Internet of Things (IoT) comprises sensors and actuators included in embedded devices with the use of IPv4 and IPv6 technologies, enabling these electronic devices to connect and exchange data that can inter-operate within the existing Internet infrastructure. The IoT devices collect valuable data with the help of various technologies and then, autonomously, transfer these data between other devices . However, IoT devices and networks are often connected to critical infrastructure networks. As a result, security and protection are needed. IoT networks such as WSNs are vulnerable to several threats as the nature of such devices has many constraints, for example, limited storage, low computation power and limited power consumption . Additionally, the coordination of diverse technologies, heterogeneity and the distributed nature of the network magnifies the threats to the loT system . Due to the constraints involved in the IoT, not all existing security mechanisms can be applied to protect such devices. As a consequence, IoT devices remain exposed to various vulnerabilities, which keep the associated infrastructure and applications in danger .
There are so many attacks against IoT networks that can downgrade their performance and functionalities . However, one of the most common and dangerous attacks is a jamming attack . IoT systems based on wireless mesh technologies are vulnerable to jamming attacks which could drain the battery of target devices, by disrupting their data transmission and making them repeatedly re-transmit . Jamming in wireless networks has become a significant research problem due to the ease of its execution . Furthermore, jamming threats can only be prevented at the physical layer (PHY) but not at the MAC or network layer. When a wireless network suffers from jamming attacks, its wireless signals are typically overwhelmed by irregular or sophisticated radio jamming signals, making it hard for legitimate wireless devices to decode data packets. Consequently, any approaches at the MAC layer or above are incapable of preventing jamming threats, and innovative anti-jamming approaches are required at the physical layer .
A practical solution for detecting malicious behaviour within the network is an Intrusion Detection System. In this paper, we provide an intelligent and adaptive intrusion detection technique using Fuzzy logic algorithms in a distributed111The decision is executed at the Node. and centralised222The decision is executed at the Sink. manner, capable of performing detection locally (with the use of ETX, Retransmissions and PDPT as inputs) or centrally (with the help of PDR input) in a network. The main contributions of the paper relate to : i) method to perform local detection; ii) detection of Jamming attacks at the MAC and Network layer; iii) comparison of five different combinations of parameters as inputs to the Fuzzy controller, and iv) evaluation of different jammer settings (48 different locations of the jammer).
The rest of the paper is structured as follows. Section II provides background information on jamming attacks. It also provides related work on approaches addressing jamming attacks using fuzzy logic. The problem description is provided in Section III
. Specifically, the examined approaches of Anomaly Detection using Fuzzy Logic are provided in SectionIII-A. The efficiency of the investigated approaches is examined, evaluated and compared in Section IV. Finally, Section V includes concluding remarks.
Ii Background Knowledge and Related Work
This section provides a brief description of Jamming attacks and related work on using Fuzzy Logic algorithms for detecting jamming attacks.
Ii-a Jamming Attacks
This subsection provides background knowledge regarding the jamming attack.
Jamming is a type of attack that interferes with the radio frequencies the network nodes are using . A jamming source may either be powerful enough to disrupt the entire network or less powerful and only disrupt a smaller portion of the network. The most common and dangerous attack which can be proved harmful for wireless mesh WSN or IoT networks is jamming attack . Wireless networks are especially vulnerable to radio jamming attacks for the reason that the jamming attacks are straightforward to launch . An attacker can easily Generate a jamming attack without requiring any special hardware  and without requiring information about the internals of the control system .
Ii-A1 Types of Jamming Attacks
A Proactive Jammer attacks the network regardless of any data communication. It randomly transmits bits on the network, making all the functional nodes non-responsive. Finally, it functions only on a single channel and operates until its energy is depleted [18, 13]. Proactive Jammers can be categorized into Constant Jammers, Deceptive Jammers and Random Jammers.
Constant Jammer: A Constant Jammer continuously emits radio signals that interfere with the transmission of the network . Furthermore, the Constant Jammer emits random signals which do not follow any underlying MAC protocol . This type of jammer aims at keeping the channel busy and damaging the nodes’ communication . On the other hand, constant jammer attacks are energy inefficient and also can be easily detected . Moreover, this type of attack can be easily implemented, easily identified and works on single-channel .
Deceptive Jammer: Compared to a Constant Jammer, the Deceptive Jammer is more challenging to detect because it transmits legitimate packets instead of random bits. Similarly to the Constant Jammer, the Deceptive Jammer is also energy inefficient due to the continuous transmission; however, it has very easy implementation  and difficult detection .
Random Jammer: On the other hand, the random jammer alternates from the sleeping mode to the Jamming mode [13, 2]. It can either behave like a Constant Jammer or a Deceptive Jammer during its jamming phase. In contrast to the previous two jammers, this one reduces power consumption . However, it is less effective than the two abovementioned jammers and incapable of jamming during sleep mode.
A Reactive Jammer listens to the channel activity. If it identifies an action, it immediately sends out a random signal to collide with the existing signal on the channel . The amount of power required to listen to a channel is much less in comparison with the power needed for proactive jamming . Unfortunately, reactive jammers are difficult to detect, challenging to design, energy inefficient and work on a single-channel .
