Wireless sensor network security: A recent review based on state-of-the-art works

Jamming attacks

The radiofrequency of an attacker node interferes with the other legitimate nodes when the former launches a successful jamming attack on the latter. ⁷¹ The primary purpose of the jamming assault is to prevent valid nodes from communicating with low energy. Jamming assaults take advantage of the common structure of wireless networks to interfere with transmission by dropping the Signal to Noise Ratio (SNR). Santoro et al., 2017 ⁷² had made a distinction between two aspects of jamming assaults: physical jamming and virtual jamming. Physical jamming is typically attempted through the use of radio signals, whereas virtual jamming is usually executed and carried out by using request to send (RTS) and clear to send (CTS) signals. Del-Valle-Soto et al., 2019 ⁷³ propose Connected Mechanism and Extended Mechanism as two novel jamming detection techniques that can detect reactive jamming. The first is based on data from performance metrics obtained from nodes that are directly linked. While the second technique, a collector node has access to all of the network’s performance characteristics and can compare them. The results demonstrate that when using a proactive protocol such as MPH (Multi-Parent Hierarchical) in comparison to well-known reactive protocols such as AODV (ad hoc distance vector) and DSR, the first method has enhanced performance by 78% and the second method has enhanced performance by 86% in identifying the region impacted by an intervention node (dynamic origin routing).

Bengag et al., 2020 ⁷⁴ developed a new IDS method to identify jamming assaults in WBAN based on four critical metrics of the network: packet delivery ratio (PDR), energy consumption (ECA), signal strength indication received (RSSI) and bad packet ratios (BPR). As a first step, they presume that the WBAN system is in good working order, with no jamming or other issues. The network thresholds are then established for each sensor medical based on the parameters PDRth, ECAth, BPRth, and RSSIth. The starting parameters (PDRth, ECAth, BPRth, and RSSIth) are then contrasted with the present values to see whether there are any abnormalities in the WBAN. One of the parameters crossing the network threshold will trigger an alert for declaring the presence of a jammer node. Three forms of jamming assaults namely constant, deceptive, and reactionary are classified. The simulation for the suggested technique was carried out in two primary situations: one with jamming and the other without jamming, using the prominent WBAN simulator tools OMNET++ and Castalia. The result inductees that the utilized parameters have favourable benefits in detecting the existence of jamming with lower false alarms. However, this technology requires more development to make it more robust, as well as to optimize performance for detection and minimize false alarms.

Dell Valle Soto al., 2021 ⁷⁵ proposed a simple jamming detection system technique that uses a strategy to find sections of damaged nodes where energy is limited. The detection technique is evaluated by using four known clusters of protocols: PEGASIS (Power-Efficient Gathering in Sensor Information Systems), TEEN (Threshold-sensitive Energy Efficient), LEACH (Low Energy Adaptive Clustering Hierarchy), and HPAR (Hierarchical Power-aware Routing). These protocols are evaluated in Zigbee and LoRa, two well-known and widely used wireless technologies. Experiments are conducted on an actual network in a section of a college in Guadalajara, Mexico, and the identification method used is examined. The findings demonstrated the method’s ability to identify nodes displaying unusual activity. In these regions, PEGASIS has a 92% accuracy, TEEN has an 86% accuracy, LEACH has a 70% accuracy, and HPAR has a 61% accuracy. This accuracy aids in the identification of a potential jamming assault. For each wireless technology, they employ six sensors, as well as a controller node and a Cluster Head. According to findings, implementing the detection techniques in LoRa consumes 16% more electricity than in Zigbee. This is probably primarily caused by the fact that LoRa requires 7% more operations and updates to the nodes' route tables. The performance assessments of the nodes allow LoRa to send an indicator of a potential area of the damaged node more quickly.

Node tampering attack

In a tampering attack, the attacker can reconfigure a valid node to make it a compromised node. The adversary has access to sensitive data from the sensor node, such as security keys and data. Da-Wen Huang et al., 2021 ⁷⁶ propose an algorithm for hybrid diagnosis to detect attacks on dynamic WSNs. The suggested hybrid diagnostic method involves three stages: data comparison, distributed diagnosis, and global diagnosis. In the phase of distributed diagnostics, a general polling mechanism and a multi-round diagnosis technique are implemented. The authors offer a global diagnostic phase to alleviate the problem of the phase, which may result in inconsistent diagnosis outcomes across various sensor nodes. When used for the diagnosis of sparse networks, the technique suggested in this study, like many defects diagnostic systems have a high rate of false alarm (0.2–0.8). By appropriately setting the threshold values, the suggested method may achieve high accuracy [96% ± 0.02] since maintaining a low false alarm rate by raising the fraction of affected sensor nodes p and reducing the mean node grade of the WSN. The algorithm suggested in this paper is the high rate of false alarms when used to diagnose small networks. The method should be modified to operate with several types of networks, like mobile WSNs and mobile ad hoc networks. Several ways of improving the predictive efficiency of sparse networks must be provided.

Collision attacks

A collision assault occurs when two nodes broadcast data simultaneously and at the same frequency. It retransmits the collided packets after a packet collision. ⁷⁰ An attacker purposefully collides with certain packets, such as control packets, resulting in a massive back-off exponential. By violating the limitations of the network protocols and delivering messages indefinitely, an attacker induces a conflict.

Denial of sleep attack

An assault known as "denial of sleep" restricts the node’s ability to rest and increases the power required for data transmission and reception by sensor nodes. Wireless sensor networks’s MAC protocols keep the node in sleep mode if there is no data to send. The attacker trying to prevent sleep is transmitting messages to the genuine node all the time. Therefore, increasing node ECA. Fotohi et al., 2020 ⁷⁷ suggested two methods proposed ASDARSA (Abnormal Sensor Detection Accuracy) schema to safeguard the network from denial of sleep attacks and for decreasing energy usage by defeating denial of sleep. In ASDARSA, in order to reduce power consumption and improve network lifetime, a clustering technique based on power and range is used to choose the ideal cluster head. According to simulation studies, ASDARSA was incredibly resilient to attacks that denied sleep. In terms of average throughput (more than 29.5%), PDR (more than 16.33%), network lifetime (more than 27.16%), detection accuracy (more than 18.5%), and mean residual power (more than 16.5%), it outperforms current methods. In this work, they developed a solution for decreasing energy usage by preventing denial of sleep assaults using encryption and authentication. All sinks were fixed in the suggested technique, and that causes nodes to be near the sink to operate as the cluster head or as a middleman for the flow of data from other nodes to the source. As a result, the energy of these nodes is rapidly depleted, resulting in a shorter network lifetime.

