.6
ETX and
PDPT 66 79.6 75 3 17 26
4.2 Proposed Solution Fuzzy Logic Intrusion Detection
System (FLIDS)
FLIDS is a lightweight and intelligent approach to intrusion detection that enables
real-time detection at a node. FLIDS utilizes two metrics, ETX, and retransmissions,
as inputs for the fuzzy controller to execute the Jamming Indicator. We perform local
113
detection using ETX and Retransmissions, two key metrics chosen based on findings
in [16] and section 4.1.2.
Figure 4.20: Random Simulation Set-up and Configuration
4.2.0.1 Membership Functions
We established a distinct fuzzy set for each of the two input universes, which
included the ETX and retransmissions. These fuzzy sets are categorized as LOW,
MEDIUM, and HIGH. Furthermore, we defined four fuzzy sets for the output universe,
JI, encompassing NO attack, LOW, MEDIUM, and HIGH. The membership functions
are defined as follows:
µset(uod)=
uod −α
b−α, α ≤uod ≤b
1,b<uod <c
d−uod
d−c,c≤uod ≤d
0,otherwise
(4.9)
114
Table 4.5: Values of variables used in the definition of membership functions
Universe of discourse (uod) Set a b c d
ETX
LOW −0.05 0.00 0.25 0.30
MEDIUM 0.25 0.30 0.60 0.65
HIGH 0.60 0.65 1.00 1.05
Retransmissions
LOW −0.05 0.00 0.30 0.35
MEDIUM 0.30 0.35 0.50 0.55
HIGH 0.50 0.55 1.00 1.05
Jamming Indicator (JI)
NO ATTACK −0.05 0.00 0.25 0.30
LOW 0.25 0.30 0.50 0.55
MEDIUM 0.50 0.55 0.75 0.80
HIGH 0.75 0.80 1.00 1.05
The values for the individual variables are detailed in Table 4.5. These variable
values, as depicted in Table 4.5, were established by refining them using a feedback
factor generated by comparing the original method output (JI) with the expected out-
come (JI value). A fuzzy logic system was developed using observed data, as outlined
by Meenalochani in 2019 [227]. We examined the minimum, maximum, average, and
standard deviation values to determine the range of the variables. In addition, we
analyzed the value distribution to construct the membership functions. Graphical rep-
resentations of trapezoidal functions for ETX Retransmissions are presented in Figures
4.21, 4.22, and 4.23. Figure 4.24 illustrates the input-output surface corresponding to
the membership values of the inputs. Prior to inputting the values into the fuzzy logic
controller, normalization was performed to scale the values within the range of 0 to
1. This is performed to ensure that the membership functions of our solution remain
highly adaptable, eliminating the need to modify them for every network or attack
variation.
115
Figure 4.21: The trapezoidal Membership function plots for the input ETX
Figure 4.22: The trapezoidal Membership function plots for the Retransmissions
Figure 4.23: The trapezoidal Membership function plots for the output, Jamming
Indicator (JI)
116
4.2.1 Detection Algorithm
The algorithm presented in 7 outlines the procedure for detecting jamming attacks
using FLIDS.
Algorithm 7: Algorithm for detection of jammed node using fuzzy inference
system
Input:
•ETX and Retransmissions
Output:
•Jamming Indicator (JI)
BEGIN
•Get the values of ETX and Retransmissions
•Fuzzify the crisp input parameters: ETX and Retransmissions
•Apply the fuzzy rule base and get the fuzzy output
•Defuzzify the fuzzy output to get the crisp output
•The defuzzified crisp output gives the percentage of jamming of a node
END
Figure 4.24: Input-output surface corresponding to the membership values of inputs
(ETX, Retransmissions) and output (JI)
In our approach, the input metrics for FLIDS are a combination of ETX and retrans-
missions. The inputs had three categories (Low, Medium, and High). Consequently,
117
we built nine fuzzy rules as follows:
1. If ETX is LOW and Retransmissions is LOW, then JI is No ATTACK.
2. If ETX is LOW and Retransmissions is MEDIUM, then JI is LOW.
3. If ETX is LOW and Retransmissions is HIGH, then JI is MEDIUM.
4. If ETX is MEDIUM and Retransmissions is LOW, then JI is No ATTACK.
5. If ETX is MEDIUM and Retransmissions is MEDIUM, then JI is LOW.
6. If ETX is MEDIUM and Retransmissions is HIGH, then JI is MEDIUM.
7. If ETX is HIGH and Retransmissions is LOW, then JI is LOW.
8. If ETX is HIGH and Retransmissions is MEDIUM, then JI is MEDIUM.
9. If ETX is HIGH and Retransmissions is HIGH, then JI is HIGH.
4.3 Simulation Set-up and Configuration
This section provides a detailed overview of our investigation and outlines the
system description used. Our study involved performing experiments using a jammer
device placed at various positions within a 25-node grid. We conducted experiments
in two different scenarios: one involved predicted node placement based on a grid (as
shown in Figure 4.31), whereas the other involved random node placement (as shown
in Figure 4.32).
Our implementation was evaluated using the Contiki 3.1 OS and the Cooja simu-
lator. After collecting data from the Cooja Simulator, we analyzed the simulation data
using Python and MATLAB.
Our experiment involved placing 25 TelosB nodes on a grid measuring 160 ×160
m, with one node acting as a sink. We have devised three scenarios based on the sink’s
placement: 1) when the sink is in the center of the grid, as illustrated in Figure 4.25, 2)
when the sink is situated at the top left corner of the grid, as depicted in Figure 4.26,
and 3) when the sink is located at the top middle portion of the grid, as demonstrated
118
in Figure 4.27. The coordinates of the nodes in the predicted scenarios are listed in
Tables A.1, A.6, andA.4.
Figure 4.25: Sink is in the middle of the grid
However, for random placement scenarios, we distributed 25 nodes on a larger
grid measuring 200 m ×180 m, with one node acting as a central sink. In random
scenarios, three distinct setups were created based on the placement of the sink within
the grid. These setups include 1) a sink located at the center of the grid, as depicted in
Figure 4.28, 2) a sink placed at the top-left corner of the grid, as shown in Figure 4.29,
and 3) a sink situated at the top-middle of the grid, as illustrated in Figure 4.30. The
coordinates of the node in the random scenarios are listed in Tables A.2, A.7, andA.5.
The TelosB nodes were placed at 40 m intervals, with a transmission range of 50 m
and an interference range of 70 m. To maintain a steady data flow, each node transmits
a single 48-byte data packet every 10 s.
TelosB sensor nodes (IEEE 802.15.4/ZigBee) with omnidirectional antennas were
119
Figure 4.26: Sink is on the top edge of the grid
Figure 4.27: Sink is in the top middle of the grid
120
Figure 4.28: Random nodes placement, Sink is in the middle of the grid
Figure 4.29: Random nodes placement, Sink is on the top left edge of the grid
used. Each scenario was tested with 16 different jammer positions; in a healthy (benign)
scenario, the jammer coordinates are provided in Table A.3. Previous studies, such
121
Figure 4.32: Random Simulation Set-up and Configuration
Our study employed RPL for routing. At the Medium Access Control (MAC)
layer, we utilized CSMA, while for the Radio Duty Cycle (RDC), we implemented
ContikiMAC with a Channel Check Rate of 8 Hz.
On the other hand, the jamming node employed the null MAC and nulled protocols
with a Channel Check Rate of 128 Hz. The detailed experimental parameters of the
jamming node are listed in Table 4.7.
The configuration and layout of the simulation are shown in Figure 4.31, where the
sink was situated in the middle of the grid.
The transmission range of each node is represented by a green circle, indicating that
communication between nodes is possible within the confines of the green circle. For
example, node 1, which is identified as a sink, can communicate with nodes 9, 13, 14,
and 18. In addition, the gray circle surrounding the green area indicates the range of
interference. For instance, nodes 8, 17, 10, and 19 within the gray circle cannot receive
123
Table 4.6: Experimental Parameters of Nodes
Parameter Values
No. of nodes 25
Area Size 160 * 160 meters in Predefined topology; 200 * 180 meters in
Random topology
Sensor nodes TelosB nodes IEEE 802.15.4/ZigBee
Sink Position Middle (center), Top Middle, Top left edge
Scenario duration 15 minutes
Transmission rate 1 packet of 48 bytes per 10 seconds
Propagation Model Unit Disk Graph
Antenna Type Omnidirectional
Transmission range 50 m
Interference range 70 m
Routing Protocol RPL
MAC layer CSMA
RDC layer ContikiMAC
Channel Check Rate 8 Hz
Table 4.7: Experimental Parameters of Jammer
Parameter Values
No. of nodes 1 or 2
Sensor nodes TelosB nodes IEEE 802.15.4/ZigBee
Type of Jammer Constant Jammer, Deceptive Jammer, Random Jammer,
Reactive Jammers, Complex Jammer
Antenna Type Omnidirectional
Transmission range 50 m
Interference range 70 m
MAC layer nullmac
RDC layer nullrdc
Channel Check Rate 128 Hz
packets when node 1 transmits data and is incapable of transmitting data from other
nodes, whereas node 1 is engaged in simultaneous communication [262].
Our observations showed that optimal network configuration occurred when the
sink was centrally positioned. This scenario was the most favorable among the three
124
studies. In this setup, four nodes establish a direct connection with the sink and the
maximum number of hops required to reach the sink is four. The network topology
with the sink in the top middle of the grid presents a moderately favorable scenario,
with three nodes having direct access to the sink, and the maximum number of hops
being six. Unfortunately, the least favorable situation is depicted in the network
topology with the sink at the top edge, where only two nodes can directly connect to
the sink and the maximum number of hops extends to eight. Each of the 16 scenarios
was tested by using a strategically placed jammer.
Figure 4.33 shows a jammer located at (-20, -20) while the sink is positioned at the
center of the grid. From the illustration, it is evident that the attacker interfered with the
communication for nodes 8, 9, and 13, in addition to targeting the sink. Furthermore,
the malicious node disrupted the communication with nodes 3, 4, 7, 10, 12, 14, 17, and
18.
Figure 4.33: Sink in the Middle of the Grid, Jammer Position 6
125
4.4 Summary
Following related work, our proposed solution uses fuzzy-logic algorithms to detect
jamming attacks. Our approach uses the values of ETX and Retransmissions as inputs
to a fuzzy inference system to generate a Jamming Indicator (JI) as the system output.
126
Chapter 5
Jamming Localization Algorithm
This chapter delves deeper into our security framework and explores its second
component, jammer localization. Our focus is on the crucial role of jamming lo-
calization algorithms in ensuring wireless communication security. We mapped the
various algorithms available for this purpose through a thorough literature review.
Our contribution to this field is a novel localization algorithm that utilizes the princi-
ples of multilateration, named Modified Multilateration Localization Algorithm with
Weights (MMLAW). By leveraging the data link and network layer metrics such as
retransmissions and ETX, our algorithm accurately estimates the distance, enabling us
to pinpoint and map the jamming region. We present a comprehensive evaluation of
the performance of our algorithm and compare it with four existing algorithms. We
evaluated our proposed algorithm using the Euclidean distance error and provided a
theoretical complexity analysis of the five algorithms. We aim to optimize the security
framework to maximize its efficiency and effectiveness.
127
5.1 Modified Multilateration Localization Algorithm with
Weights (MMLAW)
This section presents the MMLAW Algorithm that leverages multilateration and
estimates the distance using two data link and network layer metrics: Retransmissions
or ETX. Our methodology achieves higher accuracy and faster localization than other
approaches. Furthermore, we successfully identified the positions of four distinct
jammers by incorporating packet retransmissions and ETX as weights in the algorithm.
In contrast to the methods analyzed in the related work 2.2.2, we assessed our
methodology in a simulation environment that closely mimics real-world situations.
We used the Contiki operating system in conjunction with the Cooja Simulation tool.
On the other hand, other approaches were tested using the Matlab software in a
predefined experimental configuration. Our methodology focuses on leveraging mea-
surements derived from the network layer to aid the localization process. The study
examined six distinct network topologies, three of which were based on grid struc-
tures, whereas the remaining three were randomized, considering the influence of
sink placement. In addition, we varied the position of the jammer to understand its
impact. Importantly, our approach enables instantaneous identification and precise
localization of geographical positions.
5.1.1 Localization Module
The second step of the framework is to locate the jammer accurately after the
detection module alarm. To evaluate the effectiveness of our approach, we measured
two metrics: the Euclidean distance for error calculation and the execution time of the
algorithm for performance evaluation.
128
Figure 5.1: Centroid Localization Algorithm
The proposed method employs geometric calculations through multilateration,
which relies on the x- and y-coordinates of the jammed nodes, and the distances
between the jammer and these nodes. This study introduced an innovative distance
calculation method that leverages the most suitable metric identified in our previous
study [16, 17], where retransmissions are the best metric.
During our preliminary analysis, we concentrated on the centroid algorithm and
found that, although it is simple and efficient, it may not be appropriate for all config-
urations. For example, when the jammer targets three nodes, as depicted in figure 5.1,
the centroid exhibits a high error rate.
By incorporating a detection metric into the weight of the examination algorithm,
localization accuracy can be significantly improved. Whereas traditional algorithms
rely on signal strength, such as RSSI, as their weight determinant, this approach is
129
susceptible to multipath propagation, shadowing, and interference. Detection metrics
offer a more comprehensive data source that can enhance localization and provide
valuable information regarding a network’s current conditions and environment. In-
tegrating these metrics renders the proposed algorithm more adaptable to real-time
network scenarios. We selected retransmissions and ETX as the weights for our al-
gorithm, because they provide a reliable indication of the quality of the connection
between devices. These metrics offer essential insights into the network’s ability to
transmit data, and can help optimize the localization process. In the following para-
graph, we explain why we selected retransmissions and ETX as the weights for our
proposed algorithm:
1. Simplicity: Retransmissions and ETX are easily measured and directly signify
link quality.
2. Network Quality Indicator: Retransmissions and ETX reflect network link qual-
ity, pointing to interference, congestion, or weak signals.
3. Metric Reliability: Retransmissions and ETX have proven the most reliable after
testing metrics like PDPT using brute force investigation.
4. PDPT Limitations: Being probabilistic, PDPT can fluctuate, whereas retransmis-
sions and ETX offer more stability.
5. Software-based approach: Our solution is based entirely on a software approach,
not hardware. The collection of retransmissions and ETX metrics did not require
additional hardware to collect, unlike other metrics such as RSSI and SNR.
Multilateration is a widely used approach to determine the location of a target.
130
This method requires a minimum of three anchor nodes to perform the 2-D space
localization. The equations representing multilateration are as follows [263,264]:
(x−x1)2+(y−y1)2=d2
1
(x−x2)2+(y−y2)2=d2
2
.
.
..
.
..
.
.
(x−xN)2+(y−yN)2=d2
N
(5.1)
As shown in Figure 5.2, where (x,y) are the coordinates of the unknown nodes in
this case, the coordinates of the jammer, (x1,y1),(x2,y2)...(xN,yN) are the coordinates of
anchor N, and d is the distance between the anchor nodes. Then, this nonlinear system
of equations must be solved using suitable methods to obtain unknowns xand y.
The system of equations 5.1 can be converted into matrix form by subtracting the
first equation from the others.
Qx =b(5.2)
where Qdenotes a matrix of dimension 2×2, xdenotes the coordinate vector, bdenotes
a vector of dimension 2.
Q=
2(r1−r2) 2(y1−y2)
2(r1−r3) 2(y1−y3)
(5.3)
x=
x
y
(5.4)
131
b=
b1
b2
=
x2
1−x2
2+y2
1−y2
2+d2
2−d2
1
x2
1−x2
3+y2
1−y2
3+d2
3−d2
1
(5.5)
We can ensure that the matrix Qis invertible by selecting an appropriate anchor
position. Consequently, the computed position is
x=Q−1b(5.6)
This method can be expressed in alternative form as follows:
x
y
=M
x2
1−x2
2+y2
1−y2
2+d2
2−d2
1
x2
1−x2
3+y2
1−y2
3+d2
3−d2
1
(5.7)
where Mis a matrix of dimension 2 ×2 with the elements defined as follows:
M1,1=1
2(y2−y3)/C(5.8)
M1,2=1
2(x3−x2)/C(5.9)
M2,1=1
2(y3−y1)/C(5.10)
M2,2=1
2(x1−x3)/C(5.11)
C=y1x2−y2x1−y1x3+y3x1+y2x3−y3x2(5.12)
132
Figure 5.2: Modified Multilateration Localization Algorithm with Weights
133
The Distance calculation in case of retransmissions is based on the following quo-
tation:
d=w∗1
r2
w=weight to adjust the value, r=the normalized value of retransmissions The
retransmission is inversely proportional to distance. A higher retransmission value
indicates that the node is located near the jammer. Parameter ’w’ serves as a weight
for value adjustment. To optimize this value, simulations were conducted from 0 to
20. Our analysis showed that 10 was the optimal weight to achieve the best results.
The Distance calculation in the case of ETX is based on the following quotation:
d=w∗r
w=weight to adjust the value, r=the normalized value of ETX, ETX is proportional
to the distance value. A lower ETX value indicates that the node is located near the
jammer. The parameter ’w’ serves as a weight for value adjustment. Simulations were
conducted from 0 to 30 to optimize this value. Our analysis revealed that the optimal
weight for achieving the best results was 10.
Our approach utilizes the above information related to Multilateration, and we have
concluded the implementation of the Algorithm 8 that utilizes the Retransmissions or
ETX as distance.
5.2 Performance Evaluation
In this section, we provide a comprehensive analysis of the performance of our pro-
posed technique relative to existing algorithms, utilizing two key metrics: Euclidean
Distance Error in meters (m), and Execution Time in seconds. First, we calculated the
Euclidean Distance Error between the actual jammer position and the predictive esti-
134
Algorithm 8: Proposed Localization Algorithm - MMLAW
Require: Jammer affected nodes
Ensure: Estimated position (x result, y result) and error
1: position change ←0
2: N←length(Jammer affected nodes)
3: if N>2then
4: Initialize arrays: x[1 ...N], y[1 ...N], d[1 ...N]
5: for i=1 to Ndo
6: x[i]←Jammer affected nodes[i][1]
7: y[i]←Jammer affected nodes[i][2]
8: d[i]←result d
9: end for
10: Initialize matrices: A[1 ...N−1,1...2], B[1 . . . N−1]
11: for i=1 to N−1do
12: A[i,1] ←2×(x[i+1] −x[1])
13: A[i,2] ←2×(y[i+1] −y[1])
14: B[i]←d[1]2−d[i+1]2−x[1]2−y[1]2+x[i+1]2+y[i+1]2
15: end for
16: result ←linear system solver of Aand B
17: end if
mates. Our findings reveal that our proposed techniques exhibit significantly lower
distance errors when compared to Centroid, Single Circle (SC), Double Circle (DC),
and Virtual Force Iterative Localization (VFIL).
The evaluated approaches encompass MMLAW-Retransmissions, MMLAW-ETX,
Centroid, SC, DC, and VFIL. These methods were tested using Deceptive, Constant,
Random, and Reactive jammers in the Predicted and Random node placement topolo-
gies. The key findings indicate that, for the predicted topologies, the MMLAW-ETX
approach achieves a lower Euclidean distance error, and for the Random Placement
Topology, the MMLAW retransmission algorithm is consistently superior, irrespective
of the type of jammer.
The error in the position estimation is calculated using Equation 5.13.
Error =»(XActual −XPredicted)2+(YActual −YPredicted)2(5.13)
135
5.2.1 Predicted topologies
According to the predicted topologies, the nodes were arranged in a grid pattern
with a set distance of 40 m, horizontally and vertically. The attack surface susceptible to
jammer interference is limited to four nodes situated at the center of the four nodes. Our
study revealed that the multilateration algorithm that utilizes distance measurements
with retransmissions or ETX demonstrated the lowest Euclidean distance error. In
contrast, the VFIL localization algorithm yielded the poorest results. Although the
centroid algorithm produced satisfactory results, it is clear that relying on distance
estimation is a better approach. In conclusion, the centroid algorithm consistently
exhibited the shortest execution times across all jammers, whereas VFIL frequently
required the longest execution times.
5.2.1.1 Sink in the middle of the Grid
We present the results obtained when the sink is located in the middle of the
grid. Table A.8 comprehensively analyzes the Euclidean distance errors associated
with various localization algorithms. The table evaluates the performance of these
algorithms under different jamming strategies, including Deceptive Jammer, Constant
Jammer, Random Jammer, and Reactive Jammer. A graphical representation of the
Euclidean Distance Error is shown in Figure 5.3.
Each row of Table A.8 corresponds to a specific jamming strategy and outlines the
Euclidean distance errors across the different evaluation algorithms. The values are
presented in m and offer valuable insights into the impact of each jamming technique on
algorithm localization accuracy. Our MMLAW approach, with either retransmissions
or the ETX metric, performed with a lower error than the other four localization
algorithms. In conclusion, deceptive and reactive jammers have less error than constant
136
and random jammers do. The MMLAW—ETX algorithm identifies deceptive jammers
at a distance error of 1.41 m, whereas reactive jammers are identified at 0.81 m.
Figure 5.3: Euclidean Distance Error (in m) Predicted topology Sink in the Middle of
the Grid
Table A.9 presents the execution times in milliseconds (ms) linked to the different
localization algorithms implemented in a network topology. The network topology
has a centrally located sink node and the table displays a graphical representation of
the results in Figure 5.4.
Evidently, the centroid algorithm is lightweight, as is the proposed MMLAW with
retransmissions or ETX metrics.
5.2.1.2 Sink in the Top middle of the Grid
We obtained the results when the sink was placed in the top middle of the grid.
Table A.10 displays the Euclidean Distance Error, measured in meters, for a range of
localization techniques in a network topology with predetermined coordinates. The
corresponding Figure is presented in 5.5.
137
Figure 5.4: Execution Time (in ms) Predicted topology Sink in the Middle of the Grid
The results indicate that using the MMLAW algorithm with retransmissions or ETX
metrics can improve the accuracy of jammer location. The MMLAW-ETX algorithm
can locate deceptive jammers up to a distance error of 4.83 m, whereas reactive jammers
can be identified up to 1.18 m.
The following information compares the execution time, measured in ms, for dif-
ferent localization strategies applied to a predefined network topology, with the sink
placed in the top middle of the grid. A detailed comparison is presented in Table A.11.
Additionally, you can see a graphical representation of the results in Figure 5.6.
Figure 5.6 shows that the VFIL algorithm requires the longest execution time com-
pared with the other localization algorithms. The Centroid algorithm had the best
execution time; however, both approaches yielded excellent results.
5.2.1.3 Sink in the Top left Edge of the Grid
We present the results for the sink in the top-left corner of the grid. Table A.12
outlines the Euclidean Distance Error, measured in m, for the six different localization
138
Figure 5.5: Euclidean Distance Error (in m) Predicted topology Sink in the Top Middle
of the Grid
algorithms within a predicted network topology. The algorithms analyzed included
MMLAW-Retransmissions, MMLAW-ETX, Centroid, SC, DC, and VFIL. For visual
representation, refer to Figure 5.7.
The results depicted in Figure 5.7 demonstrate that the proposed MMLAW algo-
rithm utilizes both retransmission and ETX metrics and produces the most accurate
results with a constant jammer, yielding an error rate of 6.51 m. Similarly, the algorithm
performed well with a random jammer, achieving an error rate of 6.36 m when the
ETX metric was used to estimate the distance.
Table A.13 presents a thorough analysis of the execution time, measured in ms,
for various localization strategies implemented in a predicted network topology with
the sink situated in the top-left corner of the grid. The table assesses six critical
localization algorithms: MMLAW-Retransmission, MMLAW-ETX, Centroid, SC, DC,
and VFIL. These data provide valuable insights into the computational efficiency and
operational impact of each jamming strategy on network performance. For a visual
139
Figure 5.6: Execution Time (in ms) Predicted topology Sink in the Top Middle of the
Grid
Figure 5.7: Euclidean Distance Error (in m) Predicted topology Sink in the Top left
edge of the Grid
representation of this information, refer to Figure. 5.8.
Figure 5.8 shows the centroid algorithm’s simplicity and that MMLAW is also a
140
lightweight approach. However, the VFIL algorithm requires high execution time.
Figure 5.8: Execution Time (in ms) Predicted topology Sink in the Top left edge of the
Grid
5.2.2 Random topologies
The nodes in random topologies are haphazardly placed within the grid, resulting
in varying attack surfaces for jammer attacks. Certain topologies may have more
than four jam nodes, whereas others may have fewer. Ultimately, this randomized
distribution caused a notable increase in Euclidean Distance Error measurements.
5.2.2.1 Sink in the middle of the Grid
Figure 5.9 visually represents the Euclidean Distance Error measurements in m for
the various localization techniques. These measurements were performed within a
random topology, with a sink located at the center of the grid. The six different lo-
calization algorithms used were MMLAW-Retransmissions, MMLAW-ETX, Centroid,
SC, DC, and VFIL. Table A.14 lists the Euclidean Distance errors reported by each
algorithm.
141
Figure 5.9 shows that the MMLAW localization approach can accurately predict a
smaller distance error in the random topology when the sink is in the middle of the
grid. The deceptive jammer has an error of 18.32 m, whereas the reactive jammer has
an error of 17.76 m in multilateration, using retransmissions to estimate the distance
error.