Reactive RTS/CTS Jammer: In this attack, the jammer begins the offensive when it senses a request-to-send (RTS) message to transmit from the sender. As a result, the receiver cannot send back a clear-to-send (CTS) reply because the RTS packet sent from the sender was destroyed. Finally, the sender will not send data because it believes that the receiver is busy with another ongoing transmission. Consequently, the sender is not sending data, and the receiver always waiting for the data packet .
Reactive Data Acknowledgement Jammer: In the Data/ACK attack, the jammer destroys the transmissions of data or acknowledgement (ACK) packets. The attacker does not respond until a data transmission begins at the transmitter end. This type of jammer can corrupt data packets or ACK packets. As a result, we can view an increase in retransmissions. That is happening because the data packets are not received correctly at the receiver in case of data transmissions. In the case of ACK, since the sender does not receive the ACKs, it believes something is going wrong at the receiver side .
These types of jammers are manufactured to achieve a specific function. For example, they can be used to interfere with a single channel, or they can cause the jamming of the whole network depending upon their purpose, which means they can minimize their energy consumption or can increase their maximum throughput .
Follow-on Jammer: This category of the jammer hops over all available channels very frequently and jams each channel for a short period . If a transmitter detects an attack at a specific frequency and hops to another frequency, then the follow-on jammer will scan the channel and hop in the spectrum where there is traffic, or they can randomly hop and jam in different frequencies. To conclude, the follow-on jammer is particularly effective against anti-jamming techniques such as the frequency hopping spread spectrum (FHSS), which uses a slow-hopping rate [18, 13].
Channel-hopping Jammer: In the Channel-hopping attack, the jammer interferes while hopping between different channels. Besides, a jammer has direct access to channels because it can override the CSMA algorithm of the MAC protocol. Furthermore, Channel-hopping jammers can jam multiple channels at the same time. Therefore, the jammer is quiet and invisible to its neighbours during the discovery phase, and it starts performing attacks on different channels at different times according to a predetermined pseudorandom sequence [18, 13].
Ii-A2 Parameters for Jamming Attack Detection
The jamming detection parameters that were applied in existing systems will be discussed in this section.
Packet Send Ratio (PSR): Xu et al.  defined PSR as the ratio of packets that are successfully sent out by a legitimate traffic source compared to the number of packets it intends to send out at the MAC layer.
Packet Delivery Ratio (PDR): Xu et al.  describe PDR as the ratio of packets that are successfully delivered to a destination compared to the number of packets that have been sent out by the sender. . From the outcomes, it was recognised that the PSR and PDR were difficult to decide about jamming and its types .
Average number of required transmissions per packet (ATX): Heo et al.  define the ATX metric as a total number of transmissions divided by the number of successfully received unique packets.
Number of hops for received packets: A Hop count referes to the number of routers that a packet goes through from its source to its destination .
Throughput: Agah and Das  define Throughput as the measure that characterises the total number of forwarded packets over the total number of received packets.
Bit Error Rate (BER): According to Strasser et al. 
, the BER is calculated as the ratio of the number of corrupted bits to the number of total bits received by a node during a transmission session. However, it is hard to measure the BER by a sensor node since it needs to collect a tremendous amount of data. Moreover, this method cannot classify different kinds of jamming attacks.
Packets Dropped per Terminal (PDPT): Misra et al. , Cakiroglu et al.  and Balarengadurai et al.  used PDPT for detection of Jamming attacks. PDPT refers to the ratio of the number of received packets that have not passed the Cyclic Redundancy Check (CRC) carried out by the node, to the total number of packets received by the node over a given period.
Signal-to-Noise Ratio (SNR): SNR measured as the ratio of the received signal power at a node to the received noise power at the node. Misra et al. , Balarengadurai et al.  and Sasikala and Rengarajan  used SNR as a metric to detect Jamming attacks. The SNR is a useful metric to identify the behaviour of jamming at the physical layer .
Delay: Delay in  is calculated as a total time from the transmission of a packet from a node to the sink, to the time when the sink received the packet.
Routing Overhead: Chen et al.  proposed routing overhead as the average number of routing packets (including DIS, DIO, and DAO packets) transmitted in the whole network every minute.
Expected Transmission Count (ETX): ETX  represents the expected number of transmissions required to successfully transmit and acknowledge a packet on a wireless link.
Our solution uses as parameters in the fuzzy logic the values of the ETX, Retransmissions, PDPT and PDR as inputs to a fuzzy inference system. The decision of choosing these values is based on selecting matrics where collected at the node or Sink node (PDR). Additionally, from our empirical experience and also from our experimental results, these values extremely increase when having a Jammer attack.
Ii-B Related Work on Using Fuzzy Logic Algorithms for Detecting Jamming Attacks
Fuzzy logic dealing with vagueness and imprecision has a capacity to describe imprecise forms of reasoning in areas where firm decisions have to be made in indefinite conditions and is found to be proper for intrusion detection . Following the literature, Detection frameworks based on fuzzy logic have the capability to calculate ambiguous information availability . Fuzzy logic can be making actual-time decisions, even with incomplete knowledge. Conventional control systems rely on an accurate representation of the environment, which commonly does not exist in reality. Fuzzy logic systems, which can handle the linguistic rules naturally, are suitable in this respect. Moreover, it can be used for context by blending different parameters – rules combined to produce a suitable result . Furthermore, Fuzzy rules leave us to efficiently and easily construct if-then rules that reflect general ways of describing security attacks . Thus, fuzzy logic can be an adequate means of defining network attacks 
. AI methods such as decision trees, neural networks and fuzzy logic are applied for detecting anomalies in a network, in which a fuzzy-based system presents important advantages over other AI techniques. Our approach uses a combination of the following metrics ETX, Retransmissions, PDPT and PDR as inputs to a Fuzzy inference system (Mamdani’s Fuzzy Inference System) to get Jamming Index (JI) as the output of the system. The JI value is between 0 and 1, signifying No Jamming to Absolute Jamming, respectively. According to the literature, the following works take into account the jamming attack and use Fuzzy logic algorithms to detect malicious activity in wireless mesh networks.