Mohd et al., 2020 ⁷⁸ implement IDS to detect denial of sleep attacks via support vector machine learning in WSN. In this method, feature rating and cutting are important. The SVM performance analysis parameters include Overall Classification Accuracy (OCA), Overall Training Time (OTT), and Overall Testing Time (OTST). Following that, each feature may be classified as "significant (S)," "moderate (M)," and "trivial (T)." After utilising the Feature Selection method, a set of 19 features has been executed, and a secondary feature set of seven expressive features is chosen. Those extracted features are further examined by applying a supplied set of rules in an approach for the identification of sleep assaults in WSN. The result for Linear Kernel function OCA (87.30%), PPV(89.40%) and TPR(91.40%), while for radial Kernel function OCA (90.80%), PPV(89.50%) and TPR(97.49%) and finally for Sigmoid Kernel function OCA (65.23%), PPV(65.23%) and TPR(97.21%).

Fotohi and Firoozi, 2020 ⁷⁹ a hybrid strategy involving the mobility sink and the Firefly approach depending on LEACH and the Hopfield neural network was suggested in this research WSN-FAHN (WSN firefly algorithm Hopfield neural networks). Mobile sinks are utilised to decrease power consumption and increase network lifespan. To prevent sleep deprivation assaults, the Firefly approach was created, which clusters nodes and uses two levels of authentication. In order to give CH data, the Hopfield neural network also recognises the sink movement’s straight path. While all nodes that broadcast synchronisation messages should be checked before the messages are accepted if they are not already, the suggested technique successfully prevents DoSL attacks (it is a type of denial-of-service attack that prevents sensor nodes operated by batteries from entering into the sleep state). Their results showed that the WSN-FAHN model can provide excellent rates of safety and detection rate (93.92%). Furthermore, when compared to the other ways already in use, the suggested model has a higher PDR (over 91.52%), higher throughput (over 90.75%), higher average residual power (over 91.125%), and a high network lifespan (over 89.95%). It is recommended to use several mobile sinks to minimise energy usage in WSNs.

Exhaustion attack

An exhaustion assault repeats collision attacks until all of the nodes' energy is depleted. In other words, resource exhaustion attacks require establishing routing loops and extending the route during packet transfers to deplete the energy of the nodes. ⁸⁰ Hussain et al., 2019 ⁸¹ developed an IDS to recognize many forms of intruder assaults on WSN MAC protocols. A soft decision method has been built to identify Exhaustion and intrusions assaults. In addition, a preventive mechanism has been included to assist a node in avoiding these invasive attacks. In the intrusion detection section, they picked the following statistics as intrusion indicators: Collision Ratio (Rc) is specified as the measurement of a node’s collision duration in seconds. The probability that an information packet will be successfully transmitted is determined by the proportion of successful data packet transmissions to all information packets communicated. RTS packet arrival ratio (RRTS) is a measure of how many RTS packets are safely received by a node per second. They gathered all of the data and calculated the chance of an intrusion. After that, input the values of the RTS counts information packet arriving rate into the soft function to get the value of exhaustion. The threshold is divided by the probability of failure, multiplied by the probability of depletion. The assault has been found if the quantity surpasses the cutoff; else, there was no attack. They set the bar for their results higher than the likelihood of success. Individually, the likelihood of success is added to the probability of contact. The likelihood of success is multiplied by the probability of collision detection, and the outcome is contrasted with the threshold. After that, a threshold is determined, and summation results are compared to it.

Hristozov et al., 2020^82–84 presented a system that combines rate limiting and lightweight authentication with the help of a trustworthy backend. They use the rate limiting to fix the problems of battery fatigue assaults by obtaining capabilities at low levels within normally less active operating hours. They presented two rate techniques limiting – Leaky Bucket and EWMA (Exponentially Weighted Moving Average). They also suggest and formalize two authentication methods that are suited for a variety of frequently used IoT network topologies. Even if providers are experiencing battery fatigue, the mechanisms ensure that service is available to innocent requesters.

They used the ProVerif verifier Blanchet et al., 2019^85–87 for formal verification and made their verification models accessible online. Their solution may be applied in a battery-powered limited device in an energy-efficient manner, significantly lowering the attack surface for battery exhaustion. The simulation demonstrates that the accuracy rate varies from 86 to 99%, with an average false alert rate of 15%, while the percentage of attackers is between 5 and 15%. Additionally, it requires some time to get a ratio of 100% accuracy and a 0% false-positive ratio.

Premkumar and Sundararajan, 2020 ⁸⁸ suggested DLDM frame structure protects the network from DoS attacks in this article. An attacker is detected on a homogenous network based on clusters using a Deep Learning-based Defense Mechanism (DLDM). In light of the requirements for received signal intensity, packets processed per second, packet reception latency, the information modified, the information forwarded, and decreasing ratios for node activity, they are categorised as being benign or malicious by their DLDM method. If the node is determined to be malicious, it is going to be placed on the block table. The creation of a reliable network can lower the amount of power used by computer resources, such as bandwidth, processing speed, and battery. The key advantage of the approaches proposed is the right selection of routing protocols will generally extend the sensor’s lifespan. During interventions, the CH and base station include an impact on the sensor node’s power usage. By blocking various forms of assaults on CHs and base stations, the network may be improved over time.

Noorwali et al., 2021 ⁸⁹ proposed an adversary detection technique for the IEEE 802.15.4 standard, which is a central medium access protocol utilized in WSN-based IoT applications. A soft-decision-based method is employed to detect collisions and fatigue attacks by determining collisions and effectively transmitting probabilities using the soft function scale. The scaled values are compared to the threshold value. An assault is detected if the total value exceeds the threshold value; otherwise, no attack is detected. The chance of exhaustion and the probability of successful transmission is used to identify malicious exhaustion attempts. If the amount exceeds the threshold, an assault is detected; otherwise, no attack is detected. If the intruder detection method fails to identify the adversary’s involvement and the system still perceives a breach of QoS, the coordinator’s duty cycle must be changed to achieve the QoS specifications. Using this technique, the administrator can alter their duty schedule to meet QoS requirements. The active period grows as the node count rises and more data requests are needed. According to this, the active period has to be shortened when a network has less data. The IEEE 802.15.4 standard does not address duty cycle modification in response to QoS requirements. This method enables the coordinator to modify its duty cycle to suit the network’s QoS requirements. The technique increases data transfer by increasing performance and decreasing collisions. The technique enables the coordinator to evaluate QoS during the previous and make necessary modifications in the subsequent. The data that the coordinator will need to receive is projected to be half of its full capacity.