Figure 5.9: Euclidean Distance Error (in m) Random topology Sink in the Middle of
the Grid
Table A.15 provides a comprehensive overview of the execution time, measured in
milliseconds, for different localization strategies in a random network topology with
the sink node placed centrally. This table displays the execution times for six essential
localization algorithms: MMLAW-Retransmissions, MMLAW-ETX, Centroid, SC, DC,
and VFIL. Figure 5.10 illustrates the execution time for each localization algorithm
when exposed to various jammer attacks. The figure shows that all the algorithms
have a very low execution time. However, the most lightweight of these methods is
the centroid algorithm.
142
Figure 5.10: Execution Time (in ms) Random topology Sink in the Middle of the Grid
5.2.2.2 Sink in the Top middle of the Grid
The information provided can be found in Table A.16, which shows the Euclidean
Distance Error for different localization strategies within a random network topology.
The sink node is located in the top middle of the grid. Refer to Figure 5.11 for a
visual representation of the results. Our analysis revealed that the MMLAW technique
utilizing retransmissions or ETX metrics performed the best, but the centroid algorithm
also produced satisfactory results, with the Constant jammer displaying the lowest
error among all algorithms.
Table A.17 provides a comprehensive analysis of the execution time, measured in
ms, for various localization techniques in a randomly configured network topology,
with the sink placed at the top center of the grid. Additionally, Figure 5.12 shows the
execution time for each technique. As illustrated in Figure 5.12, the centroid algorithm
exhibited the lowest execution time. Nevertheless, the proposed approach delivers an
acceptable swift execution time.
143
Figure 5.11: Euclidean Distance Error (in m) Random topology Sink in the Top Middle
of the Grid
Figure 5.12: Execution Time (in ms) Random topology Sink in the Top Middle of the
Grid
144
Figure 5.13: Euclidean Distance Error (in m) Random topology Sink in the Top left
edge of the Grid
5.2.2.3 Sink in the Top left Edge of the Grid
The data presented in Table A.19 provide a detailed breakdown of the Euclidean
Distance Error, measured in m, for various localization algorithms utilized in a random
network topology with the sink located at the top left edge of the grid. The analysis
encompasses six distinct localization methods, including MMLAW-Retransmission,
MMLAW-ETX, Centroid, SC, DC, and VFIL, shedding light on the impact of jamming
on the network performance. Figure 5.13 visually represents these results. Upon exam-
ining the figure, we note that our two MMLAW algorithms utilizing retransmissions
or ETX metrics exhibit the lowest error compared to VFIL, which has the highest error
rate.
Table A.18 presents a comprehensive analysis of the execution times for various
jamming strategies in a random network topology with the sink node positioned at the
top-left edge of the grid. The table evaluates the performance of several localization
145
algorithms, such as MMLAW-Retransmissions, MMLAW-ETX, Centroid, SC, DC, and
VFIL, offering valuable insights into the impact of different jamming techniques on the
network performance and computational efficiency. In addition, Figure 5.14 provides a
visual representation of the execution time for each localization algorithm with different
types of jamming attacks. The figure reveals that in this case, the centroid algorithm has
the best execution time owing to its simplicity. Furthermore, our MMLAW algorithms
exhibited lower execution times than the other three algorithms: SC, DC, and VFIL.
Figure 5.14: Execution Time (in ms) Random topology Sink in the Top left edge of the
Grid
In conclusion, the MMLAW algorithm could predict the position of the jammer
with a higher error rate in the predicted scenarios. However, in scenarios where the
nodes are placed randomly, the Euclidean distance error increases but remains within
acceptable values. Furthermore, the ETX metric performs better in predicted scenarios
than in random scenarios, whereas the retransmission metric detects errors in random
scenarios more effectively. It was observed that the deceptive and reactive jammers
146
showed the best performance in various scenarios, as seen from the detection module,
which had the highest accuracy rate. There are several possible reasons for this finding.
First, a deceptive jammer was used for training. Second, misleading and reactive
jammers have the most powerful attack capabilities and severely affect networks.
Therefore, the proposed algorithms were employed with ETX and Retransmission
metrics, which are immensely valuable for detecting and localizing attacks where
there is significant network disruption.
5.3 Theoretical Complexity Analysis
Big O Notation is a mathematical notation utilized to express the efficiency and
performance of an algorithm in terms of time and space complexity. This establishes
an upper limit on how fast an algorithm’s running time or memory usage increases as
the input size increases [265]. Common Big O notations include the following.
•O(1): Constant time - the algorithm’s performance remains consistent regardless
of the input size.
•O(log n): Logarithmic time - performance grows logarithmically with the input
size.
•O(n): Linear time - performance increases linearly with the input size.
•O(nlog n): Log-linear time - commonly seen in efficient sorting algorithms.
•O(n2): Quadratic time - performance grows quadratically with the input size.
•O(2n): Exponential time - performance doubles with each additional input ele-
ment.
•O(n!): Factorial time performance grows factorially with input size.
147
The Big O Notation aids in comparing the efficiency of different algorithms, partic-
ularly for large input sizes, by focusing on their worst-case scenarios.
5.3.1 Discussion of Results of the Five Algorithms
In this section, we discuss the overall time complexity and performance implications
of the five algorithms: MMLAW, Centroid, Single Circle, Double Circle, and VFIL.
5.3.1.1 Complexity of MMLAW Algorithm
The overall complexity of the process involves loading and preparing the dataset,
which has a complexity of O(N+B), and performing multilateration calculations, which
have a complexity of O(B2). These steps indicate the computational effort required to
execute an algorithm.
As B(the number of entries per batch) is constant, the operations inside the inner
loop have a complexity of O(1). Therefore, the dominant term is O(N) from loading and
preparing the dataset. Hence, the overall time complexity of the MMLAW algorithm
was O(N).
The MMLAW algorithm reads and processes the dataset for multilateration to detect
jammers. It involves reading the dataset, filtering the data, and solving a system of
linear equations. Although solving the linear equations has quadratic complexity with
respect to the number of nodes, the overall complexity is determined by the dataset
reading, resulting in a linear complexity, O(N).
The MMLAW algorithm is well-suited for precise jammer position estimation, par-
ticularly in scenarios where accuracy is crucial. Its linear complexity allows for efficient
handling of large datasets, ensuring scalability and reliability in demanding environ-
ments.
148
5.3.1.2 Complexity of Centroid Algorithm
The overall complexity of the Centroid algorithm is determined by examining its
key operations. The process commences with reading and splitting the file, which
has a complexity of O(N), followed by iterating over scenarios and batches as well as
processing entries per batch, both of which have a complexity of O(1). Additionally,
the algorithm involves summing coordinates and finding the farthest node, which has
a complexity of O(M), where Mrepresents the number of jammed nodes per batch
and is a constant value (at most 24). Because Mis independent of N, the operations
within the inner loop are considered O(1). Therefore, the dominant term influencing
the overall time complexity is O(N), which arises from the initial reading and split-
ting of a file. Consequently, the Centroid algorithm possesses an overall linear time
complexity of O(N), ensuring its efficiency for large datasets. This linear complexity
guarantees scalability, making it particularly suitable for real-time applications that
require frequent data update.
In terms of performance implications, the algorithm is well suited for efficiently
handling large datasets owing to its linear complexity. This ensures effective scaling
by increasing the data size and maintaining performance, even as the dataset grows.
Furthermore, its suitability for real-time applications is evident because it can handle
frequent data updates without significant performance degradation.
5.3.1.3 Complexity of Single Circle Algorithm
The overall complexity of the algorithm can be assessed by analyzing its key opera-
tions. The process begins by loading and preparing the dataset, which has a complexity
of O(N+B). Then, it involves calculating the minimum bounding circles with a com-
plexity of O(Blog B) and subsequently determining the jammer position for each batch
149
with a complexity of O(N+B+Blog B). As the number of entries per batch (B) is
a constant, the operations inside the inner loop are considered O(1). Therefore, the
dominant term is O(N), primarily because of the reading and splitting of the files;
consequently, the overall time complexity of the algorithm is O(N).
Similarly, the single-circle algorithm includes reading a dataset and identifying
nodes to calculate bounding circles for jammer detection. The primary operations
involved reading the dataset, processing data in batches, and calculating convex hulls
and bounding circles. Because the number of entries per batch and number of batches
are constants, the dominant operation is reading the dataset, which leads to an overall
linear complexity of O(N).
This algorithm was designed to handle large datasets efficiently. Its linear com-
plexity ensures scalability, making it particularly suitable for applications that require
quick processing.
5.3.1.4 Complexity of Double Circle Algorithm
The complexity of the double-circle algorithm can be understood by analyzing its
key operations. The process begins with loading and preparing the dataset, which has
a complexity of O(N+B). Subsequently, it involves calculating the minimum bounding
circles with a complexity of O(B), determining the maximum inscribed circles with a
complexity of O(B2, and finally establishing the jammer position for each batch, which
has a complexity of O(N+B+Blog B+B2). Because the number of entries per batch (B)
is constant, the operations within the inner loop are considered O(1). Consequently,
the dominant term in the overall complexity is O(N), which arises from the loading
and preparation of a dataset. Hence, the overall time complexity of the double-circle
algorithm was O(N).
150
The algorithm calculates the minimum and maximum inscribed circles. The pri-
mary steps involved reading the dataset, processing data in batches, calculating convex
hulls, and performing circle calculations. Given that the number of batches and entries
per batch are constants, the predominant operation is the initial dataset reading, which
results in an overall linear complexity of O(N).
The double-circle algorithm is effective for comprehensive jammer detection while
maintaining efficiency with large datasets. Its linear complexity ensures support for
real-time data processing, making it well suited for scenarios that require prompt and
accurate responses.
5.3.1.5 Complexity of VFIL Algorithm
The overall complexity of the VFIL algorithm stems from its fundamental operation.
The process begins with loading and preparing the dataset, which entails a complexity
of O(N+B). Subsequently, counting jammed nodes, summing the coordinates, esti-
mating Xand Y, finding the farthest jammed node, and performing virtual iterative
force location all have a complexity of O(B). Finally, executing VFIL for each batch also
has a complexity of O(N+B). Because the number of entries per batch (B) remains
constant, the operations within the inner loop are treated as O(1). Consequently, the
dominant term is O(N) primarily because of the initial reading and preparation of the
dataset. Hence, the overall time complexity of the VFIL algorithm was O(N).
The VFIL algorithm involves reading the dataset, processing data batches, and it-
eratively refining the estimated position of a jammer using virtual forces. The key op-
erations include dataset reading, batch processing, and iterative calculations. Dataset
reading remains the dominant operation with a fixed number of iterations, leading to
an overall linear complexity of O(N).
151
The VFIL algorithm is well suited for applications requiring iterative position re-
finement, adequately manages large datasets, and upholds scalability owing to its
linear complexity.
All five algorithms exhibit a linear overall complexity, O(N), primarily determined
by the dataset-reading operations. This linear complexity makes them efficient, scal-
able, and suitable for applications with large datasets and real-time data-processing
requirements.
5.4 Summary
In this section, we introduce a novel approach to detecting jamming attacks in
WSN-oriented IoT environments. Initially, we utilized fuzzy logic algorithms to iden-
tify jamming attacks, and then employed a multilateration algorithm based on distance
estimation using data link and network-layer metrics to pinpoint the jamming source.
Both local detection and localization are performed at the network edges. Our as-
sessment of this new technique illustrates its effectiveness in accurately identifying
jammers while maintaining efficient execution time.
The analysis revealed several key findings: MMLAW-Retransmissions and MMLAW-
ETX achieved the lowest error rates, with MMLAW-ETX demonstrating superior per-
formance in grid topologies, whereas MMLAW-Retransmissions excelled in random
topologies. Centroids consistently emerged as the most time-efficient approach across
all jammer types and topologies, with only minimal deviations in the time efficiency
observed between them and the proposed methodologies. In contrast, VFIL exhibited
longer processing times and higher error rates, highlighting potential limitations in
real-time applications. In addition, the Single Circle maintained a moderate level of
error performance across various jamming scenarios, providing a balanced approach
152
across different conditions.
Our method outperforms the alternative in measuring the Euclidean Distance error
by factoring in both the data link and network layer metrics to estimate the distance.
In contrast, alternative approaches rely solely on the coordinates of predicted jammed
nodes. MMLAW incorporates weighted distances and enhances node localization
accuracy by assigning varying significance to nodes, depending on their proximity
to the jammer. This approach effectively mitigates the outlier effects and yields more
precise estimations.
153
Chapter 6
Intrusion Recovery Strategies
When detecting malicious activity in a network and locating a jammer, a crucial
step is to fix the anomalies in the IoT network [187]. An effective strategy to recover
the WSN and IoT network from jamming attacks is to modify the communication path
to avoid the affected areas. In this chapter, we discuss related work and propose a
solution for recovering networks from jamming attacks.
6.1 Proposed Solution
The final step of the proposed framework is recovery from a jamming attack. Our
proposed framework utilizes a fuzzy-logic algorithm to detect jamming attacks by
collecting node metrics. The Fuzzy controller employs two metrics (ETX and retrans-
mission) as inputs to execute the Jamming Indicator as the output for decision-making.
In addition, the location of the jammer is mapped using a multilateration algorithm
that estimates the distance using retransmission metrics and ETX. Furthermore, the
jammer area location was determined based on a fuzzy decision. We propose solu-
tions for recovering from jamming attacks in RPL networks by adjusting the routing
decisions at the network layer and blacklisting the nodes under attack.
154
The proposed method does not require additional hardware for its implementa-
tion. Consequently, the proposed technique does not incur further development costs.
Finally, we use our knowledge to develop a recovery strategy.
The RPL protocol creates a network topology using a tree-like structure called a
Directed Acyclic Graph (DAG). Each node within this network is assigned a rank that
increases as the node’s distance from the root node (DODAG root) increases. This
structure helps determine the best path for packet routing based on the lowest rank
criterion. The protocol proactively forms this topology and uses control messages like
DIO the DAG Information Object (DIO) and Destination Advertisement Object (DAO)
to maintain and update the routing information within the network [266].
The RPL rebuilds or updates its tree structure primarily in response to network
changes, such as when a new node joins the network, an existing node leaves, or the
network topology changes owing to link failures or recoveries. The DIO messages are
periodically used to refresh the network topology information among nodes, whereas
DAO messages are sent to the DODAG root to update the routing information for
downward routes.
Our proposed solution involves performing localization after detecting the jammed
nodes, during which the predicted coordinates and IDs of the jammed nodes are
obtained. During the recovery phase, the anticipated coordinates and IDs of the
obstructed nodes are utilized to implement a blacklist in the routing protocol. Our
simulation experiments demonstrate that the RPL protocol is capable of reconstructing
paths using blacklist data. We conducted simulations with varying sink placements,
and ultimately contrasted the outcomes of our network under attack versus post-
recovery.
155
6.2 Evaluation
In this section, we assess the proposed recovery plan and present the results of our
analysis based on two key metrics: retransmission and dropped packets. Our aim was
to compare the network performance when it was under attack and after the recovery
process. We also explored various network scenarios with the sink placed at different
positions: the grid’s middle, edge, and top middle. Finally, we generate RPL trees for
each scenario to demonstrate how the paths change during the attack and restoration
phases.
6.2.1 Sink in the middle of the Grid
Based on the data presented in Figure 6.1, it is evident that the number of retrans-
missions decreases in the post-recovery phase. The results also indicate that positions
1, 4, 13, and 16, which are located further away from the sink, experience minimal
retransmissions compared with positions 6, 7, 10, and 11, which are situated closer to
the sink node and experience the maximum number of retransmissions in the scenario.
In addition, Figure 6.2 shows a comparison of the dropped packets. This demon-
strates that, after the recovery phase, the number of dropped packets decreased signif-
icantly.
In the simulation, when the sink was positioned in the middle of the grid and the
jammer was at position 1, we generated an RPL tree using the simulation network logs.
Figure 6.3 displays a screenshot of this simulation, whereas Figure 6.4 shows the last
generated RPL tree when the Sink is in the Middle of the grid in a healthy scenario. In
this situation, the RPL tree needs one minute to build the first tree.
Figure 6.5 shows a graphical representation of the RPL tree when nodes 2, 3, 7, and
156
Figure 6.1: Average of Retransmissions when the sink is in the middle of the grid
8 are attacked. In this situation, we can observe congestion in the network after an
attack. In the situation under attack, the RPL tree needs four minutes to build the first
tree.
Following restoration, the RPL tree is shown in Figure 6.6 for the same sink position
and jammer location.
The network currently faces an attack, as shown in Figure. 6.5. Nodes 2, 3, 7, and 8
were compromised, which could disrupt the network performance and data forward-
ing. In the recovery phase in 6.6, the network identifies and blacklists the problematic
nodes to mitigate the impact of the attack. By comparing these two phases, notable
changes were observed. During the attack phase, the network topology had multiple
routes that included compromised nodes, which could have caused routing disruptions
and decreased the network performance. However, in the recovery phase, the topol-
157
Figure 6.2: Average of Drop Packets when the sink is in the middle of the grid
Figure 6.3: Sink in the Middle attacker position 1
158
Figure 6.4: RPL tree when Sink in the Middle a healthy scenario
Figure 6.5: RPL tree when attacker at position 1 in attack phase and sink is in the
middle of the grid
ogy would have been reorganized to exclude blacklisted nodes, potentially creating
new paths to maintain connectivity within the network. The efficiency of the recovery
phase can be analyzed by examining how quickly and effectively the network adapts
to the node loss. Key indicators include whether the network maintains its coverage,
the extent of the increase in routing path lengths, and overall network latency. A
159
Figure 6.6: RPL tree when attacker at position 1 in recovery phase and sink is in the
middle of the grid
resilient network should be able to adapt by identifying alternative paths and elect-
ing new coordinator nodes to facilitate communication. The recovery phase should
ideally demonstrate the ability of the network to sustain communication between all
operational nodes and the sink node without a significant loss in performance.
Figure 6.7 depicts the graphical display when the sink is situated at the center of the
grid and the attack is at position 6. In addition, in Figure 6.8, we present an RPL tree
generated using MATLAB during a simulated attack. A tree recovery view is shown
in Figure6.9.
Nodes 8, 9, and 13, and sink node 1 are currently under attack, as shown in
Figure 6.8. This is a serious issue for network routing, because the sink node is
crucial for communication and data collection from all other nodes. If the sink node is
compromised, the entire network can suffer from loss of data integrity and availability.
During the recovery phase, Figure 6.9 shows that nodes 8, 9, and 13 were blacklisted
because of the attack. By blacklisting these nodes, the network aims to isolate problem
160
Figure 6.7: Sink in the Middle attacker position 6
areas and prevent the spread of attacks to stabilize the network. From the visual
observation of the two trees, we can infer that during the attack phase, the network
attempts to route around the compromised nodes, potentially creating redundant and
inefficient paths. Compromised nodes, including the sink node, can cause unreliable
data aggregation and routing. In the recovery phase, the network topology changes
to route data around blacklisted nodes, and the remaining nodes establish new routes
for effective communication. The network structure may appear more streamlined;
however, some nodes may have increased path lengths for communication with the
sink node. The sink node no longer under attack should receive data more effectively
from the other nodes.
161
Figure 6.8: RPL tree when attacker at position 6 in attack phase and sink is in the
middle of the grid
Figure 6.9: RPL tree when attacker at position 6 in recovery phase and sink is in the
middle of the grid
6.2.2 Sink in the top left edge of the Grid
In this section, we present an assessment of the recovery phase in the instance
where the sink is situated at the top-left edge of the grid. As shown in Figure 6.10,
we compared the average retransmissions during an attack simulation with that after
162
the recovery phase. Notably, Position 1 did not yield any data, as it blacklisted the
two primary leaves following the sink. As illustrated in Figure 6.10, our findings
demonstrate a significant decrease in the retransmissions following the recovery phase.
Figure 6.10: Average of Retransmissions when the sink is in the top left edge of the
grid
In addition, the chart depicted in Figure 6.11 illustrates the average number of
dropped packets when the sink is situated on the top left edge. The graph reveals that
positions 2, 5, and 6, which were in close proximity to the sink node, experienced the
highest number of dropped packets. Conversely, positions located farther from the
sink exhibited significantly fewer instances of dropped packets.
The simulation screenshot depicted in Figure 6.12 shows the sink situated at the
top-left edge of the grid, while the attacker occupies position 2.
The RPL tree in the healthy scenario when the sink was placed on the top left edge
163
Figure 6.11: Average of Drop Packets when the sink is in the top left edge of the grid
of the grid is shown in Figure 6.13.
Figure 6.14 displays the RPL tree formation during the simulation under attack,
whereas Figure 6.15 illustrates RPL tree formation during the recovery phase.
During the Attack Phase, as illustrated in Figure 6.14, the network structure exhibits
signs of distress owing to the attack. This includes inconsistent or dense routing
paths, as the network attempts to maintain connectivity despite compromised nodes.
The compromised nodes can create unreliable or inefficient routes, which can lead to
increased latency and reduced network performance. In the Recovery Phase, depicted
in Figure , after nodes 2, 3, 7, and 8 have been blacklisted, we would expect the
network to reorganize itself to avoid these nodes. This results in new routing paths
that bypass blacklisted nodes, thereby streamlining the network if blacklisted nodes
cause significant routing disruptions. The remaining nodes have established new
164
Figure 6.12: Sink in the top left edge of the grid attacker position 2
Figure 6.13: RPL tree when Sink in the top left edge of the grid in healthy scenario
parent-child relationships to maintain the flow of information towards the sink node.
By comparing the Attack and Recovery Phases, we can infer the presence or absence of
blacklisted nodes in routing paths, the formation of new connections to replace paths
previously routed through compromised nodes, changes in topology (such as which
165
Figure 6.14: RPL tree when attacker at position 2 in attack phase when the sink located
in the top left edge of grid
nodes have taken on more significant roles as routing parents or have become leaves
in the tree), and the robustness of the network’s recovery mechanism.
The simulation depicted in Figure 6.16 illustrates the scenario in which the attacker
is positioned at location 15, whereas the sink is situated on the top left edge of the grid
during the attack phase. Furthermore, we created an RPL tree for the sink located at
the top-left edge of the grid during the attack phase, as shown in Figure. 6.17. We refer
to the RPL tree in Figure 6.18 for the recovery phase.
During the Attack Phase 6.17, the network topology may appear disrupted if nodes
18, 19, 23, and 24 are attacked. The area surrounding compromised nodes may be
dense or chaotic, indicating the network’s efforts to maintain communication despite
disruptions. The network also creates multiple redundant routes to find viable paths
for data transmission, which may result in the more frequent use of non-optimal paths.
Moving on to Recovery Phase 6.18, after blacklisting nodes 18, 19, 23, and 24, we can
observe that these nodes are either isolated or completely removed from the network’s
166
Figure 6.15: RPL tree when attacker at position 2 in recovery phase when the sink
located in the top left edge of grid
Figure 6.16: Sink in the top left edge of the grid attacker position 15
active routing topology. This should result in a more streamlined network with fewer
redundant paths and potentially, more direct routes. The network is adapted by nodes
finding new parents or forming new child-parent relationships to bypass blacklisted
167
Figure 6.17: RPL tree when attacker at position 15 in attack phase and Sink in the top
left edge of the grid
Figure 6.18: RPL tree when attacker at position 15 in recovery phase and Sink in the
top left edge of the grid
nodes. This can alter the flow of data within the network; however, ideally, it should
maintain or even improve the network performance despite the loss of nodes.
6.2.3 Sink on the top middle of the Grid
In this section, we evaluate the recovery phase when the sink is in the top-middle of
the grid. Figure 6.19 shows the average number of retransmissions in the simulation.
168
Figure 6.19: Average of Retransmissions when the sink is in the top middle of the grid
The average number of dropped packets is presented in Fig. 6.20. The figure
indicates that jammers positioned near the sink, namely, 1, 2, 3, 4, 6, and 7, experienced
a high rate of dropped packets. Conversely, jammers located further away from the
sink, specifically 5, 8, 9, 10, 11, 12, 13, 14, 15, and 16, encountered a lower rate of
dropped packets.
The simulation displayed in Figure 6.21 depicts the sink in the top middle of the
grid and the attacker in Position 2. Figure 6.22 shows the RPL tree when the sink is in
the top middle of the grid in the healthy scenario.
In Figure 6.23, we can see the RPL tree during the attack phase, with the attacker still
in position 2 and the sink in the top-middle of the grid. From Figure 6.23, it is evident
that the network loses communication in the areas under attack and experiences high
traffic in other parts of the network.
169
Figure 6.20: Average of Drop Packets when the sink is in the top middle of the grid
Similarly, Figure 6.24 illustrates the RPL tree during the recovery phase, with the
attacker still in position 2 and the sink in the top-middle of the grid. We demonstrate
that traffic avoids blacklisted nodes and selects healthy paths to communicate with
other nodes.
In the Attack Phase, when nodes 3, 7, and 8 and the sink nodes are attacked, the
network topology may be disrupted. Dense or chaotic areas may surround compro-
mised nodes, as the network strives to maintain communication despite disruptions.
The network creates multiple redundant routes to ensure successful data transmission,
which may result in the frequent use of non-optimal paths.