Misra et al.  proposed a fuzzy inference system for Jamming attack detection. In this approach, network nodes receive input values, while the base station does the jamming detection following a centralized methodology. The nodes send three inputs to the base station: the number of total packets received during a specified period, the number of packets dropped during the period, and the received signal strength (RSS). With these metrics, the base station can calculate the PDPT and SNR. Afterwards, the central node uses the values of PDPT and SNR as inputs to the fuzzy inference system to extract the jamming index. Finally, they make a confirmation of a Jamming Attack on a node. The validation is done through a 2-Means Clustering algorithm that constructs a confirmatory check through the study of the neighborhood of a node, to ascertain the correctness of the JI grade allotted to that node compared to the JI distributed to its neighbour nodes. This work is done using NS2, MATLAB and Simulink simulator and exanimated four types of jammers constant, deceptive, random, and reactive in 720 different simulations setups. In simulations, there are four positions for the jammer, two inside and two outside the grid, Six sets of inter-nodal distances: 5, 10, 15, 20, 25, and 30 meters and three sets of nodes: 25, 50, and 100. Finally, researchers have done simulations using standard power at the jammer node and high energy at the jammer node.
Balarengadurai and Saraswathi 
detect Jamming attacks at the PHY and MAC layers in IEEE 802.15.4 low rate wireless personal area network using Fuzzy logic systems. This system used three inputs being sent by the nodes to the base station. The inputs are a) the number of total packets received by it during a specified period, b) the number of packets dropped by it during the period, and c) the received signal strength (RSS). Afterwards, the base station calculates the PDPT and SNR from these values, and then the base station uses the metrics of PDPT and SNR as inputs to a fuzzy logic system to get Jamming Index as the output of the system. Finally, the confirmation of the Jamming attack Detection is done through the Fuzzy K-Means Clustering. In these experiments, used S-MAC protocol as the MAC standard. In simulations, the nodes sent one packet every 5 seconds for light traffic and two packages every 1 second for heavy traffic. In addition, the authors examined four types of jammers constant, deceptive, random, and reactive—the evaluation of this approach simulated in a Network Simulation environment.
Vijayakumar et al. 
proposed a fuzzy logic-based jamming detection algorithm (FLJDA) to detect the presence of jamming in downstream data communication for cluster‐based wireless sensor networks. FLJDA monitors the behaviour of nodes by computing the jamming probability using two inputs in a fuzzy logic system: the packet delivery ratio and the received signal strength indicator. The evaluation of this approach is simulated in MATLAB. The authors examined four types of jammers constant, deceptive, random, and reactive.
Meenalochani and Sudha  proposed a hybrid algorithm based on Fuzzy logic and Ant Colony Optimization for the detection of jamming attacks. The evaluation of this approach is simulated in MATLAB. The authors used fuzzy logic to detect the interference node and the ant colony to route the data even in the presence of jamming. The ant colony approach discards the congested node and identifies a path from source to destination for successful transmission. The fuzzy logic system used PDR, PLR, and RSSI as input to determine the node’s jamming percentage. The authors used 12 wireless Zigbee real nodes where node one was assigned as Base Station and connected to a Laptop to display the received data in real-time.
In contrast with existing solutions shown above, which also detect jamming attacks using a fuzzy logic algorithm, our approach uses only two metrics as input. It acts with a lightweight edition of an IDS to achieve a high-performance evaluation system. Our solution uses only one algorithm in comparison with Mirsa et al.  who used the 2-means clustering algorithm additionally in order to achieve the best results. Similarly, Balarengadurai and Saraswathi  used an additional K-means clustering algorithm. Finally, Meenalochani and Sudha  used three metrics as inputs, the PDR, PLR and RSSI and additionally used the Ant Colony Optimization algorithm. Overall, none of the researchers examined so comprehensively the position of the jammer. Our approach examines forty-eight different positions of the jammers with equivalent simulations in a distributed and centralised manner. More precisely, the identification of the jammer is executed at each node (with ETX, Retransmissions and PDPT parameters) and at sink (with PDR parameter). Moreover, all approaches use input metrics from the physical layer and make the detection decision centralised, unlike our solution where the input values are Network layer metrics and make the detection decision locally.