Unfairness attack

Unfairness is a vulnerable type of DoS attack. ⁷⁰ This attack leads to the needless delay of WSN effectiveness using MAC protocols.

Blackhole attack

The adversary node in a blackhole assault reveals the smallest pathway between the source and destination nodes. As a result, the source node is tricked into sending data to the target node through the attacker node. Instead of sending the packets, the attacker node receives from the source node to the target node, it drops them.

Kalkha et al., 2019 ⁹¹ has devised a Black Hole attack and offered a protection mechanism for the AODV (Ad-hoc On-demand Distance Vector) routing protocol via WSN. They employ a preventative strategy that takes the fastest routes between a sender and a recipient. The suggested approach presupposes that neither the supplier nor the destination is malicious or hacked, and then it suggests that the process of identifying a malicious pathway be included in the path development step of AODV routing protocols. The use of a tree main stage can ensure the prevention of a black hole assault. The topology of the network is marked in the first stage by the deployment of nodes. Then, in the second step, the system uses Yen’s algorithm ⁹² to determine the four direct routes between the two points. The value of every path is considered as the HMM (Hidden Markov Model) state of their method as the black hole attack uses the fastest path among supplier and recipient as a parameter in its network assault. A Viterbi algorithm ⁹³ is employed in the decisive step to finding the path with the greatest risk of being harmful. This algorithm’s packet data ratio (PDR) is approximately 19% under assault, whereas end-to-end delivery is between 80–85%. All packets of data are taken by the black hole nodes, which purposefully drop packets. As a result, all nodes along the defined path are packet dropped and examined to identify the hostile node, preventing any further routing pathways from avoiding it.

Clement et al., 2020 ⁹⁴ proposed an algorithm to detect a Black-Holes Attack on the healthcare network of wireless sensors utilising a powerful machine learning method called PICA (Projected Independent Component Analysis). The PICA is a technology that has been successfully implemented in WSN to improve intrusion detection. The PICA method optimises memory as well as ECA. As the scale of the black hole attack increases, the WSN’s performance significantly degrades. As a consequence, principal component analysis is performed to discover the black hole node based on their behaviour analysis. Mutual information, according to the independence assumption, is a measure of the inherent reliance manifested in the mutual distribution of sensor nodes. Mutual information (MI) is a measurement of the mutual reliance between node behaviours in a WSN, such as packet reception capabilities, collaboration, and trust level, among other things. When compared to the current Channel-aware Reputation System with adaptive detection threshold (CRS-A) and Hybrid Intrusion Detection System (HIDS), the suggested PICA approach enhances BHADR (Black Hole Attack Detection Rate) by 7% and 18%, respectively. As a result, the suggested PICA approach reduces BHADT (Black Hole Attack Detection Time) by 29% in WSN when compared to CRS-A and 38% in the HIDS model. The PICA methodology improves the previous CRS-A and HIDS model methods, with FPR (False Positive Rate) decreasing by 37% and 27%, respectively. The PDR has been enhanced by 12 and 22%, respectively, over the prior CRS-A and HIDS versions.

Ifzarne et al., 2021 ⁹⁵ aim to create an intrusion detection model that is consistent with WSN’s properties. The IDS was developed as a machine learning technique which successfully classifies real-time detection data from several devices by utilising a trainable algorithm. Crammer et al., 2006 ⁹⁶ introduced the Online Passive-Aggressive Algorithm (PA), which is a category of algorithms for online education (for both classification and regression). It may be viewed as the online equivalent of a support vector machine classifier. The idea is straightforward, and they have outperformed several different approaches, such as the Online Perceptron and the Margin-infused Relaxed Algorithm (MIRA) method. The PA classifier searches for hyper-planes which will divide the instance in half while learning from streaming input. A WSN intrusion identification methodology called ID-GOPA is based on an online passive-aggressive methodology and information gain rate. The main goal of the proposed methodology is to utilise online classifiers for network streaming data. The online categorizer PA trains the model to be more familiar with and learnable about current network actions, while filtered and labelled knowledge recordings are provided to construct a trainable model that can be assessed online. In the online phase, the same superior engine is utilised to choose just the suitable characteristic using the data gain rate approach and identify every packet as likely normal or attacked in real-time detection. The suggested model, ID-GOPA, has a 96% detection accuracy in assessing if the network is stable or under assault. The detection accuracy for scheduled, grayhole, flooding, and blackhole assaults is 86%, 68%, 63%, and 46%, correspondingly, as compared to 99% of normal traffic. Their findings imply how an online learning strategy can offer robust anomaly detection for the WSN.

Alruhaily and Ibrahim, 2021 ⁹⁷ offer a multi-layer architecture for intrusion detection in WSNs which improve network security. The sensors are placed in the initial layer, which is at the periphery of the network, and the next layer is at the centre of the network. They used the Naive Bayes method, which is straightforward and efficient in terms of computing, as the classifier’s core. The initial layer will categorise observed data as being either normal or harmful, which has no further details on attack patterns. However, because the intermediate detection layer is located in the cloud and exclusively processes anomalous activity, it will have fewer resource constraints, allowing further complicated techniques and in-depth examination. As a consequence, harmful traffic was confirmed using the Random Forest (RF) with a multi-class classifier. The classification model was utilised to determine the type of attempted assault and provide recommendations for choosing an appropriate defence mechanism. The findings demonstrate that their suggested multi-layer protection approach increased TPR, TNR, FPR, and FNR values while also attaining a high accuracy rate, with values of 100%, 90.4%, 99.5%, 97%, and 99.9% for the normal, flooding, scheduling, grayhole, and blackhole assaults, correspondingly. In previous work, the values for normal, flooding, scheduling, grayhole, and blackhole attacks were 99.8%, 90.4%, 99.5%, 91.1%, and 73%, accordingly.