In the Recovery Phase, after blacklisting nodes 3, 7, and 8, we observed that these
nodes were either isolated or completely removed from the active routing topology
of the network. This results in a streamlined network with fewer redundant paths
170
Figure 6.21: Sink in the top middle of the grid attacker position 2
Figure 6.22: RPL tree when Sink in the top middle of the grid healthy scenario
and potentially, more direct routes. Nodes adapt by finding new parents or forming
new child-parent relationships to bypass blacklisted nodes. This may alter the data
flow; however, ideally, the network’s performance should be maintained or improved
despite the loss of nodes.
171
Figure 6.23: RPL tree when attacker at position 2 in attack phase when the sink is in
the top middle of the grid
The simulation in Figure 6.25 depicts the sink placed at the top middle of the grid,
with the jammer positioned at position 14. MATLAB was used to construct the RPL
tree, which is illustrated in Figure 6.26 for the attack phase when the jammer was at
position 14, and the sink was in the top middle of the grid. In addition, Figure 6.27
shows the RPL tree during the recovery phase when the attacker is at position 14 and
the sink is in the top middle of the grid.
During the Attack Phase, when nodes 17, 18, 22, and 23 are attacked, the network
topology may be disrupted. In such cases, compromised nodes might be surrounded
by dense or chaotic areas, as the network attempts to maintain communication despite
disruptions. The network creates multiple redundant routes to ensure the successful
transmission of data, which may result in nonoptimal paths being used more fre-
quently.
In the Recovery Phase, after blacklisting Nodes 17, 18, 22, and 23, it was observed
that these nodes were either isolated or completely removed from the network’s active
172
Figure 6.24: RPL tree when attacker at position 2 in recovery phase when the sink is in
the top middle of the grid
Figure 6.25: Sink in the top middle of the grid attacker position 14
routing topology. Consequently, the network becomes streamlined with fewer redun-
dant paths and potentially, more direct routes. Nodes adapt to this change by finding
new parents or forming new child-parent relationships to bypass blacklisted nodes.
173
Figure 6.26: RPL tree when attacker at position 14 in attack phase when the sink is in
the top middle of the grid
Figure 6.27: RPL tree when attacker at position 14 in recovery phase when the sink is
in the top middle of the grid
This might alter the data flow; however, ideally, the network performance should be
maintained or improved despite losing nodes.
6.2.4 Discussion
Contiki uses protocols such as ContikiMAC and carrier-sense multiple access
(CSMA) at the Medium Access Control (MAC) layer to manage access to the wire-
174
less medium. These protocols contain the parameters that control the number of
retransmission attempts. In our configuration, using the ContikiMAC protocol [267],
a packet was dropped after five transmissions, including the initial transmission and
subsequent retransmissions. Therefore, a packet is dropped after four retransmissions.
It is important to note that not every retransmission results in a dropped packet.
Some packets were successfully delivered after one or more retransmissions. Con-
sequently, the number of retransmission logs may increase without corresponding
entries in the drop logs. Specific thresholds or policies, such as the maximum number
of retransmissions, are used to determine whether a packet should be dropped. These
measures ensure that the network does not expend resources on packets that are un-
likely to be successfully transmitted. However, it is also important to recognize that
not every retransmission will result in a dropped packet owing to these thresholds.
6.3 Summary
In summary, we introduce the third phase of our framework, which focuses on
recovery. Our approach involves leveraging detection and localization information
to identify blacklist compromised nodes within the network. The RPL protocol then
utilizes these blacklist IDs to reorganize paths and network trees. By comparing the
under-attack and post-restoration phases, we observed a decrease in retransmissions
and dropped packets following restoration.
175
Chapter 7
Performance Evaluation of the
Proposed Framework
This chapter provides a thorough assessment of this framework. We begin by
evaluating FLIDS for detecting various types of attacks based on the best set of param-
eters. Additionally, we explore the applicability of the FLIDS Framework by analyzing
the execution time in seconds and memory usage in kilobytes per jammer. Next, we
investigate the simulated data to determine the optimal time period for real-time in-
trusion detection in the network. Furthermore, we evaluated the performance of the
complex jammer. In addition, we demonstrated the ability of our approach to detect
multiple jammers. Finally, we comprehensively compare our approach with existing
methods, including a comparison with the FLJDA method, using simulated data from
our environment.
176
7.1 Performance evaluation of FLIDS for the Detection
of Different Types of Attacks
This section evaluates the effectiveness and performance of the FLIDS in recog-
nizing different types of jamming attacks. The proposed method involves inputting
combinations of ETX & Retransmissions and PDPT & Retransmissions values into a
Fuzzy Inference System to produce the JI. The evaluation covered five different types of
jammers, two primary node arrangements, three sink positions, and two sets of input
parameters. The simulation findings indicated that Fuzzy Logic is a suitable approach
for accurately identifying different jamming attacks in diverse scenarios.
In our research, we conducted experiments in both predicted scenarios using grid-
based node placement and in unpredicted scenarios with random placement. To assess
our proposed technique, we implemented five different Jammer behaviors (as detailed
in 3.1).
Figure 7.1: ROC Curves for Constant Jammer in Grid Topology
177
Figure 7.2: ROC Curves for Constant Jammer and Random Topology
Figure 7.3: ROC Curves for Deceptive Jammer with Grid Topology
For the predefined (grid) scenarios, we performed 480 simulations (30 scenario vari-
ations ×16 jammer positions) and additional 480 simulations for the random scenarios.
178
Figure 7.4: ROC Curves for Deceptive Jammer and Random Topology
Our focus was on achieving the optimal accuracy in each setting by conducting various
testing scenarios. We also conducted simulations with adjustments to the ranges of
membership functions of the combination ETX and Retransmissions, as well as the
combination of PDPT & Retransmissions. Additionally, improvements were made to
the fuzzy model rules. Tables A.20, A.21, A.22, and A.23 provide a summary of all
simulations for the 60 different cases examined.
Based on the information in these tables, the Deceptive Jammer achieved perfect
results with an accuracy rate and recall of 100%. This was attributed to the Deceptive
Jammer, which caused the most congestion in the network. Moreover, our FLIDS
approach was trained using the deceptive attack data. Conversely, the worst results
were observed with the Random Jammer in specific scenarios because this jammer
experienced periods without any attacks. To address this issue, in Section 7.2, we
examine the determination of the optimal detection period.
Overall, the ROC curves are depicted in Figures 7.1, 7.2, 7.3, 7.4, 7.5, 7.6, 7.7,7.8,
179
Figure 7.5: ROC Curves for Random Jammer with Specific Shape Signal in Grid Topol-
ogy
Figure 7.6: ROC Curves for Random Jammer with Specific Shape Signal and Random
Topology
7.9,7.10. These figures illustrate the high performance of the proposed approach.
Specifically, Figure 7.3 presents the ROC curve when the jammer was deceptive in
180
Figure 7.7: ROC Curves for Random Jammer with Random Shape Signal in Grid
Topology
Figure 7.8: ROC Curves for Random Jammer with Random Shape Signal and Random
Topology
predefined scenarios. However, a slightly lower accuracy was observed when the
attacker was random with a specific-shape signal. This is due to periods in which the
181
Figure 7.9: ROC Curves for Reactive Jammer in Grid Topology
Figure 7.10: ROC Curves for Reactive Jammer and Random Topology
attacker does not perform an attack, which affects the model’s performance over the
entire 15-minute simulation period.
182
7.2 Real-time detection jamming attacks
This section delves into the crucial task of selecting the optimal time interval to
detect jamming attacks during intrusion detection. Achieving real-time detection
depends on identifying the ideal timeframe for identifying these attacks. It is evident
that a fifteen-minute interval is too long to expect an IDS to make timely decisions.
Consequently, we conducted a series of experiments with time intervals of 30 s, 60
s, and 90 seconds (s) to determine the most effective duration. All experiments were
implemented with the deceptive jammer in three predefined scenarios, when the sink
was in the middle, top edge, and top middle of the grid.
Table 7.1: Accuracy in different time periods
Sink in the Middle Sink in the top Edge Sink top Middle
30 Seconds 98.86% 94.85% 96.47%
60 Seconds 99.31%98.10%98.98%
90 Seconds 98.03% 97.77% 98.58%
As illustrated in Figure 7.11, our findings reveal that, in most cases, the accuracy
of the model shows a notable improvement at the 60 s mark, while it experiences a
decline at 30 s and 90 s intervals. The results presented in Table 7.1 highlight the
significant impact of time duration on the accuracy of data collection. The study
investigates the performance of three different sink placement strategies— ”Sink in
the Middle,” ”Sink in the Top Edge,” and ”Sink in the Top Middle”—over intervals of
30, 60, and 90s. Remarkably, all three scenarios exhibited the highest accuracy at the
60s mark. Specifically, when the sink was placed in the middle, an accuracy of 99.31%
was achieved. When the sink was placed on the top edge, an accuracy of 98.10% was
achieved. Finally, when the sink was placed in the top middle, an accuracy of 98.98%
183
Figure 7.11: Accuracy in different time periods
was achieved. This indicates that the 60s interval emerges as the optimal time period
for detection.
7.3 Assessing the Practical Applicability of FLIDS
Additional measurements were performed to assess the practical effectiveness of the
proposed approach in real-world situations. Specifically, we examine four key metrics
of the FLIDS system: CPU usage in seconds, CPU processing overhead, memory usage
in kilobytes, and execution time [17]. To ensure the reliability of the data, we ran the
FLIDS approach in Matlab ten times for each scenario. The results provide the highest
recorded CPU usage in seconds, CPU processing overhead, and memory usage in
kilobytes.
184
Monitoring CPU usage in a WSN is crucial for understanding the energy consump-
tion and network performance. This metric, typically measured in seconds, is essential
for optimizing the operation of sensor nodes that have limited power and computa-
tional resources. By recording CPU usage data every minute, we can observe how the
system’s computational load fluctuates with different tasks, underscoring the signifi-
cance of efficient resource management in extending the network lifespan [268,269].
The following results were obtained from tests conducted using the FLIDS approach
with different inputs and jammer types:
The CPU usage of the FLIDS approach is shown in Figure 7.12, where the max-
imum CPU usage is 0.00625 s for the deceptive jammer when the inputs are PDPT
and Retransmissions and 0.0033482 s for the reactive jammer when the inputs are ETX
and Retransmissions. These results demonstrate that the proposed approach can be
successfully applied to real sensor networks. However, more CPU usage is required
to identify deceptive and reactive jammers because they are considered the most dan-
gerous.
CPU processing overhead is the percentage of CPU capacity used to handle the
internal operations needed to maintain and manage the network, in addition to the
primary tasks of sensing and communication [268].
The CPU processing overhead of the FLIDS approach is shown in Figure 7.13, where
the maximum CPU processing overhead is 12.7369 % for the Deceptive Jammer when
the inputs are PDPT and Retransmissions and 8.6833 % for the Reactive Jammer when
the inputs are ETX and Retransmissions. These results demonstrate that the proposed
approach can be successfully applied to real sensor networks. However, a higher CPU
processing overhead is required to identify deceptive and reactive jammers.
185
Figure 7.12: CPU usage in Seconds per type of Jammer
Figure 7.13: CPU processing overhead (%) per type of Jammer
Memory usage, usually measured in kilobytes (KB), is a crucial consideration be-
cause of the limited memory resources on the sensor nodes [268–270].
The Memory Usage of the FLIDS approach is shown in Figure 7.14, where the
maximum memory usage is 29.4857 KB for the Reactive Jammer when the inputs are
186
ETX and Retransmissions, and 21.3429 KB for the Deceptive Jammer when the inputs
are PDPT and Retransmissions. These results demonstrate that the proposed approach
can be successfully applied to real sensor networks, although it requires more memory
to identify deceptive and reactive jammers, which are considered the most dangerous.
Figure 7.14: Memory Usage per type of Jammer
Code execution time in a WSN is a crucial metric for evaluating the performance
and efficiency of applications running on sensor nodes. It refers to the duration
for which a node’s CPU executes a specific code, usually measured in seconds (s).
This metric is fundamental for gauging the energy consumption, responsiveness, and
overall performance of a network [269].
Figure 7.15 shows the execution time of the FLIDS approach for different types
of jammers and input combination parameters. The highest average execution time
for our system was 0.0036824 s when the inputs were the PDPT and retransmissions.
This demonstrates that FLIDS has a short execution time and can quickly identify the
jammer being investigated, thereby reducing the damage caused.
187
Figure 7.15: Execution time per type of Jammer
In conclusion, the results of our tests demonstrate that FLIDS is a promising ap-
proach that can be used in IoT devices with limited memory. Finally, according to the
literature [26,220,227, 228,235,253,271] our approach is the only that takes into account
the Memory usage and the Execution time of the method.
7.4 Evaluation of Strategies for Real-Time Jamming Iden-
tification
In this section, we present an in-depth evaluation of different jamming identifica-
tion strategies within diverse network topologies, randomly generated, and predicted.
In our evaluation, we utilized performance metrics, such as TP, TN, FP, and FN, to
calculate the accuracy, precision, specificity, and recall rates. The results of these eval-
uations are listed in Tables 7.2, 7.3, 7.4, 7.5, 7.6 and 7.7. Our investigation encompassed
a wide range of five distinct jamming strategies: Constant Jammer, Deceptive Jammer,
Random Jammer, Reactive Jammer, and Complex Jammer. We thoroughly explored
188
their performance across different topological configurations, and comprehensively
assessed their effectiveness in countering jamming attempts within WSNs.
The Table 7.2 titled ”Sink is in the Middle of the Grid in Predicted Scenario” presents
a comprehensive summary of the performance evaluation results for different jamming
strategies within a specific network configuration. In this scenario, the sink is strate-
gically placed in the middle of the grid, resulting in a distinctive network topology.
Additionally, Table 7.2 is accompanied by the corresponding Figure 7.16, which visually
represents the performance evaluation results. Figure 7.16 enhances our understand-
ing of the data presented in the table, and provides an alternative perspective. Within
this context, the Constant Jammer exhibited a vital accuracy of 96.11%, accompanied
by robust precision. It maintained an above-average recall, highlighting its effective-
ness in network scenarios with a centrally located sink. The Deceptive Jammer was
the best performer in terms of accuracy, achieving a remarkable score of 99.59%. It also
maintains a high precision rate and near-exceptional recall, demonstrating its superior
performance in this network configuration. The Random Jammer achieved a balanced
combination of precision and recall, with an accuracy rate of 95.63 %, making it a good
choice for various network scenarios. Reactive Jammer attained an accuracy of 97.28
Table 7.2: Sink is in the middle of the grid in predicted scenario
Jammer Type Accuracy Precision Recall Specificity F-score
Constant Jammer 96.11% 90.56% 78.14% 98.85% 82.76%
Deceptive Jammer 99.59% 98.06% 99.34% 99.63% 98.66%
Random Jammer 95.63% 94.65% 74.42% 99.28% 83.15%
Reactive Jammer 97.28% 98.91% 82.69% 99.82% 89.73%
Complex Jammer 92.52% 87.64% 57.33% 98.60% 68.41%
Table 7.3 explores the outcomes of jamming strategies in scenarios where the topol-
ogy is predicted and the Sink is located in the Top Middle of the grid. These scenarios
189
Figure 7.16: Sink in the middle of the Grid, predicted scenarios
represent different sets of challenges and opportunities for jammers. The results indi-
cated variations in accuracy, precision, and recall for each strategy, with the Deceptive
Jammer achieving a notably high accuracy of 98.81%. The accuracy, precision, and re-
call graph when the sink is in the top middle of predicted scenarios is shown in Figure
7.17. The Deceptive Jammer excels in accuracy, with a remarkable score of 98.81%. In
addition, it maintains high precision and recall values, highlighting its commendable
performance in this specific context. The Constant Jammer achieved an accuracy of
96.99%. The Random Jammer achieved an accuracy rate of 96.60%, showing a well-
balanced combination of precision and recall. This balanced performance makes it a
strong contender for various applications. The Reactive Jammer, with an accuracy of
97.99%, excelled in precision while maintaining a respectable recall rate, indicating its
capability to effectively detect jamming attempts while minimizing the risk of miss-
190
ing malicious activities. Finally, the Complex Jammer achieves an accuracy of 93.77%
within this scenario. Although it exhibits relatively low precision, it demonstrates high
recall, indicating its proficiency in identifying jamming attempts, although it has the
potential for more false positives.
Figure 7.17: Sink in the top middle of the Grid, predicted scenarios
Table 7.3: Sink located in Top Middle of the grid in predicted scenario
Jammer Type Accuracy Precision Recall Specificity F-score
Constant Jammer 96.99% 89.41% 88.82% 98.11% 87.62%
Deceptive Jammer 98.81% 93.90% 99.48% 98.70% 96.28%
Random Jammer 96.60% 97.70% 78.13% 99.67% 85.78%
Reactive Jammer 97.99% 98.25% 86.94% 99.81% 91.59%
Complex Jammer 93.77% 80.91% 79.65% 96.22% 78.90%
In Table 7.4, ”Sink on the top edge of the grid in the predicted scenario” presents
unique challenges for the jamming strategies, resulting in varied performance metrics.
191
The Deceptive Jammer achieved the highest accuracy at 98.55%, whereas the Complex
Jammer exhibited a lower accuracy of 82.76%. The Figure 7.18 titled ”Sink on the Top
Edge of the Grid in Predicted Scenario” visually encapsulates the evaluation outcomes
for diverse jamming strategies within a specific network environment. In this scenario,
the sink was strategically located at the top edge of the grid, resulting in a distinctive
network topology. Among the jamming strategies, the Constant Jammer attained an
accuracy of 97.30%, accompanied by robust precision and recall metrics. This suggests
its effectiveness in countering jamming attempts in network scenarios in which the
sink is strategically positioned at the top edge of the grid. The Deceptive Jammer
outperformed the other strategies in terms of accuracy, scoring an impressive 98.55%.
Additionally, it maintains high precision and recall values, underscoring its commend-
able performance in this unique context. The Random Jammer achieved an accuracy
rate of 97.12%, indicating a balanced trade-offbetween precision and recall. This bal-
anced performance makes it a viable choice in specific use cases. The Reactive Jammer
excels in precision, with an accuracy of 97.88%, although it exhibits slightly lower
recall, implying its capability to effectively detect jamming attempts while potentially
missing some malicious activities. Lastly, the Complex Jammer achieves an accuracy
of 82.76% within this scenario. Although it demonstrates notably lower precision, it
exhibits high recall, highlighting its proficiency in identifying jamming attempts, albeit
with the potential for more false positives.
Moving on to Table 7.5, we delve into the results of jamming strategies in a different
random topology, where the sink is positioned in the middle of the grid. In this case,
we observed variations in the performance metrics among the jamming strategies, with
the Constant Jammer achieving an accuracy of 94.79%. Simultaneously, the Complex
192
Figure 7.18: Sink on the Top Edge of the Grid in Predicted Scenario
Table 7.4: Sink on the top edge of the grid in predicted scenario
Jammer Type Accuracy Precision Recall Specificity F-score
Constant Jammer 97.30% 88.45% 97.82% 97.21% 92.22%
Deceptive Jammer 98.55% 95.88% 95.00% 99.20% 95.21%
Random Jammer 97.12% 97.67% 83.33% 99.65% 89.72%
Reactive Jammer 97.88% 93.67% 95.38% 98.33% 93.77%
Complex Jammer 82.76% 51.13% 91.03% 81.24% 63.64%
Jammer lags with an accuracy of 91.74%. Precision and recall metrics also provide
insights into the effectiveness of these strategies.
Table 7.5: Random Topology when the sink is in the Middle of the grid
Jammer Type Accuracy Precision Recall Specificity F-score
Constant Jammer 94.79% 82.00% 82.56% 96.99% 81.12%
Deceptive Jammer 95.21% 84.54% 84.84% 96.91% 82.80%
Random Jammer 93.20% 87.44% 62.86% 98.10% 70.87%
Reactive Jammer 95.61% 96.20% 71.04% 99.47% 80.66%
Complex Jammer 91.74% 84.26% 56.61% 97.86% 64.71%
193
Figure 7.19: Sink in the middle of the Grid, Random topology
Figure 7.19 visually represents the results and shows the performance of each
jamming strategy in the middle of the grid. The Reactive Jammer maintained a lead
in accuracy, with the Deceptive Jammer closely following. The Complex Jammer
exhibited a lower accuracy rate in this scenario. Among these strategies, the Constant
Jammer stands out, with an accuracy of 94.79%. This approach exhibited moderate
precision and recall values, indicating its effectiveness in countering jamming attempts
when the sink occupied the center of the grid. The Deceptive Jammer also excels
in accuracy, achieving a notable score of 95.21%. This strategy also demonstrates
relatively high precision and recall, making it a strong performer in this context.
Despite having a lower accuracy of 93.20% compared with Constant and Deceptive
Jammers, the Random Jammer presents a well-balanced combination of precision and
recall, potentially suiting certain use cases. Reactive Jammer records an accuracy of
95.61% and excels in precision while exhibiting a somewhat lower recall. This suggests
194
its effectiveness in detecting jamming attempts while potentially missing malicious
activity. Lastly, Complex Jammer recorded the lowest accuracy within this scenario,
at 91.74%. Nevertheless, it demonstrates higher precision and lower recall, implying
its effectiveness in identifying jamming attempts, while possibly generating more false
positives.
Table 7.6, ”Random topology when the sink is in the top middle of the grid,”
continues the evaluation in a top-middle placement scenario, with the sink situated
accordingly. The performance metrics show how each jamming strategy responds
to this change in topology with variations in accuracy, precision, and recall. The
Deceptive Jammer leads with an accuracy of 94.96%, whereas the Complex Jammer
trails at 89.90%.
Figure 7.20: Sink in the top middle of the Grid, Random topology
Figure 7.20 Among the jamming strategies, the Constant Jammer achieved an ac-
curacy rate of 94.40%, showing moderate precision and recall values. This suggests
195
Table 7.6: Random topology when the sink is in the top middle of the grid
Jammer Type Accuracy Precision Recall Specificity F-score
Constant Jammer 94.40% 80.15% 84.50% 95.85% 79.29%
Deceptive Jammer 94.96% 79.93% 84.38% 96.50% 80.01%
Random Jammer 92.56% 82.79% 62.66% 97.33% 69.03%
Reactive Jammer 93.34% 75.84% 77.08% 96.04% 72.51%
Complex Jammer 89.90% 72.33% 73.36% 92.72% 66.85%
that it effectively counteracts jamming attempts in scenarios where the sink is situated
in the top middle of the grid. The Deceptive Jammer had an accuracy of 94.96%, sur-
passing other strategies in terms of accuracy. It also demonstrated high precision and
recall, indicating its strong performance in this context. The Random Jammer, with an
accuracy of 92.56%, offers a balanced tradeoffbetween precision and recall, making it
a suitable choice for specific use cases. The Reactive Jammer attained an accuracy of
93.34% and excelled in precision, albeit with a slightly lower recall. This implies its ef-
fectiveness in detecting jamming attempts but with the possibility of missing malicious
activities. Finally, Complex Jammer, with the lowest accuracy within this scenario at
89.90%, demonstrates relatively higher precision and slightly lower recall, indicating
its proficiency in identifying jamming attempts but potentially leading to more false
positives.
Table 7.7, titled ”Random topology when the Sink is in the top edge,” provides an
overview of the performance metrics for each jamming strategy in a random network
scenario. The evaluation criteria were the accuracy, precision, and recall. Notably,
the Constant Jammer demonstrated the highest accuracy at 96.23%, whereas Jammer
Complex exhibited the lowest accuracy at 90.24%. Similar trends were observed in the
precision and recall metrics.
The results of various jamming strategies in a specific random topology are visually
196
Figure 7.21: Sink in the Top Edge of the Grid, Random topology
Table 7.7: Random topology when the Sink is in the top edge
Jammer Strategy/Evaluation Accuracy Precision Recall Specificity F-score
Constant Jammer 96.23% 87.06% 85.64% 97.85% 85.36%
Deceptive Jammer 96.07% 85.70% 85.97% 97.61% 84.83%
Random Jammer 95.69% 85.56% 84.74% 97.35% 84.31%
Reactive Jammer 94.78% 87.36% 75.17% 98.03% 79.55%
Complex Jammer 90.24% 73.43% 69.62% 93.49% 68.67%
represented in Figure 7.21. The chart effectively displays the key performance metrics
of each strategy, such as the accuracy, precision, and recall. The Constant Jammer
showed the highest accuracy at 96.23%, making it the most effective, closely followed
by the Deceptive Jammer with an accuracy of 96.07%. The Random Jammer achieved
an accuracy of 95.69%, while the Reactive Jammer scored 94.78%. The Complex Jammer
showed the lowest accuracy of 90.24%.
197
In summary, our study comprehensively evaluated the performance of different
jamming strategies in various network topologies, both random and predicted. The
results, presented in tables and visually represented in figures, provide valuable in-
sights into the effectiveness of each strategy in different scenarios, aiding in the selection
of the most suitable jamming approach for specific deployment scenarios.
In conclusion, our study comprehensively evaluates the performance of five distinct
jamming strategies across diverse randomly generated and predicted WSN scenarios.
Through 960 simulations encompassing various network topologies and jammer po-
sitions, we observed specific strengths and weaknesses in the performance of each
strategy. Notably, the Constant Jammer demonstrated remarkable effectiveness, par-
ticularly when the sink was placed on the top edge and middle of the grid. The
Deceptive Jammer consistently delivered a high accuracy across different scenarios,
highlighting its robust performance. The Random Jammer offered a well-balanced ap-
proach, while the Reactive Jammer excelled in precision. Complex Jammer effectively
identified jamming attempts, albeit with a higher rate of false positives. Our findings
and visual representations provide valuable resources for researchers and practition-
ers, aiding the informed selection of jamming strategies for specific WSN deployment
scenarios.