Iii Problem Description and Detection Methodology
This paper tries to tackle the problem of identifying jamming attacks using Fuzzy logic algorithms in IoT networks. We implement experiments in various scenarios using the Contiki OS and the Cooja simulator tool. In our approach, node and network information was collected from the local nodes and from the sink and used as input to the fuzzy logic controller to implement jammer detection. Our work uses the following local metrics: the ETX, Retransmissions, PDPT and the PDR (central metric) as inputs to a fuzzy inference system to get Jamming Index (JI) as an output value. The input parameters examined for the fuzzy logic are selected because these values are network layer metrics and at the same time they can be collected and processed distributed at the node. The main purpose of this paper is to find the best input parameters for our Fuzzy controller. In order to achieve this, we made a comparison between five different combinations of inputs. The proposed method was evaluated based on the Accuracy, Precision, Specificity, FPR, Recall, FNR and ROC curve.
Iii-a Approaches of Anomaly Detection using Fuzzy logic
In this paper we examine five different combinations of the four metrics. Firstly, we get the results where the inputs of the Fuzzy controller are ETX and Retransmissions. Secondly, we used the combination of PDPT and Retransmissions. Thirdly, we used the combination of PDR and Retransmissions. Fourth, we used the combination of ETX and PDR. Finally, we used the combination of ETX and Drop. The combination of PDR and PDPT is not taken into consideration for the reason the two inputs are dependent variables.
We define three fuzzy sets each over the four universes of discourse (inputs), ETX, Retransmissions, PDPT and PDR : LOW, MEDIUM, and HIGH. In addition, we define four fuzzy sets over the universe of discourse (output), JI: NO attack, LOW, MEDIUM, and HIGH. We use Mamdani’s model , where combinations of ETX, Retransmissions, PDPT and PDR are the crisp inputs to the system, and JI is the crisp output obtained from the system after defuzzification using the centroid method.
As generated through the Cooja simulator, multiple sets of four crisp inputs, ETX, Retransmissions, PDPT and PDR, are first planned into fuzzy membership functions.
A trapezoid shape is preferred to define fuzzy membership functions because of two reasons: firstly, it can be mathematically manipulated to be very close to the most natural feature, the Gaussian or Bell function, and secondly, it can be easily manipulated to be an unsymmetrical function (as required in the instant case) where the same cannot be done so easily with the Gaussian or Bell functions. In this study, we chose trapezoidal shapes as an appropriate membership function for our fuzzy logic controller. The decision of which of the methods is going to use depends completely on the problem size and problem type . The choice of trapezoidal shapes depends on the distribution of our data. In comparison with Gaussian fuzzy sets, the Trapezoidal shapes are easy to implement and fast to calculate . Following the literature , there are two strategies for constructing the fuzzy sets: a) model-driven and b) knowledge-driven. Gaussian fuzzy sets can only be created from the model-driven approach, whereas trapezoidal fuzzy sets can be constructed from both model-driven and knowledge-driven approaches. As a result, working with the trapezoidal fuzzy sets gives the user more freedom in membership function construction . To conclude, Trapezoidal fuzzy logic controllers are simpler in analysis .
Iii-B Membership Functions
We designate the membership functions below:
Where the separate values of the variables are as provided in Table I. The values of the variables, as presented in Table I, have been fixed through by the improvement of these values through a feedback factor generated by contrasting the original result (the output, JI of the method) and the expected outcome (the JI value). A fuzzy logic system can be constructed using observed data 
. In order to find the ranges of the variables, we observe the values with the minimum value, the maximum value, the average value and the standard deviation. Furthermore, we observe the distribution of the values to build the membership functions. The graphical illustrations of these trapezoidal functions in respect of ETX, Retransmissions, PDPT, PDR and JI are shown in Figures1, 2, 3, 4 and 5, respectively. Additionally, in Figures 6, 7, 8, 9 and 10 we show the Input-output surface corresponding to the membership values of inputs.
|Universe of discourse (uod)||Set||a||b||c||d|
|Jamming Indicator (JI)||NO ATTACK||-0.05||0||0.25||0.3|
Iii-C Detection Algorithm
The algorithm for detecting the jamming node is shown below.
In the approach where the inputs are ETX and Retransmissions the fuzzy rule base is given below:
If ETX is LOW and Retransmissions is LOW then JI is No ATTACK.
If ETX is LOW and Retransmissions is MEDIUM then JI is LOW.
If ETX is LOW and Retransmissions is HIGH then JI is MEDIUM.
If ETX is MEDIUM and Retransmissions is LOW then JI is No ATTACK.
If ETX is MEDIUM and Retransmissions is MEDIUM then JI is LOW.
If ETX is MEDIUM and Retransmissions is HIGH then JI is MEDIUM.
If ETX is HIGH and Retransmissions is LOW then JI is LOW.
If ETX is HIGH and Retransmissions is MEDIUM then JI is MEDIUM.
If ETX is HIGH and Retransmissions is HIGH then JI is HIGH.
In the approach where the inputs are PDPT and Retransmissions, the fuzzy rule base is given below:
If PDPT is LOW and Retransmissions is LOW then JI is No ATTACK.
If PDPT is LOW and Retransmissions is MEDIUM then JI is LOW.
If PDPT is LOW and Retransmissions is HIGH then JI is MEDIUM.
If PDPT is MEDIUM and Retransmissions is LOW then JI is No ATTACK.
If PDPT is MEDIUM and Retransmissions is MEDIUM then JI is LOW.
If PDPT is MEDIUM and Retransmissions is HIGH then JI is MEDIUM.
If PDPT is HIGH and Retransmissions is LOW then JI is LOW.