Suma and Harsoor, 2022 ⁹⁸ suggest solution combines an on-demand link and an energy-aware dynamic multipath (O-LEADM) routing system for MANETs to identify blackhole nodes using the baiting approach and distinguish between packet loss caused by congestion and malicious nodes. The suggested technique can readily distinguish between packet drops caused by link failure and malicious nodes. The findings are compared to the existing AODV-Blackhole routing system and analysed. Concerning packet delivery ratio, the suggested O-LEADM Black-hole identification approach outperforms the current AODV-Blackhole strategy, which has 84% of nodes moving at 20 m/s and decreases to 83% when mobility velocity grows, while the OLEADM-Blackhole has 87% at 20 m/s. In order to minimise congestion and preserve route reliability, OLEADM-Blackhole achieves a % delivery ratio as speed increases by accounting for connectivity faults and channel accessibility. In the inclusion of a black-hole node in the network, the average delay graph reveals that AODV-Blackhole has an average delay of 0.083 ms at higher mobility speeds, but O-LEADM Blackhole has an average delay of 0.050 ms. The ECA of the AODV Blackhole and the O-LEADM Blackhole In the presence of an adversary, the OLEADM-Blackhole expends an average of 6.0 J of energy while travelling at a higher speed. As a result, at greater mobility speeds, AODV-Blackhole consumes 11.2 J of energy. The overhead of the O-LeadM Blackhole is between 4.1 and 11.1, whereas the overhead of the AODV-Blackhole is between 5.9 and 16.6. When a blackhole is identified, O-LEADM Blackhole improves significantly with great movement and at a low expense in identifying other channels. On the other hand, route identification in AODV-Blackhole had a higher expense in terms of detecting other routes to the destination.

Misdirection attack

One form of DoS assault that can happen at the network layer is a misdirection assault. In a misdirection attack, the attackers change the route of the packet delivery to a node different from the target node. ⁹⁹ Sensor nodes along the path experience resource loss as a result of traffic being redirected in a particular way.

Mustafa et al., 2020 ¹⁰⁰ suggests an RL algorithm (Reinforcement Learning) for Misdirection Attack Detection and Prevention (RLMADP) in WSNs. In addition to the level architecture arrangement for WSN, the MDP (Markov Decision Process) from RL is estimated in their proposed approach. This strategy provides load distribution with more significant residual power to enhance the life of the network using an online technique with cheap computing costs. Their network is an RL or MDP process in which each node has an operator installed, and a Cluster Head (CH) has been tasked with maintaining surveillance on the network utilising criteria that are common to all of the nodes: Environment, Agent, Action, State, Policy, Value Function, and Reward Function. Air, sea, and cyber-physical are just a few of the realms in which this protocol functions. The random separation of clusters, which results in an unequal distribution and, in certain cases, an increase in ECA, is one of the disadvantages of the recommended protocols. The experimental outcomes demonstrate that the proposed method can efficiently identify the impacted node while simultaneously enhancing throughput and lowering delay. The proposed technique has not been utilised in real-time applications.

Singh et al., 2020^101,102 propose a unique approach for detecting misdirection attacks in WSN that does not employ cluster heads. The suggested detection method was evaluated using Omnetpp 5.4.1 on four diverse network sizes (10, 20, 30, and 40 nodes) with varying amounts of malicious nodes. The suggested method assigns a fixed unit of time (time slice) for nodes to send data to their next neighbouring node along a given path, along with a route for data transmission in a WSN. The experiment outcomes demonstrate that the proposed technique has greater detection accuracy and lower end-to-end latency (22.61 ms) than the cluster head detection method. The observations show that the suggested approach outperforms the frequently used cluster-based techniques in detecting misdirection attacks in WSN by using a smaller end-to-end delay parameter.

Selective forwarding attack

Selective forwarding is also known as a grayhole attack. A selective forwarding attack is a subtype of blackhole assault. In a black hole attack, the attacking node announces that it has the fastest route to the target over that node and discards every packet that passes through it. However, in selective forwarding, a hacked sensor node selectively denies data. Most studies assume that an attacker node ignores data based on the protocol being used, the sender or destination of the packets, or both (drops all UDP packets or drops all TCP (transmission control protocol) protocol).^103–105 There are several mechanisms to detect a selective forwarding attack in WSN. Mehetre et al., 2019 ¹⁰⁶ a twin security approach with a double assurance system was offered, along with two techniques for the data packet’s secure networking. In addition, this study identified the untrustworthy route and offered secure routing paths using the CS (Cuckoo search) method and active trustworthiness in cluster sensor nodes. The presented secure routing strategy would avoid black holes and selective forwarding attacks by maximising the packet delivery ratio. The offered secured route approach prevents black holes and selective forwarding attacks while optimising packet delivery rates. The proposed system features optimum accuracy, minimal power loss, simplicity, privacy, and durability. The experimental findings suggest that the proposed system exhibits these characteristics in terms of power usage, latency, route length, network lifespan in homogenous and heterogeneous networks, throughput, and packet drop (Network size 16, ECA 160 J, Latency 20,000 ms, Throughput 85, and Packet drop ratio 18%). The findings show that at the maximum network capacity, the suggested system performs better, with 20,000 ms of delay power and 85% throughput. As a result, the data flow for this method must be increased.

Zhang and Zhang, 2019 ¹⁰⁷ aim to improve selective forwarding attack detection accuracy using an e-watchdog system. Misbehaving can be detected by employing detective agents closer to the attacker, improving the detection rate and effectively reducing the fake alert rate. The fundamental disadvantage of the watchdog is that it relies on a quiet communication paradigm instead of paying attention to the initiator’s and receiver’s signal-to-noise ratios. When the initiator’s signal-to-noise ratio is higher than the receiver’s, detection accuracy is significantly increased since the false alarm rate is decreased. The enhanced watchdog (E-watchdog) presented in this article encourages one or more of the initiator’s nearby nodes that are closer to the target to identify SFA, resulting in accurate detection of the SFA node. In addition, E-watchdog uses reports from more than one detection agent to avoid collaborative selective transmission attacks. An elector algorithm filters fake reports from attackers. The false alarm rate of the E-watchdog is 25% lower than that of the Watchdog, and the network throughput is 10% higher.