7.5 Multiple Jammers Detection using FLIDS
In this study, we conducted experiments involving scenarios in which two jammers
were activated at separate locations. Specifically, we implemented scenarios in which
two deceptive jammers simultaneously appeared at different locations in the grid, as
shown in Figure 7.22. The two jammer nodes are indicated in purple in Figure. 7.22.
The first jammer, labeled 26, is shown by the green area circle in Figure 7.22 and
198
attacked nodes 14, 15, 19, and 20. Additionally, the second jammer of simulation label
27, as shown in Figure 7.22, interferes with nodes 16, 17, 21, and 22. We conducted
experiments with varying positions of the sink (sink in the middle of the grid, sink
at the top left edge of the grid, and sink at the top middle of the grid) as well as
simulations with predicted scenarios and nodes randomly located at the grid.
Figure 7.22: Jammers are located at Position 12
We implemented 16 different jammer positions, the positions and coordinates of
which are presented in Table A.24. The Jammers are distributed over the grid in three
distinct scenarios, as depicted in Figure 7.22, Figure 7.23, and Figure 7.24. Figure 7.22
illustrates that the signals emitted by the two jammers did not intersect with each
other. The two jammers target the eight nodes shown in Figure 7.22. The positions
of the jammers in this situation were 1, 2, 4, 5, 7, 9, 12, 14, 15, and 16. In Figure 7.24,
the jammers overlap the signals and attack nodes 13. To be more precise, in Figure
7.24, the jammers assault a total of seven nodes. The current scenario aligns with the
199
Figure 7.23: Jammers are located at Position 6, and their signal overlaps into two nodes
Figure 7.24: Position 11 is experiencing jamming from multiple Jammers, causing their
signals to overlap into a single node
200
location of jammers 10 and 11. Figure 7.23 demonstrates that the two jammers cover
two nodes, resulting in an attack on six nodes. The current scenario aligns with the
jammers’ spots 3, 6, 8, and 13.
7.5.1 Determining the number of jammers.
This section explains the methodology employed by our solution to ascertain the
quantity of jammers. The literature includes a method introduced by Cheng et al.
in [272] that employs two scenarios to calculate the quantity of jammers. The initial
scenario entails estimating the number of jammers by considering their gearbox range
(which the author named it). In order to achieve this, we first compute the average
size of a congested region caused by a single jammer. This information is then used to
determine the number of jammers required to cover a real congested area. In the sec-
ond scenario, the number of jammers was estimated without any knowledge of their
gearbox range. First, if multiple jammers are activated consecutively to initiate jam-
ming, the position of the first jammer can be estimated using a localization technique
specifically developed for a single jammer. Furthermore, the extent of the jammer
transmission can be ascertained. In the second phase, when jammers are engaged
simultaneously, we can evaluate the extent of different sections within the disturbed
region and estimate the distance covered by the jammer’s transmission by analyzing
the layout of the impacted area.
Our method’s strategy involves utilizing the Jamming Indicator obtained by the
fuzzy logic detection module. The focus of our study is to discover nodes that are
targeted by a jamming attack using a decentralized approach. The jammer is expected
to selectively interfere with up to four neighboring nodes, considering the number of
jammers present in the grid. However, we observed a decrease in the detection rate,
201
and it became difficult to determine the number of jammers present when their signals
overlapped. In future initiatives, we will improve our methods by considering the
convergence of jammers’ positions.
7.5.2 Sink in the Middle of the grid predicted scenarios
The analysis presented in Table A.25 comprehensively evaluates the performance
of a system in scenarios involving multiple jammers located centrally within a grid. A
graphical representation of the table is shown in Figure 7.25. Table A.25 displays the
outcomes across 16 different positions within the grid and is quantitatively evaluated
in terms of accuracy, precision, and recall, all of which are expressed as percentages.
The first column of Table A.25 identifies the scenarios being analyzed. Table A.25
is divided into three main columns corresponding to the key metrics used in the
classification tasks.
The Accuracy column shows the frequency with which the system correctly iden-
tified both the presence and absence of jammers across various positions. The values
ranged from a low of 53.57% at position 3, indicating a challenging scenario, to a high
of 99.70% at positions 7 and 14, signifying a nearly perfect identification.
Precision was measured as the percentage of correctly identified positive predic-
tions from all the positive predictions made. The table reveals a spectrum from a
minimum of 23.29% at Position 3, suggesting many false positives in this scenario, to
100.00% at Positions 11 and 14, indicating that no false positives were generated for
these positions.
The metric Recall indicates the percentage of actual positives that the system suc-
cessfully identifies. The recall percentages varied significantly, with a low of 39.74% at
position 10, reflecting a substantial number of missed detections, and a perfect score
202
of 100.00% at position 7, where every actual positive result was identified.
To summarize, when the sink is located in the center of the grid, the analysis
suggests that certain jammer positions, namely 3, 6, 8, 10, and 11, show overlapping
coverage. Among these, positions 3, 10, and 13 exhibited the lowest accuracy rates.
However, positions 6, 10, and 11 have ideal accuracy rates despite their overlap because
they effectively attack the sink node. In addition, position 8, which interferes with the
sink node, boasts perfect accuracy.
Figure 7.25: Multiple Jammer Sink Middle Grid predicted scenarios
7.5.3 Sink in the top Middle of the grid predicted scenarios
The following section provides a detailed analysis of a system’s performance in
predicting scenarios involving multiple jammers positioned in the top middle of a grid.
The study is presented in Table A.26, with a focus on three key performance indicators:
accuracy, precision, and recall, expressed as percentages. Figure 7.26 shows a graphical
203
representation of the analysis. Table A.26 shows the evaluation of the efficacy of the
system across 16 distinct attack positions.
The effectiveness of the system varied across different scenarios, as indicated by
the fluctuating accuracy values. The system performed nearly flawlessly at positions
7 and 12 with an accuracy of 99.40%, whereas position 8 proved to be a challenging
scenario with an accuracy of only 55.95%. The precision rates ranged from 0% to 100%,
with positions 4, 5, 12, 15, and 16 indicating perfect positive predictions. The recall
percentages also spanned a wide range, with position 7 achieving a 100% success rate
in identifying every actual positive, whereas position 8 failed to correctly identify any
actual positives.
In summary, the table provides a detailed breakdown of the system performance in
identifying multiple jammer scenarios located in the top middle of the grid. As shown
in Figure 7.26, at positions 6, 8, 10, 11, and 13, the accuracy falls below 80% because the
jammers overlap. However, jammers located at position 3 exhibit perfect accuracy as
they target the sink node. On the other hand, positions 1, 2, and 9 show low accuracy
because of their attacks on the first-leaf nodes.
7.5.4 Sink in the top left edge of the grid predicted scenarios
Table A.27 presents the accuracy, precision, and recall for 16 distinct positions when
the sink is located at the top-left edge of the grid in the predicted scenarios. For a visual
representation of these results, see Figure 7.27.
The results show varying levels of accuracy across different positions. Positions 4,
7, 12, and 14 demonstrated exceptionally high accuracies, indicating strong detection
capabilities at these locations. In contrast, positions 3, 6, 8, and 13 exhibited lower
accuracies, suggesting potential challenges in accurately detecting jammers in these
204
Figure 7.26: Multiple Jammer Sink top Middle grid predicted scenarios
scenarios. This was due to the close proximity of the two attackers, causing their
signals to overlap and resulting in elevated false-positive rates. However, the precision
is noteworthy, with position 1 achieving a perfect precision of 100%. Similar high-
precision values are observed at positions 4, 7, 12, 14, 15, and 16. Positions 4 and
12 were particularly effective in capturing most of the jammer signals, with recalls of
98.08% and 100%, respectively.
7.5.5 Sink in the Middle of the grid random scenarios
Table A.28 presents the results of a series of evaluations conducted to assess the
performance of multiple jammer detection systems in scenarios where nodes are placed
randomly and the sink node is in the middle section of the grid. The table provides a
comprehensive breakdown of system performance across 16 distinct positions within
the grid using three critical metrics: accuracy, precision, and recall. A graphical
representation of the table is shown in Figure 7.28.
The accuracy rates of the system differed depending on the position, with the
205
Figure 7.27: Multiple Jammer Sink top left edge grid predicted scenarios
most exceptional performance observed at positions 4 and 11, where the accuracy rate
reached 93.75%. On the other hand, the lowest accuracy rate of 64.58% was recorded
at position 15, which presents a challenging scenario for the system to accurately
detect jammers. Precision rates ranged significantly from a low of 19.44% at position
13, indicating a considerable number of false positives, to a perfect score of 100% at
positions 2, 6, 7, and 11, where every positive prediction made by the system was
accurate. The recall rates displayed considerable variation, from as low as 7.69% at
position 13, suggesting that many actual positives were missed, to a strong performance
of 84.62% at position 1 and 83.52% at position 16, in correctly identifying the presence
of jammers in those scenarios.
7.5.6 Sink in the top Middle of the random scenarios
The predictive accuracy of the system ranged from weak to excellent across various
positions. Position 6 had the lowest accuracy rate of 57.74
206
Figure 7.28: Accuracy Sink in the Middle of the grid random scenarios
Figure 7.29: Accuracy Sink in the top Middle of the grid random scenarios
7.5.7 Sink in the top left edge of the random scenarios
The following section provides a detailed statistical analysis of the jammer detection
system designed to mitigate threats located at the top-left edge of a grid across various
207
Figure 7.30: Multiple Jammer Sink top left edge grid random scenarios figure
randomly predicted scenarios.
The system’s accuracy rates range from 93.75% at position 3, indicating exceptional
performance in detecting jammers, to 61.61% at position 6, where the system struggled
to make accurate predictions. Precision rates varied significantly, with 100% accuracy
at positions 4 and 12 and a low accuracy of 34.16% at position 6, owing to a high
false positive rate. The recall rates also showed considerable variation, with a high
of 92.31% at Position 3, demonstrating the system’s strong ability to identify actual
jammers, and a low of 39.74% at Position 8, indicating that many jammers were missed
in that scenario.
208
7.6 Comparison with other comparative approaches in
the literature review
Table 7.8: Comparison table of Related Work on Using Fuzzy Logic Algorithms for
Detecting Different Jamming Attacks
Input Metrics Additional Algorithm Jammer Positions detection decision Experiments Jammer Type Simulation Topology
FLIDS ETX and
Retransmissions -96 different positions
for the Jammer Distributed
Contiki Cooja O/S,
MATLAB
and python
Constant, Deceptive,
Random ,
Reactive
and Complex
Grid and
Random topologies
[26] PDPT and SNR 2-Means Clustering
Four positions for
the jammer two
inside and two
outside the grid
Centralized NS2 and
MATLAB
Constant, Deceptive,
Random and Reactive Grid
[235] PDPT and SNR K-Means Clustering N/A Centralized
Network
Simulation
environment
Constant, Deceptive,
Random and Reactive Varied topologies
[228]
CCA,
BPR,
PDR and
RSS
two modules One
Make in
external
computer
MATLAB and
5 Xbee nodes
Constant and
Random
Fixed mesh topology
composed of 5 Xbee nodes
and a jammer
[220] PDR and
RSSI -
A jammer is
launched
deliberately
in the cluster
Centralized MATLAB Constant, Deceptive,
Random and Reactive
Clusters of
6 members,
18 sensor nodes
[253] PDR and RSSI Neural network One Jammer
affect two nodes Centralized MATLAB Constant, Deceptive,
Random and Reactive
6 Clusters of
7 members,
42 sensor nodes
and based station
[227] PDR, PLR and RSSI Ant Colony Optimization N/A Centralized MATLAB and
real nodes N/A Random distances
[271] PDR and PLR two modules One Jammer
affect three nodes Centralized MATLAB and
NS 2 simulator
Constant, Deceptive,
Random and Reactive
Four clusters of 7 nodes,
and base station
In this section, we compare the competitive approaches identified in Section 2.2.1.3
with our approach in terms of the performance and jamming attack identification. In
Table 7.8, we comprehensively compare existing intrusion detection methods using
Fuzzy Logic algorithms for jamming identification.
Our approach requires only two metrics as inputs compared with the solutions [228]
and [271]. Our solution employs a single algorithm, uses network layer routing metrics
as inputs, and executes the detection decision locally in a distributed manner at the
edge, instead of the comparative techniques found in the open literature (see Section
2.2.1.3). In addition, the investigated techniques rely solely on physical, transport,
or network layer information, and additional algorithms to achieve high accuracy,
with the decision and detection performed at the central station. More precisely, as
209
shown in the simulations, our approach is distributed and autonomous without the
dependency of its decisions from any other entity, but the IoT RPL routing protocol
metrics at the network layer (i.e., ETX and Retransmissions) that it reads from the
network using Fuzzy Logic. However, the other investigated approaches also use
physical, transport, or network layer metrics (e.g., SNR, CCA, SNR, PDR, RSSI, PLR,
BPR, and RSS) in addition to routing messages, as in our approach (see the approaches
in Section 2.2.1.3 along with the approaches found in [273] and [148]). Moreover,
they depend on their decision from a centralized controller with the use only their
Fuzzy Logic results, but additional decisions from different algorithms such as the [26]
from 2-Means, the [235] from K-Means, the [253] from Neural network and the [227]
from Ant colony optimization. In contrast to the aforementioned approaches, our
solution achieves a recall rate of 100Finally, in our scenarios, jammers affect four
nodes in a predefined environment and more than four nodes in random topologies,
in contrast to existing methods that interfere with one to three nodes [253, 271]. In
addition, as shown by the performance evaluation, our approach can identify all
five jammers (i.e., Constant, Deceptive, Random, Reactive, and Complex) with high
accuracy and reduced power, memory, and CPU execution times. In contrast to the
approaches (e.g., [26], [235], [220], [227], [228], [253], [271]) described in Section 2.2.1.3,
they identified only four jammers (i.e., Constant, Deceptive, Random, Reactive and
Complex) and did not investigate the applicability of their solutions in terms of memory
and execution time. Finally, our method evaluates jammers in numerous locations and
topologies (random) instead of studies in the open literature, which examine jammers
in fewer places and a static topology.
210
7.7 Evaluating Our Approach Compared to Existing Method-
ologies
In this section, we present a thorough and in-depth comparative analysis of our
method and that proposed by Vijayakumar et al. [220] named fuzzy logic–based jam-
ming detection algorithm (FLJDA).
Table 7.9: Input and Output Membership Functions with Ranges
Variable Fuzzy Value a b c d
PDR
VERY LOW -5 0 30 40
LOW 30 40 50 60
MEDIUM 50 60 70 77
HIGH 70 77 100 100
RSSI
LOW -5 0 40 50
MEDIUM 40 50 85 93.14
HIGH 85 93.14 100 120
JC (Jamming Cut-off)
EXTREMELY HIGH -5 0 5 10
SUPERIORLY HIGH 5 10 15 20
ULTRA HIGH 15 20 25 30
AVG HIGH 25 30 35 40
HIGH 35 40 45 50
HIGH MEDIUM 45 50 55 60
AVG MEDIUM 55 60 65 70
LOW MEDIUM 65 70 75 80
AVG LOW 75 80 85 90
LOW 85 90 92 94
BELOW LOW 92 94 96 98
NO 96 98 100 100
To conduct a precise and meaningful comparison, we implement the methodology
introduced by Vijayakumar et al. in their paper [220]. Initially, we developed Mam-
dani’s fuzzy logic model based on the proposed approach, incorporating the member-
ship functions for the input parameters related to the PDR and RSSI combinations in
211
the MATLAB environment.
In the FLJDA system [220], two inputs, the PDR and RSSI, are fuzzified to transform
crisp values into fuzzy values. The output of the fuzzy system is the jamming cutoff
(JC), which indicates the presence or absence of jamming. The membership functions
for the inputs PDR and RSSI and output JC are listed in Table 7.9.
The connection between the input variables PDR and RSSI and the output variable
was established through a set of fuzzy rules. Each rule uses AND connectors to link
different input factors to a specific output. Twelve rules were generated in the FLJDA
system [220], 12 rules are generated. The fuzzy rules are outlined as follows.
1. If PDR is Very Low and RSSI is Low, then JC is E-H
2. If PDR is Very Low and RSSI is Medium, then JC is S-H
3. If PDR is Very Low and RSSI is High, then JC is U-H
4. If PDR is Low and RSSI is Low, then JC is A-H
5. If PDR is Low and RSSI is Medium, then JC is High
6. If PDR is Low and RSSI is High, then JC is H-M
7. If PDR is Medium and RSSI is Low, then JC is A-M
8. If PDR is Medium and RSSI is Medium, then JC is L-M
9. If PDR is Medium and RSSI is High, then JC is A-L
10. If PDR is High and RSSI is Low, then JC is Low
11. If PDR is High and RSSI is Medium, then JC is B-L
12. If PDR is High and RSSI is High, then JC is NO
Subsequently, we executed this algorithm using simulation data extracted from the
Contiki OS and the Cooja Simulator tools in a simulation environment. In addition,
we computed the accuracy, precision, and recall evaluation metrics to compare them
with those of the proposed approach. Table A.31 presents the calculations of the
deceptive jammer performance under predefined scenarios, with the sink located at
212
the top-left of the grid. Table A.31 displays the evaluation metrics, including Accuracy,
Precision, and Recall, for each jammer position in our FLIDS approach compared
with the FLJDA approach by Vijayakumar et al. [220]. Notably, the table reveals
that, on average, our approach achieves an accuracy rate of 96.73%, surpassing the
FLJDA approach, which attains 79.43%. Examining Table A.31, it is evident that most
of the jammer positions attained an accuracy rate exceeding 97.32%, and notably, six
positions achieved perfect 100% accuracy. A graphical comparison of the accuracies for
the different jammer positions is shown in Figure 7.31. The findings presented in Figure
7.31 reveal the challenges that occur at positions 1, 2, 5, and 6 of the jammer, primarily
arising from the jammer targeting the network’s sink at these locations. This issue is
particularly pronounced when employing the FLJDA approach, as evidenced by the
significant occurrence of False Positive alarms. This elevated alarm rate was attributed
to the combination of low RSSI metrics and low PDR in the FLJDA methodology.
Notably, calculating the PDR centrally at the sink exacerbates the problem because it
hinders accurate assessment during network attacks. Addressing this limitation may
involve exploring distributed PDR calculation methods to enhance the resilience of
a system to jamming attacks. In contrast, FLIDS calculated their metrics (ETX and
Retransmissions) at the nodes and achieved high accuracy scores.
Our evaluation comprehensively covered the FLJDA approach across various sce-
narios, considering distinct jammer behaviors, positions, and situations. Despite this
thorough examination, our approach consistently outperformed the FLJDA approach
and maintained a higher level of accuracy.
Table A.32 presents a comprehensive comparison of the FLIDS and FLJDA ap-
proaches for different types of jammers. The table systematically categorizes various
213
Figure 7.31: Accuracy Comparison of different jammers Positions sink is in the top left
edge
jamming scenarios, including Constant, Deceptive, Random, Reactive, and Complex
jammers, and evaluates the performance of each type under both the FLIDS and FLJDA
methodologies. Accuracy, precision, and recall metrics were meticulously measured
for each combination, providing detailed insights into the efficacy of the two ap-
proaches across diverse jamming conditions. Notably, the table shows the superiority
of the FLIDS approach in achieving higher accuracy, precision, and recall in most
scenarios, underscoring its effectiveness compared to the FLJDA approach. A visual
representation of this table is shown in Figure 7.31. This graphical depiction provides
a clear and concise overview of the comparative analysis between FLIDS and FLJDA
approaches across various types of jammers. This figure visually captures the nu-
anced accuracy performance metric, allowing for a quick and intuitive understanding
of the effectiveness of each approach under different jamming scenarios. As a visual
214
aid, Figure 7.31 enhances accessibility and facilitates immediate interpretation of the
comprehensive data presented in the corresponding table.
Figure 7.32: Accuracy Comparison FLIDS and FLJDA Approach
7.8 Summary
This chapter thoroughly evaluates the performance of the proposed framework.
Our analysis assessed the execution time and memory usage of the solution and iden-
tified the optimal detection time for real-time detection. We also conducted a com-
parative analysis between our solution and existing alternatives, and validated our
framework through multiple jammer experiments. Our findings demonstrate that our
framework is well-suited for IoT devices and can effectively detect real-time scenarios,
even within a range of jamming interference.
215
Chapter 8
Conclusions and Future Work
In this PhD thesis, we propose a three-phase Security Framework comprising cor-
responding stages designed to detect, locate, and recover from jamming attacks within
WSN-oriented IoT environments. We have developed a FLIDS designed to detect var-
ious jamming attacks in real time within IoT networks. Unlike conventional methods,
FLIDS operates in a distributed manner using RPL metrics from data-link and network
layer (ETX and Retransmissions) and utilizes fuzzy logic algorithms at the node level,
making it well-suited for IoT environments with limited resources. Extensive research
was carried out to identify the most effective input parameter for a fuzzy logic intru-
sion detection system. The optimal set of input parameters for FLIDS was determined
through a comparative analysis of five different combinations, using ETX, Retrans-
missions, PDPT, and PDR as inputs. The study revealed that the locally collected
retransmission metric at the nodes was the most suitable value for the fuzzy controller.
Our results showed that the combination of ETX and retransmissions achieved the
highest accuracy, with a success rate of 95%. This set of parameters is more effective
for detecting jamming attacks. Our investigation also aimed to determine the optimal
216
time interval for real-time jamming attack detection, and the results indicated that 60 s
was the optimum interval with an accuracy of 99.31%. To test the effectiveness of our
methodology in practical situations, we carried out detailed assessments, measuring
CPU usage, CPU processing overhead, algorithm execution time, and memory usage.
Our findings revealed that the Reactive Jammer required a maximum memory usage
of 29.48 KB when the inputs in the fuzzy controller were ETX and retransmissions,
whereas the Deceptive Jammer required 21.34 KB when the inputs were PDPT and
retransmission. Additionally, the highest average execution time of our system was
0.0036 s when the inputs were PDPT and retransmissions with Deceptive Jammer.
This thesis proposes a new approach to jamming attacks called the Complex Jam-
mer, encompassing all jammer behaviors. Our experiments show that complex jam-
mers are more difficult to detect and exhibited the lowest detection accuracy compared
to other jammers in our experiments (best detection of 93.77%).
Furthermore, our solution was tested against multiple jamming attacks, and it
achieved an impressive accuracy of 99.70%. Our simulations of multiple jammers,
based on the threat model in section 3.3, involved two jammers using the same decep-
tive attack. Our experiments suggest that this approach can be effective when using
multiple jammers with different types of attacks.
To locate the jamming attack, we employed a modified multilateration localization
algorithm with weights (MMLAW), which calculates the distance using retransmis-
sions or ETX metrics. Our MMLAW methodology achieved the lowest Euclidean
distance error value with MMLAW-ETX, measuring just 0.81 m. This was observed
during a scenario in which the sink was placed at the center of the grid, and the sim-
ulation was attacked by a reactive jammer. However, when the sink was placed at
217
the center of a random topology, our MMLAW-ETX approach exhibited the highest
Euclidean distance error, with a constant jammer at 23.82 m.
In the third phase, we implemented a recovery approach where blacklisting nodes
to overcome jamming attacks. Our results show a significant decrease in the number
of retransmissions and dropped packets after the recovery phase.
Our Security Framework is designed to detect, localize, and recover from a variety
of jamming attacks locally in IoT and WSN networks in real time using network layer
metrics and a simple, lightweight algorithm, ensuring high accuracy. Furthermore,
our framework has been rigorously tested to identify multiple and complex jammers,
resulting in high accuracy, minimal memory usage, and quick execution time.
8.1 Future Work
Based on the findings from our current work, we have pinpointed several unre-
solved issues that will be explored in future research.
In the beginning, the jammer is unaware of the defense but can alter its behavior,
such as changing its type. However, this thesis does not delve into the potential scenario
where the jammer comprehends our strategy. We will discuss potential considerations
regarding the jammer’s strategy in the subsequent paragraph.
It’s possible for the jammer to comprehend our constraints. The jammer could
be switched to a dormant state for an extended period, during which our defense
mechanism assumes that the network is in a secure state. Consequently, a significant
amount of time would be required to discern the jammer’s behavior. Our threat
model outlines an intelligent attacker with specific capabilities. Nonetheless, a more
sophisticated jammer could manipulate the communication channel and transmission
power. During the simulation, except for the variety of benefits and innovation security
218
framework that were constructed, we identified a few Drawbacks of our solution to be
solved in future work. We can consider another threat model. For example, suppose
the jammer doesn’t perform a high level of jamming and jams at a low level with low
network disruption but also performs interference. In that case, our mechanism cannot
identify the attacker. For this reason, we should re-construct the membership functions
to increase the sensitivity of our model. For this purpose, we will perform an adaptive
neuro-fuzzy model to adjust and change the membership functions. The adaptive
neuro-fuzzy model has the ability to train the model with the data and auto-adjust
the membership functions with the new data. To improve our FLIDS algorithm, we
can use advanced artificial intelligence techniques like Neuro-fuzzy logic algorithms.
These algorithms entail refining fuzzy rules through training and testing phases using
extensive datasets. In a neuro-fuzzy system, a learning algorithm based on neural
network theory is employed to determine its parameters (fuzzy sets and fuzzy rules)
by processing data samples.