If PDPT is HIGH and Retransmissions is MEDIUM then JI is MEDIUM.
If PDPT is HIGH and Retransmissions is HIGH then JI is HIGH.
In the approach where the inputs are PDR and Retransmissions, the fuzzy rule base is given below:
If PDR is LOW and Retransmissions is LOW then JI is No ATTACK.
If PDR is LOW and Retransmissions is MEDIUM then JI is LOW.
If PDR is LOW and Retransmissions is HIGH then JI is MEDIUM.
If PDR is MEDIUM and Retransmissions is LOW then JI is LOW.
If PDR is MEDIUM and Retransmissions is MEDIUM then JI is MEDIUM.
If PDR is MEDIUM and Retransmissions is HIGH then JI is HIGH.
If PDR is HIGH and Retransmissions is LOW then JI is NO ATTACK.
If PDR is HIGH and Retransmissions is MEDIUM then JI is LOW.
If PDR is HIGH and Retransmissions is HIGH then JI is MEDIUM.
In the approach where the inputs are ETX and PDR, the fuzzy rule base is given below:
If ETX is LOW and PDR is LOW then JI is LOW.
If ETX is LOW and PDR is MEDIUM then JI is MEDIUM.
If ETX is LOW and PDR is HIGH then JI is LOW.
If ETX is MEDIUM and PDR is LOW then JI is LOW.
If ETX is MEDIUM and PDR is MEDIUM then JI is NO ATTACK.
If ETX is MEDIUM and PDR is HIGH then JI is NO ATTACK.
If ETX is HIGH and PDR is LOW then JI is HIGH.
If ETX is HIGH and PDR is MEDIUM then JI is MEDIUM.
If ETX is HIGH and PDR is HIGH then JI is LOW.
In the approach where the inputs are ETX and PDPT, the fuzzy rule base is given below:
If ETX is LOW and PDPT is LOW then JI is LOW.
If ETX is LOW and PDPT is MEDIUM then JI is MEDIUM.
If ETX is LOW and PDPT is HIGH then JI is HIGH.
If ETX is MEDIUM and PDPT is LOW then JI is NO ATTACK.
If ETX is MEDIUM and PDPT is MEDIUM then JI is LOW.
If ETX is MEDIUM and PDPT is HIGH then JI is MEDIUM.
If ETX is HIGH and PDPT is LOW then JI is NO ATTACK.
If ETX is HIGH and PDPT is MEDIUM then JI is LOW.
If ETX is HIGH and PDPT is HIGH then JI is MEDIUM.
Iv Performance Evaluation
In order to evaluate this approach, we implement experiments in various scenarios with the use of Contiki OS and the Cooja simulator tool. In our study, we implement a Deceptive Jamming attack using the JamLab  suite, a Contiki-based library that allows repeatable experiments with radio interference. Our jammer continuously emits signals which include legitimate packets that interfere with the communication of the network.
Iv-B Simulation Environment
In our study, we made experiments with the jammer placed in predicted scenarios within a grid of 25 nodes. Our implementation was constructed and evaluated via Cooja O/S and Contiki simulator tool. We extracted the simulation data from the Cooja Simulator, and we processed the data in Python and Matlab.
We placed 25 nodes on a grid in an area of 160 * 160 meters including a central node as a Sink. All nodes have a distance of 40 meters from each other. All nodes are equivalent to TelosB nodes and have a 50-meter transmission range and 70-meter interference range. Each node transmits one data packet of 48 bytes every 10 seconds.
Additionally, we run three different scenarios regarding the position of the sink. The situations are a) sink in the middle of the grid b) sink on top middle of the grid and c) sink on top left edge of the network. Each scenario run 16 different jammer positions and a healthy (benign) scenario. In accordance with the literature, these three scenarios were used in published works [17, 16, 25]. The experimental parameters of the nodes are shown in Table II.
|No. of nodes||25|
|Area Size||160 * 160 meters|
|Sensor nodes||TelosB nodes|
|Sink Position||1. Sink Middle 2. Sink Top Middle 3. Sink Top left edge|
|Scenario duration||15 minutes|
|Transmission rate||Generate 1 packet of 48 bytes per 10 seconds|
|Propagation Model||Unit Disk Graph|
|Transmission range||50 m|
|Interference range||70 m|
|Channel Check Rate||8 Hz|
We used the Routing Protocol for Low power and Lossy links (RPL). For Medium Access Control (MAC) layer we used the CSMA and for Radio Duty Cycle (RDC) we used ContikiMAC with the Channel Check Rate of the 8 Hz.
The Jamming node is using nullmac and nullrdc protocols with the Channel Check Rate of the 128 Hz. The experimental parameters of the jammer are shown in Table III.
|No. of nodes||1|
|Sensor nodes||TelosB nodes|
|Type of Jammer||Deceptive|
|Transmission range||50 m|
|Interference range||70 m|
|Channel Check Rate||128 Hz|
Figure 11 shows the simulation set-up and configuration where the Sink is located in the middle of the grid. The green area shows the transmission range of a node. More specifically, each node can communicate with all other nodes within the green circle. For instance, the Sink node, which has number 1, can communicate with nodes 9, 13, 14 and 18. Additionally, the grey circle around the green area displays the interference range. For example, when node 1 sends packets, nodes 8, 17, 10 and 19 in the grey area cannot receive packets and they are not able to receive packets from other nodes when the node 1 communicates simultaneously .