Hao Fu et al., 2019 ¹⁰⁸ proposes a Data Clustering Algorithm (DCA) for identifying Selective Forwarding assaults (DCA-SF). The DCA-SF approach has been upgraded by adaptively changing the variables Epsilon and Minimum Points (Eps, Minpts). The simulation results show that the DCA-SF uses little energy with a low loss detection accuracy of 1.04% and a low false alarm rate of 0.42%. To confirm that the detection approach is precise, and analyses dispersed WSNs, this technique has to be assessed on the WSN platform. They want to cluster the information collected in the sensor node using DPC and SNN-DPC in order to assess their effects.

UmaRani and Somasundaram, 2020 ¹⁰⁹ developed Beta Distribution Reputation Model (BDRM) based on the beta distribution in this research to defend networks from selective forwarders. It detects selective forwarding attacks rapidly by using the sensor node’s packet forwarding and packet dropping behaviour. By evaluating reputation BDRM discovers the shifting behaviour of selective forwarders. As a result, the network’s throughput and message delivery rate are increased through the routing process. The connection delay and storage requirements for the BDRM paradigm are modest. To enhance security collaboration in WSNs, the BDRM model will be used in the future to assist cluster head selection.

Singh and Saini, 2021 ¹¹⁰ suggested a technique for detecting selective forwarding assaults through the WSN. A node may ignore some or all of the data packets after being subjected to a selective forwarding attack. The node may even discard the entire data packet. To group the nodes collectively, the LEACH method is utilised. The suggested method splits the total number of cluster nodes into Investigator nodes (IN), Member nodes (MN), and Cluster Heads (CH) depending on the functioning of the nodes. A CH is the main controller that manages all transmissions. When the CH is assaulted, the entire cluster turns malicious over all communications. The IN is intended to observe communications between CH and MNs that a training module is under consideration and the IN is intended to keep a check out for CH behaviour that might be damaging. The entire proposed process is modelled utilizing NS2 for ECA (21 mj), and there is a variation in energy use of roughly 40%. The same number of nodes has shown a substantial variance in delay duration using the LBST technique. The suggested solution has a comparatively short delay duration (7000 ms). In the proposed method, there are 8% more packet drops.

Wormhole attack

A wormhole assault compromises two sensor nodes in distinct sections of the WSN. To access the sensor node packets, the attacker establishes a high-bandwidth channel between two compromised nodes. ¹¹¹ Sensor nodes tend to choose this compromised channel for routing data packets and thus are exposed to wormhole attacks in this channel. Patel et al., 2019 ¹¹² proposed an alternative path length calculation based on neighbourhood information with two assumptions. The first assumption they make is that all of the sensor nodes are stationary. The second assumption is that malicious nodes are not present in the network at some initial interval at the time of deployment. All genuine sensor nodes securely establish their neighbour’s information during the first period. Two malicious nodes launch a high-speed tunnel. The packet delivery ratio in a normal scenario is 99.88%, 36% in an assault scenario, and 98.10% after using the suggested technique. Similarly, throughput is 86 kbps in the normal situation, 34 kbps in the assault scenario, and 84.70 kbps after using the proposed technique. Packet delivery ratio and throughput both drop dramatically in the event of an assault. The suggested method dramatically increased both the packet delivery rate and throughput. The possibility of a false positive is eliminated. A wormhole that is propelled for a brief distance might provide a wrong result. The detection accuracy is very close to 100% if a wormhole is deployed across a significant distance. The bulk of the methods needs hardware, which increases the cost of manufacturing the sensor node. Present identification methods are usually resource-intensive and have limitations in terms of efficiency. The challenge of detecting secure neighbours in a mobile WSN is tough to solve. This approach will not identify attacks if the nodes are moving.

Tamilarasi and Santhi, 2020 ¹¹³ proposed a technique for the detection of wormhole attacks using PSO (Particle Swarm Optimization). The suggested method is being implemented using the Network Simulator NS2. Several intermediate nodes in the route pathways between the various paths may provide fake routes that are shorter than the actual paths throughout the transmission. Wormhole pathways are the paths that have been assaulted. The DP (Detection Packet) is used to detect the wormhole attack. An origin node must select the optimum route among the route table’s assaulter paths for safe routing. Moreover, AD (Attack Detection)-time PSO is reduced by 50% compared to TESRP (Trust and Energy aware Secure Routing Protocol) by recognising and avoiding wormhole attacked pathways. The delivery ratios of AD-PSO and TESRP are compared. The suggested AD-delivery PSO ratio is raised by 33% over the present strategy due to optimum path selection employing PSO. The sent data is retrieved from misbehaviour by picking the secure path from the attacker-free pathways. As a result, the suggested AD-throughput of PSO is 66% higher than TESRP. The suggested PSO is utilised to choose the optimal route from the assaulter paths, cutting the consumption of the proposed AD-energy PSO by 10% and the proposed AD-drop PSO by 16% compared to TESRP. Assaulter paths between the source and the destination are constructed by identifying the wormhole-attacked pathways. Using the PSO method, the best path for threat data transmission is selected among the assaulter paths. The network’s lifetime is increased by 32% as a consequence, in comparison to the old approach.

Singh et al., 2021 ¹¹⁴ provide a method for identifying wormhole assaults in WSNs by employing artificial neural networks (ANNs), with connection data serving as the detection component. The suggested method detects any two sensor nodes using connection information. The suggested approach was used in the WSN area with the following probability distributions: uniform, Poisson, gaussian, exponential, gamma, and beta. Train the ANN by using the data calculated from the network before evaluating it. A wormhole attack exists if the output is 0.8. Otherwise, wormhole attacks do not exist if the training output is less than 0.8. When the train has finished uploading for continued ANN training, replace the training data with testing data. The experiment results for each applied method show high detection accuracies, such as uniform (90%), Poisson (90%), gaussian (100%), exponential (96%), gamma (97%) and beta (99%).