Our future efforts will concentrate on implementing our research in a practical,
real-world setting within a production environment. Our proposed framework will be
evaluated in the FIT IoT-LAB testbed [274,275], enabling us to deploy our algorithms
in real-world scenarios. The Fit IOT Lab is a specialized facility dedicated to advanced
research, testing, and innovation in the domain of the IoT. It provides resources for de-
veloping and validating new IoT technologies and solutions. The FIT IoT-LAB testbed,
as described in [274], comprises 2728 low-power wireless nodes and 117 mobile robots,
facilitating experimentation with large-scale wireless IoT technologies. Notably, mo-
bile jamming attacks exhibit greater efficacy compared to traditional jamming attacks,
as highlighted in [276–278]. These studies explore diverse jamming behaviors [279,280]
219
while considering mobile nodes. For future work, we plan to conduct experiments
using mobile nodes with the RPL protocol and deploy mobile jammers to assess the
effectiveness of our FLIDS detection technique.
The use of FIT IoT-LAB will allow us to evaluate our MMLAW algorithm in a 3D
topology, enhancing the localization aspect for both 2D and 3D deployments. We will
implement extensive scenarios with mobile jammers that change position dynamically
and spread in the area.
We need to focus on improving our methods for identifying the number of jammers
in situations where there are multiple jammers in the environment. In our future work,
it’s essential to create an advanced algorithm for accurately determining the number
of jammers to aid in detection and localization techniques.
We will also focus on the current extensions to the RPL protocol aimed at mitigating
the impact of jamming attacks. With regards to RPL’s resilience, we will examine how
the protocol organizes the network into a Destination-Oriented Directed Acyclic Graph
(DODAG). RPL utilizes objective functions to determine the most efficient route based
on metrics such as link quality, hop count, and energy consumption. These objective
functions help nodes in selecting parents and establishing routes that align with the
network’s performance objectives. In our experiments, we utilized the Minimum
Rank with Hysteresis Objective Function (MRHOF), which typically employs ETX
as the metric and aims to select paths with the highest link reliability and lowest
transmission costs. We intend to adapt the ETX metric to support multiple paths.
Instead of selecting a single best path based on ETX, we will evaluate the overall
reliability of several potential paths to introduce redundancy. Additionally, we aim
to calculate a weighted ETX for nodes with multiple parents, where the weight is
220
determined by the diversity of the paths. Paths that offer greater spatial or frequency
diversity may receive a lower ETX value.
221
Bibliography
[1] S. Sicari, A. Rizzardi, L. A. Grieco, and A. Coen-Porisini, “Security, privacy
and trust in Internet of Things: The road ahead,” Computer Networks, vol. 76,
pp. 146–164, 2015.
[2] D. Liu, P. Ning, and R. Li, “Establishing Pairwise keys in Distributed Sensor
Networks,” ACM Transactions on Information and System Security (TISSEC), vol. 8,
no. 1, pp. 41–77, 2005.
[3] W. Xu, W. Trappe, Y. Zhang, and T. Wood, “The Feasibility of Launching and
Detecting Jamming Attacks in Wireless Networks,” in Proceedings of the 6th ACM
international symposium on Mobile ad hoc networking and computing, pp. 46–57,
ACM, 2005.
[4] I. Butun, P. ¨
Osterberg, and H. Song, “Security of the Internet of Things: Vulnera-
bilities, Attacks, and Countermeasures,” IEEE Communications Surveys Tutorials,
vol. 22, no. 1, pp. 616–644, 2020.
[5] P. Tague, M. Li, and R. Poovendran, “Mitigation of Control Channel Jamming
Under Node Capture Attacks,” IEEE Transactions on Mobile Computing, vol. 8,
no. 9, pp. 1221–1234, 2009.
[6] B. Mbarek, M. Ge, and T. Pitner, “An Adaptive Anti-jamming System in
HyperLedger-based Wireless Sensor Networks,” Wireless Networks, vol. 28, no. 2,
pp. 691–703, 2022.
[7] F. T. Zahra, Y. S. Bostanci, and M. Soyturk, “Real-Time Jamming Detection in
Wireless IoT Networks,” IEEE Access, vol. 11, pp. 70425–70442, 2023.
[8] Z. Dou, G. Si, Y. Lin, and M. Wang, “An Adaptive Resource Allocation Model
With Anti-Jamming in IoT Network,” IEEE Access, vol. 7, pp. 93250–93258, 2019.
[9] A. Stan, “Porting the Core of the Contiki Operating System to the TelosB and Mi-
caZ Platforms,” Computer Science, International University Bremen, Campus Ring,
Bremen, Germany, vol. 1, p. 28759, 2007.
[10] Y. Hu, A. Yang, H. Li, Y. Sun, and L. Sun, “A Survey of Intrusion Detection on
Industrial Control Systems,” International Journal of Distributed Sensor Networks,
vol. 14, no. 8, p. 1550147718794615, 2018.
[11] V. Gotarane and S. Raskar, “IoT Practices in Military Applications,” in 2019 3rd
International Conference on Trends in Electronics and Informatics (ICOEI), pp. 891–
894, IEEE, 2019.
222
[12] A. R. Jaladi, K. Khithani, P. Pawar, K. Malvi, and G. Sahoo, “Environmental
Monitoring Using Wireless Sensor Networks (WSN) Based on IOT,” Int. Res. J.
Eng. Technol, vol. 4, no. 1, pp. 1371–1378, 2017.
[13] S. Vijayalakshmi and S. Muruganand, “A Survey of Internet of Things in Fire
Detection and Fire Industries,” in 2017 International Conference on I-SMAC (IoT in
Social, Mobile, Analytics and Cloud)(I-SMAC), pp. 703–707, IEEE, 2017.
[14] J. Haxhibeqiri, E. De Poorter, I. Moerman, and J. Hoebeke, “A Survey of Lo-
RaWAN for IoT: From Technology to Application,” Sensors, vol. 18, no. 11, p. 3995,
2018.
[15] J. Xu, J. Yao, L. Wang, Z. Ming, K. Wu, and L. Chen, “Narrowband Internet
of Things: Evolutions, Technologies, and Open Issues,” IEEE Internet of things
journal, vol. 5, no. 3, pp. 1449–1462, 2017.
[16] M. Savva, I. Ioannou, and V. Vassiliou, “Fuzzy-Logic Based IDS for Detect-
ing Jamming Attacks in Wireless Mesh IoT Networks,” in 2022 20th Mediter-
ranean Communication and Computer Networking Conference (MedComNet), pp. 54–
63, 2022.
[17] M. Savva, I. Ioannou, and V. Vassiliou, “Performance Evaluation of a Fuzzy
Logic-based IDS (FLIDS) technique for the Detection of Different Types of Jam-
ming Attacks in IoT Networks,” in 2023 21st Mediterranean Communication and
Computer Networking Conference (MedComNet), pp. 93–100, 2023.
[18] M. Savva, I. Ioannou, and V. Vassiliou, “Detecting multiple jammers using fuzzy-
logic intrusion detection system (flids),” in 2024 20th International Conference on
Distributed Computing in Smart Systems and the Internet of Things (DCOSS-IoT),
pp. 369–376, IEEE, 2024.
[19] M. Savva, I. Ioannou, and V. Vassiliou, “Evaluating Localization Algorithms in
IoT Networks Under Jamming Attacks,”
[20] D. Acharjya and N. S. S. Ahmed, “Recognizing Attacks in Wireless Sensor Net-
work in View of Internet Of Things,” in Internet of Things: Novel Advances and
Envisioned Applications, pp. 149–172, Springer, 2017.
[21] M. Kocakulak and I. Butun, “An Overview of Wireless Sensor Networks towards
Internet of Things,” in 2017 IEEE 7th annual computing and communication workshop
and conference (CCWC), pp. 1–6, Ieee, 2017.
[22] Y. Wang, G. Attebury, and B. Ramamurthy, “A Survey of Security Issues in
Wireless Sensor Networks,” 2006.
[23] S. Kaplantzis, N. Mani, M. Palaniswanmi, and G. Egan, “Security Models for
Wireless Sensor Networks,” Conversion report, Monash University, vol. 20, 2006.
[24] F. Hu and N. K. Sharma, “Security Considerations in ad hoc Sensor Networks,”
Ad Hoc Networks, vol. 3, no. 1, pp. 69–89, 2005.
223
[25] A. Becher, Z. Benenson, and M. Dornseif, “Tampering with Motes: Real-World
Physical Attacks on Wireless Sensor Networks,” in International Conference on
Security in Pervasive Computing, pp. 104–118, Springer, 2006.
[26] S. Misra, R. Singh, and S. Mohan, “Information Warfare-Worthy Jamming Attack
Detection Mechanism for Wireless Sensor Networks Using a Fuzzy Inference
System,” Sensors, vol. 10, no. 4, pp. 3444–3479, 2010.
[27] V.-T. Nguyen, T.-X. Nguyen, T.-M. Hoang, and N.-L. Vu, “A new Anomaly Traffic
Detection Based on Fuzzy Logic Approach in Wireless Sensor Networks,” in
Proceedings of the 10th International Symposium on Information and Communication
Technology, pp. 205–209, 2019.
[28] Y. Liu and F. Yu, “Immunity-Based Intrusion Detection for Wireless Sensor Net-
works,” in Neural Networks, 2008. IJCNN 2008.(IEEE World Congress on Computa-
tional Intelligence). IEEE International Joint Conference on, pp. 439–444, IEEE, 2008.
[29] T. Eswari and V. Vanitha, “A Novel Rule Based Intrusion Detection Framework
for Wireless Sensor Networks,” in 2013 international conference on information
communication and embedded systems (ICICES), pp. 1019–1022, IEEE, 2013.
[30] J. Arunkumar, S. Velmurugan, B. Chinnaiah, G. Charulatha, M. R. Prabhu, and
A. P. Chakkaravarthy, “Logistic Regression with Elliptical Curve Cryptography
to Establish Secure IoT.,” Computer Systems Science & Engineering, vol. 46, no. 1,
2023.
[31] Y. Fu, Z. Yan, J. Cao, O. Kon´
e, and X. Cao, “An Automata Based Intrusion
Detection Method for Internet of Things,” Mobile Information Systems, vol. 2017,
2017.
[32] M. Momani, S. Challa, and R. Alhmouz, “Bayesian Fusion Algorithm for Infer-
ring Trust in Wireless Sensor Networks,” Journal of networks, 2010.
[33] G. Mahalakshmi and P. Subathra, “Denial of Sleep Attack Detection Using Mobile
Agent in Wireless Sensor Networks,” Int J Res Trends Innov, vol. 3, no. 5, pp. 139–
149, 2018.
[34] V. Manju, S. S. Lekha, and M. S. Kumar, “Mechanisms for Detecting and Pre-
venting Denial of Sleep Attacks on Wireless Sensor Networks,” in 2013 IEEE
conference on information & communication technologies, pp. 74–77, IEEE, 2013.
[35] D. De Guglielmo, G. Anastasi, and M. Conti, “A Localized De-synchronization
Algorithm for Periodic Data Reporting in IEEE 802.15.4 WSNs,” in 2012 IEEE
Symposium on Computers and Communications (ISCC), pp. 000605–000610, IEEE,
2012.
[36] Y. Liu, Y. Li, and H. Man, “MAC Layer Anomaly Detection in ad hoc Networks,”
in Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop,
pp. 402–409, IEEE, 2005.
224
[37] A. R. Mahmood, H. H. Aly, and M. N. El-Derini, “Defending Against Energy
Efficient Link Layer Jamming Denial of Service Attack in Wireless Sensor Net-
works,” in 2011 9th IEEE/ACS International Conference on Computer Systems and
Applications (AICCSA), pp. 38–45, IEEE, 2011.
[38] Y. W. Law, M. Palaniswami, L. V. Hoesel, J. Doumen, P. Hartel, and P. Havinga,
“Energy-efficient Link-layer Jamming Attacks Against Wireless Sensor Network
MAC Protocols,” ACM Transactions on Sensor Networks (TOSN), vol. 5, no. 1,
pp. 1–38, 2009.
[39] P. K. Devi and R. Manavalan, “Spoofing Attack Detection and Localization in
Wireless Sensor Network: a Review,” International Journal of Computer Science &
Engineering Technology, vol. 5, no. 9, pp. 877–86, 2014.
[40] X. Song, G. Chen, and X. Li, “A Weak Hidden Markov Model based intrusion
detection method for wireless sensor networks,” in Intelligent Computing and
Integrated Systems (ICISS), 2010 International Conference on, pp. 887–889, IEEE,
2010.
[41] S. Sinha and A. Paul, “Neuro-Fuzzy based Intrusion Detection System for Wire-
less Sensor Network,” Wireless personal communications, vol. 114, pp. 835–851,
2020.
[42] S. Kaplantzis, A. Shilton, N. Mani, and Y. A. Sekercioglu, “Detecting Selective
Forwarding Attacks in Wireless Sensor Networks Using Support Vector Ma-
chines,” in Intelligent Sensors, Sensor Networks and Information, 2007. ISSNIP 2007.
3rd International Conference on, pp. 335–340, IEEE, 2007.
[43] C. Ioannou and V. Vassiliou, “An Intrusion Detection System for Constrained
WSN and IoT nodes Based on Binary Logistic Regression,” in Proceedings of the
21st ACM International Conference on Modeling, Analysis and Simulation of Wireless
and Mobile Systems, pp. 259–263, 2018.
[44] C. Ioannou, V. Vassiliou, and C. Sergiou, “An Intrusion Detection System for
Wireless Sensor Networks,” in Telecommunications (ICT), 2017 24th International
Conference on, pp. 1–5, IEEE, 2017.
[45] N. Singh, D. Virmani, and X.-Z. Gao, “A fuzzy logic-based method to avert in-
trusions in wireless sensor networks using wsn-ds dataset,” International Journal
of Computational Intelligence and Applications, vol. 19, no. 03, p. 2050018, 2020.
[46] B. Subba, S. Biswas, and S. Karmakar, “A Game Theory Based Multi Layered In-
trusion Detection Framework for Wireless Sensor Networks,” International Jour-
nal of Wireless Information Networks, vol. 25, pp. 399–421, 2018.
[47] K. Prathapchandran and T. Janani, “A Trust-based Security Model to Detect
Misbehaving Nodes in Internet of Things (IoT) Environment Using Logistic
Regression,” in Journal of physics: conference series, vol. 1850, p. 012031, IOP
Publishing, 2021.
225
[48] M. Ezhilarasi, L. Gnanaprasanambikai, A. Kousalya, and M. Shanmugapriya, “A
Novel Implementation of Routing Attack Detection Scheme by using Fuzzy and
Feed-Forward Neural Networks,” Soft Computing, vol. 27, no. 7, pp. 4157–4168,
2023.
[49] D. Juneja, S. Bansal, G. Kaur, and N. Arora, “Design and Implementation of
EAR Algorithm for Detecting Routing Attacks in WSN,” International Journal of
Engineering Science and Technology, vol. 2, no. 6, pp. 1677–1683, 2010.
[50] G. Kalnoor and S. Gowrishankar, “A Model for Intrusion Detection System using
Hidden Markov and Variational Bayesian model for IoT based Wireless Sensor
Network,” International Journal of Information Technology, pp. 1–13, 2021.
[51] G. Joshi and V. Sharma, “Hidden Markov Trust for Attenuation of Selfish and
Malicious Nodes in the IoT Network,” Wireless Personal Communications, vol. 128,
no. 2, pp. 1437–1469, 2023.
[52] P. Ioulianou, V. Vasilakis, I. Moscholios, and M. Logothetis, “A Signature-based
Intrusion Detection System for the Internet of Things,” Information and Commu-
nication Technology Form, 2018.
[53] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-Time Intrusion Detection in
the Internet of Things,” Ad hoc networks, vol. 11, no. 8, pp. 2661–2674, 2013.
[54] A.-S. K. Pathan, H.-W. Lee, and C. S. Hong, “Security in Wireless Sensor Net-
works: Issues and Challenges,” in Advanced Communication Technology, 2006.
ICACT 2006. The 8th International Conference, vol. 2, pp. 6–pp, IEEE, 2006.
[55] R. Dubey, V. Jain, R. Thakur, and S. Choubey, “Attacks in Wireless Sensor Net-
works,” International Journal of Scientific & Engineering Research, vol. 3, no. 3,
pp. 1–4, 2012.
[56] V. P. Singh, S. Jain, and J. Singhai, “Hello Flood Attack and Its Countermeasures in
Wireless Sensor Networks,” IJCSI International Journal of Computer Science Issues,
vol. 7, no. 11, pp. 23–27, 2010.
[57] M. Conti, R. Di Pietro, and A. Spognardi, “Clone Wars: Distributed Detection of
Clone Attacks in Mobile WSNs,” Journal of Computer and System Sciences, vol. 80,
no. 3, pp. 654–669, 2014.
[58] B. Parno, A. Perrig, and V. Gligor, “Distributed Detection of Node Replication
Attacks in Sensor Networks,” in 2005 IEEE symposium on security and privacy
(S&P’05), pp. 49–63, IEEE, 2005.
[59] J. Joseph and V. P. Vijayan, “Misdirection Attack in WSN Due to Selfish Nodes;
Detection and Suppression using Longer Path Protocol,” International Journal
of Advanced Research in Computer Science and Software Engineering, vol. 4, no. 7,
pp. 825–829, 2014.
[60] C. Karlof and D. Wagner, “Secure Routing in Wireless Sensor Networks: Attacks
and Countermeasures,” Ad hoc networks, vol. 1, no. 2, pp. 293–315, 2003.
226
[61] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Rushing Attacks and Defense in Wireless
ad hoc Network Routing Protocols,” in Proceedings of the 2nd ACM workshop on
Wireless security, pp. 30–40, 2003.
[62] L. Tamilselvan and V. Sankaranarayanan, “Solution to Prevent Rushing Attack
in Wireless Mobile ad hoc Networks,” in 2006 International Symposium on Ad Hoc
and Ubiquitous Computing, pp. 42–47, IEEE, 2006.
[63] J. Sen, “Routing Security Issues in Wireless Sensor Networks: Attacks and De-
fenses,” arXiv preprint arXiv:1101.2759, 2011.
[64] M. Sookhak, R. Karimi, N. Ithnin, M. Haghparast, and I. F. ISnin, “Secure Ge-
ographic Routing Protocols: Issues and Approaches,” International Journal of
Computer Science Issues (IJCSI), vol. 8, no. 5, p. 382, 2011.
[65] P. Pongle and G. Chavan, “A survey: Attacks on rpl and 6lowpan in iot,” in 2015
International conference on pervasive computing (ICPC), pp. 1–6, IEEE, 2015.
[66] M. Nawir, A. Amir, N. Yaakob, and O. B. Lynn, “Internet of Things (IoT): Taxon-
omy of Security Attacks,” in 2016 3rd international conference on electronic design
(ICED), pp. 321–326, IEEE, 2016.
[67] U. Sharma and N. Bahl, “A Review on Security Issues and Attacks in Wireless
Sensor Networks,” International Journal, vol. 8, no. 4, 2017.
[68] A. Le, J. Loo, Y. Luo, and A. Lasebae, “Specification-Based IDS for Securing RPL
from Topology Attacks,” in Wireless Days (WD), 2011 IFIP, pp. 1–3, IEEE, 2011.
[69] U. Shafique, A. Khan, A. Rehman, F. Bashir, and M. Alam, “Detection of Rank
Attack in Routing Protocol for Low Power and Lossy Networks,” Annals of
Telecommunications, vol. 73, pp. 429–438, 2018.
[70] A. Le, J. Loo, A. Lasebae, M. Aiash, and Y. Luo, “6LoWPAN: A Study on Qos Secu-
rity Threats and Countermeasures Using Intrusion Detection System Approach,”
International Journal of Communication Systems, vol. 25, no. 9, pp. 1189–1212, 2012.
[71] D. Midi, A. Rullo, A. Mudgerikar, and E. Bertino, “Kalis—A System for
Knowledge-Driven Adaptable Intrusion Detection for the Internet of Things,”
in Distributed Computing Systems (ICDCS), 2017 IEEE 37th International Conference
on, pp. 656–666, IEEE, 2017.
[72] R. Sandeep, “A Study of DoS & DDoS-Smurf Attack and Preventive Measures,”
International Journal of Computer Science and Information Technology Research, vol. 2,
pp. 1–6, 2014.
[73] M. Malik and Y. Singh, “A Review: DoS and DDoS Attacks,” International Journal
of Computer Science and Mobile Computing, vol. 4, no. 6, pp. 260–265, 2015.
[74] S. Gond and A. Nath, Mitigation Model for DDoS Attack in Wireless Sensor Networks.
PhD thesis, 2015.
227
[75] M. Singh, M. Rajan, V. Shivraj, and P. Balamuralidhar, “Secure MQTT for Internet
of Things (iot),” in 2015 fifth international conference on communication systems and
network technologies, pp. 746–751, IEEE, 2015.
[76] Z. Shelby, K. Hartke, and C. Bormann, “RFC 7252: The Constrained Application
Protocol (CoAP),” 2014.
[77] R. A. Rahman and B. Shah, “Security Analysis of IoT Protocols: A Focus
in CoAP,” in 2016 3rd MEC international conference on big data and smart city
(ICBDSC), pp. 1–7, IEEE, 2016.
[78] H. K. D. Sarma and A. Kar, “Security Threats in Wireless Sensor Networks,”
in Carnahan Conferences Security Technology, Proceedings 2006 40th Annual IEEE
International, pp. 243–251, IEEE, 2006.
[79] T. Kavitha and D. Sridharan, “Security Vulnerabilities in Wireless Sensor Net-
works: A Survey,” Journal of Information Assurance and Security, vol. 5, no. 1,
pp. 31–44, 2010.
[80] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A Survey on
Sensor Networks,” IEEE Communications magazine, vol. 40, no. 8, pp. 102–114,
2002.
[81] S. M. Sajjad and M. Yousaf, “Security Analysis of IEEE 802.15. 4 MAC in the
Context of Internet of Things (IoT),” in 2014 Conference on Information Assurance
and Cyber Security (CIACS), pp. 9–14, IEEE, 2014.
[82] C.-T. Hsueh, C.-Y. Wen, and Y.-C. Ouyang, “A secure scheme against power ex-
hausting attacks in hierarchical wireless sensor networks,” IEEE Sensors journal,
vol. 15, no. 6, pp. 3590–3602, 2015.
[83] K. Shabana, N. Fida, F. Khan, S. R. Jan, M. U. Rehman, et al., “Security Issues and
Attacks in Wireless Sensor Networks,” International Journal of Advanced Research
in Computer Science and Electronics Engineering (IJARCSEE), vol. 5, no. 7, pp. 81–87,
2016.
[84] A. D. Wood and J. A. Stankovic, “Denial of Service in Sensor Networks,” Com-
puter, vol. 35, no. 10, pp. 54–62, 2002.
[85] U. Ghugar and J. Pradhan, “A study on Black Hole Attack in Wireless Sensor
Networks,” International Journal of Advance Computing Techniqueand Applications
(IJACTA), vol. 5, no. 1, 2017.
[86] T. Winter, P. Thubert, A. Brandt, J. Hui, and R. Kelsey, “RFC 6550: RPL: IPv6
Routing Protocol for Low-Power and Lossy Networks (2012),”
[87] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and J. Sch¨
onw¨
alder, “A Study
of RPL DODAG Version Attacks,” in Monitoring and Securing Virtualized Networks
and Services: 8th IFIP WG 6.6 International Conference on Autonomous Infrastructure,
Management, and Security, AIMS 2014, Brno, Czech Republic, June 30–July 3, 2014.
Proceedings 8, pp. 92–104, Springer, 2014.
228
[88] R. Hummen, J. Hiller, H. Wirtz, M. Henze, H. Shafagh, and K. Wehrle, “6LoW-
PAN Fragmentation Attacks and Mitigation Mechanisms,” in Proceedings of the
sixth ACM conference on Security and privacy in wireless and mobile networks, pp. 55–
66, 2013.
[89] J. Newsome, E. Shi, D. Song, and A. Perrig, “The Sybil Attack in Sensor Net-
works: Analysis & Defenses,” in Proceedings of the 3rd international symposium on
Information processing in sensor networks, pp. 259–268, ACM, 2004.
[90] K. Zhang, X. Liang, R. Lu, and X. Shen, “Sybil Attacks and their Defenses in
the Internet of Things,” IEEE Internet of Things Journal, vol. 1, no. 5, pp. 372–383,
2014.
[91] D. Sharma, I. Mishra, and S. Jain, “A Detailed Classification of Routing Attacks
against RPL in Internet of Things,” 2017.
[92] H.-J. Liao, C.-H. R. Lin, Y.-C. Lin, and K.-Y. Tung, “Intrusion detection system:
A comprehensive review,” Journal of Network and Computer Applications, vol. 36,
no. 1, pp. 16–24, 2013.
[93] H. Sedjelmaci and M. Feham, “Novel Hybrid Intrusion Detection System for
Clustered Wireless Sensor Network,” arXiv preprint arXiv:1108.2656, 2011.
[94] H. Sedjelmaci, S. M. Senouci, and M. Al-Bahri, “A Lightweight Anomaly Detec-
tion Technique for Low-Resource Iot Devices: A Game-Theoretic Methodology,”
in Communications (ICC), 2016 IEEE International Conference on, pp. 1–6, IEEE,
2016.