For each topology, we defined two types of scenarios: a malicious situation in which a compromised node is placed in the network, and a no attack scenario in which all nodes are in healthy condition. We run in total 160 malicious scenarios for each topology and one in the reasonable condition where we repeat the normal state ten times to view the deviation of the results. The average costs were used to compare states between normal conditions and attack conditions. We choose the grid scenario to do our experiments because its simplicity helps us build the security framework and understand its weaknesses.
The network topology with the Sink in the middle shows the best case scenario of all three, in which there are four nodes that can be used to reach the Sink and the maximum number of hops from the Sink is four. Additionally, the network topology with the Sink in the top-middle of the grid has three nodes that can directly access the Sink and the maximum number of hops is six. The network topology with the Sink at the top edge indicates the worst-case scenario of all three, has only two nodes that can directly access the Sink and the maximum number of hops is eight . We performed the 16 different scenarios and placed a jammer in each one.
Figure 12 shows a jammer in position 6 with coordinates (-20,-20) when the sink is located in the middle of the grid. From the Figure it can be observed that the attacker jams the nodes with number 8, 9, 13, and the sink. Additionally, the malicious node attacks the nodes with numbers 3, 4, 7, 10, 12, 14, 17, and 18.
Iv-C Jamming attack strategy
In this study we used jammers from the JamLab implementation. More specifically, we used a modified proactive deceptive jammer, with an ON-OFF pattern. The jammer is ON for one second and OFF for 333ms. When ON, the jammer continuously emits interference signals. The attacker sends packets with data that are not recognised by the nodes. The length of the transmitted data sequence is 8 kilobytes. Therefore, the nodes can transfer packets to the other nodes when the intrusion signal is off. The selection of the specific jamming attack is based on the attributes of the jammer, because it is a simpler jammer without a lot of abequites therefore the usage is simple and straightforward. Finally, each malicious node is placed in the centre of four nodes of the network.
In this study, we use the Confusion Matrix as shown in TableIV for the description of the performance.
where: TP = True Positive, FP = False Positive, TN = True Negative, FN = False Negative .
The confusion matrix is a matrix that represents true and false classification results . From the Confusion Matrix, we calculate the indicators of Accuracy, Precision, Specificity, FPR, Recall and FNR.
The True Positive state is when the IDS identifies an activity as an attack, and the event is an attack. A real positive is a successful identification of an attack .
The True Negative state is similar. This state is when the IDS identifies an activity as acceptable behaviour, and the activity is acceptable. A true negative is successfully ignoring acceptable behaviour. Neither of these states is harmful as the IDS is performing as expected .
The False Positive state is when the IDS identifies an activity as an attack, but the action is acceptable behaviour. A false positive is a false alarm .
The False Negative state is the most severe and dangerous state. This situation is when the IDS identifies an activity as acceptable when the event is an attack .
Accuracy defined as the percentage of correctly classified records over the total number of records. The equation for Accuracy is shown below.
Additionally, Precision is the ratio of correctly predicted positive observations to the total predicted positive observations. Equation 3 shows how the Precision is calculated.
Furthermore, the Specificity is the proportion of true negative points to negative elements, as calculated using the equation:
The false positive rate (FPR), represents the ROC curve ”X-axis”, as calculated using the equation:
In addition, Recall or true positive rate is the ratio of correctly predicted positive observations to all observations in the actual class. True positive rate represents the ROC curve’s ”Y-axis”
The equation for Recall is shown below.
The false negative rate (FNR) is calculated using the equation:
Finally, the area under the curve (AUC) - receiver operating characteristics (ROC) (AUC - ROC) plot is another indicator that is used to evaluate the performance of classification models. The Receiver Operating Characteristics (ROC) of a classifier shows its performance as a trade off between False Positive Rate and True Positive Rate.
In this study, we performed a total of 160 different simulations for each scenario. We performed simulations with changes to the ranges of membership functions of combination ETX and Retransmissions, combination of PDPT & Retransmissions, combinations of PDR and Retransmissions, combinations of ETX and PDR, combinations of ETX & PDPT and finally, we performed corrections into the fuzzy rules of the model. In the following paragraphs we demonstrate the positions that the Sink is placed, the attacks that are executed in the selected place and the resulting attach identification accuracy rate.
Iv-E Results of the Different Approach
According to the performance measure of TP, TN, FP and FN we calculated the Accuracy rate, the Precision rate, the Specificity, the FPR rate, Recall rate and the FNR rate where shown in the table V.
Iv-F Comparison of Results Between each Investigated Approach
In order to find the optimum combination of the input metrics, we evaluate each solution based on the accuracy rate, the Precision rate, the Specificity, the FPR rate, Recall rate and, the FNR rate. Based on the results, the three combinations 1) ETX & Retransmissions, 2) PDPT & Retransmissions and 3) PDR & Retransmissions are the optimum inputs for the fuzzy controller. Figure 13 shows the Detection Accuracy of the different scenarios of each combination of input metrics. The combinations of ETX & Retransmissions and PDPT & Retransmissions achieve the best accuracy of 95%. Furthermore, we generate the ROC curve of our approach.
|Approach||Detection Rate||False Alarm Rate|
|Middle||Top middle||Top-left edge||Middle||Top middle||Top-left edge|
Figure 14 shows the ROC Curve when the sink is placed in the middle of the grid. In figure 14, the combination of ETX & Retransmissions, PDPT & Retransmissions and PDR & Retransmissions are better than the combination of ETX & PDR and ETX & PDPT, because at all cut-offs the true positive rate is higher and the false positive rate is lower. The area under the curve for the combination of ETX & Retransmissions, PDPT & Retransmissions and PDR & Retransmissions is larger than the area under the curve for the combinations ETX & PDR and ETX & PDPT.
