
A Random Forest-Based Method for Effective and Robust Detection of Wormhole Attacks in Wireless Sensor Networks

Sukanya Konatam, Suryaprakash Nalluri, Murali Mohan Malyala,
Harsh Daiya, Voruganti Naresh Kumar, and K. Srujan Raju
Abstract Identification of wormhole attacks is essential in WSNs, as such networks
can easily fall prey to various security threats. Wormhole attacks are particularly
threatening because they open unauthorized channels between distant nodes, which in
turn brings about insecurity and instability of the network function. The prevention
of such schemes is important in order to provide integrity and accessibility of WSNs,
which are widely used in the current society for purposes of assessing environments,
surveillance security, and automation industries. In this paper, we consider a new
and efficient approach using the Random Forest (RF) algorithm in order to detect
wormhole attacks in WSNs. The RF method is chosen due to its superior performance in
terms of complexity of the classification process in the present study. Random forest
is an instance of ensemble learning where many decision trees improve the
classification accuracy of the network, and also deal with the inherent noise in the
WSN data. All the decision trees in the forest contribute to the final decision,
thus making the performance of the model more powerful by voting. This combines the
merits of decision tree classifiers but does not inherit all their demerits, like
overfitting and vulnerability to noise. The RF model of the proposed system is
trained with normal and attack traffic samples, which allow the model to learn such
characteristics as big differences in the traffic pattern and other wormhole attack
features. The effectiveness of the model is determined by measures such as accuracy,
precision, recall, and F1-Score as well as False Positive Rate. The results clearly
show that the RF-based method is exceptional in terms of accurately identifying
wormhole attacks. Recall is as high as precision, and the overall false positive rate
shows that a low number of samples from the negative class are misidentified.
Keywords Wireless sensor networks (WSNs) · Wormhole attacks · Attack detection ·
Security · Machine learning

S. Konatam (✉)
Department of Computer Science and the Machine Learning Laboratory, University of Texas at
Austin, Austin, Texas, USA
e-mail: sukanya.konatam@ieee.org
S. Nalluri
Department of Information Security, University of Cumberland, Williamsburg, USA
M. M. Malyala
Department of Computers, Osmania University, Telangana, India
H. Daiya
Department of Information and Technology, University of Nebraska, Omaha, USA
e-mail: harshdaiya@ieee.org
V. N. Kumar · K. S. Raju
Department of CSE, CMR Technical Campus, Hyderabad, Telangana, India
© The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025
K. S. Raju et al. (eds.), Intelligent Computing and Communication, Lecture Notes in
Networks and Systems 1241, https://doi.org/10.1007/978-981-96-1267-3_39

1 Introduction
Wireless Sensor Networks (WSNs) consist of a large number of sophisticated sensor
nodes, known as motes, which are small in size, low cost, and energy aware. These
nodes, although crucial to the working of WSNs, are characterized by very limited
energy capacity and minimal memory, and are often constrained by low processing
power [1]. Such limitations present acute difficulties in guaranteeing
sound security within these networks. Similar to other wireless networks, WSNs are
prone to a number of security threats such as eavesdropping, data manipulation, and
node capture. However, the problems associated with securing these networks tend to
be more pronounced because of the manner in which WSNs are deployed and used.
In most cases, the sensor nodes are placed in areas that are sometimes inaccessible,
dangerous, or insecure, and the nodes work independently without having anyone
attend to them [2]. This unattended deployment raises the risk of people physically
tampering with the network hardware and of possible intrusion.
Moreover, because communication over the air link is unstable, these vulnerabilities
are critical and can hardly be addressed with normal network security means. Indeed,
security is one of the most pressing problems of wireless sensor networks, since the
nodes are always burdened by severe limitations in terms of power and memory, and
since traditional security solutions based on the analysis of signal waveforms
through complex algorithms seem to be useless in this context. As such, protection of
WSNs requires the creation of optimized lightweight security models that specifically
suit the system requirements of WSNs [3]. These protocols must be energy efficient
and stateless, and must be capable of offering adequate protection against different
types of attacks while supporting both the quality and the nature of the data being
transmitted within the network, bearing in mind the constraints inherent in such a
network.
The security of WSNs is a research challenge since these networks are prone
to security threats and are constantly used in military, healthcare, environmental
monitoring, and smart cities. WSNs are crucial to these applications but they have
critical security flaws that can jeopardize the data gathered and communicated in
the network [4]. As noted above, these networks have several deficiencies, and the
use of an intrusion detection system (IDS) is known to be one of the most effective
ways of combating them; the IDS is a second line of defense in the security
architecture of these networks.
Unlike more conventional security means, which are employed to prevent attacks, an
IDS is used to police the network, or at least to identify attacks that are occurring
or have already occurred, and is thus very important in establishing and maintaining
the security status of the network. Intrusion detection in WSNs, however, raises
several issues that differentiate it from intrusion detection in wired networks or in
other types of wireless networks that do not have energy constraints. An IDS for WSNs
should be efficient because these networks have limitations: less processing power,
small memory, and restricted energy supply.
Conventional IDS methods that involve detailed calculations and constant scanning are
not suitable for WSNs, as these may drain most of the energy of a sensor node and
even reduce the anticipated life span of the whole network [5]. Moreover, because
WSNs are distributed, with numerous sensor nodes spread over various geographic
locations and often working independently, it is difficult to deploy normal IDS
solutions, which are usually centralized in control and monitoring. In addition, the
kinds of attack and security risks that WSNs are susceptible to are dissimilar to,
and even more severe than, those of ordinary wired networks and other forms of
wireless networks. In WSNs, the enemy may gain physical control of the nodes,
capturing or replacing them, and thus perform inside attacks or inject inappropriate
data into the network.
In particular, WSNs are prone to denial of service (DoS) attacks, in which the power
resources of the sensor nodes can be quickly exhausted so that the network ceases to
function. Other kinds of attacks are sinkhole attacks, in which dishonest nodes lure
traffic to a sinkhole node in order to interfere with communications, and Sybil
attacks, in which a single hostile node pretends to exist with multiple identities
in order to mislead other nodes and disrupt the network. These specialized attacks
are beyond the scope of an ordinary IDS; the IDS should preferably be capable of
detecting the full spectrum of threats and be tailored to the working conditions in
WSNs.
Considering these limitations and problems [6], the design of an IDS for WSNs
requires new strategies that improve security significantly at a slight expense of
resources. Methods such as anomaly detection, whereby the IDS identifies hosts that
are not usual in the network, and signature-based detection, whereby the IDS
identifies unusual patterns of attack, must fit the constraints of WSNs. Moreover, an
IDS in WSNs needs to be distributed, with each node of the WSN cooperating with the
others to detect and handle security threats without putting a heavy load on the
network infrastructure. Thus, developing an effective IDS for WSNs remains a very
important and challenging task, but one that is crucial for building reliable WSNs in
critical applications. Current research in this area concerns the development of IDS
that are efficient and scalable, suitable for the requirements and limitations of a
WSN.
A wormhole attack is one of the most dangerous and difficult attacks to mitigate in
WSNs, since in this kind of attack the attacker is able to use the existing network
paths without modifying the integrity of the communication right through the network
topology. This type of attack can be very devastating since it does not require the
attacker to break the code directly, but rather to work around it to find a hole to
exploit; hence it is very hard to combat. In a wormhole attack, the attacker selects
two nodes within the network and then plants himself or herself in both nodes,
thereby creating a wormhole tunnel and performing data forwarding, control of
traffic, and information manipulation as genuine nodes within the network. Due to
this covert channel, the attacker is now a part of the actual network of the
legitimate organization, and can simply gain access to information that should not be
accessible to an outsider, and control traffic that is supposed to pass only through
legitimate nodes.
The potential danger that wormhole attacks pose is that they provide a fake routing
path that is actually shorter than the real path between the two nodes of the
network. This misleading path interferes with normal routing, in which the distance
between the nodes determines the channel through which the message is sent. When a
wormhole path is established, the routing algorithms of the network may think that
this path is the optimum one and use it more than any other path. As a result, data
packets are channeled through the wormhole tunnel, where they can be intercepted,
altered, or even deleted by the attacker.
This manipulation not only threatens the security of data; the functionality of the
network may also be impacted, resulting in delay, loss of data, and congestion of the
network. By creating a tunnel between two deliberately placed malicious nodes, the
attacker is capable of controlling a lot of traffic within the network. This subtlety
makes wormhole attacks relatively difficult to locate through traditional security
measures, most of which are designed to detect much more conspicuous types of network
disruption or intrusion.
The hidden way these assaults happen, along with their low demands for carrying
out the attack, is the reason they become one of the hardest network attack styles
to find and stop. That being said, persistent study on making WSNs more resistant
to wormhole attacks centers on making use of improved detection algorithms and
strong security protocols, which can efficiently locate and remove these dangers. It
provides the motivation for the proposed work based on the increasing demand for
improving security and dependability in WSNs.
On one hand, WSNs are applied in many sensitive and mission-critical applications;
on the other hand, they still remain vulnerable to very sophisticated attacks
like wormhole attacks, which deeply affect network integrity and data confidentiality.
The usual security methods are not good enough since the sensor nodes have limited
resources, like less processing ability, memory, and energy storage. Hence, the prime
objective of this work is to design a robust and efficient security system that would
fit WSNs. It should be able to detect and reduce wormhole attacks without imposing
much additional overhead on the network. The proposed work seeks to surmount
such weaknesses so as to guarantee safety and reliability of WSN operations, hence
making them applicable in places where security for one’s data is paramount.
2 Related Works
Wormhole attacks are very dangerous against Wireless Sensor Networks, as they create
the illusion of routing paths, misleading the network communication protocols. Over
the years, a lot of research has been conducted on developing techniques for the
detection and prevention of such attacks, with different degrees of success and
efficiency [7]. The authors introduced two different leashes: geographic and
temporal. Geographical leashes introduce location information to restrict the
distance that a packet may travel, hence reducing the possibility of creating a
wormhole. On the other hand, temporal leashes require strict timing constraints on
the transmission of packets; any packets that take a longer time than expected to
reach the destination are considered malicious. Again, such methods are effective but
require perfect synchrony and location awareness, which might be hard to achieve
every time, especially in resource-constrained WSNs.
If this measured time is far larger than it could possibly be for a legitimate path,
then there must be a wormhole. Although it has less resource overhead compared
to the packet leashes, it is inaccurate under environments with variable delays and
might not be able to detect those wormholes that do not significantly affect the RTT.
Graph-based methods have been used in wormhole detection. For example, when the
network is modeled as a graph, any path that grossly strays from the expected
topology or tends to raise abnormal graph structures, like loops or very short paths,
is considered suspicious for hosting a wormhole [8]. While these methods may be very
good in relatively stable topologies, in very dynamic scenarios they are typically
very bad at learning the network structure.
Interest in applying machine learning techniques for wormhole attack detection
has grown over the past couple of years. Methods proposed by Latha et al. [9] consider
using supervised learning models trained on features extracted from network traffic,
such as packet arrival times, node density, and hop counts. These methods are then
able to identify patterns indicative of wormhole attacks and hence provide flexible,
adaptive solutions. However, the effectiveness of such strategies depends to a very
great degree on how good and representative the training data is, and they can also
be computationally very expensive, which may limit their use in WSNs.
Prevention has also been investigated, with techniques aimed at making routing
protocols robust, and hence resistant to wormhole attacks, by design. In this
respect, for example, a location-based routing protocol that restricts route
selection to geographically logical paths has been proposed, so that the risk of
wormhole exploitation is low [10]. Another prevention strategy uses directional
antennas or multipath routing so that no single path is depended on, hence reducing
the impact of a wormhole attack.
Even with all these tremendous advances, wormhole attack detection and prevention in
WSNs has remained very challenging, all the more so in low-resource and highly
dynamic environments. As far as existing techniques are concerned, while quite
effective in some scenarios, they typically exact an
accuracy-versus-complexity-versus-resource-consumption trade-off. Because WSNs are
continuously evolving toward more integral applications, advanced and adaptive
solutions are urgently needed so that robust protection against wormhole attacks can
be realized without putting undue burdens on the resources of the network. Future
research would focus on hybrid approaches that combine the power of different
detection and prevention strategies, probably augmented by artificial intelligence
and distributed computing advancements in order to build even more resilient WSN
security frameworks.
This makes wormhole attack intrusion detection in the Internet of Things (IoT) an
imperative area of research, due to the huge and heterogeneous nature of the
challenges it brings. The IoT is typically composed of a large number of
interconnected devices that are able to communicate wirelessly with each other. These
devices vary from simple sensing devices to complex computing units. The randomly
deployed and largely intermittent nature of most of these networks makes them
extremely susceptible to many advanced attacks, such as wormhole attacks. By
performing a wormhole attack, an attacker can establish a low-latency link between
two remote points within the network [11], acting as a shortcut that interrupts
normal protocol routes and eventually allows some form of unauthorized interception
of data, traffic manipulation, or even network breakdown.
The conventional security measures fail to be effective because of the volume
and diversity in IoT environments. Specialized intrusion detection systems are hence
required in order to function with the peculiar characteristics of IoT networks. There
are several critical challenges that intrusion detection systems have to deal with in
wormhole attacks in IoT networks. Energy efficiency is the first challenge. Most IoT
devices have only a limited battery supply. This supply is easily strained, as the
monitoring and computation in traditional IDS mechanisms have to be continuous and
complex, quickly using up the devices’ resources and lowering their operational
lifespan at the cost of network reliability.
Hence, IoT intrusion detection methods have traditionally focused on lightweight
solutions that detect wormhole attacks effectively without causing a high
computational or energy overhead. These generally apply methods such as anomaly
detection, in which the IDS detects deviations from established patterns of behavior
in the monitored network traffic. However, since IoT networks are dynamic (that is,
devices may frequently join or leave the network) and communication patterns may
vary hugely depending on the type of application, it becomes very hard to pinpoint
what constitutes “normal”, which makes it difficult to identify anomalies
correctly.
Advanced techniques [12], such as machine learning and artificial intelligence, have
recently been resorted to by researchers in an effort to enhance the effectiveness of
IDSs in detecting wormhole attacks within IoT networks. Such approaches can dissect
voluminous data about network traffic in search of very minute patterns indicative of
wormhole attacks, which traditional rule-based systems would otherwise miss. In
particular, machine learning models trained with supervised learning can be fed
datasets containing normal and attack traffic to learn the features of wormhole
attacks [13]. However, there exist challenges in implementing machine learning-based
IDS in IoT networks. Because the majority of IoT devices have limited computational
resources, the models must be highly optimized. Most of the time, there is a need to
balance the accuracy of detection with the resource consumption of the IDS.
The other promising approach in the detection of wormhole attacks in IoT
networks involves the use of distributed detection mechanisms. Since the nature
of the IoT is such that devices are usually spread over wide areas and many devices
operate autonomously, in most cases centralized intrusion detection can be quite
impractical. Distributed IDS [14], where every device gets a say in the detection
process in such cases, could be more scalable and resilient. However, distributed
IDS should be implemented with some care so that it remains efficient and is not
overwhelmed with false alarms and extra communications on the network. Prevention of
wormhole attacks in IoT networks is also ensured through the development of robust
routing protocols, resistant to such attacks by design.
3 Proposed Method
The proposed work is built on an RF-based detection system for detecting wormhole
attacks, specifically in WSNs. Wormhole attacks pose a rather serious threat to WSNs
because, through deceptive routing paths, they can deceive the overall communication
of the network, thereby allowing unauthorized access to data, huge disruption of
communication, and sometimes a total collapse of the whole network [15]. Most
conventional detectors fail to detect these attacks adequately because WSNs have
constrained resources, including processing power, memory, and energy. The main
objective of this work is thus to propose a detection approach that detects wormhole
attacks while being suited to WSNs, without compromising the network performance and
energy consumption.
The Random Forest algorithm is ideal for this job because it can handle massive
data and is not very sensitive to overfitting, which is essential in the variable and
often noisy WSN environment. In this regard, the proposed RF-based detection system
works under the precept that a wormhole attack may alter numerous parameters, like
arrival time of packets, hop count, and node density. The RF algorithm is trained on
a data set containing normal and attack traffic so that it can distinguish normal
traffic of the network from traffic associated with wormhole attacks. Once trained,
the RF model can be used to monitor the traffic within the WSN and identify cases of
abnormal traffic that may indicate a wormhole.
One of the major contributions of this work is the process of fine-tuning the RF
model so that it can operate within the restricted framework of WSNs. RF is a strong
machine learning algorithm, but its conventional usage has a high computational
complexity, which creates problems in WSNs, as the nodes of these systems are
generally low on computational power. To counter this, the work proposed here
consists of the creation of a lightweight variant of the RF algorithm that has been
designed to work under low computational and memory demands but with the same level
of detection performance. This includes choosing a limited number of features that
contain the greatest amount of information, the selection of a limited number of
trees, and the improvement of the decision-making in every tree. In this way, the RF
model can function effectively in the SNs, and the wormhole attack can be detected in
real time while preserving the energy of the network and its performance.
The last and, perhaps, the most important contribution of this work is the ability
to integrate the RF-based detection system with the existing network infrastructure
with relatively low interference. The detection system has to be easily deployable,
meaning that one does not have to change the routing algorithm of the network or the
way its nodes communicate. This will also guarantee that the integration of the
RF-based detection system does not bring about changes that will lead to new
vulnerabilities or changes in the network behavior.
The proposed RF-based detection system also includes mechanisms for adaptive
learning, through which it will further update and fine-tune its detection model
with time. Since a WSN normally operates in a dynamic environment where the network
conditions and attack vectors keep changing, the detection system itself must evolve
with new threats and variations in the behavior of a network. In a nutshell, the
RF-based wormhole attack detection system proposed in this work is a breakthrough in
securing WSNs against one of the most complex and harmful kinds of cyber-attacks.
The approach draws on the power of the Random Forest algorithm and, moreover, is
optimized with regard to the unique constraints of WSNs to provide a strong,
effective, and scalable solution for wormhole attack detection and mitigation. This
work is mainly aimed at providing a reliable security mechanism for the enhancement
of WSNs while maintaining their operational efficiency. Contributions of the work
include the design of a lightweight RF model tailored for WSNs, ease of integration
of the detection system with already set infrastructure of the network, and addition
of adaptive learning to ensure its continued protection against evolving threats. The
innovations that will be proposed will largely enhance the security and reliability of
WSNs against wormhole attacks and other cyber threats.
As shown in Fig. 1, this work comprises several important phases. The essential aim
of the work carried out in these phases is to totally eliminate wormhole attacks that
may exist in a WSN while working under certain limitations. The stages in the system
are data collection and preparation, feature selection, model updating, detection,
decision, and system learning. All the stages aim at making the RF-based detection
system reliable and effective, providing a strong line of security while keeping the
use of network capacity and power to a minimum.
Fig. 1 Flow of the proposed RF-based wormhole attack detection system
3.1 Data Collection
Data acquisition is the initial phase in the RF-based wormhole detection system. It
entails monitoring both the traffic within the network and the behavior of nodes in
order to gather and analyze the data that will be used in training as well as running
the RF model. In a WSN, the sensor nodes send data packets along different paths to
reach the destination node, which is often the base station or sink. Some of the
factors that may be logged include packet arrival time, number of hops, ID of the
node, signal strength, and routing path. This stream of data is significant because
it captures both normal and anomalous behavior and is therefore useful in the
detection of wormhole attacks. Some networks, particularly those with limited
resources, are designed to collect only the most critical data, in a way that does
not affect the network’s nodes and their energy consumption.
3.2 Feature Selection
The next stage after data collection is feature selection, in which relevant or
informative attributes, or ‘features’, of the network traffic data are determined.
Feature selection is very important in WSNs since it determines the capability of the
RF model. The aim here is to establish a set of features that correlate best with
wormhole attacks, for instance instability in the hop counts, a sudden increase in
signal strength between different nodes, or geographical disparities between nodes.
By concentrating on these features, the RF model can run more effectively, decrease
the computational load on the sensor nodes, and eventually enhance the detection
ratio. The selected features are fed into the RF model during the training as well
as during the detection stage.
3.3 Model Training
The model training stage is the process in which the RF model is built using the
computed features. In this stage, the model learns by being fed two sets of data:
normal network traffic and wormhole attack traffic. During training, each decision
tree in the RF model takes training data as input and makes a decision on the
selected features; the trees then vote to determine whether the observed behavior is
normal or a wormhole attack. The training process includes tuning the parameters of
the constructed RF model, for example, the number of trees and the depth of a tree.
The outcome is a high-powered detection algorithm which, having been trained to
identify wormhole attack patterns, will be able to detect such an attack.
3.4 Detection
Once training is complete, the RF model is employed in the WSN in the detection
stage. In this stage, the RF model continuously monitors network traffic in real
time, analyzing the data using the decision trees built in the previous stage in the
hunt for any worrisome signs of a wormhole attack. When network traffic goes through
the system, the RF model examines the selected features, and each of the decision
trees decides whether the traffic is normal or has malicious potential. The final
decision is made by majority vote across the trees, depending on the kind of problem
being solved. This real-time detection is paramount in WSNs because a wormhole attack
can happen at any time and can cripple the WSN within a very short span of time.
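
An added example, not taken from the paper: the pipeline of Sects. 3.2 to 3.4 reduced to a small random forest in pure Python (three features, seven depth-3 trees, bootstrap sampling, majority vote), scored with the metrics used in Sect. 4. The feature names, their distributions, the tree count and depth, and the traffic records themselves are assumptions constructed for illustration, not the authors' dataset or parameters.

```python
import random
from collections import Counter

# Assumed feature order; names and distributions are constructed for this example.
FEATURES = ["hop_count", "inter_arrival_ms", "rssi_dbm"]

def make_samples(n, rng):
    """Constructed synthetic traffic records: label 1 = wormhole, 0 = normal."""
    rows = []
    for _ in range(n):
        if rng.random() < 0.3:  # tunnelled route: few hops, extra delay, strong signal
            x = [max(1, round(rng.gauss(2.5, 0.8))), rng.gauss(35, 8), rng.gauss(-62, 6)]
            rows.append((x, 1))
        else:
            x = [max(1, round(rng.gauss(6, 1.5))), rng.gauss(12, 4), rng.gauss(-75, 6)]
            rows.append((x, 0))
    return rows

def gini(labels):
    """Gini impurity of a list of 0/1 labels."""
    if not labels:
        return 0.0
    p = sum(labels) / len(labels)
    return 2 * p * (1 - p)

def best_split(rows, feat_ids):
    """Best (impurity, feature, threshold) over the candidate features, or None."""
    best = None
    for f in feat_ids:
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [y for x, y in rows if x[f] <= thr]
            right = [y for x, y in rows if x[f] > thr]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, thr)
    return best

def build_tree(rows, depth, n_feats, rng):
    """Depth-limited tree: a leaf is a class label, an inner node a 4-tuple."""
    labels = [y for _, y in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if depth == 0 or gini(labels) == 0.0:
        return majority
    # A random feature subset per split keeps the trees decorrelated and cheap.
    split = best_split(rows, rng.sample(range(len(FEATURES)), n_feats))
    if split is None:
        return majority
    _, f, thr = split
    left = [r for r in rows if r[0][f] <= thr]
    right = [r for r in rows if r[0][f] > thr]
    return (f, thr, build_tree(left, depth - 1, n_feats, rng),
            build_tree(right, depth - 1, n_feats, rng))

def tree_predict(node, x):
    """Walk one tree from the root to a leaf and return the leaf's label."""
    while isinstance(node, tuple):
        f, thr, left, right = node
        node = left if x[f] <= thr else right
    return node

def train_forest(rows, n_trees=7, max_depth=3, n_feats=2, seed=1):
    """Few shallow trees, each grown on a bootstrap sample of the training rows."""
    rng = random.Random(seed)
    return [build_tree([rng.choice(rows) for _ in rows], max_depth, n_feats, rng)
            for _ in range(n_trees)]

def forest_predict(forest, x):
    """Majority vote over the trees: 1 = wormhole, 0 = normal."""
    return Counter(tree_predict(t, x) for t in forest).most_common(1)[0][0]

def evaluate(forest, rows):
    """Accuracy, precision, recall, F1 and false positive rate on labelled rows."""
    c = Counter((forest_predict(forest, x), y) for x, y in rows)  # (pred, truth)
    tp, fp, fn, tn = c[(1, 1)], c[(1, 0)], c[(0, 1)], c[(0, 0)]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(rows), "precision": precision,
            "recall": recall, "f1": f1, "fpr": fp / (fp + tn) if fp + tn else 0.0}

def demo():
    """Train on 240 constructed records, score on 120 held-out ones."""
    rng = random.Random(42)
    train, test = make_samples(240, rng), make_samples(120, rng)
    forest = train_forest(train)
    return forest, evaluate(forest, test)

if __name__ == "__main__":
    _, metrics = demo()
    for name, value in metrics.items():
        print(f"{name}: {value:.3f}")
```

Reducing `n_trees`, `max_depth` or the feature list is the lightweight trade-off Sect. 3 describes; rerunning `evaluate` shows what each reduction costs in recall and false positive rate.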
3.5 Decision-Making and Response
After the RF model indicates a wormhole attack, the subsequent step is to make a
decision and act accordingly. In this stage, it is essential to find the right course
of action to counter the threat that was identified at the previous stage. In WSNs
this implies redirecting the flow of data packets around the interfering nodes,
containing or eliminating the wormhole, and bringing the incident to the attention of
the network managers. The decision-making process may also encompass activating other
security measures on the network or raising the level of supervision and vigilance on
the affected parts of the network. The response has to be quick and effective to
reduce the consequences of the attack on the work of the network and to ensure that
the network continues to operate.
3.6 System Adaptation
The last of the steps deployed in the RF-based wormhole attack detection system is
system adaptation, which makes the detection system constant. Since WSNs are deployed
in highly dynamic networks, which are subject to constant changes in the network
structure, traffic intensity, and attack methodologies, the RF model is best used in
a dynamic fashion, that is, updated periodically. System adaptation entails
retraining the RF model with new data gathered from the network so that it adapts to
the new features of normal and attacker traffic patterns. It may also involve
fine-tuning the selection of features used in the model or tweaking the parameters of
the RF model for efficiency.
4 Results and Discussion
Figure 2 depicts the detection accuracy of each of the machine learning techniques.
Detection accuracy is defined as the ratio of the total number of instances
classified correctly, normal traffic as well as attacks, to the total number of
instances. The detection accuracy of the proposed RF model is as high as 98.5%,
showing that the proposed system performs better than the existing techniques at
classifying network traffic correctly. The Support Vector Machine (SVM) and Neural
Network (NN) models follow with 96.7% and 97.1%, which is remarkably good but
slightly below that of the RF model. The Decision Tree (DT), K-Nearest Neighbors
(KNN), and Naïve Bayes (NB) models displayed lower detection accuracy, with KNN at
95.4%, DT at 94.8%, and NB at 92.3%, meaning they are less accurate in identifying
wormhole attacks.
[Figure 2: bar chart, Detection Accuracy (%): SVM 96.7, KNN 95.4, DT 94.8, NB 92.3, NN 97.1, Proposed 98.5]
Fig. 2 Comparison with existing machine learning techniques based on detection accuracy
Figure 3 depicts the precision of each technique, where precision is the ratio of
correctly identified attacks to the total number of instances the model identified as
attacks. The RF model leads with a precision of 97.8%, which proves the high efficiency
of the algorithm in wormhole attack detection while minimizing the number of false
alarms. Next is the SVM model with 96.0%, which signifies good classification
performance and a slightly higher FPR compared to RF. The precision results are a bit
lower for the KNN and NN models, at 94.7% and 96.5%, respectively. The DT model has a
precision of 93.7%, while NB has the lowest precision, primarily due to an increased
chance of type II errors.
Figure 4 depicts the capability of each technique to detect all the actual wormhole
attacks, that is, its recall. High recall indicates that the model identifies most of
the actual attacks. The RF model once more performs well, with a recall of 98.2% of
the actual wormhole attacks; the algorithm is therefore efficient in identifying most
of the wormhole attacks.
The F1-Score, which takes both precision and recall into consideration, is depicted in
Fig. 5. The highest F1-Score, 98.0%, is achieved by the RF model, reflecting an almost
equal balance between precision and recall. The NN model follows with an F1-Score of
96.6%, while the F1-Score of the SVM is 95.9%. The F1-Scores of the KNN and DT models
are somewhat lower, at 94.6% and 94.0%, respectively.
[Figure 3: bar chart, Precision (%): SVM 96, KNN 94.7, DT 93.9, NB 91.5, NN 96.5, Proposed 97.8]
Fig. 3 Comparison with existing machine learning techniques based on precision
[Figure 4: bar chart, Recall (%): SVM 95.8, KNN 94.5, DT 94.2, NB 91, NN 96.7, Proposed 98.2]
Fig. 4 Comparison with existing machine learning techniques based on recall
[Figure 5: bar chart, F1-score (%): SVM 95.9, KNN 94.6, DT 94, NB 91.2, NN 96.6, Proposed 98]
Fig. 5 Comparison with existing machine learning techniques based on F1-score
The False Positive Rate (FPR) is illustrated in Fig. 6; it represents the proportion
of normal traffic instances that have been identified as wormhole attacks. The proposed
RF model records the lowest FPR among all techniques analyzed here, at 1.2%. SVM has a
slightly higher FPR of 3.1%, and NN has an FPR of 2.8%. The FPR is higher for KNN, at
4.2%, although its overall performance appears to be almost as good as that of the
other algorithms. DT has an FPR of 5.0%. The FPR levels of the different techniques
range from 1 to 7%; NB has the highest FPR at 7.5% and therefore produces the most
false positives, which disrupt the normal running of the network.
[Figure 6: bar chart, FPR (%): SVM 3.1, KNN 4.2, DT 5, NB 7.5, NN 2.8, Proposed 1.2]
Fig. 6 Comparison with existing machine learning techniques based on FPR
5 Conclusion
In this paper, an RF-based approach is established to detect wormhole attacks in WSNs,
since the existing security mechanisms have major setbacks in these environments. The
RF model is evaluated on detection accuracy, precision, recall, F1-Score, and FPR,
since these are important in preserving the reliability and effectiveness of WSNs. The
presented RF-based detection system exhibited remarkable performance in detecting
wormhole attacks, yielding an average detection rate of 98.5%, a precision of 97.8%,
and an overall recall of 98.2%. These metrics speak for the high level of accuracy of
the model in correctly identifying traffic types and minimizing false alarms as well
as false negatives. Hence, when compared with other machine learning techniques such as
SVM, KNN, DT, NB, and NN, the proposed RF model performed significantly better on the
key performance metrics. Although other models such as SVM and NN also classify with
high accuracy, RF stands out for its accuracy, precision, and FPR in the context of
WSNs and their limitations and demands. The fact that the computational complexity of
RF is relatively lower than that of SVM and NN makes it ideal for implementation in
WSNs, which are characteristically constrained in the resources necessary for their
optimal operation. Leveraging the strengths of the RF algorithm, the proposed system
provides a sound way to tackle the significant issue of wormhole attacks and to
protect the network and the continued functioning of the sensor networks. As a
potential line of future work, the RF model can be refined further with regard to its
parameters and its ability to integrate with a wider array of other security
mechanisms, so that it can function in a more varied range of networks.
References
1. Zhang K (2023) A wormhole attack detection method for tactical wireless sensor networks.
Peer J C omput Sci 9:e1449
2. Garg R, Gulati T, Kumar S (2023) Wormhole attack detection and recovery for secure range free
localization in large-scale wireless sensor networks. Peer-to-Peer Netw Appl 16:2833–2849
3. Garg R, Gulati T (2023) Issues and challenges of wormhole attack detection for secure
localization in WSNs. Int Conf Adv Comput Comput Technol InCACCT 2023:628–633
4. Garg R, Gulati T, Kumar S (2023) Range free localization in WSN against wormhole attack
using Farkas’ Lemma. Wireless Netw 29:2029–2043
5. Dhama P, Prashanth K (2023) Genetic algorithm-based wormhole attack detection in WSN.
Int J Sci Res Arch 9:795–802
6. Shanmugaraja P, Bhardwaj M, Mehbodniya A, Vali S, Reddy PCS (2023) An efficient clustered
M-path sinkhole attack detection (MSAD) algorithm for wireless sensor networks, Adhoc
Sensor Wireless Netw, vol 55
476 S. Konatam et al.
7. Javed S, Sajid A, Kiren T, Khan IU, Dewi C, Cauteruccio F et al (2023) A subjective logical
framework-based trust model for wormhole attack detection and mitigation in low-power and
Lossy (RPL) IoT-networks. Information 14:478
8. Shrivastava S, Johari PK (2022) Analysis of wormhole attack detection in customized Ad hoc
network. Proceed Int Conf Data Sci Appl ICDSA 1(2023):831–842
9. Latha DJ, Rameswaran N, Bharathraj M, Raj RV (2023) Prevention of wormhole attack using
mobile secure neighbour discovery protocol in wireless sensor networks, IoT Based control
networks and intelligent systems: proceedings of 4th ICICNIS 2023, Vol 789, p 215
10. Bashir M, Tahir S, Almufareh MF, Hamid B, Qamar F (2023) Wormhole attack detection
technques in MANET, in. Int Conf Bus Anal Technol Secur (ICBATS) 2023:1–7
11. Schweitzer N, Dvir A, Stulman A (2023) Network wormhole attacks without a traditional
wormhole. Ad Hoc Netw 151:103286
12. Amirthayogam G, Kumaran N, Gopalakrishnan S, Brito KA, RaviChand S, Choubey SB (2024)
Integrating behavioral analytics and intrusion detection systems to protect critical infrastructure
and smart cities. Babylonian J Netw 2024:88–97
13. Ezhilarasi M, Gnanaprasanambikai L, Kousalya A, Shanmugapriya M (2023) A novel imple-
mentation of routing attack detection scheme by using fuzzy and feed-forward neural networks.
Soft Comput 27:4157–4168
14. Sheela MS, Suganthi R, Gopalakrishnan S, Karthikeyan T, Jyothi KJ, Ramamoorthy K (2024)
Secure routing and reliable packets transmission in MANET using fast recursive transfer
algorithm. Babylonian J Netw 2024:78–87
15. Sheela MS, Gopalakrishnan S, Begum IP, Hephzipah JJ, Gopianand M, Harika D (2024)
Enhancing energy efficiency with smart building energy management system using machine
learning and IOT. Babylonian J Mach Learn 2024:80–88