[95] B. Arrington, L. Barnett, R. Rufus, and A. Esterline, “Behavioral Modeling In-
trusion Detection System (Bmids) Using Internet of Things (IoT) Behavior-Based
Anomaly Detection via Immunity-Inspired Algorithms,” in Computer Communi-
cation and Networks (ICCCN), 2016 25th International Conference on, pp. 1–6, IEEE,
2016.
[96] B. B. Zarpelao, R. S. Miani, C. T. Kawakani, and S. C. de Alvarenga, “A Survey
of Intrusion Detection in Internet of Things,” Journal of Network and Computer
Applications, vol. 84, pp. 25 – 37, 2017.
[97] C. Liu, J. Yang, Y. Zhang, R. Chen, and J. Zeng, “Research on Immunity-Based
Intrusion Detection Technology for the Internet of Things,” in Natural Computa-
tion (ICNC), 2011 Seventh International Conference on, vol. 1, pp. 212–216, IEEE,
2011.
[98] P. Kasinathan, C. Pastrone, M. A. Spirito, and M. Vinkovits, “Denial-of-Service
Detection in 6LoWPAN Based Internet of Things,” in Wireless and Mobile Com-
puting, Networking and Communications (WiMob), 2013 IEEE 9th International Con-
ference on, pp. 600–607, IEEE, 2013.
[99] P. Kasinathan, G. Costamagna, H. Khaleel, C. Pastrone, and M. A. Spirito, “An
IDS Framework for Internet of Things Empowered by 6LoWPAN,” in Proceed-
ings of the 2013 ACM SIGSAC conference on Computer & communications security,
pp. 1337–1340, ACM, 2013.
229
[100] D. Oh, D. Kim, and W. W. Ro, “A Malicious Pattern Detection Engine for Em-
bedded Security Systems in the Internet of Things,” Sensors, vol. 14, no. 12,
pp. 24188–24211, 2014.
[101] C. Jun and C. Chi, “Design of Complex Event-Processing IDS in Internet of
Things,” in Measuring Technology and Mechatronics Automation (ICMTMA), 2014
Sixth International Conference on, pp. 226–229, IEEE, 2014.
[102] A. Rullo, D. Midi, A. Mudjerikar, and E. Bertino, “Kalis2. 0-a secaas-based
context-aware self-adaptive intrusion detection system for the iot,” IEEE Internet
of Things Journal, 2023.
[103] L. Mostarda and A. Navarra, “Distributed Intrusion Detection Systems for En-
hancing Security in Mobile Wireless Sensor Networks,” International Journal of
Distributed Sensor Networks, vol. 4, no. 2, pp. 83–109, 2008.
[104] N. Stakhanova, S. Basu, and J. Wong, “On the Symbiosis of Specification-Based
and Anomaly-Based Detection,” computers & security, vol. 29, no. 2, pp. 253–268,
2010.
[105] S. Misra, P. V. Krishna, H. Agarwal, A. Saxena, and M. S. Obaidat, “A Learning
Automata Based Solution for Preventing Distributed Denial of Service in Internet
of Things,” in Internet of Things (iThings/CPSCom), 2011 International Conference on
and 4th International Conference on Cyber, Physical and Social Computing, pp. 114–
122, IEEE, 2011.
[106] J. P. Amaral, L. M. Oliveira, J. J. Rodrigues, G. Han, and L. Shu, “Policy
and Network-Based Intrusion Detection System for Ipv6-Enabled Wireless Sen-
sor Networks,” in Communications (ICC), 2014 IEEE International Conference on,
pp. 1796–1801, IEEE, 2014.
[107] C. Cervantes, D. Poplade, M. Nogueira, and A. Santos, “Detection of Sinkhole
Attacks for Supporting Secure Routing on 6lowpan for Internet of Things,” in
Integrated Network Management (IM), 2015 IFIP/IEEE International Symposium on,
pp. 606–611, IEEE, 2015.
[108] A. Le, J. Loo, K. K. Chai, and M. Aiash, “A Specification-based IDS for Detecting
Attacks on RPL-based Network Topology,” Information, vol. 7, no. 2, p. 25, 2016.
[109] M. Surendar and A. Umamakeswari, “InDReS: An Intrusion Detection and Re-
sponse System for Internet of Things with 6LoWPAN,” in 2016 International Con-
ference on Wireless Communications, Signal Processing and Networking (WiSPNET),
pp. 1903–1908, IEEE, 2016.
[110] H. Bostani and M. Sheikhan, “Hybrid of Anomaly-Based and Specification-Based
IDS for Internet of Things Using Unsupervised OPF Based on Mapreduce Ap-
proach,” Computer Communications, vol. 98, pp. 52–71, 2017.
[111] M. J. Babu and A. R. Reddy, “SH-IDS: Specification Heuristics Based Intrusion
Detection System for IoT Networks,” Wireless Personal Communications, vol. 112,
no. 3, pp. 2023–2045, 2020.
230
[112] G. Kumar, K. Kumar, and M. Sachdeva, “The use of Artificial Intelligence based
Techniques for Intrusion Detection: a Review,” Artificial Intelligence Review,
vol. 34, pp. 369–387, 2010.
[113] Y. Mao, “A Semantic-Based Intrusion Detection Framework for Wireless Sensor
Network,” in Networked Computing (INC), 2010 6th International Conference on,
pp. 1–5, IEEE, 2010.
[114] R.-C. Chen, Y.-F. Haung, and C.-F. Hsieh, “Ranger Intrusion Detection System for
Wireless Sensor Networks with Sybil Attack Based on Ontology,” New Aspects
of Applied Informatics, Biomedical Electronics and Informatics and Communications,
2010.
[115] R. Fu, K. Zheng, D. Zhang, and Y. Yang, “An Intrusion Detection Scheme Based
on Anomaly Mining In Internet of Things,” 2011.
[116] S. H. Chi and T. H. Cho, “Fuzzy Logic Anomaly Detection Scheme for Directed
Diffusion Based Sensor Networks,” Lecture Notes in Computer Science, vol. 4223,
p. 725, 2006.
[117] B. Parekh and H. Cam, “Minimizing False Alarms on Intrusion Detection for
Wireless Sensor Networks in Realistic Environments,” in Military Communications
Conference, 2007. MILCOM 2007. IEEE, pp. 1–7, IEEE, 2007.
[118] S. J. Lee, H. Y. Lee, and T. H. Cho, “A Threshold Determining Method for
the Dynamic Filtering in Wireless Sensor Networks Based on Fuzzy Logic,”
International Journal of Computer Science and Network Security, vol. 8, no. 4, pp. 155–
159, 2008.
[119] S. Y. Moon and T. H. Cho, “Intrusion Detection Scheme Against Sinkhole Attacks
in Directed Diffusion Based Sensor Networks,” International Journal of Computer
Science and Network Security, vol. 9, no. 7, pp. 118–122, 2009.
[120] S. Shamshirband, A. Amini, N. B. Anuar, M. L. M. Kiah, Y. W. Teh, and S. Fur-
nell, “D-FICCA A Density-Based Fuzzy Imperialist Competitive Clustering Al-
gorithm for Intrusion Detection in Wireless Sensor Networks,” Measurement,
vol. 55, pp. 212–226, 2014.
[121] S. Vijayal and M. Mittal, “Intrusion detection in iot based on neuro-fuzzy ap-
proach,” 2017.
[122] N. Berjab, H. H. Le, C.-M. Yu, S.-Y. Kuo, and H. Yokota, “Hierarchical Abnormal-
Node Detection Using Fuzzy Logic for ECA Rule-Based Wireless Sensor Net-
works,” in 2018 IEEE 23rd Pacific Rim International Symposium on Dependable
Computing (PRDC), pp. 289–298, IEEE, 2018.
[123] K. Thangaramya, K. Kulothungan, S. Indira Gandhi, M. Selvi, S. Santhosh Kumar,
and K. Arputharaj, “Intelligent fuzzy rule-based approach with outlier detection
for secured routing in wsn,” Soft Computing, vol. 24, pp. 16483–16497, 2020.
[124] A. Paul, S. Sinha, R. N. Shaw, and A. Ghosh, “A neuro-fuzzy based ids for
internet-integrated wsn,” Computationally Intelligent Systems and their Applica-
tions, pp. 71–86, 2021.
231
[125] S. Subramani and M. Selvi, “Intelligent IDS in Wireless Sensor Networks using
Deep Fuzzy Convolutional neural network,” Neural Computing and Applications,
pp. 1–20, 2023.
[126] R. Dong, L. Liu, J. Liu, and X. Xu, “Intrusion Detection System Based on Payoff
Matrix for Wireless Sensor Networks,” in Genetic and Evolutionary Computing,
2009. WGEC’09. 3rd International Conference on, pp. 3–6, IEEE, 2009.
[127] M. Estiri and A. Khademzadeh, “A Game-Theoretical Model for Intrusion De-
tection in Wireless Sensor Networks,” in Electrical and Computer Engineering
(CCECE), 2010 23rd Canadian Conference on, pp. 1–5, IEEE, 2010.
[128] E. Mohsen and K. Ahmad, “A Theoretical Signaling Game Model for Intrusion
Detection in Wireless Sensor Networks,” in 2010 14th International Telecommuni-
cations Network Strategy and Planning Symposium (NETWORKS), pp. 1–6, IEEE,
2010.
[129] S. Banerjee, C. Grosan, A. Abraham, and P. Mahanti, “Intrusion Detection on
Sensor Networks Using Emotional Ants,” International Journal of Applied Science
and Computations, vol. 12, no. 3, pp. 152–173, 2005.
[130] E. Soroush, J. Habibi, and M. S. Abadeh, “Intrusion Detection Using a Boost-
ing Ant Colony Based Data Miner,” in Proceedings of the 11th International CSI
Computer Conference, pp. 563–566, 2006.
[131] W. Xiong and C. Wang, “Feature Selection: A Hybrid Approach Based on Self-
Adaptive Ant Colony and Support Vector Machine,” in Computer Science and
Software Engineering, 2008 International Conference on, vol. 4, pp. 751–754, IEEE,
2008.
[132] L. Coppolino, S. D’Antonio, A. Garofalo, and L. Romano, “Applying Data Mining
Techniques to Intrusion Detection in Wireless Sensor Networks,” in P2P, Parallel,
Grid, Cloud and Internet Computing (3PGCIC), 2013 Eighth International Conference
on, pp. 247–254, IEEE, 2013.
[133] T. Alpcan and T. Basar, “An Intrusion Detection Game with Limited Observa-
tions,” in 12th Int. Symp. on Dynamic Games and Applications, Sophia Antipolis,
France, vol. 26, 2006.
[134] A. Agah and S. K. Das, “Preventing Dos Attacks in Wireless Sensor Networks: A
Repeated Game Theory Approach,” IJ Network Security, vol. 5, no. 2, pp. 145–153,
2007.
[135] L. Han, M. Zhou, W. Jia, Z. Dalil, and X. Xu, “Intrusion Detection Model of Wire-
less Sensor Networks Based on Game Theory and an Autoregressive Model,”
Information sciences, vol. 476, pp. 491–504, 2019.
[136] P. Pirozmand, M. A. Ghafary, S. Siadat, and J. Ren, “Intrusion Detection Into
Cloud-Fog-Based Iot Networks Using Game Theory,” Wireless Communications
and Mobile Computing, vol. 2020, pp. 1–9, 2020.
[137] M. Rouse, “Bio-Inspired Computing,” 2018.
232
[138] S. Schaust and H. Szczerbicka, “Misbehaviour Detection for Wireless Sensor
Networks-Necessary or Not?,” 6. Fachgespr¨ach Sensornetzwerke, p. 51, 2007.
[139] M. Drozda, S. Schaust, and H. Szczerbicka, “AIS for Misbehavior Detection in
Wireless Sensor Networks: Performance and Design Principles,” in Evolutionary
Computation, 2007. CEC 2007. IEEE Congress on, pp. 3719–3726, IEEE, 2007.
[140] H. A. Arolkar, S. P. Sheth, and V. P. Tamhane, “Ant Colony Based Approach
for Intrusion Detection on Cluster Heads in Wsn,” in Proceedings of the 2011
International Conference on Communication, Computing & Security, pp. 523–526,
ACM, 2011.
[141] A. H. Mohammad, T. Alwada’n, O. Almomani, S. Smadi, and N. ElOmari, “Bio-
inspired Hybrid Feature Selection Model for Intrusion Detection,” Computers,
Materials and Continua, vol. 73, no. 1, pp. 133–150, 2022.
[142] R. Singh and R. Ujjwal, “Hybridized Bio-inspired Intrusion Detection System for
Internet of Things,” Frontiers in Big Data, vol. 6, p. 1081466, 2023.
[143] R. Sekar, A. Gupta, J. Frullo, T. Shanbhag, A. Tiwari, H. Yang, and S. Zhou,
“Specification-Based Anomaly Detection: a New Approach for Detecting Net-
work Intrusions,” in Proceedings of the 9th ACM conference on Computer and com-
munications security, pp. 265–274, ACM, 2002.
[144] K. Flouri, B. Beferull-Lozano, and P. Tsakalides, “Distributed Consensus Al-
gorithms for SVM Training in Wireless Sensor Networks,” in Signal Processing
Conference, 2008 16th European, pp. 1–5, IEEE, 2008.
[145] Y. Zhang, N. Meratnia, and P. Havinga, “Adaptive and Online One-Class Sup-
port Vector Machine-Based Outlier Detection Techniques for Wireless Sensor
Networks,” in Advanced Information Networking and Applications Workshops, 2009.
WAINA’09. International Conference on, pp. 990–995, IEEE, 2009.
[146] C. D. McDermott and A. Petrovski, “Investigation of Computational Intelligence
Techniques for Intrusion Detection in Wireless Sensor Networks,” 2017.
[147] L. Liu, J. Yang, and W. Meng, “Detecting Malicious Nodes via Gradient De-
scent and Support Vector Machine in Internet of Things,” Computers & Electrical
Engineering, vol. 77, pp. 339–353, 2019.
[148] C. Ioannou and V. Vassiliou, “Network Attack Classification in IoT Using Support
Vector Machines,” Journal of sensor and actuator networks, vol. 10, no. 3, p. 58, 2021.
[149] A. Alsarhan, M. Alauthman, E. Alshdaifat, A.-R. Al-Ghuwairi, and A. Al-Dubai,
“Machine Learning-driven Optimization for SVM-based Intrusion Detection Sys-
tem in Vehicular ad hoc Networks,” Journal of Ambient Intelligence and Humanized
Computing, pp. 1–10, 2021.
[150] S. Amaran and R. M. Mohan, “Intrusion Detection System using Optimal Support
Vector Machine for Wireless Sensor Networks,” in 2021 International Conference
on Artificial Intelligence and Smart Systems (ICAIS), pp. 1100–1104, IEEE, 2021.
233
[151] N. B. Henda, A. Msolli, I. Hagui, A. Helali, H. Maaref, and R. Mghaieth, “A novel
svm based cfs for intrusion detection in iot network,” in 2023 IEEE International
Conference on Advanced Systems and Emergent Technologies (IC ASET), pp. 1–5,
IEEE, 2023.
[152] W. Li, P. Yi, Y. Wu, L. Pan, J. Li, et al., “A new Intrusion Detection System based on
KNN Classification Algorithm in Wireless Sensor Network,” Journal of Electrical
and Computer Engineering, vol. 2014, 2014.
[153] G. Liu, H. Zhao, F. Fan, G. Liu, Q. Xu, and S. Nazir, “An Enhanced Intrusion
Detection Model Based on Improved KNN in WSNs,” Sensors, vol. 22, no. 4,
p. 1407, 2022.
[154] O. U. ZH Abdaljabar and K. Alheeti, “An Intrusion Detection System for IoT us-
ing KNN and Decision-tree based Classification,” in 2021 International Conference
of Modern Trends in Information and Communication Technology Industry (MTICTI),
pp. 1–5, IEEE, 2021.
[155] R. Tekin, O. Yaman, and T. TUNCER, “Decision Tree Based Intrusion Detection
Method in the Internet of Things,” International Journal of Innovative Engineering
Applications, vol. 6, no. 1, pp. 17–23, 2022.
[156] K. Anand, S. Ganapathy, K. Kulothungan, P. Yogesh, and A. Kannan, “A Rule
Based Approach for Attribute Selection and Intrusion Detection in Wireless Sen-
sor Networks,” Procedia engineering, vol. 38, pp. 1658–1664, 2012.
[157] N. Lu, Y. Sun, H. Liu, and S. Li, “Intrusion Detection System based on Evolving
Rules for Wireless Sensor Networks,” Journal of Sensors, vol. 2018, 2018.
[158] S. O. Amin, M. S. Siddiqui, C. S. Hong, and S. Lee, “RIDES: Robust Intrusion
Detection System for IP-Based Ubiquitous Sensor Networks,” Sensors, vol. 9,
no. 5, pp. 3447–3468, 2009.
[159] Y. Ponomarchuk and D.-W. Seo, “Intrusion Detection Based on Traffic Analysis
in Wireless Sensor Networks,” in Wireless and Optical Communications Conference
(WOCC), 2010 19th Annual, pp. 1–7, IEEE, 2010.
[160] B. M. David and T. de Sousa Jr, “A Bayesian Trust Model for The MAC Layer in
IEEE 802.15. 4 Networks,” in I2TS 2010-9th International Information and Telecom-
munication Technologies Symposium, 2010.
[161] Q. Shi, J. Kang, R. Wang, H. Yi, Y. Lin, and J. Wang, “A Framework of Intrusion
Detection System Based on Bayesian Network in IoT,” International Journal of
Performability Engineering, vol. 14, no. 10, p. 2280, 2018.
[162] G. Kalnoor and S. Gowri Shankar, “A Model-Based System for Intrusion De-
tection Using Novel Technique-Hidden Markov Bayesian in Wireless Sensor
Network,” in Information and Communication Technology for Competitive Strategies
(ICTCS 2020) ICT: Applications and Social Interfaces, pp. 43–53, Springer, 2022.
[163] F. Huang, Z. Jiang, S. Zhang, and S. Gao, “Reliability Evaluation of Wireless
Sensor Networks Using Logistic Regression,” in Communications and Mobile Com-
puting (CMC), 2010 International Conference on, vol. 3, pp. 334–338, IEEE, 2010.
234
[164] T. He, C. Huang, B. M. Blum, J. A. Stankovic, and T. Abdelzaher, “Range-free
Localization Schemes for Large Scale Sensor Networks,” in Proceedings of the 9th
annual international conference on Mobile computing and networking, pp. 81–95, 2003.
[165] W. Dargie and C. Poellabauer, Fundamentals of Wireless Sensor Networks: Theory
and Practice. John Wiley & Sons, 2010.
[166] A. Kumar, N. Chand, V. Kumar, and V. Kumar, “Range Free Localization Schemes
for Wireless Sensor Networks,” International journal of Computer Networks & Com-
munications, vol. 3, no. 6, p. 115, 2011.
[167] H. Karl and A. Willig, Protocols and Architectures for Wireless Sensor Networks. John
Wiley & Sons, 2007.
[168] S.-Y. Kim and O.-H. Kwon, “Location Estimation Based on Edge Weights in
Wireless Sensor Networks,” The Journal of Korean Institute of Communications and
Information Sciences, vol. 30, no. 10A, pp. 938–948, 2005.
[169] C.-Y. Chong and S. P. Kumar, “Sensor Networks: Evolution, Opportunities, and
Challenges,” Proceedings of the IEEE, vol. 91, no. 8, pp. 1247–1256, 2003.
[170] X.-Y. Li, P.-J. Wan, and O. Frieder, “Coverage in Wireless ad hoc Sensor Net-
works,” IEEE Transactions on computers, vol. 52, no. 6, pp. 753–763, 2003.
[171] A. Ademuwagun, V. Fabio, et al., “Reach Centroid Localization Algorithm,”
Wireless Sensor Network, vol. 9, no. 02, p. 87, 2017.
[172] R. Nagpal, H. Shrobe, and J. Bachrach, “Organizing a Global Coordinate System
from Local Information on an ad hoc Sensor Network,” in Information processing
in sensor networks, pp. 333–348, Springer, 2003.
[173] L. Lazos and R. Poovendran, “SeRLoc: Secure Range-independent Localization
for Wireless Sensor Networks,” in Proceedings of the 3rd ACM workshop on Wireless
security, pp. 21–30, 2004.
[174] L. Cheng, C. Wu, Y. Zhang, H. Wu, M. Li, and C. Maple, “A Survey of Localization
in Wireless Sensor Network,” International Journal of Distributed Sensor Networks,
vol. 8, no. 12, p. 962523, 2012.
[175] N. B. Priyantha, A. Chakraborty, and H. Balakrishnan, “The Cricket Location-
Support System,” in Proceedings of the 6th annual international conference on Mobile
computing and networking, pp. 32–43, 2000.
[176] N. Bulusu, J. Heidemann, and D. Estrin, “GPS-less Low-cost Outdoor Localiza-
tion for Very Small Devices,” IEEE personal communications, vol. 7, no. 5, pp. 28–34,
2000.
[177] A. Kulaib, R. Shubair, M. Al-Qutayri, and J. W. Ng, “An Overview of Localization
Techniques for Wireless Sensor Networks,” in 2011 international conference on
innovations in information technology, pp. 167–172, IEEE, 2011.
235
[178] A. Ghelichi, K. Yelamarthi, and A. Abdelgawad, “Target Localization in Wireless
Sensor Network based on Time Difference of Arrival,” in 2013 IEEE 56th Interna-
tional Midwest Symposium on Circuits and Systems (MWSCAS), pp. 940–943, IEEE,
2013.
[179] P. Kułakowski, J. Vales-Alonso, E. Egea-L ´
opez, W. Ludwin, and J. Garc´
ıa-Haro,
“Angle-of-Arrival Localization based on Antenna Arrays for Wireless Sensor
Networks,” Computers & Electrical Engineering, vol. 36, no. 6, pp. 1181–1186,
2010.
[180] L. Pang, X. Chen, Z. Xue, and R. Khatoun, “A Novel Range-free Jammer Local-
ization Solution in Wireless Network by Using PSO Algorithm,” in International
Conference of Pioneering Computer Scientists, Engineers and Educators, pp. 198–211,
Springer, 2017.
[181] J. Blumenthal, R. Grossmann, F. Golatowski, and D. Timmermann, “Weighted
Centroid Localization in Zigbee-based Sensor Networks,” in 2007 IEEE interna-
tional symposium on intelligent signal processing, pp. 1–6, IEEE, 2007.
[182] H. Liu, X. Wenyuan, Y. Chen, and Z. Liu, “Localizing Jammers in Wireless Net-
works,” in 2009 IEEE International Conference on Pervasive Computing and Commu-
nications, pp. 1–6, IEEE, 2009.
[183] H. Liu, Z. Liu, Y. Chen, and W. Xu, “Determining the Position of a Jammer Using
a Virtual-force Iterative Approach,” Wireless Networks, vol. 17, no. 2, pp. 531–547,
2011.
[184] Y. Hong, S. Wang, H. Kang, and Y. Hu, “Iterative Virtual Force Localization Based
on Anchor Selection for Three-Dimensional Wireless Sensor Networks,” Tehniˇcki
vjesnik, vol. 29, no. 3, pp. 1048–1058, 2022.
[185] T. Cheng, P. Li, and S. Zhu, “An Algorithm for Jammer Localization in Wire-
less Sensor Networks,” in 2012 IEEE 26th International Conference on Advanced
Information Networking and Applications, pp. 724–731, IEEE, 2012.
[186] H. Inchana and S. K. BJ, “Double circle localization for the detection of jam-
ming attack in wireless sensor network,” in 2022 IEEE North Karnataka Subsection
Flagship International Conference (NKCon), pp. 1–5, IEEE, 2022.
[187] D. Midi, Security Techniques for Sensor Systems and the Internet of Things. PhD
thesis, Purdue University, 2016.
[188] A. Mpitziopoulos, D. Gavalas, C. Konstantopoulos, and G. Pantziou, “A Survey
on Jamming Attacks and Countermeasures in WSNs,” IEEE Communications
Surveys & Tutorials, vol. 11, no. 4, 2009.
[189] S. Jaitly, H. Malhotra, and B. Bhushan, “Security Vulnerabilities and Counter-
measures Against Jamming Attacks in Wireless Sensor Networks: A Survey,” in
Computer, Communications and Electronics (Comptelix), 2017 International Confer-
ence on, pp. 559–564, IEEE, 2017.
236
[190] S. Vadlamani, B. Eksioglu, H. Medal, and A. Nandi, “Jamming Attacks on Wire-
less Networks: A Taxonomic Survey,” International Journal of Production Eco-
nomics, vol. 172, pp. 76–94, 2016.
[191] E. Stavrou and A. Pitsillides, “Vulnerability Assessment of Intrusion Recovery
Countermeasures in Wireless Sensor Networks,” in 2011 IEEE Symposium on
Computers and Communications (ISCC), pp. 706–712, IEEE, 2011.
[192] W. L. Stutzman and G. A. Thiele, Antenna Theory and Design. John Wiley & Sons,
2012.
[193] A. Aldarraji, L. Hong, and S. Shetty, “Polarized Beamforming for Enhanced
Countermeasure of Wireless Jamming Attacks,” in 2016 IEEE 35th International
Performance Computing and Communications Conference (IPCCC), pp. 1–2, IEEE,
2016.