Figure 15 shows the ROC Curve when Sink is placed in the top middle of the grid. Also, in figure 15 the combination of ETX & Retransmissions, PDPT & Retransmissions and PDR & Retransmissions are the best, for the same reasons as in the previous topology.
Figure 16 shows the ROC Curve when Sink is placed in the Top Edge of the grid. Additionally, in figure 16 the combination of ETX & Retransmissions, PDPT & Retransmissions and PDR & Retransmissions are still the best.
Overall, results show that the Retransmissions metric, locally collected at the nodes, is the most suitable value as an input for the fuzzy controller. From the results, we observe that the combination of ETX & Retransmissions and PDPT & Retransmissions have the best accuracy achieve at 95%. These set of parameters are having better performance because these parameters are heavily affected by the jamming attacks. Note that both approaches are based on distributed data and decision can be executed at node. Additionally, ROC curves show that the combination of ETX & Retransmissions, PDPT & Retransmssions and PDR & Retransmissions are more useful from the combinations ETX & PDR and ETX & PDPT. Based on the results of the ongoing work, we have identified several open issues that will be studied as part of this research for future work.
Preventing Dos Attacks in Wireless Sensor Networks: A Repeated Game Theory Approach. IJ Network Security 5 (2), pp. 145–153. Cited by: 4th item, 5th item.
-  (2015) Security Framework And Jamming Detection For Internet Of Things. Videnbasen for Aalborg UniversitetVBN, Aalborg UniversitetAalborg University, Det Teknisk-Naturvidenskabelige FakultetThe Faculty of Engineering and Science. Cited by: item 3, 10th item, 9th item.
-  (2012) A Fuzzy Based Detection Technique for Jamming Attacks in IEEE 802.15.4 Low Rate Wireless Personal Area Network. Cited by: 7th item, 8th item, §II-B.
-  (2012) Detection of Jamming Attacks in IEEE 802.15. 4 Low Rate Wireless Personal Area Network Using Fuzzy Systems. In 2012 International Conference on Emerging Trends in Science, Engineering and Technology (INCOSET), pp. 32–38. Cited by: §II-B, §II-B.
-  (2013) Fuzzy Approach for Intrusion Detection System: A Survey.. International Journal of Advanced Research in Computer Science 4 (1). Cited by: §II-B.
-  (2011) Jamlab: Augmenting Sensornet Testbeds with Realistic and Controlled Interference Generation. In Information Processing in Sensor Networks (IPSN), 2011 10th International Conference on, pp. 175–186. Cited by: §IV-A, §IV-C.
-  (2008) Jamming Detection Mechanisms For Wireless Sensor Networks. In Proceedings of the 3rd international conference on Scalable information systems, pp. 4. Cited by: 7th item, 9th item.
-  (2018) Analysis and Enhancement of RPL Under Packet Drop Attacks. In 2018 10th International Conference on Communication Systems & Networks (COMSNETS), pp. 167–174. Cited by: 12nd item, 13rd item.
-  (2015) Jamming Attacks Reliable Prevention in a Clustered Wireless Sensor Network. Wireless Personal Communications 85 (3), pp. 925–936. Cited by: §II-A.
-  (2017) Security Attacks in IoT: A Survey. In 2017 International Conference on I-SMAC (IoT in Social, Mobile, Analytics and Cloud)(I-SMAC), pp. 32–37. Cited by: §I.
-  (2000) Fuzzy Network Profiling for Intrusion Detection. In Fuzzy Information Processing Society, 2000. NAFIPS. 19th International Conference of the North American, pp. 301–306. Cited by: §II-B.
-  (2010) A new Approach for Evaluating Intrusion Detection System. 2 (11), pp. 290–298. Cited by: §IV-D, §IV-D.
-  (2014) Jamming and Anti-Jamming Techniques in Wireless Networks: a Survey. International Journal of Ad Hoc and Ubiquitous Computing 17 (4), pp. 197–215. Cited by: §I, item 1, item 2, item 3, item 1, item 2, item 1, item 2, item 3, §II-A1.
-  (2015) The Trouble with the Internet of Things. London Datastore. Greater London Authority. Retrieved 10. Cited by: §I.
-  (2017) Dodge-jam: Anti-jamming Technique for Low-power and Lossy Wireless Networks. In 2017 14th Annual IEEE International Conference on Sensing, Communication, and Networking (SECON), pp. 1–9. Cited by: 3rd item.
-  (2017) An Intrusion Detection System for Wireless Sensor Networks. In Telecommunications (ICT), 2017 24th International Conference on, pp. 1–5. Cited by: §IV-B.
-  (2020) Accurate Detection of Sinkhole Attacks in IoT Networks Using Local Agents. In 2020 Mediterranean Communication and Computer Networking Conference (MedComNet), pp. 1–8. Cited by: §IV-B, §IV-B.