Singh and Saini, 2022 ¹¹⁵ new routing approach Intelligent Ad-Hoc-On-Demand Multipath Distance Vector (I-AOMDV) is given which aims to ensure a secure way for data transfer in the Underwater WSN. The suggested technique is validated using Measures of WSN performance including power consumption, end-to-end latency, throughput, and packet delivery ratios. It proposes a wormhole detection approach that involves forming a cluster in the WSN. Many paths have begun with a network connecting the sender and receiver. It creates several paths using the AOMDV routing protocol (Ad-Hoc-On Demand Multipath Distance Vector). Cluster formation is considered during the initial phase of node deployment, for which the LNCA (Local Negotiated Clustering Algorithm) technique is used in the research methodology, which groups the nodes into clusters head and sensors node. Every node in the cluster should have RTT (Round Trip Time), ETD (Estimated Time of Departure), Th (Threshold value), PSent (packet sent), PReceived (packet received), DP (Detection Packet), and FP (Feedback packet) information stored in the routing table, which is determined by the number of hops and several initializations. The approach used NS2 and its performance to calculate associated measures such as energy efficiency (21 mj), packet delivery ratio (96%), throughput (65 kbps), and end-to-end latency (7 ms). This approach gives high results for avoiding wormhole attacks by increasing the packet delivery ratio. However, the throughput ratio must still be increased.

Alajlan, 2022 ¹¹⁶ introduces a novel multi-step detection (MSD) technique for WSNs that can efficiently identify wormhole attacks. The MSD uses three techniques to identify and prevent simplex (where two nodes in the network which has tunnels between them but in different places of the network) and duplex (three nodes are in different locations and thus are not one-hop neighbours) wormhole attacks: the neighbour node validation process (NNVP), the fake link reduction process (FLRP), and wormhole separation. The Poisson distribution was used to distribute data throughout the network. Furthermore, the suggested MSD may be used to remove any false connections. Finally, the effectiveness of the separation module’s performance guarantees highly successful identification and recuperation, effectively cutting off the wormhole from the network. Research should take into account the limitations of assessing after reconfiguring and rescheduling actual traffic control for the identification framework. Unconventional methods must be used to study distributed network scenarios in order to discover the most effective means of protecting the WSN from wormhole assaults. The recommended MSD displays fewer false detection and false toleration rates, as shown by simulation data acquired in OMNET++. Additionally, as shown by the simulation findings, the proposed MSD can effectively identify wormhole attacks in a genuinely scattered network setting with a 99.944% accuracy rate.

Sybil attack

The Sybil assault is often referred to as a spoofing attack. In a Sybil assault, an adversary hacks a network node, and the compromised node pretends to be numerous nodes using false identities. ¹⁰⁰ The effect of the Sybil attack on the performance of IDS in WSN was considered by Jamshidi et al., 2019 ¹¹⁷ a novel Sybil attack model for cluster based WSNs such as LEACH is suggested. The given method is built on cluster head node collaboration and RSSI (Received Signal Strength Indicator). Numerous experiments were carried out to assess the effectiveness of the suggested method in terms of real DR (detection rate), FDR (false detection rate), and communication latency. Studies show that the proposed method can detect 99.8% of Sybil nodes with a false identification ratio of 0.008%. The ECA of the proposed method for sensor networks is a major factor in considering the energy constraints of sensor nodes. The number of transferred packets is an important parameter for evaluating the algorithm’s performance since transmitting packets uses more power than analysing or receiving information. The new attack strategy is built for cluster networks. However, the suggested method is executed after clustering, thus it does not increase the communication cost of the clustering phase.

Angappan et al., 2021 ¹¹⁸ present a new Sybil attack detection methodology known as (NoSad) for detecting and isolating Sybil attacks in WSN. This technique is based on intercommunication and RSSI measurement as a localised method of locating the Sybil node. The proposed protocol has undergone extensive simulation with different topologies, and the results demonstrate that the protocol is extremely effective in terms of detecting rates, power use, storage use, processing, and communication requirements (the TDR of the NoSad algorithm is over 99.85%). This protocol may be used in any infrastructure WSN to get decent results. This study proposes a solution for various Sybil node location circumstances to mitigate the Sybil attack in WSN.

Mounica et al., 2021 ¹¹⁹ Design a machine learning technique that is designed to assess the effectiveness and accuracy of machine learning methods in order to identify Sybil and other vulnerabilities. On the basis of unprocessed Internet traffic information, a machine learning technique is intended to recognise a Sybil assault. By applying the NSL-KDD dataset, they trained the technique in their machine learning model. Four distinct models were used to identify various Sybil assaults. The first model used was Random Forest had a 79% average efficiency rate (This method combines decision trees with all of the features available in each decision tree. It could be used for both classification and regression.). The second model devised was logistic regression, which had an average efficiency of 84%. The third support vector machine model had a precision of 93%, whereas the fourth decision tree model had an accuracy of 83%. As a result, 93% of users are expected to use the support vector machine model with the highest accuracy and strongest occurrence indicators (DDOs, R2L, Probe, Sybil, and Normal) in the supplied data from the various evaluation graphs. By creating a real-time Web site where nodes pass through identification and reject clear network information, it is easy to prevent anything from occurring till it alters the current state of nodes in networks, allowing for the achievement of a prediction strategy for various attacks under examination.

Sinkhole attack

In a sinkhole assault, an attacker hacks any nodes around the sink node or the sink node itself to capture all the information in the WSN. ¹²⁰ Nadeem and Alghamdi, 2019 ¹²¹ suggest a sinkhole attack detection system that uses data aggregation, approach distance, and energy-related information to identify sinkhole attacks in Wireless Body Area Sensors Networks (WBASN). The attack by the sinkhole might significantly harm the network’s functionality in terms of low throughput, higher delay, and message breakage. In simulations, their detection technique works effectively, with a great detection rate and a lower false alarm rate. Researchers must investigate the security and privacy issues with the multi-BAN scenario being implemented in a real-world hospital ward. This feature, which makes use of the multi BAN and wearable shimmer sensors, allows all of the patients in the award to be monitored autonomously. Then investigate, identify, and provide solutions to privacy and security concerns.