[194] R. Ramanathan, “On the Performance of ad hoc Networks with Beamforming
Antennas,” in Proceedings of the 2nd ACM international symposium on Mobile ad hoc
networking & computing, pp. 95–105, 2001.
[195] C. Murthy and B. Manoj, “Transport Layer and Security Protocols for ad hoc
Wireless Networks,” Ad hoc wireless networks: Architectures and protocols, 2004.
[196] A. Spyropoulos and C. S. Raghavendra, “Energy Efficient Communications in ad
hoc Networks Using Directional Antennas,” in Proceedings. Twenty-First Annual
Joint Conference of the IEEE Computer and Communications Societies, vol. 1, pp. 220–
228, IEEE, 2002.
[197] L. Hu and D. Evans, “Using Directional Antennas to Prevent Wormhole At-
tacks.,” in NDSS, vol. 4, pp. 241–245, 2004.
[198] L. L and P. R, “SeRLoc: Robust Localization for Wireless Sensor Networks,” ACM
Transactions on Sensor Networks (TOSN), vol. 1, no. 1, pp. 73–100, 2005.
[199] L. Lazos and R. Poovendran, “HiRLoc: High-resolution Robust Localization for
Wireless Sensor Networks,” IEEE Journal on Selected Areas in Communications,
vol. 24, no. 2, pp. 233–246, 2006.
[200] I. C. Stavrou, “An Intrusion Recovery Security Framework in Wireless Sensor
Networks,” 2014.
[201] S. Bandyopadhyay, K. Hasuike, S. Horisawa, and S. Tawara, “An Adaptive MAC
and Idrectional Routing Protocol for ad hoc Wireless Network Using ESPAR
Antenna,” in Proceedings of the 2nd ACM international symposium on Mobile ad hoc
networking & computing, pp. 243–246, 2001.
[202] W. Xu, T. Wood, W. Trappe, and Y. Zhang, “Channel Surfing and Spatial Retreats:
Defenses Against Wireless Denial of Service,” in Proceedings of the 3rd ACM
workshop on Wireless security, pp. 80–89, ACM, 2004.
[203] W. Xu, W. Trappe, and Y. Zhang, “Channel Surfing: Defending Wireless Sensor
Networks from Interference,” in 2007 6th International Symposium on Information
Processing in Sensor Networks, pp. 499–508, IEEE, 2007.
237
[204] A. Ghosal, S. Halder, M. Mobashir, R. K. Saraogi, and S. DasBit, “A Jamming
Defending Data-Forwarding Scheme for Delay Sensitive Applications in WSN,”
in Wireless Communication, Vehicular Technology, Information Theory and Aerospace
& Electronic Systems Technology (Wireless VITAE), 2011 2nd International Conference
on, pp. 1–5, IEEE, 2011.
[205] S. K. Dhurandher, S. Misra, D. Agrawal, and A. Rayankula, “Using Honeynodes
Along with Channel Surfing for Defense Against Jamming Attacks in Wireless
Networks,” in 2008 Third International Conference on Systems and Networks Com-
munications, pp. 197–201, IEEE, 2008.
[206] X. Jiang, W. Hu, S. Zhu, and G. Cao, “Compromise-resilient Anti-jamming for
Wireless Sensor Networks,” in International conference on information and commu-
nications security, pp. 140–154, Springer, 2010.
[207] J. Heo, J.-J. Kim, S. Bahk, and J. Paek, “Dodge-jam: Anti-jamming Technique for
Low-power and Lossy Wireless Networks,” in 2017 14th Annual IEEE Interna-
tional Conference on Sensing, Communication, and Networking (SECON), pp. 1–9,
IEEE, 2017.
[208] Q. Liu, J. Yin, and S. Yu, “A Bio-inspired Jamming Detection and Restoration
for WMNs: in View of Adaptive Immunology,” in International Symposium on
Cyberspace Safety and Security, pp. 243–257, Springer, 2013.
[209] C. Sergiou and V. Vassiliou, “DAlPaS: A Performance Aware Congestion Control
Algorithm in Wireless Sensor Networks,” in Telecommunications (ICT), 2011 18th
International Conference on, pp. 167–173, IEEE, 2011.
[210] L. Shi, J. Zhang, Y. Shi, X. Ding, and Z. Wei, “Optimal Base Station Placement for
Wireless Sensor Networks with Successive Interference Cancellation,” Sensors,
vol. 15, no. 1, pp. 1676–1690, 2015.
[211] Q. M. Ashraf, M. H. Habaebi, and M. R. Islam, “Jammer Localization Using
Wireless Devices With Mitigation by Self-configuration,” Plos one, vol. 11, no. 9,
p. e0160311, 2016.
[212] Q. Yan, H. Zeng, T. Jiang, M. Li, W. Lou, and Y. T. Hou, “Jamming Resilient
Communication Using MIMO Interference Cancellation,” IEEE Transactions on
Information Forensics and Security, vol. 11, no. 7, pp. 1486–1499, 2016.
[213] S. Hu and X. Wang, “Game Theory on Power Control in Wireless Sensor Net-
works Based on Successive Interference Cancellation,” Wireless Personal Commu-
nications, vol. 111, no. 1, pp. 33–45, 2020.
[214] H. Pirayesh and H. Zeng, “Jamming Attacks and Anti-Jamming Strategies in
Wireless Networks: A Comprehensive Survey,” arXiv preprint arXiv:2101.00292,
2021.
[215] C. V. Cordero and A. Lisser, “Jamming Attacks Reliable Prevention in a Clus-
tered Wireless Sensor Network,” Wireless Personal Communications, vol. 85, no. 3,
pp. 925–936, 2015.
238
[216] M. Vanhoef and F. Piessens, “Advanced Wi-Fi Attacks Using Commodity Hard-
ware,” in Proceedings of the 30th Annual Computer Security Applications Conference,
pp. 256–265, 2014.
[217] K. Grover, A. Lim, and Q. Yang, “Jamming and Anti-Jamming Techniques in
Wireless Networks: a Survey,” International Journal of Ad Hoc and Ubiquitous
Computing, vol. 17, no. 4, pp. 197–215, 2014.
[218] S. D. Babar, “Security Framework And Jamming Detection For Internet Of
Things,” Videnbasen for Aalborg UniversitetVBN, Aalborg UniversitetAalborg Univer-
sity, Det Teknisk-Naturvidenskabelige FakultetThe Faculty of Engineering and Science,
2015.
[219] M. Strasser, B. Danev, and S. ˇ
Capkun, “Detection of Reactive Jamming in Sensor
Networks,” ACM Transactions on Sensor Networks (TOSN), vol. 7, no. 2, p. 16,
2010.
[220] K. Vijayakumar, P. Ganeshkumar, M. Anandaraj, K. Selvaraj, and P. Sivakumar,
“Fuzzy Logic–based Jamming Detection Algorithm for Cluster-based wireless
Sensor Network,” International Journal of Communication Systems, vol. 31, no. 10,
p. e3567, 2018.
[221] M. C¸ akiroˇ
glu and A. T. ¨
Ozcerit, “Jamming Detection Mechanisms For Wireless
Sensor Networks,” in Proceedings of the 3rd international conference on Scalable in-
formation systems, p. 4, ICST (Institute for Computer Sciences, Social-Informatics
and Telecommunications Engineering), 2008.
[222] C. Balarengadurai, S. Saraswathi, and J. Srikanth, “A Fuzzy Based Detection
Technique for Jamming Attacks in IEEE 802.15.4 Low Rate Wireless Personal
Area Network,” 2012.
[223] E. Sasikala and N. Rengarajan, “An Intelligent Technique to Detect Jamming At-
tack in Wireless Sensor Networks (WSNs),” International Journal of Fuzzy Systems,
vol. 17, no. 1, pp. 76–83, 2015.
[224] A. Cetinkaya, H. Ishii, and T. Hayakawa, “Secure Networked Control Under
Jamming Attacks: An SINR-based Approach,” in Security and Resilience of Control
Systems: Theory and Applications, pp. 63–91, Springer, 2022.
[225] V. Manju and M. S. Kumar, “Detection of Jamming Style DoS Attack in Wireless
Sensor Network,” in Parallel Distributed and Grid Computing (PDGC), 2012 2nd
IEEE International Conference on, pp. 563–567, IEEE, 2012.
[226] A. Bengag, A. Bengag, and O. Moussaoui, “Intrusion Detection Based on Fuzzy
Logic for Wireless Body Area Networks: Review and Proposition,” Indonesian
Journal of Electrical Engineering and Computer Science (IJEECS), vol. 26, no. 2,
pp. 1091–1102, 2022.
[227] M. Meenalochani and S. Sudha, “Jammed Node Detection and Routing in a
Multihop Wireless Sensor Network Using Hybrid Techniques,” Wireless Personal
Communications, vol. 104, no. 2, pp. 663–675, 2019.
239
[228] H. I. Reyes and N. Kaabouch, “Jamming and Lost Link Detection in Wireless Net-
works with Fuzzy Logic,” International Journal of Scientific & Engineering Research,
vol. 4, no. 2, pp. 1–7, 2013.
[229] J. R. Renofio, M. E. Pellenz, E. Jamhour, A. Santin, M. C. Penna, and R. D.
Souza, “On the Dynamics of the RPL Protocol in AMI Networks Under Jamming
Attacks,” in 2016 IEEE International Conference on Communications (ICC), pp. 1–6,
IEEE, 2016.
[230] M. C¸ akıro˘
glu and A. T. ¨
Ozcerit, “Jamming Detection Mechanisms for Wireless
Sensor Networks,” in 3rd International ICST Conference on Scalable Information
Systems, 2010.
[231] B. Chen, Y. Li, and D. Mashima, “Analysis and Enhancement of RPL Under
Packet Drop Attacks,” in 2018 10th International Conference on Communication
Systems & Networks (COMSNETS), pp. 167–174, IEEE, 2018.
[232] P. S. Bhattacharjee and S. A. Begum, “Fuzzy Approach for Intrusion Detection
System: A Survey.,” International Journal of Advanced Research in Computer Science,
vol. 4, no. 1, 2013.
[233] J. E. Dickerson and J. A. Dickerson, “Fuzzy Network Profiling for Intrusion De-
tection,” in Fuzzy Information Processing Society, 2000. NAFIPS. 19th International
Conference of the North American, pp. 301–306, IEEE, 2000.
[234] R. Shanmugavadivu and N. Nagarajan, “Network Intrusion Detection System
Using Fuzzy Logic,” Indian Journal of Computer Science and Engineering (IJCSE),
vol. 2, no. 1, pp. 101–111, 2011.
[235] C. Balarengadurai and S. Saraswathi, “Detection of Jamming Attacks in IEEE
802.15. 4 Low Rate Wireless Personal Area Network Using Fuzzy Systems,”
in 2012 International Conference on Emerging Trends in Science, Engineering and
Technology (INCOSET), pp. 32–38, IEEE, 2012.
[236] N. R. Pal and S. Sheety, “Enhancing The Performance Of 6lowpan For WSN
Using Soft Computing ANFIS Technique,” Webology (ISSN: 1735-188X), vol. 18,
no. 6, 2021.
[237] K. Pelechrinis, I. Koutsopoulos, I. Broustis, and S. V. Krishnamurthy,
“Lightweight jammer localization in wireless networks: System design and im-
plementation,” in Global Telecommunications Conference, 2009. GLOBECOM 2009.
IEEE, pp. 1–6, IEEE, 2009.
[238] J. Fan, T. Liang, T. Wang, and J. Liu, “Identification and Localization of the
Jammer in Wireless Sensor Networks,” The Computer Journal, vol. 62, no. 10,
pp. 1515–1527, 2019.
[239] Z. Niu, H. Li, X. Zhou, and J. Huang, “Overview of Jammer Localization in Wire-
less Sensor Networks,” in 2020 IEEE 9th Joint International Information Technology
and Artificial Intelligence Conference (ITAIC), vol. 9, pp. 9–13, 2020.
240
[240] N. Alikh and A. Rajabzadeh, “Using a Lightweight Security Mechanism to Detect
and Localize Jamming Attack in Wireless Sensor Networks,” Optik, vol. 271,
p. 170099, 2022.
[241] Z.-m. Wang and Y. Zheng, “The Study of the Weighted Centroid Localization
Algorithm Based on RSSI,” in 2014 International Conference on Wireless Communi-
cation and Sensor Network, pp. 276–279, IEEE, 2014.
[242] M. B. Kilani, A. J. Raymond, F. Gagnon, G. Gagnon, and P. Lavoie, “RSSI-based
Indoor Tracking Using the Extended Kalman Filter and Circularly Polarized
Antennas,” in 2014 11th workshop on positioning, navigation and communication
(WPNC), pp. 1–6, IEEE, 2014.
[243] W. Aldosari, M. Zohdy, and R. Olawoyin, “Tracking the Mobile Jammer in Wire-
less Sensor Networks Using Extended Kalman Filter,” in 2019 IEEE 10th Annual
Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON),
pp. 0207–0212, IEEE, 2019.
[244] S. Jiang and Y. Xue, “Optimal Wireless Network Restoration Under Jamming
Attack,” in 2009 Proceedings of 18th International Conference on Computer Commu-
nications and Networks, pp. 1–6, IEEE, 2009.
[245] S. Jiang and Y. Xue, “Providing Survivability Against Jamming Attack for Multi-
radio Multi-channel Wireless Mesh Networks,” Journal of Network and Computer
Applications, vol. 34, no. 2, pp. 443–454, 2011.
[246] Y. Lim, H.-M. Kim, and T. Kinoshita, “Traffic Rerouting Strategy Against Jam-
ming Attacks in WSNs for Microgrid,” International Journal of Distributed Sensor
Networks, vol. 8, no. 4, p. 234029, 2012.
[247] C. A. Boano, T. Voigt, C. Noda, K. R¨
omer, and M. Z ´
u˜
niga, “Jamlab: Augmenting
Sensornet Testbeds with Realistic and Controlled Interference Generation,” in
Information Processing in Sensor Networks (IPSN), 2011 10th International Conference
on, pp. 175–186, IEEE, 2011.
[248] H. H. R. Sherazi, R. Iqbal, F. Ahmad, Z. A. Khan, and M. H. Chaudary, “DDoS
Attack Detection: A Key Enabler for Sustainable Communication in Internet of
Vehicles,” Sustainable Computing: Informatics and Systems, vol. 23, pp. 13–20, 2019.
[249] E. H. Mamdani and S. Assilian, “An Experiment in Linguistic Synthesis with a
Fuzzy Logic Controller,” International journal of man-machine studies, vol. 7, no. 1,
pp. 1–13, 1975.
[250] P. Hiremath, T. Anuradha, and P. Pattan, “Adaptive Fuzzy Inference System for
Detection and Prevention of Cooperative Black Hole Attack in MANETs,” in 2016
International Conference on Information Science (ICIS), pp. 245–251, IEEE, 2016.
[251] P. Kumari, M. Singh, and P. Kumar, “Survey of Clustering Algorithms Using
Fuzzy Logic in Wireless Sensor Network,” in 2013 International conference on
energy efficient technologies for sustainability, pp. 924–928, IEEE, 2013.
[252] M. Sugeno, Industrial Applications of Fuzzy Control. Elsevier Science Inc., 1985.
241
[253] K. Vijayakumar, K. P. M. Kumar, K. Kottilingam, T. Karthick, P. Vijayakumar, and
P. Ganeshkumar, “An Adaptive Neuro-Fuzzy Logic Based Jamming Detection
System in WSN,” Soft Computing, vol. 23, no. 8, pp. 2655–2667, 2019.
[254] E. Mamdani and S. Assilian, “An Experiment in Linguistic Synthesis with a
Fuzzy Logic Controller,” International journal of human-computer studies, vol. 51,
no. 2, pp. 135–147, 1999.
[255] A. Sadollah, “Introductory Chapter: Which Membership Function is Appropri-
ate in Fuzzy System?,” in Fuzzy logic based in optimization methods and control
systems and its applications, IntechOpen, 2018.
[256] D. Wu, “Twelve Considerations in Choosing Between Gaussian and Trapezoidal
Membership Functions in Interval Type-2 Fuzzy Logic Controllers,” in 2012 IEEE
International Conference on Fuzzy Systems, pp. 1–8, IEEE, 2012.
[257] D. Newman, K. M. Manalo, and E. Tittel, “Intrusion Detection Overview,” 2004.
[258] G. Kumar, “Evaluation Metrics for Intrusion Detection Systems-A Study,” Eval-
uation, vol. 2, no. 11, pp. 11–7, 2014.
[259] A. Javaid, Q. Niyaz, W. Sun, and M. Alam, “A Deep Learning Approach For
Network Intrusion Detection System,” in Proceedings of the 9th EAI International
Conference on Bio-inspired Information and Communications Technologies (formerly
BIONETICS), pp. 21–26, 2016.
[260] M. Elhamahmy, H. N. Elmahdy, and I. A. Saroit, “A new Approach for Evaluat-
ing Intrusion Detection System,” CiiT International Journal of Artificial Intelligent
Systems and Machine Learning, vol. 2, no. 11, pp. 290–298, 2010.
[261] C. Ioannou and V. Vassiliou, “Accurate Detection of Sinkhole Attacks in IoT Net-
works Using Local Agents,” in 2020 Mediterranean Communication and Computer
Networking Conference (MedComNet), pp. 1–8, 2020.
[262] T. Voigt, “Based on Previous Versions by Fredrik Oster-lind and Adam Dunkels,”
Contiki COOJA Hands-on Crash Course: Session Notes. CONET Summer School, 2009.
[263] H. Shi, “A New Weighted Centroid Localization Algorithm based on RSSI,” in
2012 IEEE International Conference on Information and Automation, pp. 137–141,
IEEE, 2012.
[264] J. Du, Indoor Localization Techniques for Wireless Sensor Networks. PhD thesis,
universit´
e de Nantes, 2018.
[265] I. Chivers, J. Sleightholme, I. Chivers, and J. Sleightholme, “An Introduction to
Algorithms and the Big O Notation,” Introduction to Programming with Fortran,
pp. 391–396, 2018.
[266] J. W. Hui, “The Routing Protocol for Low-Power and Lossy Networks (Rpl)
Option for Carrying Rpl Information in Data-Plane Datagrams,” 2012.
[267] A. Dunkels, “The ContikiMAC Radio Duty Cycling Protocol,” 2011.
242
[268] M. Wolenetz, R. Kumar, J. Shin, and U. Ramachandran, “A Simulation-based
Study of Wireless Sensor Network Middleware,” International Journal of Network
Management, vol. 15, no. 4, pp. 255–267, 2005.
[269] Y.-Q. Zhou and N.-W. Lin, “A Study on Optimizing Execution Time and Code
Size in Iterative Compilation,” in 2012 Third International Conference on Innovations
in Bio-Inspired Computing and Applications, pp. 104–109, IEEE, 2012.
[270] W.-N. Chin, H. H. Nguyen, S. Qin, and M. Rinard, “Memory Usage Verification
for oo Programs,” in International Static Analysis Symposium, pp. 70–86, Springer,
2005.
[271] P. M. K. Kanagasabapathy, V. Kedalu Poornachary, S. Murugan, A. Natesan, and
V. Ponnusamy, “Rapid Jamming Detection Approach Based on Fuzzy in WSN,”
International Journal of Communication Systems, vol. 35, no. 2, p. e4205, 2022.
[272] T. Cheng, P. Li, S. Zhu, and D. Torrieri, “M-cluster and x-ray: Two methods
for multi-jammer localization in wireless sensor networks,” Integrated Computer-
Aided Engineering, vol. 21, no. 1, pp. 19–34, 2014.
[273] C. Ioannou and V. Vassiliou, “The Impact of Network Layer Attacks in Wireless
Sensor Networks,” in 2016 International Workshop on Secure Internet of Things
(SIoT), pp. 20–28, 2016.
[274] C. Adjih, E. Baccelli, E. Fleury, G. Harter, N. Mitton, T. Noel, R. Pissard-Gibollet,
F. Saint-Marcel, G. Schreiner, J. Vandaele, et al., “FIT IoT-LAB: A Large Scale
Open Experimental IoT Testbed,” in 2015 IEEE 2nd World Forum on Internet of
Things (WF-IoT), pp. 459–464, IEEE, 2015.
[275] O. Fambon, E. Fleury, G. Harter, R. Pissard-Gibollet, and F. Saint-Marcel, “FIT
IoT-LAB Tutorial: Hands-on Practice With a Very Large Scale Testbed Tool for the
Internet of Things,” 10`emes journ´ees francophones Mobilit´e et Ubiquit´e, UbiMob2014,
2014.
[276] H.-M. Sun, S.-P. Hsu, and C.-M. Chen, “Mobile Jamming Attack and its Coun-
termeasure in Wireless Sensor Networks,” in 21st International Conference on
Advanced Information Networking and Applications Workshops (AINAW’07), vol. 1,
pp. 457–462, IEEE, 2007.
[277] L. Zhiping and L. Hui, “Mobile Jamming Attack in Clustering Wireless Sensor
Network,” in 2010 International Conference on Computer Application and System
Modeling (ICCASM 2010), vol. 9, pp. V9–5, IEEE, 2010.
[278] D. Darsena, G. Gelli, I. Iudice, and F. Verde, “Detection and Blind Channel Esti-
mation for UAV-aided Wireless Sensor Networks in Smart Cities Under Mobile
Jamming Attack,” IEEE Internet of Things Journal, vol. 9, no. 14, pp. 11932–11950,
2021.
[279] S. Malebary, W. Xu, and C.-T. Huang, “Jamming Mobility in 802.11 p Networks:
Modeling, Evaluation, and Detection,” in 2016 IEEE 35th International Performance
Computing and Communications Conference (IPCCC), pp. 1–7, IEEE, 2016.
243
[280] C. Bajracharya, “Performance Evaluation for Secure Communications in Mobile
Internet of Vehicles with Joint Reactive Jamming and Eavesdropping Attacks,”
IEEE Transactions on Intelligent Transportation Systems, vol. 23, no. 11, pp. 22563–
22570, 2021.
[281] E. Aljarrah, M. B. Yassein, and S. Aljawarneh, “Routing Protocol Of Low-Power
And Lossy Network: Survey And Open Issues,” in Engineering & MIS (ICEMIS),
International Conference on, pp. 1–6, IEEE, 2016.
[282] T. Salman and R. Jain, “Networking Protocols and Standards for Internet of
Things,” Internet of Things and Data Analytics Handbook (2015), pp. 215–238, 2015.
[283] L. K. Karthisha, R. Mathew, D. Sahoo, and Y. R. Krishna, “ContikiMAC for
Wireless Sensor Network Monitoring Application,”
[284] K. Gupta and V. Sikka, “Design Issues and Challenges in Wireless Sensor Net-
works,” International Journal of Computer Applications, vol. 112, no. 4, pp. 0975–
8887, 2015.
[285] A. S. Mary, R. Kotteeswaran, and C. Pandeeswaran, “Design of Wireless Sensor
Network Protocol Using Contiki OS,” Int. J. Pure Appl. Math., vol. 118, no. 18
Special Issue E, pp. 4671–4678, 2018.