-  (2017) Security Vulnerabilities and Countermeasures Against Jamming Attacks in Wireless Sensor Networks: A Survey. In Computer, Communications and Electronics (Comptelix), 2017 International Conference on, pp. 559–564. Cited by: §I, item 1, item 2, item 3, item 1, item 2, item 3, §II-A1, §II-A1, §II-A1, §II-A.
A Deep Learning Approach For Network Intrusion Detection System. In Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS), pp. 21–26. Cited by: §IV-D.
-  (2014) Evaluation Metrics for Intrusion Detection Systems-A Study. Evaluation 2 (11), pp. 11–7. Cited by: §IV-D.
-  (2019) An extensive validation of a sir epidemic model to study the propagation of jamming attacks against iot wireless networks. Computer Networks 165, pp. 106945. Cited by: §I.
-  (1999) An Experiment in Linguistic Synthesis with a Fuzzy Logic Controller. International journal of human-computer studies 51 (2), pp. 135–147. Cited by: §II-B, §III-A.
-  (2012) Detection of Jamming Style DoS Attack in Wireless Sensor Network. In Parallel Distributed and Grid Computing (PDGC), 2012 2nd IEEE International Conference on, pp. 563–567. Cited by: 11st item, 2nd item, 9th item.
-  (2019) Jammed Node Detection and Routing in a Multihop Wireless Sensor Network Using Hybrid Techniques. Wireless Personal Communications 104 (2), pp. 663–675. Cited by: 11st item, 12nd item, §II-B, §II-B, §III-B.
-  (2010) Information Warfare-Worthy Jamming Attack Detection Mechanism for Wireless Sensor Networks Using a Fuzzy Inference System. Sensors 10 (4), pp. 3444–3479. Cited by: 7th item, 8th item, §II-B, §II-B, §III-A, §IV-B.
-  (2009) A Survey on Jamming Attacks and Countermeasures in WSNs. IEEE Communications Surveys & Tutorials 11 (4). Cited by: item 1, item 1, §II-A1, §II-A1.
-  (2016) Jamming in the Internet of Things: A Game-Theoretic Perspective. arXiv preprint arXiv:1607.06255. Cited by: §I.
-  (2004) Intrusion Detection Overview. Cited by: §IV-D, §IV-D, §IV-D, §IV-D, §IV-D.
-  (2021) Jamming Attacks and Anti-Jamming Strategies in Wireless Networks: A Comprehensive Survey. arXiv preprint arXiv:2101.00292. Cited by: §I, §II-A.
-  (2016) On the Dynamics of the RPL Protocol in AMI Networks Under Jamming Attacks. In 2016 IEEE International Conference on Communications (ICC), pp. 1–6. Cited by: 14th item.
-  (2018) Introductory Chapter: Which Membership Function is Appropriate in Fuzzy System?. In Fuzzy logic based in optimization methods and control systems and its applications, Cited by: §III-A.
-  (2015) An Intelligent Technique to Detect Jamming Attack in Wireless Sensor Networks (WSNs). International Journal of Fuzzy Systems 17 (1), pp. 76–83. Cited by: 8th item.
-  (2011) Network Intrusion Detection System Using Fuzzy Logic. Indian Journal of Computer Science and Engineering (IJCSE) 2 (1), pp. 101–111. Cited by: §II-B.
-  (2019) DDoS Attack Detection: A Key Enabler for Sustainable Communication in Internet of Vehicles. Sustainable Computing: Informatics and Systems 23, pp. 13–20. Cited by: §II-B.
-  (2010) Detection of Reactive Jamming in Sensor Networks. ACM Transactions on Sensor Networks (TOSN) 7 (2), pp. 16. Cited by: 6th item.
-  (2016) InDReS: An Intrusion Detection and Response System for Internet of Things with 6LoWPAN. In 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), pp. 1903–1908. Cited by: §I.
-  (2016) Jamming Attacks on Wireless Networks: A Taxonomic Survey. International Journal of Production Economics 172, pp. 76–94. Cited by: item 1, §II-A1.
-  (2014) Advanced Wi-Fi Attacks Using Commodity Hardware. In Proceedings of the 30th Annual Computer Security Applications Conference, pp. 256–265. Cited by: §II-A.
-  (2018) Fuzzy Logic–based Jamming Detection Algorithm for Cluster-based wireless Sensor Network. International Journal of Communication Systems 31 (10), pp. e3567. Cited by: 11st item, 2nd item, 6th item, 8th item, §II-B.
-  (2009) Based on previous versions by fredrik oster-lind and adam dunkels. Contiki COOJA Hands-on Crash Course: Session Notes. CONET Summer School. Cited by: §IV-B.
-  (2006) A Survey of Security Issues in Wireless Sensor Networks. Cited by: §II-A.
-  (2012) Twelve Considerations in Choosing Between Gaussian and Trapezoidal Membership Functions in Interval Type-2 Fuzzy Logic Controllers. In 2012 IEEE International Conference on Fuzzy Systems, pp. 1–8. Cited by: §III-A.
-  (2005) The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks. In Proceedings of the 6th ACM international symposium on Mobile ad hoc networking and computing, pp. 46–57. Cited by: 1st item, 2nd item, §II-A1.