Nwankwo, 2019 ¹²² provide a structure for enhancing sinkhole detection mechanisms by using Ant Colony Optimization with a swarm intelligence method using the network emulator NS3. There are two parts to the suggested framework. The first step entails issue conception and planning, as well as dataset specification and architecture. The second stage entails implementation, which includes EACO detection (Enhanced Ant Colony Optimization) on the NS-3.29 simulator, as well as flowcharts and pseudocode. Before comparing it to another accepted technique, they must increase the effect of the detecting ratio and false alarm reducing ratio. Dhivya et al., 2021 ¹²³ proposed solution presented a novel way of identifying and avoiding sinkhole attacks in WSN. The large number of terminals may be handled using the AODV (Ad hoc On-Demand Distance Vector) routing protocol. An Armstrong number and the GAN network are used to lessen the impact of sinkhole attacks. To identify and isolate sinkhole attacks no further communication is used for that. The proposed method may also be used if sinkhole nodes promote a high-quality link with high transmitted power. They must employ other strategies to cut energy usage even more, as well as concentrate on evaluating and understanding sinkhole attacks in the context of other routing protocols.

Byzantine attack

The network layer is exposed to the risk of the byzantine attack. Byzantine attacks are defined as actions taken randomly to disrupt a network by attackers who have total control over a collection of authorised devices. ¹²⁴ A Byzantine threat entails one or more affected nodes working together to carry out a variety of attacks, such as sending packets down inefficient paths, establishing routing loops, or picking and choosing which packets to drop. All of these actions impair network performance, interfere with network routing services, and consume network component resources. ¹²⁵ Once attackers have yielded the active group of insider nodes in the network hostile, the entire network will be under their control, and further safe data transfer will be impossible.

Subhashini et al., 2019 ¹²⁶ present a viable approach for identifying information insertion and Byzantine attacks utilising the proposed unpredictable network coding scheme. These attackers are in complete control of some of the authorised nodes and are capable of acting irregularly to cause systemic disruption. Through the use of network coding, neighbouring intermediary nodes in a network can encrypt data packets that are sent to them. The priority scheduling approach is then employed as an improvisation tactic to successfully schedule data transmission. The Priority Algorithm includes changing the threshold to achieve the optimal false alarm, fault detection, or error rate. By aspects of packet delivery rate, throughput, and delay, simulated findings in the NS2 scenario show that using the priority scheduling strategy produces successful outcomes. Furthermore, when the priority scheduling approach is utilised, attack identification measures such as the false positive ratio and detection ratio improve. A novel priority technique for an uplink scheduler in a WSN has been created in order to increase efficiency and detection measures.

Routing attacks

Routing assaults are one of the most successful network layer attacks because they target the network’s routing capabilities. There are various forms of routing attacks, including Routing Table Poisoning, Route Cache Poisoning, Routing Table Overflow, Packet Replication, and Rushing assaults. ¹²⁷ The attacker node transmits a fake route or tries to modify the route data in the packet in routing table poisoning. A routing table attack aims to clog up networks, degrade functionality, or severely damage route functions. Reactive routing techniques employ caches to store freshly discovered routes for faster processing, whereas initiative-taking routing approaches rely on routing tables. The adversary may try to flood the cache with fake routes in order to stop the creation of new genuine entries. Caches are used by routing protocols to save the newly discovered routes for better execution. On the other hand, proactive routing protocols seek to implement routing access in the absence of dependent route discovery. This implementation gives the malicious node the way to send massive fake routing advertisements to nodes to overcome the routing table, which leads to the implementation stops. The adversary node uses packet replication to repeatedly send the same message, confusing the routing process and using up all available bandwidth and energy. The request RREQ packet will be received by the adversary node in a rushed assault that is situated along the route path of the source node. With "PUSH," this node attempts to transfer the packet quickly to the target node. The repeated RREQ from the origin node will be dumped by the target node because it is mistaken for a duplicate packet. However, these security procedures can only detect pathways that are less than two jumps away and are only useful against rushing assaults. ¹²⁷

Packet replay attack

In the packet replay assault, the adversary attempts to intercept the packet being sent from the source node and, if successful, delays the packet transmission before sending it to the receiving node. The delay will result in receiving an erroneous location due to the wrong time and fluctuating transmission power provide a more advanced deep learning system for identifying and blocking replay attacks. ¹²⁸ On the dataset, decision trees are used with the help of a support vector machine (SVM) to demonstrate their effectiveness. Many studies have shown that SVM has a success rate of over 98% in identifying and blocking WSN assaults. During a replay assault, the whole route from the sensing node to the basis station is filled with bogus packets. As a consequence, on the receiver side, a fictitious distance and a fictitious location are estimated depending on the signal’s arrival time, resulting in a simulated time of propagation and false signal strength.

TCP SYN flooding attack

Transmission control protocol SYN flooding is a kind of denial-of-service assault. Transmission control protocol is a transport layer protocol that employs a handshake to communicate between two nodes. During the handshake, three messages (SYN, SYN-ACK, and ACK) are transmitted between sensor nodes to assess whether the nodes are suitable for communication and to transmit data using serial codes. The malicious node will send an increased number of SYN packets to start an SYN attack. Once the flood of SYN packets was received, the victim node has to reply with the SYN + ACK packet and waited for the corresponding ACK packets. As a result, the victim node has half-open connections. The victim node can only begin to communicate again with other nodes after a TCP half-open connection is timed out, with much time already wasted for unnecessary waiting. ¹²⁹

Burmaka et al., 2019 ¹³⁰ proposed a method for detecting DDoS attacks (TCP SYN Flood, HTTP Flood), as well as several types of system resource usage, including miner scripts, botnet scripts, and malware. A proposed approach involves tracking system resources, extracting traits, and spotting abnormalities through critical selection detection. Accurate detection relies on the immune mechanism technique, in which any sample of parameters that is "nonself" causes an alarm. This method also enables to detection of unknown threats or system resource abuses. This approach has a few advantages, including minimal platform resource use since it checks a small amount of data and continuous system resource usage that is independent of the load on the monitored system. The second advantage is portability; this technique may be applied to a variety of devices, such as central servers, routers, and switches, as well as desktops and integrated ones. This approach has the limitation that it can only find problems that affect CPU and memory use. As a result, it cannot replace a typical IDS, but it can be a helpful addition to an IDS that uses signatures. Finding the optimal set of parameters for spotting anomalies and minimising the effects of a variety of factors is the key issue that still has to be resolved. It may accelerate the search for that match. Making an unsupervised machine learning method that can calculate the optimal range of system resource utilisation for a typical system state is an additional option. This will assist in lowering the number of false positives. Additionally, this method has to be examined for various DDoS excesses and assaults on diverse structures.