244
Appendix A
List of Tables
Table A.1: Sink in the Middle of the grid nodes positions
Node x y
Sink 0 0
2-80 -80
3-40 -80
40 -80
540 -80
680 -80
7-80 -40
8-40 -40
90 -40
10 40 -40
11 80 -40
12 -80 0
13 -40 0
14 40 0
15 80 0
16 -80 40
17 -40 40
18 0 40
19 40 40
20 80 40
21 -80 80
22 -40 80
23 0 80
24 40 80
25 80 80
245
Table A.2: Sink in the Middle of the grid nodes positions Random
Node X Position Y Position
1 0 0
2 -30 -90
3 -70 -78
4 30 -70
5 69 -89
6 -99 -56
7 -59 -40
8 0 -50
9 37 -29
10 80 -50
11 -91.1 -19.3
12 -41 1
13 0 -10
14 20 11
15 80 -10
16 -71.8 43.9
17 -96 55.43
18 0 40
19 89 10
20 80 50
21 -59.5 72.68
22 -31.1 63.9
23 -10 90
24 20.24 74.81
25 90 70
246
Table A.3: Jammers Positions
Jammer Position x y
1 -60 -60
2 -20 -60
3 20 -60
4 60 -60
5 -60 -20
6 -20 -20
7 20 -20
8 60 -20
9 -60 20
10 -20 20
11 20 20
12 60 20
13 -60 60
14 -20 60
15 20 60
16 60 60
247
Table A.4: Sink on Top Middle of the grid Nodes Positions
Node x y
Sink 0 -80
2 -80 -80
3 -40 -80
4 40 -80
5 80 -80
6 -80 -40
7 -40 -40
8 0 -40
9 40 -40
10 80 -40
11 -80 0
12 -40 0
13 0 0
14 40 0
15 80 0
16 -80 40
17 -40 40
18 0 40
19 40 40
20 80 40
21 -80 80
22 -40 80
23 0 80
24 40 80
25 80 80
248
Table A.5: Sink on Top Middle of the grid Nodes Positions Random
Node X Position Y Position
1 0 -80
2 -30 -90
3 -70.2 -78.6
4 30 -70
5 69.25 -89.4
6 -99 -56.7
7 -59.9 -40.6
8 0 -50
9 37.86 -29
10 80 -50
11 -110 -19.1
12 -41.2 1.015
13 0 -10
14 20 11
15 80 -10
16 -109 50.5
17 -122 21.75
18 0 40
19 89 10
20 80 50
21 -80 80
22 -40 70
23 -10 90
24 30 80
25 90 70
249
Table A.6: Sink on Top left edge of the grid Nodes Positions
Node x y
Sink -80 -80
2 -40 -80
3 0 -80
4 40 -80
5 80 -80
6 -80 -40
7 -40 -40
8 0 -40
9 40 -40
10 80 -40
11 -80 0
12 -40 0
13 0 0
14 40 0
15 80 0
16 -80 40
17 -40 40
18 0 40
19 40 40
20 80 40
21 -80 80
22 -40 80
23 0 80
24 40 80
25 80 80
250
Table A.7: Random Sink on Top left edge of the grid Nodes Positions
Node X Position Y Position
1 -80 -80
2 -40.6 -79.9
3 -41 -60.6
4 29.69 -80.3
5 69 -89
6 -99 -56
7 -59 -40
8 -0.6 -70.4
9 48.88 -49.7
10 80 -50
11 -89.8 -19
12 -47.4 -4.48
13 -10.9 0.057
14 20 11
15 80 -10
16 -109 50
17 -99.7 19.78
18 0 40
19 89 10
20 80 50
21 -80 80
22 -40 70
23 -10 90
24 30 80
25 90 70
Table A.8: Euclidean Distance Error (in m) for a Predicted Topology with the Sink in
the Middle of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 3.38 1.41 7.18 5.45 32.42 43.60
Constant Jammer 6.28 3.68 11.62 14.80 37.12 44.43
Random Jammer 6.07 6.23 17.37 17.59 38.23 39.58
Reactive Jammer 5.19 0.81 11.88 10.11 35.27 38.61
251
Table A.9: Execution Time (in ms) for a Predicted Topology with the Sink in the Middle
of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 0.01 0.02 0.00 0.03 0.02 0.04
Constant Jammer 0.01 0.02 0.00 0.02 0.02 0.05
Random Jammer 0.01 0.02 0.00 0.03 0.02 0.04
Reactive Jammer 0.01 0.01 0.00 0.01 0.01 0.04
Table A.10: Euclidean Distance Error (in m) for a Predicted Topology with the Sink in
the Top Middle of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 4.94 4.83 8.94 9.48 34.36 49.81
Constant Jammer 7.29 5.94 13.22 16.29 38.11 50.66
Random Jammer 7.72 5.21 14.61 20.92 40.67 47.02
Reactive Jammer 4.64 1.18 9.85 28.57 50.05 47.16
Table A.11: Execution Time (in ms) Predicted topology Sink in the Top Middle of the
Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 0.0058 0.0059 0.0009 0.0207 0.0183 0.0542
Constant Jammer 0.0059 0.0058 0.0005 0.0244 0.0158 0.0364
Random Jammer 0.0083 0.0058 0.0003 0.0141 0.0107 0.0368
Reactive Jammer 0.0063 0.0074 0.0003 0.0287 0.0116 0.0515
Table A.12: Euclidean Distance Error (in m) for a Predicted Topology with the Sink in
the Top Left Edge of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 9.34 10.27 11.67 12.34 35.84 48.33
Constant Jammer 13.93 6.51 13.22 19.44 39.67 50.25
Random Jammer 6.34 6.36 14.31 20.56 39.56 46.94
Reactive Jammer 8.86 8.61 11.56 16.09 37.93 46.14
252
Table A.13: Execution Time (in ms) for a Predicted Topology with the Sink in the Top
Left Edge of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 12.88 10.85 0.28 24.20 14.32 50.65
Constant Jammer 11.31 9.06 0.28 9.56 12.97 36.03
Random Jammer 9.49 8.87 0.58 20.28 18.77 52.46
Reactive Jammer 14.29 8.68 0.38 22.18 13.47 51.69
Table A.14: Euclidean Distance Error (in m) for a Random Topology with the Sink in
the Middle of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 18.32 18.90 20.72 28.95 40.56 43.86
Constant Jammer 22.74 23.82 22.41 31.26 43.98 43.93
Random Jammer 19.30 22.86 27.88 41.21 48.61 42.25
Reactive Jammer 17.76 20.86 23.33 37.67 45.66 34.52
Table A.15: Execution Time (in ms) for a Random Topology with the Sink in the Middle
of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 0.0534 0.0094 0.0003 0.0244 0.0138 0.0387
Constant Jammer 0.0052 0.0114 0.0002 0.0127 0.0141 0.0522
Random Jammer 0.0085 0.0062 0.0002 0.0127 0.0141 0.0522
Reactive Jammer 0.0100 0.0088 0.0003 0.0255 0.0167 0.0409
Table A.16: Euclidean Distance Error (in m) for a Random Topology with the Sink in
the Top Middle of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 18.25 21.45 22.30 33.15 40.57 48.31
Constant Jammer 17.01 18.59 19.25 18.14 38.97 49.51
Random Jammer 20.13 25.30 28.29 49.17 51.11 45.27
Reactive Jammer 25.48 25.82 22.44 28.74 38.09 46.02
253
Table A.17: Execution Time (in ms) for a Random Topology with the Sink in the Top
Middle of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 0.0084 0.0060 0.0004 0.0250 0.0105 0.0398
Constant Jammer 0.0082 0.0054 0.0003 0.0256 0.0173 0.0460
Random Jammer 0.0127 0.0068 0.0003 0.0070 0.0221 0.0349
Reactive Jammer 0.0099 0.0072 0.0004 0.0103 0.0179 0.0437
Table A.18: Execution Time (in ms) for a Random Topology with the Sink in the Top
Left Edge of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 11.46 8.68 0.33 15.41 17.07 49.09
Constant Jammer 14.28 9.04 12.19 189.63 23.45 223.46
Random Jammer 9.66 9.86 0.45 32.48 20.08 57.54
Reactive Jammer 12.50 8.78 0.35 11.82 7.17 43.47
Table A.19: Euclidean Distance Error (in m) for a Random Topology with the Sink in
the Top Left Edge of the Grid
MMLAW
Retransmissions
MMLAW
ETX Centroid SC DC VFIL
Deceptive Jammer 15.24 19.09 21.02 27.19 40.74 44.82
Constant Jammer 17.84 17.61 22.28 27.41 41.88 44.29
Random Jammer 17.86 19.39 22.52 27.17 41.57 45.84
Reactive Jammer 16.32 20.44 25.90 38.76 45.46 42.62
Table A.20: Results when the inputs are ETX and Retransmission in Predicted Scenarios
Attack Accuracy Rate Precision Rate Recall
Middle Top Middle Top-left Edge Middle Top Middle Top-left Edge Middle Top Middle Top-left Edge
Constant Jammer 98.44% 99.48% 98.96% 100.00% 98.39% 98.36% 90.00% 98.39% 95.24%
Deceptive Jammer 100% 99.22% 96.35% 100.00% 95.38% 81.82% 100.00% 100.00% 100.00%
Random Jammer (Specific Shape) 95.31% 97.14% 98.18% 97.73% 100.00% 96.67% 71.67% 82.26% 92.06%
Random Jammer (Random Shape) 97.66% 96.88% 98.96% 100.00% 93.10% 100.00% 85.00% 87.10% 93.65%
Reactive Jammer 97.92% 97.92% 98.96% 100.00% 100.00% 100.00% 86.67% 87.10% 93.65%
254
Table A.21: Results when the inputs are PDPT and Retransmission in Predicted Sce-
narios
Attack Accuracy Rate Precision Rate Recall
Middle Top Middle Top-left Edge Middle Top Middle Top-left Edge Middle Top Middle Top-left Edge
Constant Jammer 98.44% 99.48% 98.96% 100.00% 98.39% 98.36% 90.00% 98.39% 95.24%
Deceptive Jammer 99.74% 96.61% 94.01% 98.36% 82.67% 73.26% 100.00% 100.00% 100.00%
Random Jammer (Specific Shape) 95.31% 97.14% 97.92% 97.73% 100.00% 95.08% 71.67% 82.26% 92.08%
Random Jammer (Random Shape) 97.66% 96.35% 97.14% 100.00% 90.00% 89.39% 85.00% 87.10% 93.65%
Reactive Jammer 97.92% 97.92% 98.70% 100.00% 100.00% 98.33% 86.67% 87.10% 93.65%
Table A.22: Results when the inputs are ETX and Retransmission in Random Scenarios
Attack Accuracy Rate Precision Rate Recall
Middle Top Middle Top-left Edge Middle Top Middle Top-left Edge Middle Top Middle Top-left Edge
Constant Jammer 94.53% 96.61% 96.35% 95.24% 85.71% 92.00% 67.80% 90.57% 82.14%
Deceptive Jammer 95.31% 95.05% 96.09% 82.54% 76.56% 88.68% 88.14% 92.45% 83.93%
Random Jammer (Specific Shape) 87.24% 91.93% 89.84% 100.00% 100.00% 100.00% 16.95% 41.51% 41.07%
Random Jammer (Random Shape) 90.63% 94.79% 91.41% 100.00% 97.14% 100.00% 38.98% 64.15% 41.07%
Reactive Jammer 95.31% 97.14% 96.61% 100.00% 95.65% 100.00% 69.49% 83.02% 76.79%
Table A.23: Results when the inputs are PDPT and Retransmission in Random Scenar-
ios
Attack Accuracy Rate Precision Rate Recall
Middle Top Middle Top-left Edge Middle Top Middle Top-left Edge Middle Top Middle Top-left Edge
Constant Jammer 94.53% 96.35% 97.14% 95.24% 91.49% 97.87% 67.80% 81.13% 82.14%
Deceptive Jammer 96.61% 96.35% 96.61% 88.33% 85.45% 92.16% 89.83% 88.68% 83.93%
Random Jammer (Specific Shape) 87.24% 91.67% 88.54% 100.00% 92.00% 77.27% 16.95% 43.40% 30.36%
Random Jammer (Random Shape) 90.36% 94.53% 91.15% 100.00% 94.44% 95.83% 37.29% 64.15% 41.07%
Reactive Jammer 95.31% 96.35% 95.05% 100.00% 93.33% 87.76% 69.49% 79.25% 76.79%
255
Table A.24: Multiple Jammer Coordinates table
Jammer Position First Jammer Second Jammer
X Y X Y
1 -60 -60 60 60
2 -20 -60 -20 20
3 20 -60 -20 -60
4 60 -60 60 60
5 -60 -20 -20 60
6 -20 -20 -20 20
7 20 -20 -60 60
8 60 -20 60 20
9 -60 20 -60 -60
10 -20 20 -60 60
11 20 20 -20 -20
12 60 20 -60 60
13 -60 60 -20 60
14 -20 60 -60 -60
15 20 60 -60 60
16 60 60 -20 -20
256
Table A.25: Multiple Jammer Sink in the Middle of the Grid Predicted Scenarios
Metric/Position Accuracy (%) Precision (%) Recall (%) Specificity (%) F-score (%)
190.48 77.27 98.08 87.07 86.44
288.99 86.49 70.33 95.92 77.58
353.57 23.29 43.59 56.59 30.36
497.62 95.28 97.12 97.84 96.19
592.56 92.47 82.69 96.98 87.31
698.21 98.36 92.31 99.63 95.24
799.70 98.91 100.00 99.59 99.45
889.29 95.65 56.41 99.22 70.97
980.06 82.46 45.19 95.69 58.39
10 57.44 24.41 39.74 62.79 30.24
11 98.51 100.00 93.59 100.00 96.69
12 98.51 99.01 96.15 99.57 97.56
13 62.50 31.82 53.85 65.12 40.00
14 99.70 100.00 99.04 100.00 99.52
15 82.44 94.12 46.15 98.71 61.94
16 98.81 97.80 97.80 99.18 97.80
Table A.26: Multiple Jammer Sink in the Top Middle of the Grid Predicted Scenarios
Metric/Position Accuracy (%) Precision (%) Recall (%) Specificity (%) F-score (%)
169.94 51.46 50.96 78.45 51.21
279.76 72.55 40.66 94.29 52.11
397.62 98.31 89.23 99.63 93.55
495.83 100.00 86.54 100.00 92.78
590.77 100.00 70.19 100.00 82.49
669.94 42.86 88.46 64.34 57.74
799.40 98.11 100.00 99.14 99.05
855.95 0.00 0.00 72.87 N/A
973.81 61.43 41.35 88.36 49.43
10 76.19 62.22 30.77 93.06 41.18
11 72.92 50.00 27.47 89.80 35.46
12 99.40 100.00 98.08 100.00 99.03
13 77.68 51.49 66.67 81.01 58.10
14 96.73 92.66 97.12 96.55 94.84
15 83.93 100.00 48.08 100.00 64.94
16 98.51 100.00 95.19 100.00 97.54
257
Table A.27: Multiple Jammer Sink in the Top Left Edge of the Grid Predicted Scenarios
Metric/Position Accuracy (%) Precision (%) Recall (%) Specificity (%) F-score (%)
179.76 100.00 25.27 100.00 40.35
280.65 88.24 43.27 97.41 58.06
351.49 26.52 61.54 48.45 37.07
499.40 100.00 98.08 100.00 99.03
586.01 89.04 62.50 96.55 73.45
651.79 30.00 80.77 43.02 43.75
797.92 98.99 94.23 99.57 96.55
873.81 46.58 87.18 69.77 60.71
986.61 91.07 56.04 97.96 69.39
10 77.08 60.29 45.05 88.98 51.57
11 82.74 70.37 62.64 90.20 66.28
12 99.70 99.05 100.00 99.57 99.52
13 57.44 29.56 60.26 56.59 39.66
14 98.21 100.00 93.41 100.00 96.59
15 82.74 100.00 44.23 100.00 61.33
16 91.37 100.00 72.12 100.00 83.80
Table A.28: Multiple Jammer Sink in the Middle of the Grid Random Scenarios
Metric/Position Accuracy (%) Precision (%) Recall (%) Specificity (%) F-score (%)
191.37 83.70 84.62 93.88 84.15
280.06 100.00 35.58 100.00 52.48
385.12 70.27 40.00 95.94 50.98
493.75 94.87 81.32 98.37 87.57
588.10 93.24 66.35 97.84 77.53
684.82 100.00 43.96 100.00 61.07
779.46 100.00 33.65 100.00 50.36
884.52 65.48 70.51 88.76 67.90
972.32 46.67 15.38 93.47 23.14
10 85.42 77.78 74.04 90.52 75.86
11 93.75 100.00 73.08 100.00 84.44
12 78.27 80.39 39.42 100.00 52.90
13 66.37 19.44 7.69 88.16 11.02
14 81.85 96.67 49.57 99.09 65.54
15 64.58 32.93 29.67 77.55 31.21
16 87.20 73.08 83.52 88.57 77.95
258
Table A.29: Accuracy Sink in the top Middle of the grid random scenarios
Metric/Position Accuracy (%) Precision (%) Recall (%) Specificity (%) F-score (%)
186.90 80.68 72.45 92.86 76.34
282.44 93.33 42.86 98.74 58.74
393.75 100.00 70.00 100.00 82.35
491.07 100.00 69.39 100.00 81.93
575.60 51.25 48.81 84.52 50.00
657.74 22.12 27.38 67.86 24.47
792.26 100.00 73.47 100.00 84.71
890.18 81.48 78.57 94.05 80.00
962.50 7.14 26.67 66.01 11.27
10 81.25 13.79 38.10 84.13 20.25
11 86.61 91.49 51.19 98.41 65.65
12 89.58 87.95 74.49 95.80 80.66
13 78.87 49.25 47.14 87.22 48.18
14 89.88 89.02 74.49 96.22 81.11
15 77.68 87.10 27.55 98.32 41.86
16 85.42 100.00 56.25 100.00 72.00
Table A.30: Multiple Jammer Sink in the top left edge of the random scenarios
Metric/Position Accuracy (%) Precision (%) Recall (%) Specificity (%) F-score (%)
170.54 52.34 53.85 78.02 53.08
271.13 53.68 49.04 81.03 51.26
393.75 82.76 92.31 94.19 87.27
491.96 100.00 70.33 100.00 82.58
586.61 91.07 56.04 97.96 69.39
661.61 34.16 70.51 58.91 46.03
783.33 71.15 47.44 94.19 56.92
882.14 70.45 39.74 94.96 50.82
975.00 54.22 49.45 84.49 51.72
10 83.04 78.33 51.65 94.69 62.25
11 74.40 45.92 57.69 79.46 51.14
12 87.50 100.00 53.85 100.00 70.00
13 75.60 39.51 49.23 81.92 43.84
14 81.85 79.45 55.77 93.53 65.54
15 77.38 57.58 62.64 82.86 60.00
16 82.44 88.10 40.66 97.96 55.64
259
Table A.31: Comparison table between FLIDS and FLJDA approach
Position 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 AVG
FLIDS
Accuracy (%) 69.35 95.54 99.70 97.92 94.35 96.13 99.70 100.00 100.00 99.11 100.00 100.00 97.32 100.00 100.00 98.51 96.73
Precision (%) 14.44 95.12 100.00 100.00 86.67 80.00 98.11 100.00 100.00 94.55 100.00 100.00 87.72 100.00 100.00 96.08 90.79
Recall (%) 33.33 75.00 98.08 86.54 75.00 100.00 100.00 100.00 100.00 100.00 100.00 100.00 96.15 100.00 100.00 94.23 91.15
FLJDA
Accuracy (%) 12.50 25.00 87.50 100.00 25.00 37.50 100.00 100.00 87.50 100.00 100.00 100.00 95.83 100.00 100.00 100.00 79.43
Precision (%) 5.00 15.00 57.14 100.00 15.00 21.05 100.00 100.00 57.14 100.00 100.00 100.00 80.00 100.00 100.00 100.00 71.90
Recall (%) 33.33 75.00 100.00 100.00 75.00 100.00 100.00 100.00 100.00 100.00 100.00 100.00 100.00 100.00 100.00 100.00 92.71
Table A.32: Comparison table between FLIDS and FLJDA approach with different
types of jammers
Type of Jammers Approach Accuracy (%) Precision (%) Recall (%)
Constant Jammer FLIDS 97.30 88.45 97.82
FLJDA 75.00 55.42 89.06
Deceptive Jammer FLIDS 96.73 90.79 91.15
FLJDA 79.43 71.90 92.71
Random Jammer FLIDS 95.48 87.91 81.93
FLJDA 76.82 69.86 94.79
Reactive Jammer FLIDS 97.51 93.62 91.51
FLJDA 78.39 67.54 89.58
Complex Jammer FLIDS 82.76 51.13 91.03
FLJDA 64.58 18.98 15.63
260
Appendix B
List of Protocols
Routing Protocol for Low-Power and Lossy Networks (RPL) is a routing protocol
specifically designed for resource-constrained devices that utilize IPv6. This is called
the Routing Protocol for low-power and lossy links because it is intended for nodes
with limited power and unreliable connections.
RPL works as a distance vector and source routing protocol and is built on top
of several link-layer mechanisms, including IEEE 802.15.4 physical (PHY) and media
access control layers (MAC) [281].
One of the strengths of RPL is that it supports different traffic flow patterns, includ-
ing point-to-point (P2P) communication between nodes, point-to-multipoint (P2MP)
for configuration purposes, and multipoint-to-point (MP2P) for data collection pro-
cesses.
The RPL uses destination-oriented acyclic graphs (DODAGs) [266] to determine
the best path based on objective functions and metrics. DODAGs are constructed such
that there is only one route from each leaf node to the root, and all traffic from the node
is routed to it. The process begins with each node sending a DODAG Information
Object (DIO) to advertise itself as the root. This message is transmitted in the network,
and the entire DODAG is constructed gradually.
261
When communicating, the node sends a Destination Advertisement Object (DAO)
to its parents and the DAO message is transmitted to the root. The root then decides
where to send the message based on the destination. If a new node wants to join the
network, it sends a DODAG Information Solicitation (DIS) request to join the network,
and the root replies with a DAO Acknowledgment (DAO-ACK), confirming the join.
The RPL nodes can be stateless or stateful. Stateless nodes keep track of their
parents only, whereas stateful nodes keep track of their children and parents. Only
the root had complete knowledge of the entire DODAG. Therefore, all communication
goes through the roots in every case. However, when communicating inside a subtree
of the DODAG, a stateful node does not have to pass through the root [86,282].
The RPL protocol offers different security levels using the “Security” field found in
its header. This field indicates the level of security and the cryptography algorithms
used to encrypt the message. RPL ensures data authenticity, semantic security, con-
fidentiality, and key management, as well as protection against replay attacks. The
security levels available in the RPL include unsecured, preinstalled, and authenticated
levels. However, RPL is vulnerable to various attacks such as selective forwarding,
sinkholes, Sybil, hello flooding, wormholes, and Denial of Service attacks.
In the WSN protocol stack, the data link layer is known as the MAC layer. It is
responsible for wireless-medium-sharing issues in 1-hop neighbors, whereas the data
link layers handle error detection and data framing [283]. The MAC layer design is
separated into three primary parts: a) the MAC layer, b) the Framer layer, and c)
the RDC layer. The MAC layer considers collisions, retransmissions, and addresses.
Framer is used to create and read the frames that are sent and received. The RDC layer
is responsible for waking up and sleep mechanisms [283].
262
ContikiOS has two different MAC drivers available: CSMA and NullMAC. CSMA
stands for Carrier-Sense Medium Access. This protocol maintains a list of packets to
each of the neighbors and calculates statistics such as the number of retransmissions,
collisions, and deferrals. Currently, CSMA is the only MAC layer that retransmits
packets if a collision is detected [283]. It keeps the packet and performs carrier sensing
before sending it, only sending it when the medium is free.
On the other hand, NullMAC is a minimalistic driver that simply forwards traffic
to the appropriate part of the RDC. Unlike CSMA, it does not transmit packets if a
collision is detected [283].
RDC Driver The RDC drivers available for ContikiOS include ContikiMAC, Cx-
MAC, and NullRDC. The RDC driver is significant in this context because it determines
when the radio should be turned on or off[283].
ContikiMAC is a radio-duty cycling protocol that uses periodic wake-up for
data transmission from neighboring nodes. To achieve a long battery life, the ra-
dio transceiver must be turned offfor an extended period. However, this means that
the node cannot send or receive any data during this time. Therefore, while receiving
data, the radio should be turned on, and it should be turned offwhen not in use. In
ContikiMAC, the nodes communicate while keeping their radio off. It uses precise
timing between data transmission and fast sleep optimization, which allows the re-
ceiver to go to sleep when the wake-up is due to noise, and phase-lock optimization,
which enables the node to know the wake-up period of a neighbor [267].
CxMAC is a MAC protocol that uses a technique called short preamble. Ordinary
low-power listening (LPL) uses a long preamble, which can waste energy as the sender
will send the entire preamble before the receiver can respond that it is awake [284]. In
263
contrast, a short preamble sends shorter preambles with a pause between them, during
which the receiver may respond that it has woken. Another problem with a long
preamble is that it wakes up all nodes until the preamble ends, and the sender specifies
which node should receive the message. This is called an overhearing problem. With
a short preamble, the preamble contains information about the receiver so that other
nodes may sleep earlier [283].
The NullRDC is similar to NullMAC, a simplistic driver used to develop new
drivers. NullRDC has two main tasks: creating a header using Framer functions and
checking whether the packet was received or if a collision occurred. As it keeps the
radio always on, it does not consider energy savings [285]. The NullRDC is a ”null”
RDC layer that never switches offthe radio and can, therefore, be used for testing or
compared to RDC drivers.
Contiki is an open-source operating system designed for the IoT. It implements
the RPL to meet the unique requirements of such networks. RPL creates a Destination
Oriented Directed Acyclic Graph (DODAG) to optimize routing. Objective Functions
(OFs) are a critical aspect of RPL that dictate how routes are selected and optimized.
In Contiki, two notable OFs are used: Objective Function Zero (OF0) and Minimum
Rank with Hysteresis Objective Function (MRHOF).
OF0 is a simple and straightforward objective function defined in RFC 6552. It is
suitable for basic RPL deployments as it is easy to implement and understand. OF0
selects parent nodes based on minimizing the rank, which is a measure of the node’s
position within the DODAG. The rank increases as the distance from the root increases.
OF0 does not consider link quality, energy consumption, or bandwidth.
MRHOF, defined in RFC 6719, is more sophisticated than OF0. It optimizes for
264
paths with the lowest expected transmission count (ETX), a metric reflecting the link
quality. The ETX measures the number of transmissions required, on average, to send a
packet across a link successfully, including retransmissions. Lower ETX values indicate
higher quality links. MRHOF uses ETX as its primary metric for selecting routes and
incorporates a hysteresis mechanism to prevent frequent route flapping in response
to minor changes in link quality. MRHOF is better suited for environments where
maintaining high-quality links is crucial for network reliability and performance.
The choice between OF0 and MRHOF depends on the specific requirements and
constraints of the network. OF0 is advantageous in networks with limited compu-
tational resources or uniform high link qualities. MRHOF is preferable in dynamic
environments or when link quality varies significantly, where optimizing for link reli-
ability and transmission efficiency is vital.
Contiki enables the configuration and customization of these OFs, providing devel-
opers with the flexibility to tailor the RPL behavior to their needs. This capability makes
Contiki a versatile tool for building IoT solutions across a wide range of scenarios.
265