Session hijacking

Another name for an impersonated assault is a session hijacking assault. The assailant assumes the identity of the victim’s sensor node’s IP address, ascertains the pattern of packets that the receiver sensor node anticipates, and executes a denial-of-service attack.^131,132 Hu et al., 2019 ¹³³ analyse the ability to launch the PHY-UIR hijacking attack to enable an aggressor to control the common key. They also suggest that when devices exchange information simultaneously on the shared keys established, they can detect whether a third party agrees to different keys. Through human interactions, the hijacking session attack manipulates the key agreement and compels genuine devices to carry out the attacker’s PHY UIR protocol. Conclusions from simulation and testing validate the attack and provide excellent attack performance for the key produced.

Singh, 2020 ¹³⁴ Token and Session ID Reset strategies were created and put into use to avoid session hijacking brought on by cookie duplication. The suggested approach makes use of session-id, tokens, IP, and browser fingerprinting to authenticate the user on the web server. This method saves the token in local storage on the client’s side, rather than in cookies. With this strategy, Man-in-the-middle (MITM), Cross-Site Scripting (XSS), Session fixation, Cookie-stealing malware, Predictable token and session id, Physical data theft, and Cookie Cloning attacks are all less likely. The suggested method takes around 6 milliseconds longer than the OTC method. The attacker can impersonate the user before the token and session ID expire. To solve this problem, establish a brief period for the token and session id to be renewed.

Prapty et al., 2020 ¹³⁵ provide a novel approach to protect cookie privacy, authenticity, and integrity and to guard against replaying and cookie toxin assaults that can hijack sessions. To produce and verify one-time session cookies, they employed reverse proxy servers. To handle the encryption one-time cookies, they built a custom cryptographic procedure system. They performed a security analysis to validate their proposed system. By utilising OTC rather than pricey HTTPS connections, they may avoid cookie toxicity threats and replay attacks that hijack sessions.

Desynchronisation attack

Desynchronization is the breakdown of established connectivity among network elements. An attacker will provide false communication with false sequence numbers and control flags to disrupt normal communication between nodes, forcing the nodes to request retransmission of the lost packets. ¹⁷ Once the assault is executed properly, it may prevent the nodes continue transferring files, consuming additional power while the transmission is being resynchronized and errors are fixed. Desynchronization assaults may be extremely harmful when combined with other attacks like wormholes, Sybil, or replay, which affect the round duration among nodes and hence break the duration integration.

Trinh et al., 2020 ¹³⁶ suggested that LBCbAP (Lightweight Block Cipher-Based Mutual Authentication Protocol) is a unique security protocol relying on lightweight block cyphers. The primary security primitive in this protocol is CRAFT. CRAFT is a tweakable block cypher that was recently proposed, and its security has been proven by an independent security study. Their in-depth security examination of LBCbAP, conducted both covertly and overtly utilising a GNY concept and the Scyther program, shows that it is protected against several assaults, including dangers from interruptions and secret exposure. An expense examination of the designed protocol and contrast to similar lightweight protocols shows that LBCbAP is cost-effective. Designing a multiple-reader RIFD system based on LBCbAP is also an intriguing area for future research. In that study, it may be possible to solve the concerns of how the viewer initialises its dataset if communication could be retrieved if the writer’s dataset is destroyed and the way the label interacts among many readers while being private and synchronous. Before the proposed protocol can be implemented in any operational environment, it must first undergo extensive community study and evaluation (it has not yet been used in a practical context).

DoS attack

A DoS (Denial of Service) occurs when an adversary interferes with the legal node’s ability to provide functions by transmitting additional meaningless signals to the recipient sensor node in an attempt to use up broadband and power. ⁴¹ Al-issa et al., 2019 ¹³⁸ proposed to use decision trees and support vector machines to identify assault behaviours for a certain dataset. The dataset was developed to distinguish between Blackhole, Grayhole, Flooding, and Scheduling, four types of DoS assaults. Using machine learning techniques, decision trees and support vector algorithms were used to evaluate the effectiveness of DoS identification on the WSN dataset. The floods and grayhole assaults were assessed, with the whole dataset being used first. SVM performed worse than decision trees in terms of classification. On the other hand, their approach failed to detect various forms of DoS attack scenarios. According to the experimental results, decision trees outperformed Support Vector Machines in terms of both true-positive rates and false-positive rates, with 99.86% vs. 99.62% and 0.05% vs. 0.09%, correspondingly.

Nagamuthu, 2019 ¹³⁹ presented a hierarchical clustering technique to detect node compromise in a WSN related to DoS assaults. The strategy makes use of multiple representation sites (nodes) by selecting nodes that are widely dispersed and then centring them by a fractional amount to enable efficient DoS assault identification and spread. The clusters thus come in a variety of geometrical forms. For a larger number of nodes, segmentation and irregular sampling are used more quickly to detect attacks. Outliers were successfully filtered using irregular sampling. The main advantage of the clustering algorithm-based identification approach is its scalability for high numbers of nodes without sacrificing cluster quality. The authors have to think about utilising a different clustering strategy which enhances the spread and dispersion of nodes in a network to speed up attack identification and prevention.

Prabakaran et al., 2020 ¹⁴⁰ introduced an SVM-based ID approach. They use a feature vector to characterise nodes in the ID algorithm. The SVM parameter vectors and feature values are generated using the optimal feature subset. By examining the vector with the best features and characteristic weights, as well as the one with the highest classification precision, the most perfect chromosome may be identified. Limit value and score are two crucial factors that they used. The sum value of the closest neighbouring nodes is used to calculate the score. The limit value is the limit or threshold that separates aberrant nodes from the base station. As a result, the SVM detection algorithm distinguishes between irregular nodes that broadcast RREQ signals more frequently than normal nodes. In this case, the Ant Colony Optimization (ACO) method employs to choose the best path for sending data from the origin to the receiving node. A proposed method increases network lifetime and WSN intrusion node detection. Uneven nodes will be shown as a result. The evaluation’s results led to the recommended technique having a higher accuracy rate.

Deluge attack

Deluge assaults are another name for reprogramming attacks. Applications and software platforms used by the adversary’s sensor node are infected with malicious software (viruses, spyware, Trojan horses, and worms). The sensor node’s harmful malware propagates throughout the network, slowing it down or even damaging it. ⁴¹