Intrusion Detection System for Wireless Sensor Networks Using
Danger Theory Immune-Inspired Techniques
Helio Mendes Salmon
Claudio M. de Farias
Paula Loureiro
Luci Pirmez
Silvana Rossetto
Paulo Henrique de A. Rodrigues
Rodrigo Pirmez
Flavia C. Delicato
Luiz Fernando R. da Costa Carmo

Received: 14 May 2012 / Accepted: 9 June 2012
© Springer Science+Business Media, LLC 2012

Abstract An IDS framework inspired by the Human Immune System, to be applied in the wireless sensor network context, is proposed. It uses an improved, decentralized and customized version of the Dendritic Cell Algorithm, which allows nodes to monitor their neighborhood and collaborate to identify an intruder. The work was implemented and tested both in simulation and in real sensor platform scenarios, which were compared to each other, and it was also compared to a Negative Selection Theory implementation in order to demonstrate its efficiency in detecting a denial-of-sleep attack and in energy consumption. Results demonstrated the success of the proposal.

Keywords Wireless sensor networks · Intrusion Detection System · Artificial immune inspired system · Denial-of-sleep attack

1 Introduction

Recent advances in micro-electromechanical systems and wireless communications technologies have enabled the building of low-cost, small-sized sensors capable of sensing, processing and communicating through wireless links. Wireless sensor networks (WSNs), composed of tens, hundreds and sometimes thousands of these small devices, are commonly used to monitor physical and environmental variables such as temperature, humidity, noise and motion of objects. WSNs are used for a wide range of applications, such as structural monitoring, natural resources mapping, tracking and monitoring of military targets, and smart environments control [22].

While bringing new broad perspectives for various applications, WSNs offer unusual challenges and a vast new research area. In addition to challenges related to resource constraints, WSNs are subject to vulnerabilities associated with wireless communication and ad-hoc organization, both inherent characteristics of this type of network.
Furthermore, in scenarios involving unprotected hostile outdoor areas, WSNs are prone to different types of attack, which can compromise the reliability, integrity and availability of the sensor data traffic, as well as sensor lifetime [22].

The adoption of an Intrusion Detection System (IDS) is one way to deal with WSN vulnerabilities. Due to technological limitations, in a WSN environment, IDSs should be kept simple and highly specialized by type of attack, favoring algorithms that demand low computation, low memory and low energy [20]. In WSNs, the use of regular IDSs may be compromised by frequent detection flaws and false alarms. IDS effectiveness can be improved by adopting Computational Intelligence methods [21]. Computational Intelligence techniques provide features such as perception, reasoning, learning, evolution and adaptation, which can be exploited to make IDSs more robust, able to handle unknown attacks and adapt to different application scenarios.

H. M. Salmon · C. M. de Farias (✉) · P. Loureiro · L. Pirmez · S. Rossetto · P. H. de A. Rodrigues: Programa de Pos-Graduacao em Informatica, Universidade Federal do Rio de Janeiro, Rio de Janeiro, RJ, Brazil. e-mail: claudiofarias@nce.ufrj.br
R. Pirmez: Faculdade de Medicina, Universidade Federal do Rio de Janeiro, Cidade Universitaria, Rio de Janeiro, RJ 21941-901, Brazil
F. C. Delicato: Departamento de Informatica e Matematica Aplicada, Universidade Federal do Rio Grande do Norte, Campus Universitario Lagoa Nova, Natal, RN 59078-970, Brazil
L. F. R. da Costa Carmo: Instituto Nacional de Metrologia, Normalizacao e Qualidade Industrial, Av. N. S. das Gracas, 50, Xerem, Duque de Caxias, RJ 25250-020, Brazil
Int J Wireless Inf Networks, DOI 10.1007/s10776-012-0179-z

Our proposal takes advantage of Artificial Immune Systems (AIS), a technique for designing IDSs based on the concepts of the Human Immune System (HIS) [3, 11].
AIS is considered a promising approach for IDS implementation in WSNs, since network security tasks have great similarities with AISs concerning the need to maintain system stability in a highly changing environment [11, 13]. Some of the HIS's main features, such as self-organization, adaptation, robustness and fault tolerance, are similar to some desired characteristics of WSNs. These networks should be able to adapt to continuous changes in environmental conditions and application requirements, and be fault-tolerant, since the sensor nodes communicate over an unreliable and unstable medium. Furthermore, WSN mechanisms and/or algorithms must be distributed and self-organizing, since centralized mechanisms are not appropriate for such networks, given their constrained resources and scalability issues.

This paper presents the architecture of an IDS for WSNs using Danger Theory immune-inspired techniques [11]. Danger Theory uses a danger signal to classify as anomalous an antigen (attacker) that is causing damage to the body, regardless of whether it belongs to the body (self) or not (non-self). Cells known as dendritic cells (DCs) detect and process different signals, including the danger signal, to classify the collected antigens as normal or anomalous. These cells can be seen as the AIS's control mechanism, determining whether the WSN is suffering an attack or not. The proposed IDS was designed to be activated or deactivated according to the security requirements of the applications running on the WSN, thus contributing to saving the WSN's constrained resources.

Our proposal is a decentralized and customized version of the original Dendritic Cell Algorithm (DCA), which was tailored to the WSN environment [11]. In this new version, the original algorithm's procedures have been adapted to better exploit the high density characteristic of WSNs and to reduce both the processing and the amount of data structures to be stored in each sensor node.
The algorithm was designed to: (i) be generic and independent of attack type; (ii) allow component reuse in different WSN applications; (iii) have its code independent of WSN application codes and protocols; and (iv) allow activation/deactivation according to the security requirements of the currently running WSN applications.

An application where sensors capture and periodically send data to a base station (BS) connected to a computer was considered as a case study in this paper. An IDS, programmed to detect one of the greatest threats to a WSN, namely the denial-of-sleep attack (through jamming interference) [24], and to trigger appropriate countermeasures, was installed in all sensor nodes. This type of attack aims at accelerating the depletion of the energy sources of one or more sensors and, eventually, disabling them. The attack occupies the wireless medium and increases the probability of packet collisions within the range of the interfering signal. The attack keeps the affected nodes awake for a longer time trying to successfully transmit (the wireless medium is occupied by the attacker node) or retransmit a packet (the application requests the retransmission of non-received packets), causing, in both cases, additional consumption of sensor node energy.

The remainder of this paper is organized as follows. Section 2 describes basic concepts on HIS and, in particular, DCA and Danger Theory. Section 3 discusses related work. The proposed IDS is described in Sect. 4 and, in Sect. 5, different experiments and their results are analyzed. Finally, our conclusions and future work are presented in Sect. 6.

2 Basic Concepts

Currently, a great interest has emerged in studying the employment of HIS for intrusion detection, and several studies have focused on the Negative Selection, Clonal Selection and Immune Network theories, also known as the Classical Theories [11].
However, the approach based on Classical Theories has been questioned because it is neither true that only external factors cause damage to the body, nor that any outside organism can cause harm to the body. This question arose in 1994 [18], when the Danger Theory was first introduced.

The human body's defense system is mediated by the early reactions of innate immunity and the late responses of acquired immunity. The innate immune system represents the first line of defense of the organism, acting quickly and effectively against invaders. This system consists of defense mechanisms and cellular biochemistry that are present even before a possible attack. Because they are congenital, they respond promptly to infections. Its main components are physical barriers such as skin; chemical barriers, represented by antimicrobial substances produced by epithelial surfaces, such as sweat and saliva; and agents and cellular proteins such as cytokines, complement components, macrophages and DCs. These components respond in much the same way to various infections, since the aggressor is recognized through structure patterns common to different pathogens (PAMPs, Pathogenic Associated Molecular Patterns) [18].

The Adaptive Immune System is characterized by the impressive ability to identify and distinguish different types of offenders, known as specific immunity. Moreover, once stimulated by a particular pathogen, the subsequent responses to the same pathogen will be faster, growing in magnitude and defensive ability, a skill known as memory. The adaptive immune system is composed of B and T cells and their products. Both the AIS and the innate system are parts of an integrated defense system. The initial response of innate immunity stimulates adaptive immunity, and the latter uses many innate immunity components as effectors of its response.

Applying the HIS concepts to several areas of computing gave rise to the Artificial Immune System (AIS).
In recent decades, works on AIS using the Danger Theory have become popular [2]. The incorporation of this theory in intrusion detection techniques is intended to produce a system able to respond efficiently both to known threats and to new types of attacks, thus reducing the number of false positives (FP), which are common in IDSs [12]. The Danger Theory takes into account whether the antigens are dangerous or not, according to whether danger signals are being produced by damaged tissue cells [18]. DCs are the main element of this theory, acting as crime scene investigators, collecting antigens produced by pathogens and tissue cells and classifying them by means of a danger signal. In Greensmith et al. [12], initial investigations on the use of DCs in AIS applied to anomaly-based IDS were presented, and the DCA was introduced for the first time. The algorithm was based on features of these cells, using input signals and state differentiation from immature to semi-mature (normal) or mature (anomalous) in order to build a control mechanism for AIS.

DCA is divided into three phases: initialization, updating and aggregation [12]. In the initialization phase, the algorithm parameters are configured and initialized, and the immature state is attributed to DCs. In the updating phase, a continuous process of updating data structures from the input signals and the antigens is performed. In this stage, the output signals are generated by changing the state of the DCs to semi-mature (normal) or mature (anomalous). The aggregation phase occurs in the lymph node, which is a ganglion found throughout the lymphatic system and has the function of receiving the DCs. At this stage, antigens presented by the mature or semi-mature DCs are analyzed and the index of abnormality of these antigens, known by the acronym MCAV (Mature Context Antigen Value), is calculated.
MCAV ranges from zero (0) to one (1) and represents how anomalous a specific antigen is, being calculated using the following formula: MCAV = M / (SM + M), where M represents the amount of a specific antigen found in mature cells and SM the amount of that same antigen in semi-mature cells. If the index is above a predetermined value (anomaly threshold), antibodies are activated, starting the fight against the invaders. Antigen evaluation is repeated a certain number of cycles (events) or until all antigens have been evaluated [21].

In the DCA, the input signals are classified as: (i) danger signals, when the cells undergo necrosis (unscheduled cell death); (ii) secure signals, when the cells undergo apoptosis (programmed cell death); (iii) PAMP signals, substances indicating the presence of an extra-entity body; and (iv) inflammation, which indicates the increase of blood flow and temperature in an area affected by an invasion, whose effect amplifies the effects of the three earlier signals [11].

DCs process the input signals to generate output signals according to Eq. 1. This equation is computed once for each of the output signals: (i) migration signal (Costimulatory Molecules, CSM), (ii) semi-mature and (iii) mature. Each DC keeps storing the output signals while the migration signal does not reach a predetermined threshold (migration threshold). When the migration signal reaches the limit, the DC compares the stored values for the semi-mature and mature signals. The signal of greater value sets the state of maturation for that DC. Then this DC migrates to the lymph node. In Eq. 1, $P_i$ represents the PAMP signal, $D_i$ the danger signal, $S_i$ the secure signal and $IC$ the inflammation signal. The sum of each of these signals is multiplied by its respective weight $W_P$, $W_D$ and $W_S$.

$$\mathrm{Output}_{[\mathrm{csm},\ \mathrm{semimature},\ \mathrm{mature}]} = \left( W_P \sum_{i=0}^{I} P_i + W_D \sum_{i=0}^{I} D_i + W_S \sum_{i=0}^{I} S_i \right) (1 + IC) \qquad (1)$$

In HIS, DCs do not perform their function in isolation.
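The updating and aggregation phases, Eq. 1 and the MCAV index described above, as an added example (not the authors' code and not their customized WSN version). The weights, migration thresholds, the 0.5 anomaly threshold, the node names and the observation sequence are constructed assumptions, since the page states no values for them.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# (W_P, W_D, W_S) for each output signal of Eq. 1. Assumed values for
# illustration only; the page does not state the weights it uses.
WEIGHTS = {
    "csm": (2.0, 1.0, 2.0),
    "semimature": (0.0, 0.0, 3.0),
    "mature": (2.0, 1.0, -3.0),
}
ANOMALY_THRESHOLD = 0.5  # assumed MCAV anomaly threshold


def output_signals(pamp, danger, safe, ic=0.0):
    """Eq. 1: (W_P*sum(P) + W_D*sum(D) + W_S*sum(S)) * (1 + IC), per output."""
    sp, sd, ss = sum(pamp), sum(danger), sum(safe)
    return {
        name: (wp * sp + wd * sd + ws * ss) * (1.0 + ic)
        for name, (wp, wd, ws) in WEIGHTS.items()
    }


@dataclass
class DendriticCell:
    migration_threshold: float
    csm: float = 0.0
    semimature: float = 0.0
    mature: float = 0.0
    antigens: list = field(default_factory=list)

    def update(self, antigen, pamp, danger, safe, ic=0.0):
        """Updating phase: store the antigen, accumulate the output signals.

        Returns the maturation state once the migration signal reaches the
        migration threshold, otherwise None (the cell is still immature).
        """
        out = output_signals([pamp], [danger], [safe], ic)
        self.csm += out["csm"]
        self.semimature += out["semimature"]
        self.mature += out["mature"]
        self.antigens.append(antigen)
        if self.csm < self.migration_threshold:
            return None
        # The output signal of greater value sets the maturation state.
        return "mature" if self.mature > self.semimature else "semimature"


def run_population(observations, migration_thresholds):
    """Feed every observation to a population of DCs; count antigen contexts."""
    cells = [DendriticCell(t) for t in migration_thresholds]  # initialization
    counts = defaultdict(lambda: {"mature": 0, "semimature": 0})
    for antigen, pamp, danger, safe, ic in observations:
        for i, cell in enumerate(cells):
            state = cell.update(antigen, pamp, danger, safe, ic)
            if state is None:
                continue
            for presented in cell.antigens:  # cell migrates to the lymph node
                counts[presented][state] += 1
            cells[i] = DendriticCell(cell.migration_threshold)  # fresh cell
    return counts


def mcav(counts):
    """Aggregation phase: MCAV = M / (SM + M) for every presented antigen."""
    return {
        antigen: c["mature"] / (c["semimature"] + c["mature"])
        for antigen, c in counts.items()
    }


def flagged(scores, threshold=ANOMALY_THRESHOLD):
    """Antigens whose MCAV is above the anomaly threshold."""
    return sorted(a for a, v in scores.items() if v > threshold)


# Constructed observations (antigen, PAMP, danger, safe, inflammation):
# six quiet readings attributed to node-7, then six readings taken while
# node-13 occupies the medium.
OBSERVATIONS = [("node-7", 0, 0, 1, 0.0)] * 6 + [("node-13", 1, 2, 0, 0.5)] * 6


def demo():
    counts = run_population(OBSERVATIONS, migration_thresholds=[4, 6, 8])
    return counts, mcav(counts)


if __name__ == "__main__":
    counts, scores = demo()
    for antigen, value in scores.items():
        print(antigen, dict(counts[antigen]), round(value, 3))
    print("flagged:", flagged(scores))
```

With this data, the cell with migration threshold 8 carries safe-signal history into the attack window and presents node-13 once in a semi-mature context, yet the population as a whole still scores node-13 at 16/17.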
There is a population of DCs, each of which captures antigens and input signals. The multiplicity of DCs is a key issue, since it is the collective indication of several DCs on one type of antigen that causes a HIS response. Thus, the DCA is inherently error-tolerant, because a misclassification made by a single DC is not sufficient to trigger a HIS false positive error. As soon as DCs notify the lymph node of the presence of an invader, B and T cells are activated, being responsible for the production of that pathogen's specific antibodies.

3 Related Work

Techniques used in natural computation, particularly those based on the AIS, have been considered the most promising approaches for the implementation of next generation safety systems for WSNs [2].

Several HIS-inspired IDS proposals based on the use of the Danger Theory in regular networks can be found in the literature, such as Aickelin and Cayzer [1], Aickelin et al. [2], Greensmith et al. [12] and Twycross [22], Greensmith [11], Bachmayer [3], Hong and Yang [13] and Silva [21]. In WSNs there are many works proposing IDSs using a statistical-based approach, such as Da Silva et al. [6], Onat and Miri [19] and Martynov et al. [17]. Among the reviewed references, only Drozda et al. [9], Liu and Yu [16], Kim et al. [14], Wallenta et al. [23] and Zamani et al. [25] presented works using immune-inspired IDSs for WSNs.

In Da Silva et al. [6], an anomaly detection IDS was proposed. That IDS was divided into three phases and based on promiscuous monitoring of the WSN. During the first phase, data acquisition is done. During this phase a monitor node listens to the network in promiscuous mode and stores the information using the available memory on the sensor. The authors defined a set of rules that are applied in the second phase, and when a message fails the verification of such a rule, a counter relative to that rule is increased.
Finally, in the third phase, the counters are compared with threshold values. If the number of failures is greater than the predefined threshold, an alarm is activated. For the IDS proposed by Da Silva et al. [6] to operate, two new fields must be included in the message structure of the application (an increase of 2 bytes in size) for use by the rules proposed by the IDS, allowing the collection of the information needed by the sensors' IDS. This change makes the IDS specific to the application.

In Onat and Miri [19], an anomaly-based IDS for WSNs was proposed. This IDS uses a statistical algorithm, which exploits the stability of a static large-scale WSN. In the proposed IDS, the sensors have the ability to store simple statistics about the behavior of their neighboring nodes, such as the message transmission rate and the power of the broadcast signal. The IDS proposed by them was installed in all of the WSN's sensors, and although it indicates an interesting and feasible methodology, no mechanism for cooperation between the nodes was implemented.

Martynov et al. [17] proposed, and implemented on a real sensor platform, an agent-based IDS that uses the anomaly detection approach. This IDS is able to identify a Denial-of-Service attack in WSNs. The agents are called Status Nodes and Send and Receive Nodes. The Status Node has the functionality to warn about the occurrence of an attack. The Send and Receive Node has the functionality to send and receive messages at different rates, simulating a normal network or a network under attack by varying the transmission rate of the application messages. These agents are distributed over different sensors, where the Send and Receive Nodes, by comparing network traffic with a pre-established baseline, can identify whether the attack is occurring or not. If the attack is identified, a message informing about the attack is transmitted to all nodes in the network.
Despite the distributed agents, the nodes work independently and do not cooperate with each other to identify the attack.

Drozda et al. [9] proposed a misuse detection immune-inspired IDS for WSNs, based on the Negative Selection Theory. The authors show that the choice of the elements that, when concatenated, compose and identify an antigen has a profound influence on the performance of the AIS. In the Negative Selection Theory, if the antigens are not all mapped, there will be holes in the detection, which will trigger the occurrence of FP and false negatives (FN). The authors state that the performance of the IDS depends on the size of the antigens, i.e., the greater the antigen size, the greater the number of detectors needed for a correct attack identification. This goes against one of the basic characteristics of the sensors, the scarcity of resources, memory in this case.

In Liu and Yu [16], the authors applied the techniques of Negative Selection and Clonal Selection in the creation of an immune-inspired WSN IDS. The following conditions were established for the IDS: (i) the nodes are static and no new node is added to the network; (ii) data packets are forwarded to the BS and the network uses a tree-based structure for routing; (iii) tampered nodes function normally, except when conducting an attack; (iv) there was sufficient training before the attack was started; and (v) all nodes in the WSN are equipped with the extra module to detect anomalies. To monitor the behavior of neighboring nodes, a node listens for messages from its neighbors through its detection module. This module is divided into four phases. The first phase is self-acquisition, where, during a training period, the node listens to the transmission/reception of its neighbors, extracting information from trafficked packets and storing it in the sensor's memory. By adopting a learning period, the authors make the system unable to accept changes in the WSN.
As the sensors exhaust their batteries, the WSN's own features change. This creates the need for further training, since FP or FN can be issued because the scenario has changed. The second phase, called detectors generation, occurs after the system training. At this stage the detectors that will identify the attacks are generated and stored in the sensor's memory. The third phase, called detection, occurs when the training ends and the system starts to detect the attack. At this stage the packets sent by neighboring nodes are heard by a node and the parameters to be analyzed (called antigens) are extracted. If the detector reaches its time limit of life and the number of antigens that combined is less than the threshold, the sensor dies and a new detector is generated. If the number of antigens is greater than the limit, the detector will activate an intrusion alarm. When a switch is activated, it passes to the next phase: Clonal selection. In the fourth phase, called Clonal selection, active detectors evolve and go to the memory, starting to have a longer lifespan and lower limits. This technique allows detectors stored in memory to be activated quickly when similar attacks occur. In order to reduce FP, a mechanism of co-stimulation has been proposed. However, in this mechanism, an operator must mark a string as self to correct a false positive, making the IDS dependent on human intervention and violating one of the basic principles of HIS: autonomy. In the simulations, the authors found that, with a mapped set of self antigens and a large set of detectors, the IDS achieved a rate of 100 % detection for all simulated attacks. However, 92.3 % of FP were found in the jamming attack. The latter makes it appear that the network is still being attacked.

Wallenta et al. [23] extended the work presented by Kim et al. [14], which was the first one to propose a DCA implementation for a WSN.
This IDS made it possible to detect a new type of attack called Interest Cache Poisoning Attack, which can occur in a WSN environment when the directed diffusion protocol is used. Unlike Wallenta et al. [23], where DCA and directed diffusion protocol procedures are intertwined, in the present work the proposed algorithm is designed so that its code is independent of WSN applications and protocols, allowing component reuse in different application scenarios.

Zamani et al. [25] proposed a generic architecture using mobile agents for a Danger Theory immune-inspired IDS. This architecture was applied in a WSN in order to identify a Distributed Denial-of-Service (DDoS) attack when the directed diffusion protocol is used. According to the authors, agents are used to collect data in various nodes and cooperate with each other in order to detect an attack. The architecture was split into static agents, which stay fixed in pre-determined sensors and simulate HIS tissues, and mobile agents, which are transmitted between sensors, simulating the behavior of HIS cells. The static agents simulated the following organs of the HIS: Thymus, Bone Marrow, Lymph Node and tissues. The mobile agents simulated the characteristics of B cells, T cells and DCs.

Unlike the related work, in this paper we used the Danger Theory and a customized DCA to perform the anomaly detection of attacks in WSNs. These two immune-inspired techniques have a different approach from the classical theories about the use of antigens in the identification of an attack. A generic IDS, independent of the application and of the type of routing protocol, was created and implemented in a WSN. The IDS was distributed among the sensors, which carry out different and complementary roles, so it is not necessary to install the IDS in all nodes of the network. Thus, the sensors of a WSN may or may not have the TinyOS modules containing the IDS implementation, allowing the inclusion of new sensors in the WSN without any change in the application.
An evaluation of the energy expended by the IDS was performed, which was not done in related works.

4 Immune-Inspired Intrusion Detection Systems

This section describes: (i) the logical architecture of the proposed IDS and its constituent elements; (ii) the mapping of computational elements into immune-inspired elements; (iii) the description of the phases that define the workflow of the proposed IDS; (iv) the proposed DCA customization for WSNs; and (v) a description of the IDS operation.

4.1 IDS Logical Architecture

The WSN we are dealing with consists of several sensor nodes and a BS. A sensor node, in turn, can play the role of a DC (sensor-dc) or of a lymph node (sensor-lymph). The WSN IDS logical architecture, shown in Fig. 1, follows the architecture proposed by the Common Intrusion Detection Framework (CIDF) [4, 7, 10] and consists of several components, namely Monitoring, Intrusion Detection Manager, Context Manager, Decision Manager, Parameters Base, Rules Base and Countermeasures. These components are grouped into four subsystems: (i) Monitored Environment (E-BOX); (ii) Intruder Detector (A-BOX); (iii) Storage (D-BOX); and (iv) Countermeasures (C-BOX).

The Monitoring, Intrusion Detection Manager, Context Manager, Parameters Base and Rules Base components are installed in the sensor-dc. The Decision Manager and the Countermeasures components are located in the sensor-lymph.

The Monitored Environment subsystem, consisting of the Monitoring component, is responsible for capturing the values of the parameters defined by the Context Manager, such as the amount of sent and received messages and the Received Signal Strength Information (RSSI), which represent inputs to the proposed IDS. These parameters are used to determine a possible invasion.

The Intruder Detector subsystem analyzes the collected information to take a decision regarding the presence or absence of an intruder in the environment.
The Intrusion Detection Manager, Context Manager and Decision Manager components are part of this subsystem.

The Intrusion Detection Manager, the central component in the architecture, is responsible for organizing tasks and coordinating the actions and responses of the other managers. During system instantiation, the Intrusion Detection Manager indicates to the Context Manager which attacks are to be monitored by the IDS. The Context Manager, upon receiving the attack information, consults the Parameters Base to find out which parameters need to be monitored by the Monitoring component. The Monitoring component regularly collects parameter information and forwards the most recent measures to the Context Manager. Parameter values received from the Context Manager are forwarded by the Intrusion Detection Manager to the Decision Manager. The Decision Manager uses the received information to identify possible attacks in the monitored area and, in the event of an attack, its type and anomaly degree. Information about the existence, type and anomaly degree of an attack is returned to the Intrusion Detection Manager, which forwards the report to the Countermeasures component so that countermeasures can be taken.

The Context Manager is responsible for two features: (i) Monitoring Management; and (ii) Parameters Base Management. The Monitoring Management functionality is responsible for requesting and receiving parameters from the Monitoring component, while the Parameters Base Management functionality is responsible for comparing received parameters with data in the Parameters Base and for database maintenance. The Context Manager, after receiving from the Intrusion Detection Manager information about which attack(s) to monitor, accesses the Parameters Base to find out which parameters to monitor and instructs the Monitoring component to collect parameter values.
The Decision Manager is responsible for performing three functions: (i) managing the Rules Base; (ii) executing the customized DCA; and (iii) identifying an attack. The Decision Manager needs to consult the Rules Base repository for each type of attack. Once a possible attack is identified, the Intrusion Detection Manager is warned. The detection of various attacks can be carried out using a set of distinct rules and evaluating the appropriate set of antigens. Furthermore, adjusting the anomaly threshold (MCAV) in the database is crucial for efficient attack detection.

The Storage subsystem stores: (i) the Parameters Base, which is managed by the Context Manager and contains the collected parameter history, attack type, attack parameters list and, for each parameter, a threshold value; and (ii) the Rules Base, managed by the Decision Manager, which contains rules that identify the types of attacks the IDS is able to identify and the anomaly threshold (MCAV) set by the administrator for each type of attack. Databases are queried and input data compared with monitored data.

The Countermeasures subsystem contains the Countermeasures component, which is responsible for combating identified attacks. Countermeasures are direct actions performed on a node or action-demanding information sent to the administrator.

4.1.1 Interactions Among Components for DC and Lymph Nodes

Figures 2 and 3 present sequence diagrams specifying component interactions for DC and lymph nodes, respectively.

In Fig. 2, the Intrusion Detection Manager tells the Context Manager that a particular attack must be monitored by issuing the informTypeOfAttack command in step (1). In step (2) the Context Manager accesses the Parameters Base via the accessParametersBase command to identify which parameter has to be monitored. Then, the Context Manager forwards the request to the Monitoring component, issuing the requestParameter command (3).
The Monitoring component then captures the most recent value of the requested parameter from the environment via the readParameter command in (4). If the read value needs further processing, e.g. obtaining sent or received message rates, the Monitoring component executes a processing command (5) and afterwards passes the value to the Context Manager (6). The Context Manager, upon receiving a new value, compares it to the Parameters Base with the verifyNormality command (7) and stores this value with the storeParameterValue command (8). Commands (7) and (8) are part of the Parameters Base Management functionality of the Context Manager. The value is then forwarded, via the sendParameter command (9), to the Intrusion Detection Manager, which forwards it to the Decision Manager (10). In the Decision Manager, the received parameters are verified against attack type according to the Rules Base (11) and the processing of the DCA's functionality is started (12). The Rules Base is consulted, representing the Rules Base managing functionality. Once an attack is identified, the Decision Manager invokes the adviceCell command in step (13), informing the Intrusion Detection Manager. Finally, the Intrusion Detection Manager of this node sends this information to the node acting as lymph node by calling the migrateCell command.

Fig. 1 IDS Logical Architecture
Fig. 2 Sequence diagram: node playing DC role
Fig. 3 Sequence diagram: node playing lymph node role

The node playing the role of a lymph node, in its step (1), Fig. 3, listens to messages representing DCs, received from nodes playing the role of DCs. The Decision Manager, using the Attack Identification functionality, receives migrated DC message data and calculates the MCAV value for each identified attack, in step (2). The Decision Manager informs the Intrusion Detection Manager of the MCAV value in step (3).
The Intrusion Detection Manager sends it to the Countermeasures component in step (4). Inside the Countermeasures component the attack is identified (5) and procedures to restrain the attack are passed to the Intrusion Detection Manager in step (6). So the Countermeasures component instructs other network nodes to trigger specific countermeasures to combat that attack type, as shown in step (7). This node can also execute step (8), informBaseStation, which is responsible for notifying the BS about the attacks that are occurring on the wireless network.

4.2 Mapping Computational Elements into Immune-Inspired Elements

In this work, the WSN consists of several sensor nodes and a BS, where a sensor node can take the role of a DC (sensor-dc) or a lymph node (sensor-lymph).

In this section, the features of computational elements are mapped onto biological elements, as shown in Table 1. Pathogens are the attacks themselves. Antigens represent a way to identify an attack that we want to classify. This identification is specific to each attack, i.e. each attack has its own unique identifier, and could be based, for example, on transmitted or received messages, which would be classified as self (messages from the system or application) or non-self (messages not belonging to the system or application) messages. Antibodies are mapped as countermeasures. The tissue being evaluated for the presence of pathogen danger is represented by the WSN's nodes. The Danger area is represented by the covering area of the wireless nodes. Covering areas are controlled by the Monitoring component and by the Context Manager managing functionality.

DCs are represented by the Intrusion Detection Manager component and the Parameters Base Management functionality of the Context Manager.
DCs have the following attributes: (i) identifier, which associates the DC to the node where it was created; (ii) antigen, which works like a label identifying a specific attack; (iii) state, which contains the DC's current state value: immature, semi-mature or mature; (iv) migration time, which represents the maximum time a DC keeps collecting antigens and input signals; (v) danger signal; (vi) PAMP signal; (vii) secure signal; and (viii) inflammation signal. The signals (items v to viii) were explained in Sect. 2. The lymph node is represented by the decision mechanism built into the Decision Manager component. B cells and T cells, representing the adaptive immune system, are represented by the Countermeasures component. This component is responsible for fighting invaders, and its actions are regarded as antibodies. Input signals (danger signal, secure signal, PAMP signal and inflammation) are variable parameters and different for each attack type. These signals will be discussed in subsequent sections. The Parameters Base and Rules Base repositories were modeled to provide a data storage computational functionality without any biological inspiration. However, these repositories are essential for attack identification.

4.3 Immune-Inspired Intrusion Detection System Operation Phases

The proposed IDS's operation flow is divided into four phases: (i) Collection Phase; (ii) Analysis Phase; (iii) Decision Phase; and (iv) Reaction Phase. The first and second phases are related to DCA procedures, while the third phase is related to lymph node decision-taking procedures. The fourth phase represents the adaptive immune system and its reaction against invaders. Antigens and input signals are captured in the first phase. In the second phase, input signals and antigens are analyzed to generate output signals. These output signals indicate the DC maturation state. In the third phase, DCs present and classify the self and the non-self antigens, indicating their degree of abnormality.
In the fourth and final phase, B and T cells begin to produce antibodies which will fight against a specific invader. Table 2 illustrates the location and functionality of the computational components according to the phases of the IDS. Phases are detailed below.

Table 1 Biological/computational mapping

| Biologic elements | Computational elements |
|---|---|
| Pathogens | Attacks |
| Antigens | Information that identifies an attacker |
| Tissue | Nodes composing WSN |
| Danger area | Nodes covering area |
| DC | Intrusion Detection Manager component and Context Manager component (managing database functionality) in sensor-dc |
| Lymph-node | Decision Manager Component in sensor-lymph |
| B cell and T cell | Countermeasures component |
| Antibody | Countermeasures activated by nodes |

4.3.1 Collection Phase

DCA starts its execution in the Collection Phase. The signals used for intrusion detection are collected by the Monitoring component of the sensors-dc, which can operate in promiscuous mode, capturing all information transmitted in the network, or in normal mode, capturing only information directed to itself.

In this phase, nodes (sensor-dc) collect input signals from the network. Signals are represented by a set of parameters that have to be monitored in order to identify an attack. The monitoring is carried out by the message receiving event of the application itself. There is no need to activate the radio component for a specific IDS monitoring, i.e., the radio is on only when the sensor is active and a message is being received, thus saving energy. Each attack has its different input signals. The definition of each input signal determines the attack type a sensor is monitoring. Upon Collection Phase completion, the Analysis Phase begins.

4.3.2 Analysis Phase

The Analysis Phase is responsible for identifying the attack the node (sensor-dc) was configured for. The analysis is based on comparison with parameters and rules previously defined and stored in the Parameters Base and in the Rules Base.
The Context Manager receives a parameter value from the Monitoring component and forwards this information to the Intrusion Detection Manager. The Intrusion Detection Manager forwards the information to the Decision Manager component. In the Decision Manager component, the forwarded information serves as input to the immune-inspired algorithm. This procedure is repeated at each DC until it migrates to the lymph node, i.e., a message is sent from the DC to the lymph node. During repetitions, the values monitored by the DC are cumulatively processed by a utility function, detailed in Sect. 2, Eq. 1. The output of this function will be the DC's maturation state: mature, in case an anomaly is detected, or semi-mature, otherwise. Upon reaching the migration threshold, the DC migrates either to the semi-mature state or to the mature state, depending on the utility function output, and the Decision Phase starts.

4.3.3 Decision Phase

The Decision Phase occurs in the lymph node and is executed within the Decision Manager, performing the functionality of identifying whether an attack is occurring or not. In this component, migrated DCs are counted and the antigens they have presented are classified as normal or anomalous, generating the MCAV index. This index is passed to the Intrusion Detection Manager, which forwards it to the Countermeasures component, starting the fourth and final phase.

4.3.4 Reaction Phase

At this phase, which represents the adaptive immune system reaction, the Countermeasures component receives information about the type and intensity of the attack (MCAV index) that is occurring on the network. The Countermeasures component is responsible for starting the release of antibodies in order to combat the invaders.

4.4 Custom Dendritic Cell Algorithm Applied to WSN

Figure 4 shows the pseudo code of the original DCA, proposed by Greensmith [11]. The indexes and the data structures used in the original algorithm are shown in Tables 3 and 4, respectively.
For the original algorithm, in lines 1 and 2 all parameters needed for the implementation of the DCA are initialized. Line 3 runs a loop that controls the number of refresh cycles of antigens and signals. In line 4 the data structures containing the antigens and the input signals, representing the tissue being evaluated, are updated. In line 5 a loop that will visit all the DCs of the population begins, causing them to collect and evaluate the antigens and the input signals. In the loop of lines 6-8 each DC fills the data structure of antigens, and in the loop of lines 9-11 its input signals (safe, danger and PAMP) are collected. In lines 12-14 each DC processes the antigens vector. The loop of lines 15-18 calculates the three output signals for that DC in that cycle. The conditional test in lines 19-23 removes the DC from the population, migrating it to the lymph node and clearing the antigens and the input signals from its content, replacing this cell in the population. Line 25 increments the execution cycle of the algorithm. Finally, in line 27 the MCAV is calculated for the collected antigens.

Table 2 Immune-inspired IDS phases and its composing elements

| | Collection Phase | Analysis Phase | Decision Phase | Reaction Phase |
|---|---|---|---|---|
| Immune system | Innate immune system | Innate immune system | Innate immune system | Adaptive immune system |
| Biological components | DC | DC | Lymph node | B and T cells |
| Computational components | Monitoring; and Context Manager (Monitoring Management) | Context Manager (Parameters base managing); and Decision Manager (Rules base Management; DCA processing) | Decision Manager (attack identification) | Countermeasures |

In this work, the original DCA was adapted to better exploit the density of WSNs and reduce the processing and data structures required in each sensor node (Figs. 5, 6). Thus, the procedures of the original DCA were divided between the sensor-dc and the sensor-lymph.
Each sensor-dc was responsible for the procedure of one DC, making unnecessary any specific processing to create a DC, which occurs in the first line of the original algorithm. The loop of line 5 was excluded from the sensors-dc. The features of the loops of lines 6-8, 9-11, 12-14 and 15-18 remained unchanged. The conditional test of lines 19-23 has been shifted out of the loop of line 5 and remained in the sensors-dc. At the end of an execution cycle, i.e. after the value of CSM reaches the threshold value, the sensor-dc sends a control message to the sensor-lymph indicating its final state and which antigens were processed, restarting the execution cycle (Fig. 5). Line 27, concerning the calculation of the anomaly index (MCAV), was executed only by the lymph-node sensor, which uses data messages received from sensors-dc as input, sending a message to the BS containing the MCAV obtained (Fig. 6).

Fig. 4 DCA's original pseudo code
Fig. 5 Pseudo code of DCA customized to WSN (sensor-dc role)

Table 3 Original DCA indexes

| Index | Variation | Description |
|---|---|---|
| i | From 0 to I | Number of input signals per category |
| j | From 0 to J | Number of input signals categories |
| k | From 0 to K | Number of antigens in tissue's antigen vector |
| l | From 0 to L | Number of DC's cycles |
| m | From 0 to M | Number of DCs in the population |
| n | From 0 to N | Size of the DC's antigen vector |
| p | From 0 to P | Number of output signals per DC |
| q | From 0 to Q | Number of antigens sampled per DC, per cycle |
| Tmax | Tm | Size of the antigen vector in the tissue |

Table 4 Original DCA's data structures

| Structure | Description |
|---|---|
| $T = \{S, A\}$ | The tissue |
| $S$ | Matrix of tissue signals |
| $S_{ij}$ | Signal of type i, category j in matrix of signals S |
| $A$ | Antigen vector of the tissue |
| $a_k$ | Antigen k in antigen vector of the tissue |
| $DC_m = \{s(m), a(m), o_p(m), t_m\}$ | One DC in population |
| $s(m)$ | Matrix of signals of the $DC_m$ |
| $a(m)$ | Antigen vector of the $DC_m$ |
| $o_p(m)$ | Output signal p of the $DC_m$ |
| $t_m$ | Migration threshold of the $DC_m$ |
| $w_{ijp}$ | Weights of the input signals $S_{ij}$ |
It is worth mentioning that in the original DCA, increased reliability on the decision of whether there is an attack was obtained by the existence of a set of DCs in a single device. In our proposal, this reliability is achieved by the existence of multiple nodes with the functionality of a sensor-dc and a sensor-lymph (for each group of sensors-dc) that gathers the reports on the existence or not of an attack. This decision aims to exploit the fact that WSNs are composed of several small nodes arranged close to each other, thus allowing different viewing angles on the same attack.

In this study, we observed that the calculation of the CSM could be customized for different types of attacks, not requiring the calculation performed by Eq. 1 of Chapter 2, saving processing by the sensors. Thus, the loop of lines 15-18 of Fig. 4 (Sect. 4.4) could have its processing reduced to two repetitions. This procedure will be detailed in the next chapter.

4.5 Description of the IDS Operation

Nodes playing the DC role should collect the parameter values requested by the Intrusion Detection Manager and, when executing the DCA, send messages to the node playing the lymph node role. These messages represent the migration of a DC either in the mature or the semi-mature state. When no attack is detected by the modified DCA running on a node, no messages are sent, in order to save energy. Messages received in a lymph node are processed to identify the attack type and calculate the MCAV. For each attack type, the lymph node emits an alert message to the other nodes, causing them to activate specific attack countermeasures.

Attack countermeasures are messages with instructions to trigger actions to eliminate the identified threat. Actions may include, e.g., enabling encryption, starting to use authentication, excluding a node from the network, or even shutting down for a specific time. Actions depend on the type of attack that the network is suffering.
Figure 7 shows two sets of five sensors-dc (DC), each set communicating with its corresponding sensor-lymph (LN). The arrows indicate the order of events: arrows with label 1 indicate a mature or semi-mature DC migrating to a sensor-lymph. Arrows with label 2 indicate that the sensor-lymph identified an attack in the WSN and is commanding the sensors-dc to activate their countermeasures. Arrows with label 3 show the message a sensor-lymph can send to the BS in order to advise the administrator about an ongoing attack.

Fig. 6 Pseudo code of DCA customized to WSN (sensor-lymph role)
Fig. 7 Sensors-dc and sensors-lymph interacting (arrow labels: 1 Dendritic Cells migrating; 2 Countermeasures; 3 Alert to Admin)

5 Experiments with the Immune Inspired IDS Applied to WSNs

In this section, we describe simulations performed initially to calibrate the proposed IDS and to analyze its efficiency. Next, we present descriptions of simulations conducted to evaluate the IDS energy consumption. Following that, a comparison between our proposal and another work, which uses a different immune-inspired approach (Self-non-self theory), was conducted, allowing the efficiency of both approaches to be assessed in terms of detection and energy consumption. Next, we describe an experiment performed with real sensor nodes. In this experiment, the phases of the operation flow of the proposed IDS (collection, analysis, decision and countermeasure) were implemented on a real WSN platform in order to evaluate the in situ efficiency of the algorithm. Finally, the last experiment was repeated, but this time with sensor nodes simulated using TOSSIM (instead of using a real WSN platform), so that the real and the simulated results could be compared.
In this work we considered only the Denial-of-Sleep attack, which is characterized by the presence of an attacker, called Jammer, which causes a noise in the wireless communication. Such noise hampers the communication between nodes in the network, preventing them from entering sleep mode by flooding the medium with messages. The Denial-of-Sleep attack is considered a major threat to WSNs [17].

The calculation of the CSM was customized to identify the Denial-of-Sleep attack. This calculation was not done using Eq. 1 of Sect. 2, but directly by counting the number of messages received by the sensors-dc, allowing an economy of processing by the sensors. That is, instead of having an expensive constant processing even if an attack is not occurring on the network, the sensors-dc start to count the number of application messages and, only when they reach a certain number, send a message to the sensor-lymph containing the result of processing the information collected.

The analysis of the detection of other types of attacks in WSNs was left as future work. However, extending the IDS to incorporate new attacks is quite simple. Since the IDS was designed to receive input signals and these signals were associated to parameters which are different for each attack type, only the following steps are required to include a new type of attack:

- In the Parameters Base, one needs to add (i) the new attack type, (ii) the parameters chosen for this new attack and (iii) for each included parameter, a threshold value;
- In the Rules Base, one needs to add rules which are able to identify this new attack.

5.1 Experiment Environment

For all the performed experiments, either using real or simulated nodes, the designed WSN was composed of MICAz sensors, manufactured by Crossbow Technology [5].
The sensors were programmed with the TinyOS development environment [15], version 2.1.1, using nesC [15], an extension of the C language, which implements a model of event-driven programming. TinyOS is a component-based framework, designed specifically for the development of solutions for WSNs. The real experiments were conducted in a closed environment (laboratory). The simulated scenarios were performed with the TinyOS TOSSIM simulator [15].

TinyOS offers several software components, including components that implement the communication protocol stack. Each TinyOS component has a well-defined interface, implemented by functions that are characterized as event handlers or commands. It is important to notice that we used only the standard TinyOS routing protocols, which are provided by the programming environment, and no sensing boards were used, as the purpose of the experiments was to evaluate the proposed IDS.

The proposed IDS was evaluated along with the BlinkToRadio application from the TinyOS repository, which was deployed in all nodes. In the BlinkToRadio application, nodes perform periodic readings every second. In addition to the normal BlinkToRadio activities, each node was enhanced with the role of sensor-dc or sensor-lymph.

5.1.1 Real Platform Architecture

The proposed IDS was implemented by defining two new components in TinyOS: IDSDendriticCellC, with DC functionality, implemented in sensor-dc nodes; and IDSLymphNodeC, with the functionality of the lymph node, implemented in sensor-lymph nodes.

Fig. 8 Application using IDSDendriticCellC component

The IDSDendriticCellC (Fig. 8) component was designed to be used by applications replacing the default AMReceiverC component. AMReceiverC is the TinyOS default component responsible for handling the reception of messages.
Thus, all messages arriving at the sensor node are evaluated by IDSDendriticCellC and reported in a transparent way to the application running on the sensor. This component provides the same interfaces as the default AMReceiverC component and implements the following functionalities: (i) monitoring the parameters that identify an attack; (ii) activating and deactivating the radio of the sensor; (iii) executing the DCA (collection and analysis phases).

The IDSLymphNodeC (Fig. 9) component needs only to be connected to the application running in the sensor-lymph node. This is an additional component that does not interfere with the receiving of the messages of the applications. Its only role is to receive control messages from the sensors-dc, representing the migrated DCs, and process them. This component has the following functionalities: (i) activating or deactivating the radio of the sensor; (ii) receiving messages from the sensors with the IDSDendriticCellC component installed, counting the mature and the semi-mature ones (decision phase); (iii) controlling, according to a schedule determined by the network administrator, when the sensor-lymph will calculate the MCAV value; and (iv) activating the elements responsible for countermeasures (reaction phase).

The malicious node (Jammer) was implemented as an application that uses TinyOS standard communication components, generating messages in the network at a predefined rate, alternating periods of activation and deactivation.

5.1.2 Simulation Architecture

The TOSSIM simulator has a limitation: it works only with one deployment code image. That is, all the simulated sensors are required to have the same code. Thus, in order to meet this prerequisite and to enable the simulated experiments, a single code was created for the simulated environment containing all the previous implementations.
When the simulation starts, each simulated sensor, by means of decision-making structures programmed in its code, assumes the role of DC, lymph node or Jammer, depending on the simulation that is running. Thereby, the code used in the real environment could be reused in the simulations, allowing comparisons and tests. All the simulated experiments had a duration of 100 s and each test was repeated 30 times, allowing results with a confidence interval of 95 %.

5.1.3 Memory Usage

The proposed IDS was deployed on the MICAz platform (4 Kbytes of RAM and 128 Kbytes of ROM). With the role of sensor-dc, it consumes 116 bytes (2.8 %) of RAM and 1054 bytes (0.8 %) of program memory; and with the role of sensor-lymph, it consumes 99 bytes (2.4 %) of RAM and 2956 bytes (2.3 %) of program memory. The external flash memory is completely available for the file system. Hence, it leaves the majority of the storage resources for the Operating System and applications.

There are two types of control message: the messages transmitted from a sensor-dc to a sensor-lymph, 3 bytes in size, and the messages transmitted from a sensor-lymph, 2 bytes in size. The data messages from the BlinkToRadio application are 2 bytes long and have not been changed, since the IDS, in order to remain generic, should not cause any alteration in the components and messaging of the applications.

5.1.4 Energy Model

To evaluate the energy consumption due to the IDS operation we devised a simple energy model and calibrated it using several simulated scenarios. The energy cost was considered in terms of the number of messages sent and received by nodes. The reason for choosing this definition was based on results found in the literature which demonstrate that the majority of sensors in WSNs spend most of their energy on communication [8].
We model the energy cost as $Q = Q_{TX} + Q_{RX}$, where $Q_{TX}$ is the energy consumed in transmitting and $Q_{RX}$ is the energy consumed in reception. In order to calculate $Q_{TX}$ and $Q_{RX}$, we take as reference the MICAz datasheet [5]. The transmission rate of a sensor node is 4 µs/bit, and the electric current flowing through the node to receive a packet is 18.8 mA and to send a packet is 17.4 mA.

Fig. 9 Application using IDSLymphNodeC component

In our experiments there are two kinds of messages: application data messages (16 bits long) and IDS control messages, the latter of two types: those transmitted by a sensor-dc (24 bits long) and those transmitted by a sensor-lymph (16 bits long). For each type of message we calculated $Q_{TX}$ and $Q_{RX}$. The energy dissipated by application data messages is obtained by applying Eqs. 1 and 2; and the energy dissipated by IDS control messages is obtained using Eqs. 3 and 4 for a sensor-dc and Eqs. 5 and 6 for a sensor-lymph.

Energy cost of application data messages generated in a sensor:

$$Q_{TX} = 3\ \text{V} \times 17.4\ \text{mA} \times 4\ \mu\text{s/bit} \times 16\ \text{bits} = 3.3408\ \text{mJ/message} \qquad (1)$$

$$Q_{RX} = 3\ \text{V} \times 18.8\ \text{mA} \times 4\ \mu\text{s/bit} \times 16\ \text{bits} = 3.6096\ \text{mJ/message} \qquad (2)$$

Energy cost of IDS control messages generated in a sensor-dc:

$$Q_{TX} = 3\ \text{V} \times 17.4\ \text{mA} \times 4\ \mu\text{s/bit} \times 24\ \text{bits} = 5.0112\ \text{mJ/message} \qquad (3)$$

$$Q_{RX} = 3\ \text{V} \times 18.8\ \text{mA} \times 4\ \mu\text{s/bit} \times 24\ \text{bits} = 5.4144\ \text{mJ/message} \qquad (4)$$

Energy cost of IDS control messages generated in a sensor-lymph:

$$Q_{TX} = 3\ \text{V} \times 17.4\ \text{mA} \times 4\ \mu\text{s/bit} \times 16\ \text{bits} = 3.3408\ \text{mJ/message} \qquad (5)$$

$$Q_{RX} = 3\ \text{V} \times 18.8\ \text{mA} \times 4\ \mu\text{s/bit} \times 16\ \text{bits} = 3.6096\ \text{mJ/message} \qquad (6)$$

We considered: Dissipated energy (Q) = Voltage (V) × Electric current (mA) × Time (s), where Time = Transmission rate × Message size.

5.1.5 Metrics

The metrics used in the experiments were FP, FN, true positive (TP), true negative (TN), Sensitivity and Specificity, defined as follows. FP indicates the amount of false alarms when no attack is occurring and FN indicates a normal condition when in fact an attack is occurring.
TP indicates a fault condition when an attack is occurring and TN indicates a normal condition when no attack is occurring. Sensitivity represents the hit rate of the IDS and is calculated as the ratio between the amount of TP and the sum of TP and FN, i.e. Sensitivity = TP/(TP + FN). Specificity represents the false alarm rate and is calculated as the ratio between the amount of TN and the sum of TN and FP, i.e., Specificity = TN/(TN + FP). These two metrics are for simulated environments.

These metrics were generated by the IDS during its execution considering an anomaly index (MCAV) equal to 50 % (configured in the sensor-lymph), as defined in the literature [11, 22]. That is, for all MCAV values issued by the sensor-lymph greater than or equal to 50 %, the proposed DCA indicated the presence of an intruder.

5.2 Scenario

For the performed experiments, both for the real implementation and for the simulations, we adopted a flat network topology with static nodes emitting one application message per second. Only the denial-of-sleep attack was considered, characterized by causing a noise in the environment, disrupting communication between the nodes. The detection of other types of attacks in WSNs was left as future work.

The WSN was composed of: (i) sensor-dc nodes, with the IDSDendriticCellC component installed; (ii) a sensor-lymph, with the IDSLymphNodeC component; and (iii) a Jammer node. We used an interval of 100 ms for the Jammer's message sending rate. The Jammer was positioned within 1 m of the sensor-lymph during the experiments conducted for purposes of calibration (see Sect. 5.4).
In order to apply the customized DCA for WSNs to detect the denial-of-sleep attack, the input signals have been defined and measured from the messages received by the sensors-dc as follows: (i) the PAMP signal was defined as the RSSI level in the environment when the sensor-dc receives a message; (ii) the Danger Signal was obtained by calculating the rate of incoming messages received by the sensor-dc; and (iii) the Safe Signal was defined as the inverse of the variation of the rate of incoming messages received by the sensor-dc. The DCA's efficiency is closely related to the choice of input signals. According to Xu et al. [24], these metrics (signal strength and packet delivery ratio) are used for the purpose of detecting jamming attacks.

In Eq. 1 (Sect. 2), the weights were defined empirically from immunological experiments conducted by immunologists of The Danger Project [21]. Thus, the semi-mature output signal weights Wp, Wd and Ws assume values 0, 0 and 1, respectively. Finally, the mature output signal uses the values 2, 1 and -3 as the weights Wp, Wd and Ws, respectively. The inflammation is not considered in this work.

5.3 Simulations

5.3.1 IDS Calibration

For the simulations where the IDS was calibrated, the sensors-dc were arranged along a circle of 3 m in diameter in order to remain equidistant from the sensor-lymph, which was positioned in the center of this circle. Each node was programmed to have a unique ID inside the WSN and a fixed omnidirectional radio range of 15 m.

During the calibration simulations the Jammer was positioned within 1 m of the sensor-lymph and behaved like a step function, remaining active for 10 s and inactive for another 10 s, and so on. It is important to note that, as the threshold for migration controls the number of messages received by the sensors, the delay related to the receipt of these messages cannot exceed 10 s (the time during which the Jammer remains active). Three sets of experiments were conducted.
The first set of experiments determines the ideal number of sensors-dc a sensor-lymph needs in terms of Sensitivity and Specificity to detect the Denial-of-sleep attack. The amount of sensors-dc per lymph node was varied between 1 and 10 sensors-dc, one by one, preserving the density of sensors per square meter. The second set of experiments was used to determine the best migration threshold in terms of the number of messages received by the sensor-dc. The threshold for DC migration was varied from 1 to 10 messages, one by one. The third set of experiments aimed to determine the optimal MCAV scan range, which represents the elapsed time to issue an MCAV assessment by the sensor-lymph, in order to provide the best accuracy in detecting an attacker. The MCAV scan range was varied from 1 to 9 s, one by one.

5.3.1.1 Varying the Number of Sensors-dc per Sensor-Lymph

In this experiment, the number of sensors-dc per sensor-lymph was varied from 1 to 10, one by one. Table 5 shows the values of FP and FN in percentages according to the proposed variations of sensors-dc per lymph node with the migration threshold set to 1 and the MCAV scan range set to 5 s (Sect. 5.4.3 discusses FN and FP for different MCAV scan ranges). We can note in Table 5 (values express percentages) that increasing the number of sensors-dc for one sensor-lymph implies the reduction of FN and FP values, making the system more efficient. The experiments with 1, 2 and 3 sensors-dc showed high percentages of FN or FP and thus should not be considered.

According to Greensmith [11], the DCA needs to use a population of some DCs in order to produce a robust ranking of the antigens collected. Whenever a cell classifies an antigen wrongly, the DCA will still have several other cells in the population so that a correct response can be issued. Thus, the cases for 1, 2 and 3 DCs per sensor-lymph were discarded as they do not represent significant numbers of DCs in order to compose a reliable minimum amount for a population of DCs [11].
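The C program below is an added example, not code from the paper or from its TinyOS components. It shows the sensor-dc/sensor-lymph split with the weights quoted in Sect. 5.2 and the 50 % MCAV threshold, and how a population of sensors-dc outvotes one node that misjudges the channel. The normalisation of the signals to [0, 1], the rule that a DC is mature when its mature output exceeds its semi-mature output, the layout of the 3-byte control message and all sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Output-signal weights (Wp, Wd, Ws) as quoted in Sect. 5.2 of the paper. */
static const double W_SEMI[3]   = { 0.0, 0.0,  1.0 };
static const double W_MATURE[3] = { 2.0, 1.0, -3.0 };

enum { DC_SEMI_MATURE = 0, DC_MATURE = 1 };
#define MCAV_ALERT_PERCENT 50   /* anomaly index configured in the sensor-lymph */

/* Input signals sampled on one received message.
 * Assumption: each one is already normalised to [0, 1]. */
struct signals { double pamp, danger, safe; };

/* 3-byte control message; the paper gives the size, this layout is assumed. */
struct dc_msg { uint8_t node_id, antigen, state; };

/* State of a node playing the sensor-dc role (one DC per node). */
struct sensor_dc {
    uint8_t  id, antigen;
    unsigned threshold;      /* migration threshold, in received messages */
    unsigned seen;           /* messages counted in the current cycle     */
    double   semi, mature;   /* cumulative output signals                 */
};

/* State of the node playing the sensor-lymph role. */
struct sensor_lymph { unsigned mature, total; };

void dc_init(struct sensor_dc *dc, uint8_t id, uint8_t antigen, unsigned threshold)
{
    dc->id = id; dc->antigen = antigen; dc->threshold = threshold;
    dc->seen = 0; dc->semi = 0.0; dc->mature = 0.0;
}

/* Handle one received message. Returns 1 and fills *out when the DC migrates. */
int dc_on_receive(struct sensor_dc *dc, struct signals s, struct dc_msg *out)
{
    dc->semi   += W_SEMI[0] * s.pamp + W_SEMI[1] * s.danger + W_SEMI[2] * s.safe;
    dc->mature += W_MATURE[0] * s.pamp + W_MATURE[1] * s.danger + W_MATURE[2] * s.safe;
    if (++dc->seen < dc->threshold)
        return 0;                                   /* keep collecting */
    out->node_id = dc->id; out->antigen = dc->antigen;
    /* Assumption: usual DCA rule, mature when the mature output dominates. */
    out->state = (dc->mature > dc->semi) ? DC_MATURE : DC_SEMI_MATURE;
    dc->seen = 0; dc->semi = 0.0; dc->mature = 0.0; /* restart the cycle */
    return 1;
}

/* Count one migrated DC on the sensor-lymph. */
void lymph_on_msg(struct sensor_lymph *ln, const struct dc_msg *m)
{
    ln->total++;
    ln->mature += (m->state == DC_MATURE);
}

/* End of one MCAV scan range: returns the MCAV in percent (-1 if no DC
 * migrated) and clears the counters for the next window. */
int lymph_scan(struct sensor_lymph *ln)
{
    int mcav = ln->total ? (int)(100u * ln->mature / ln->total) : -1;
    ln->mature = 0; ln->total = 0;
    return mcav;
}

int lymph_is_attack(int mcav) { return mcav >= MCAV_ALERT_PERCENT; }

/* Feed `msgs` messages to n sensors-dc, each with its own view of the
 * channel, then close the scan window on the sensor-lymph. */
int run_window(const struct signals *view, size_t n, unsigned threshold, unsigned msgs)
{
    struct sensor_lymph ln = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        struct sensor_dc dc;
        struct dc_msg m;
        dc_init(&dc, (uint8_t)(i + 1), 1 /* constructed antigen id */, threshold);
        for (unsigned k = 0; k < msgs; k++)
            if (dc_on_receive(&dc, view[i], &m))
                lymph_on_msg(&ln, &m);
    }
    return lymph_scan(&ln);
}

/* Constructed views: four nodes near the jammer, a fifth that barely hears it. */
static const struct signals JAMMED[5] = {
    { 0.9, 0.8, 0.1 }, { 0.8, 0.9, 0.1 }, { 0.9, 0.7, 0.2 }, { 0.7, 0.8, 0.1 },
    { 0.2, 0.2, 0.7 } };
/* Constructed views with no jammer present. */
static const struct signals QUIET[5] = {
    { 0.1, 0.1, 0.9 }, { 0.2, 0.1, 0.8 }, { 0.1, 0.2, 0.9 }, { 0.1, 0.1, 0.8 },
    { 0.2, 0.2, 0.7 } };

int main(void)
{
    printf("5 sensors-dc, jammer on : MCAV=%d%%\n", run_window(JAMMED, 5, 1, 1));
    printf("1 sensor-dc,  jammer on : MCAV=%d%%\n", run_window(&JAMMED[4], 1, 1, 1));
    printf("5 sensors-dc, jammer off: MCAV=%d%%\n", run_window(QUIET, 5, 1, 1));
    return 0;
}
```

With five sensors-dc the badly placed node is outvoted and the window is flagged; with that node alone the same jamming window would be reported as normal, which is the false-negative case the population is meant to absorb.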
5.3.1.2 Varying the Threshold for Migration of DCs

At this point, seven experiments were performed, one experiment for each number of sensors-dc per sensor-lymph. The first experiment used 4 sensors-dc, the second trial used 5 sensors-dc and so on until the number of 10 sensors-dc. For each experiment the migration threshold was varied from 1 to 10 messages, with a unitary step. It is important to emphasize that a migration threshold greater than 10 should not be used for the experiments because of the selected behavior of the simulated Jammer. The activity period of 10 s of jamming, as explained above, limits the maximum threshold of migration to this same value, as it would not make sense to use a larger range than the actual period of jamming to harvest antigens.

The aim of these experiments was to determine, according to the FN and FP, the optimal number of messages that a sensor-dc should consider before setting the state of maturation of a DC to the sensor-lymph. Table 6 shows the results for the FN and FP emitted by the sensor-lymph for evaluations triggered by a 5 s clock. We assumed a 1 % incidence of FN or FP as a tolerable value for the target implementation.

Table 6 reveals that, for the first experiment, the best values for both FP and FN were obtained with migration thresholds of 1 or 2, and for experiments 2-4, the best values were obtained for both FP and FN with migration thresholds in the range of 1-4. Experiment 5 and experiment 6 show the best values of FN and FP for migration thresholds in the range of 1-9 and 1-10, respectively. Experiment 7 shows the best values of FN and FP (both equal to zero). For each experiment, an increase in the migration threshold implies an increase in the percentages of FN, certainly due to a direct increase in the number of antigens and input signals collected by sensors-dc, belonging both to the attacker and to the WSN's sensors themselves.
Moreover, by increasing the number of sensors-dc, the DCA can count on the results emitted by several other DCs to issue a correct response whenever any sensor-dc wrongly classifies an antigen.

It is important to note that assigning a high value for the migration threshold causes a delayed detection of an anomaly event, justifying the increase of FN and FP. In contrast, assigning a low value implies the generation of a greater number of control messages sent from sensor-dc to sensor-lymph, causing greater energy consumption. Intuitively, if the time-to-detect is not an application requirement, a migration threshold of 10 is recommended. Otherwise, a migration threshold of 1 message could be used for faster detections.

Table 5 FN and FP fixing the migration threshold at 1 and MCAV scan range at 5 s

| Metrics | 1DC | 2DC | 3DC | 4DC | 5DC | 6DC | 7DC | 8DC | 9DC | 10DC |
|---|---|---|---|---|---|---|---|---|---|---|
| FN | 31 % | 13 % | 3 % | 1 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |
| FP | 5 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |

5.3.1.3 Varying the MCAV Scan Range

This parameter was also evaluated from a set of seven experiments, one experiment for each number of sensors-dc per sensor-lymph. The first experiment used four sensors-dc, the second used five sensors-dc and so on until the number of 10 sensors-dc. For each experiment the MCAV scan range (time window) was varied from 1 to 9 s, with a unitary step. The aim of these experiments was to determine, according to the FN and FP, the optimal MCAV scan range to best identify an attack. For each amount of sensors-dc, Table 7 shows the values of FP and FN in percentages for each MCAV scan range, for a fixed migration threshold of 1.
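Table 6 FN and FP varying the migration threshold and keeping MCAV scan range fixed at 5 s

| Experiment | Sensor-dc | Metrics | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 4DC | FN | 1 % | 1 % | 3 % | 3 % | 6 % | 7 % | 7 % | 7 % | 7 % | 7 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |
| 2 | 5DC | FN | 0 % | 0 % | 1 % | 1 % | 2 % | 2 % | 2 % | 2 % | 2 % | 2 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |
| 3 | 6DC | FN | 0 % | 1 % | 1 % | 1 % | 3 % | 4 % | 6 % | 6 % | 7 % | 8 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |
| 4 | 7DC | FN | 0 % | 0 % | 1 % | 1 % | 2 % | 3 % | 5 % | 5 % | 5 % | 5 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |
| 5 | 8DC | FN | 0 % | 0 % | 0 % | 0 % | 0 % | 1 % | 1 % | 1 % | 1 % | 2 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |
| 6 | 9DC | FN | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 1 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |
| 7 | 10DC | FN | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |

(Columns 1 to 10 give the migration threshold.)

Table 7 FN and FP varying MCAV scan range and fixing the migration threshold to 1

| Experiment | Sensor-dc | Metrics | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | 4DC | FN | 10 % | 9 % | 5 % | 1 % | 1 % | 1 % | 5 % | 6 % | 10 % |
| | | FP | 1 % | 1 % | 1 % | 0 % | 0 % | 32 % | 49 % | 48 % | 63 % |
| 2 | 5DC | FN | 7 % | 4 % | 2 % | 0 % | 0 % | 0 % | 5 % | 7 % | 9 % |
| | | FP | 1 % | 1 % | 1 % | 0 % | 0 % | 35 % | 51 % | 49 % | 66 % |
| 3 | 6DC | FN | 7 % | 4 % | 2 % | 0 % | 0 % | 0 % | 6 % | 7 % | 10 % |
| | | FP | 1 % | 0 % | 0 % | 0 % | 0 % | 34 % | 49 % | 49 % | 64 % |
| 4 | 7DC | FN | 5 % | 4 % | 2 % | 0 % | 0 % | 0 % | 6 % | 7 % | 10 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 36 % | 50 % | 50 % | 65 % |
| 5 | 8DC | FN | 4 % | 1 % | 1 % | 0 % | 0 % | 0 % | 6 % | 7 % | 11 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 37 % | 51 % | 50 % | 66 % |
| 6 | 9DC | FN | 3 % | 1 % | 1 % | 0 % | 0 % | 0 % | 6 % | 7 % | 11 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 37 % | 51 % | 50 % | 66 % |
| 7 | 10DC | FN | 2 % | 1 % | 1 % | 0 % | 0 % | 0 % | 6 % | 8 % | 10 % |
| | | FP | 0 % | 0 % | 0 % | 0 % | 0 % | 38 % | 52 % | 50 % | 67 % |

(Columns 1 to 9 give the MCAV scan range in seconds.)

It is worth noting that the diversity of DCs is generated through the migration of mature and semi-mature cells at different times, producing a time window effect [11].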
In the proposed IDS, the effect of the time window was achieved by the presence of various DCs (sensors-dc) monitoring and perceiving different conditions of the WSN area and by determining the MCAV scan range of the sensor-lymph, along with a collection of antigens and input signals from each sensor-dc.

Table 7 shows a turning point of the FN behavior centered on the MCAV scan range of 6 s: (i) from 1 to 6 s, the greater the MCAV scan range is, the lower the percentage values of FN are; and (ii) from 7 to 9 s, the greater the MCAV scan range is, the greater the percentage values of FN are. Values under 6 s indicate that there was not a migration of enough mature DCs (anomalous) for the sensor-lymph, resulting in an incorrect evaluation by the IDS on the presence of an attacker. Likewise, values of the MCAV scan range over 6 s indicate that there was migration of a number of semi-mature (normal) DCs to the sensor-lymph enough to overshadow the presence of mature (anomalous) DCs, which implies an incorrect evaluation by the IDS about the existence of an attacker. FP behavior is similar to the FN behavior, but the turning point where FP starts to increase is over 5 s.

Considering 1 % as an acceptable value for the FN and FP, the experiments in Table 7 reveal that the range of 4–10 sensors-dc concentrates the best values of FP and FN when a MCAV scan range of 4 or 5 s produces the best results of FP and FN for both 5 and 10 sensors-dc. Considering the same results for 4 and 5 s, we will choose 5 s for the MCAV scan range in order to save sensor-lymph energy.

5.3.2 IDS Efficiency

IDS evaluations are normally carried out using specific measures which intend to express their effectiveness. In this work, the proposed DCA has its efficiency evaluated using the ROC curves (Receiver Operating Characteristics).
The fundamental characteristic of these curves is the distinction between hit rate (sensitivity or TP percentage) and false alarm rate (specificity or false positive percentage) as two different performance measures. These curves are typically employed to measure effectiveness in intrusion detection based on anomalies [21]. The values of TP, TN, FP and FN were used to make the sensitivity and the specificity curves. The best values of MCAV were determined from the values of specificity and sensitivity.

The values of sensitivity and specificity are shown in Figs. 10, 11 and 12 for the experiments carried out with 5, 7 and 10 sensors-dc, migration threshold equal to 1 and MCAV scan range equal to 5 s. It is observed that the specificity increases with the increasing value of the anomaly threshold, meaning that a low threshold may result in the increase of the FP. Moreover, the sensitivity starts at 1 and decreases with increasing MCAV, causing an increase in FN values. The best IDS configuration is the one with the highest values of both sensitivity and specificity, i.e., whenever both values are 1, causing an intersection between the corresponding curves. Regarding the sensitivity, it can be observed that, as the number of sensors-dc per sensor-lymph increases, the range of threshold anomaly equal to 1 also increases. For example: for 5 sensors-dc, the MCAV values in the range of 0–50 % have sensitivity equal to 1; for 10 sensors-dc, the MCAV values in the range of 0–60 % have sensitivity equal to 1. Concerning specificity, Fig. 10 shows that, for 5 sensors-dc, a maximal specificity is reached for MCAV values greater than 30 % and, for 7 and 10 sensors-dc (Figs. 11, 12), a maximal specificity may be reached for MCAV values greater than or equal to 20 %.

Fig. 10 ROC curves for five sensors-dc

Fig. 11 ROC curves for seven sensors-dc
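The sensor-lymph decision behind the scan-range discussion in Sect. 5.3.1.3 and the sensitivity/specificity curves of Sect. 5.3.2 can be sketched as follows. This is an added example, not the authors' code: MCAV is taken as the usual DCA ratio of mature to total presentations of an antigen, and the trace (two 10 s jamming bursts, five sensors-dc migrating in turn, one of them out of the Jammer's range, one misclassified report) and the strict `>` comparison are assumptions, so the numbers illustrate the mechanism and do not reproduce Tables 6 and 7.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    t: int         # second at which the migrated DC reached the sensor-lymph
    dc_id: int     # reporting sensor-dc
    antigen: int   # node ID the DC sampled
    mature: bool   # True = mature (anomalous), False = semi-mature (normal)

JAMMER_ID = 99                  # NodeId given to the Jammer in Sect. 5.5
ACTIVE = [(10, 20), (40, 50)]   # constructed: two 10 s jamming bursts
T_END = 60                      # constructed trace length in seconds

def jammer_active(t):
    return any(a <= t < b for a, b in ACTIVE)

def build_reports(n_dc=5, out_of_range=(4,), glitches=((30, 0),)):
    """Constructed trace: the sensors-dc migrate in turn, one DC per second.

    A DC is mature when its sensor-dc is in range while the Jammer is active.
    `glitches` lists (t, dc_id) pairs where a sensor-dc wrongly reports mature.
    """
    reports = []
    for t in range(T_END):
        dc = t % n_dc
        in_range_hit = jammer_active(t) and dc not in out_of_range
        reports.append(Report(t, dc, JAMMER_ID, in_range_hit or (t, dc) in glitches))
    return reports

def mcav_by_window(reports, scan_range, antigen=JAMMER_ID):
    """Return [(window_start, MCAV)] with MCAV = mature / all presentations."""
    out = []
    for start in range(0, T_END, scan_range):
        win = [r for r in reports
               if r.antigen == antigen and start <= r.t < start + scan_range]
        if win:
            out.append((start, sum(r.mature for r in win) / len(win)))
    return out

def confusion(reports, scan_range, threshold):
    """Count (TP, FN, TN, FP) over scan windows.

    Ground truth (assumption): a window is an attack window if the Jammer
    was active during any second of it. The sensor-lymph raises an alarm
    when the window's MCAV exceeds the anomaly threshold.
    """
    tp = fn = tn = fp = 0
    for start, mcav in mcav_by_window(reports, scan_range):
        end = min(start + scan_range, T_END)
        attack = any(jammer_active(t) for t in range(start, end))
        alarm = mcav > threshold
        if attack and alarm:
            tp += 1
        elif attack:
            fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    return tp, fn, tn, fp

def sensitivity_specificity(tp, fn, tn, fp):
    sens = tp / (tp + fn) if tp + fn else 1.0
    spec = tn / (tn + fp) if tn + fp else 1.0
    return sens, spec

def sweep(reports, scan_range, thresholds):
    """Sensitivity and specificity for each anomaly threshold (ROC-style)."""
    return {th: sensitivity_specificity(*confusion(reports, scan_range, th))
            for th in thresholds}

if __name__ == "__main__":
    trace = build_reports()
    for sr in (1, 5, 9):
        print(f"MCAV scan range {sr} s")
        for th, (se, sp) in sweep(trace, sr, [0.0, 0.2, 0.5, 0.9]).items():
            print(f"  threshold {th:.1f}: sensitivity {se:.3f}, specificity {sp:.3f}")
```

With a 1 s window a single out-of-range or misclassified sensor-dc decides the verdict, and with a 9 s window semi-mature reports from quiet seconds pull the MCAV of a partly jammed window below the threshold; only the 5 s window separates the two cases in this trace.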
5.3.3 Evaluation of Energy Consumption

In order to measure the impact of the proposed IDS in terms of energy consumption, we have conducted 12 distinct experiments, considering different requirements. In the first six experiments we used the following configuration values: migration threshold (10 messages); MCAV scan range (5 s); number of sensor-dc per sensor-lymph (10). These values ensure a high level of security (without worrying about energy consumption) by reaching values of FP and FN equal to zero (see results of Experiment 7 in Table 6). In the last six experiments we changed the number of sensor-dc per sensor-lymph (5) to accept an error of 1 % for FN and FP (see results of Experiment 2 in Table 6); thus we are slightly relaxing the requirements of precision of detection but, on the other hand, reducing the energy consumption.

In the first, second, seventh and eighth experiments, the Jammer was deactivated. In the third, fourth, ninth and tenth experiments, the Jammer operated uninterruptedly, i.e. it was considered that the Jammer remained active from the beginning to the end of the simulation. In the fifth, sixth, eleventh and twelfth experiments, the Jammer was deactivated 50 % of the simulation time, i.e. it was considered that the Jammer was identified after a warning issued by the IDS and removed from the network, allowing the WSN to return to normal activity.

For each experiment, a different combination of parameters was used, which are related to: (i) DCA; (ii) period of jamming interference; and (iii) IDS enabled or disabled. DCA parameters include: DCs migration threshold (MT); MCAV scan range interval (SR); and number of sensors-dc per sensor-lymph (DC). These values were fixed and grouped into two cases, A1 and A2, where:

A1: MT = 10, SR = 5 s, and DC = 10.
A2: MT = 10, SR = 5 s, and DC = 5.

Settings related to jamming interference were denoted by B1–B3, where:

B1: jamming interference was disabled.
B2: jamming interference was full time (100 %) enabled.
B3: jamming interference was partially (50 % of the simulation time) enabled.

Configuration parameters related to IDS operation were denoted by C1–C4, where:

C1: Jamming interference and IDS disabled. This scenario was considered the normal case (baseline) (there is no jamming interference and sensor nodes do not play sensor-dc or sensor-lymph roles).
C2: Jamming interference disabled and IDS enabled. In this case we are interested in analyzing the extra energy consumption generated by sensor-dc and sensor-lymph roles.
C3: Jamming interference enabled and IDS disabled. In this case we evaluate the increase in energy consumption caused by an attacker (the BlinkToRadio application is changed in one node to perform periodic readings and sending messages 10 times faster).
C4: Jamming interference and IDS enabled. In the last scenario we measure energy consumption in the case when jamming interference and IDS were enabled.

Fig. 12 ROC curves for 10 sensors-dc

The results were grouped according to the configuration A and generated two graphs, one following the A1 configuration (Fig. 13) and one according to the A2 configuration (Fig. 14).

The first bar represents energy consumption of WSN for configurations B1 and C1 (No Attack, No IDS). The second bar represents the energy consumption of WSN for configuration B1 and C2 (No Attack, With IDS). The third bar represents the energy consumption of WSN settings for B2 and C3 (With Attack, No IDS and period of Jammer activation 100 %). The third bar assesses the impact in terms of energy consumption of the application (No IDS) in the WSN when the Jammer period of activation is 100 %. The fourth bar represents energy consumption of WSN for configuration B2 and C4 (With Attack, With IDS and period of Jammer activation 100 %). The fourth bar shows the efficiency of an IDS in the presence of a Jammer when its period of activation is 100 %.
The fifth bar represents the energy consumption of WSN for configuration B3 and C3 (With Attack, No IDS and period of Jammer activation 50 %). The fifth bar assesses the impact in terms of energy consumption in WSN application when the period of activation of the Jammer is 50 %. Finally, the sixth bar represents the energy consumption of WSN for configuration B3 and C4 (With Attack, With IDS and period of Jammer activation 50 %). This bar represents the efficiency of the IDS in the presence of a Jammer when the period of activation is 50 %. Table 8 shows the configurations and the results obtained.

The first bar (configurations B1 and C1) shows that the energy consumption in the WSN refers only to the execution of the application during the simulation time. This first bar is the smallest of the six bars in terms of consumed energy and it was used as a baseline for the other bars. In the graph shown in Fig. 13 (A1), the energy consumed was 6.37 × 10^6 mJ. In the second graph, depicted in Fig. 14 (A2), the energy consumed was 3.63 × 10^6 mJ. Analyzing the first bar in both graphs, the energy consumed by the WSN in A1 was 57 % smaller than the energy consumed in A2. The reduction of the energy consumption of the network was already expected because there were fewer sensors-dc per sensor-lymph in experiment A2, resulting in a smaller number of messages sent to a sensor-lymph.

Fig. 13 Energy curves A1

Fig. 14 Energy curves A2

The second bar (configurations B1 and C2) shows the energy consumption of the IDS installed in the WSN. In the first graph (A1), the energy consumption in configuration B1 and C2 was 9.38 % higher than that consumed by configuration B1 and C1. In the second graph (A2), the energy consumption of configuration B1 and C2 was 10 % higher than that consumed by configuration B1 and C1. This result shows the efficiency of the IDS in terms of energy, incurring an overhead smaller than 10 % of energy to the WSN.
The third bar (configurations B2 and C3) shows the highest energy consumption of the WSN since the IDS was not implemented in the sensors and thus no countermeasure (radios of the sensors being turned off) was performed in order to prevent the Jammer's attack, which was active during the entire simulation time. In the first graph (A1), the energy consumed in configurations B2 and C3 was 294.31 % higher than in configurations B1 and C1. In the second graph (A2), the energy consumed in configuration B2 and C3 was 285 % higher than in configuration B1 and C1. These results show that in both simulations the Jammer made the WSN expend nearly 3 times the energy of a WSN operating in normal conditions.

The fourth bar (configurations C4 and B2) shows the energy saved by the network if compared to configurations B2 and C3 (third bar) when the countermeasures are activated by the IDS after the Jammer was identified. These countermeasures consisted of turning off the radio of the sensors affected by the Jammer for a pre-defined time, thus protecting it against the high energy consumption resulting from the attack and ensuring a longer lifetime for the network. In the first graph (A1), the energy consumed in the fourth bar was 218.92 % lower than in the third bar. In the second graph (A2), the energy consumed in the fourth bar was 204.00 % lower than in the third bar, denoting that the IDS was able to prevent an enormous waste of energy, by deactivating the radio of the sensors when the Jammer was detected.

The fifth bar (configuration B3 and C3) shows the energy consumption of the WSN when the IDS was not implemented in the sensors and the period of activation of the Jammer is 50 %. In the first graph (A1), the energy consumed in configuration B3 and C3 was 118 % higher than in configuration B1 and C1. In the second graph (A2), the energy consumed in configuration B3 and C3 was 114 % higher than in configuration B1 and C1.
This result shows that, even when a Jammer does not operate full time, the amount of energy consumed (as a consequence of the attack) is still prejudicial to the WSN.

The sixth bar (configurations B3 and C4) shows the action of the proposed IDS, enabling the countermeasures after identifying the Jammer when its period of activation was 50 %. Just like the fourth bar, these countermeasures consisted of turning off the radio of the sensors affected by the Jammer for a pre-defined time, thus protecting it against the high energy consumption resulting from the attack and ensuring a longer lifetime for the network. Configurations B3 and C4 show the energy saved by the network if compared with configurations B3 and C3 when the countermeasures are activated by the IDS. In the first graph (A1), the energy consumed in configurations B3 and C4 was 69.53 % lower than in configurations B3 and C3. In the second graph (A2), the energy consumed in configurations B3 and C4 was 77.00 % lower than in configurations B3 and C3. Again, that happened because the countermeasures were efficient to prevent a waste of energy.

It is important to mention that, since the WSN is dense, the IDS can be installed only in a few sensors in order to save energy. Thus, in a dense network, not all sensors need an IDS installed.

From the obtained results, all experiments with configuration A2 showed an energy saving when compared to configuration A1, proving the expected economy with fewer sensors-dc.

5.3.4 Delay in Attack Identification

The delay in the identification of an attack is closely related to the MCAV scan range performed by a sensor-lymph. The shorter this interval is, the faster the sensor-lymph identifies the presence of an attack, acting in reverse otherwise. That is, for a MCAV scan range equal to 1 s, the sensor-lymph can identify the attack, as long as it receives enough mature DCs for this.
The greater the MCAV scan range, the greater the time the network will be waiting for a decision of a sensor-lymph, that is: to remain operating normally or to activate any countermeasures. The delay can be measured by verifying whether the sensor-lymph was able to identify the attack in the first MCAV scan range. Table 9 shows the results obtained in experiments when the rate of application messages sent by the network's sensors varied between 1 and 5 s, in steps of one second. From the obtained results, for a message transmission interval equal to 1 s, the IDS had 0.17 s of delay (3.4 %). Increasing this interval to 2 s the delay increases to 2.17 s (43.4 %) and 5 s of delay for intervals greater than 3 s (100 %).

Table 8 Energy consumption

| Experiment | Configurations | Results (kJ) |
|---|---|---|
| 1 | A1 B1 C1 | 6.37 |
| 2 | A1 B1 C2 | 6.97 |
| 3 | A1 B2 C3 | 25.11 |
| 4 | A1 B2 C4 | 11.17 |
| 5 | A1 B3 C3 | 13.89 |
| 6 | A1 B3 C4 | 9.46 |
| 7 | A2 B1 C1 | 3.63 |
| 8 | A2 B1 C2 | 3.99 |
| 9 | A2 B2 C3 | 13.98 |
| 10 | A2 B2 C4 | 6.56 |
| 11 | A2 B3 C3 | 7.77 |
| 12 | A2 B3 C4 | 4.97 |

5.3.5 Varying the Application Messages Transmission Interval

In this section, the effect of increasing the transmission rate of messages from the BlinkToRadio application by the sensors was evaluated in order to compare the energy consumed and the values of FN and FP from the IDS proposed in this paper. By using the settings from Sect. 5.3.3.1 we performed 5 experiments for each one of the following configurations: (i) A1B2C4; (ii) A1B3C4; (iii) A2B2C4; and (iv) A2B3C4. The rate of application message transmission by the network's sensors was varied from 1 to 5 s, in steps of one second.

From the results obtained and illustrated in Figs. 15, 16, 17 and 18 we can observe that when more application messages are traveling in the network, more information will be collected about the attacker. As this rate decreases, the chance of identifying the attacker decreases, as the FN curves show.
From the security point of view, the rate of one second was considered as the best emission rate of application messages experienced by the sensors as it resulted in better values of FN. By increasing the interval of application message transmission by the sensors, i.e., by reducing the number of application messages per second, the chances of identifying the attack decrease, because aside from having fewer messages traveling on the network for the analysis of the IDS, there will be a longer delay for the IDS to issue a response.

From the energy consumption point of view, the decrease in the amount of messages exchanged in the network generated a decrease in the energy consumed by the network as a whole, as was expected. This behavior can be seen in Figs. 16, 17, 18 and 19. For the energy curves of 10 sensors-dc (A1), from 5 s the FN values become greater than 99 %, making the use of the IDS for this range of sending messages not viable. As for the curves of 5 sensors-dc (A2), this behavior arises from 4 s. This difference is due to the reduced number of sensors-dc, reflecting in the rates of FN and FP, which increase the values of FN and FP.

Table 9 Delay in attack identification

| Application messages transmission interval | 1 s | 2 s | 3 s | 4 s | 5 s |
|---|---|---|---|---|---|
| Delay | 5.17 | 7.17 | 10 | 10 | 10 |

Fig. 15 Energy curves A1B2C4 and FN from 1 to 5 s

Fig. 16 Energy curves A1B3C4 and FN from 1 to 5 s

5.4 Comparison of Danger Theory Versus Self-Non-Self Theory

In order to verify the efficiency of the proposed IDS, an experiment was simulated where we compared the rates of FP and FN found in this work and in the work presented by Liu and Yu [16].
All experiments conducted in this section adopted the same scenario presented by Liu and Yu [16] in terms of topology (where the nodes were kept static throughout the simulation), in terms of number of nodes present in the WSN, in terms of routing of packets in the network (which flow to the BS through a routing mechanism based on tree), and in terms of the functioning of the attacker node, which operates normally, like a WSN node sending and receiving messages, until the attack starts (Fig. 19).

The scenario presented by Liu and Yu [16] consisted of 50 sensor nodes randomly distributed over an area of 100 × 100 m^2. Each of these sensors had a sensing range of 50 m radius. Liu and Yu [16] used the TOSSIM simulator to simulate sensors model Mica2 endowed with a CC1000 radio [5]. In the study conducted by Liu and Yu [16], all sensors have the IDS module installed and it is active for the whole simulation. In our work, not all nodes had the IDS installed.

In our study, we also used the TOSSIM simulator; however, instead of Mica2 we used the MICAz model for sensors endowed with a CC2420 radio model [5]. The application used in all WSN sensors was BlinkToRadio, with a periodic reading every 1 s, according to the performed calibration (described in previous sections). The sensors are placed following a random uniform distribution over a geographical area of 100 × 100 m^2.

Our work differs from the work of Liu and Yu [16] in terms of number of roles the sensors play. In [16] there is only one role considered in the IDS and the functionality of such role was installed in all sensors. In our work, on the other hand, we proposed the use of only a few sensors with different roles of the DCA (sensor-dc and sensor-lymph), not requiring the installation of these roles in all sensors.

For all experiments in this section, the MCAV scan range was kept equal to 5 s, the migration threshold equal to 10 messages and the number of sensors-dc ranged between 5 and 10 sensors.
In some experiments, part of the sensors-dc was outside of the range of the Jammer, thereby contributing in a negative way to the identification of attacks because they were sending messages representing only semi-mature DCs. For all experiments a node with ID 50 was randomly chosen to assume the role of Jammer. It is important to notice that the nodes identified with 0, 1, 2, 3, 4, 10, 11, 13, 14, 19, 20, 31, 32, 37, 40, 41, 47, 48 and 49 were outside the Jammer's radius of action due to the distance they were from the Jammer. The 4 experiments that were performed are described below.

Fig. 17 Energy curves A2B2C4 and FN from 1 to 5 s

Fig. 18 Energy curves A2B3C4 and FN from 1 to 5 s

In experiment 1 the node with ID 16 was chosen to assume the role of sensor-lymph. The nodes with ID 7, 12, 22, 28, 35, 4, 10, 18, 36 and 41 were randomly chosen to assume the role of sensors-dc.

In experiment 2 the nodes with ID 22 and 27 were chosen to assume the role of sensors-lymph. The nodes with ID 0, 7, 12, 15, 5, 28, 33, 35, 23 and 44 were randomly chosen to assume the role of sensors-dc and to issue to the node 22. Nodes 1, 2, 10, 17, 20, 30, 41, 36, 47 and 45 assumed the role of sensors-dc emitting messages to the node 27.

In experiment 3 the nodes 16, 22 and 27 were selected to assume the role of sensors-lymph. The nodes with ID 0, 7, 8, 17, 23, 29, 35, 42, 44 and 45 were randomly chosen to assume the role of sensors-dc emitting messages to node 16. Nodes 5, 6, 12, 15, 21, 28, 38, 33, 34 and 43 took on the role of sensors-dc emitting messages to node 22. Nodes 1, 2, 3, 10, 11, 14, 31, 37, 41 and 49 took on the role of sensors-dc emitting messages to node 27.

In experiment 4, nodes 6, 10, 30 and 34 were chosen to assume the role of sensors-lymph. The nodes with ID 0, 5, 7, 8, 12, 15, 16, 22, 9 and 17 were randomly chosen to assume the role of sensors-dc emitting messages to node 6.
Nodes 1, 2, 3, 4, 11, 13, 14, 18, 19 and 20 were randomly chosen to assume the role of sensors-dc emitting messages to node 10. The nodes 25, 26, 27, 31, 32, 36, 37, 39, 40 and 41 were randomly chosen to assume the role of sensors-dc emitting messages to node 30. The nodes 28, 21, 33, 38, 35, 23, 42, 43, 44 and 29 were randomly chosen to assume the role of sensors-dc emitting messages to node 34.

In Liu and Yu [16], the authors achieved a score of 100 % accuracy in identifying a jamming attack (TP), but also showed 92.3 % error in the indication of an attack when it was not occurring (FP), as can be seen in Table 10.

It is observed from Table 10 that the results obtained in all experiments of our study were lower than the results obtained by Liu and Yu [16] in terms of TP. In the performed simulations, the TP values are lower because not all sensors of the network use the IDS and the sensors-lymph were placed at locations far from the Jammer. It was also observed in Table 10 that the results obtained by the experiments of our work were better in terms of FP since they have lower values than those obtained by Liu and Yu [16]. The values presented for the first, second, third and fourth experiments were 1.00, 2.33, 3.67 and 3.67 % respectively, that is, much lower than that obtained by Liu and Yu [16], who obtained a rate of 92.3 %.

Fig. 19 Comparison scenario

Table 10 Comparison results (in percentages)

| MCAV | Metrics | Liu and Yu | 1 | 2 | 3 | 4 |
|---|---|---|---|---|---|---|
| 50 | TP | 100 % | 98.67 % | 98.79 % | 96.67 % | 93.67 % |
| | FN | 0 % | 1.33 % | 1.21 % | 3.33 % | 6.33 % |
| | TN | 7.7 % | 99.00 % | 97.67 % | 96.33 % | 96.33 % |
| | FP | 92.3 % | 1.00 % | 2.33 % | 3.67 % | 3.67 % |

Regarding the energy assessment, Liu and Yu [16] did not evaluate the impact in terms of energy that their proposed IDS instilled in the WSN. In our proposal, although with lower results for TP, the network's lifetime is higher since only a few sensors have the IDS installed, consequently consuming less of the network's energy.
5.5 Comparison Between a Simulated Scenario and Its Implementation on a Real WSN Platform

In this section a new scenario was implemented on a real sensor node platform. This same experiment was simulated in TOSSIM, so the results of the real implementation could be compared to the simulated one. The real implementation was conducted in a laboratory environment. The nodes were kept stationary and disposed on the floor. A total of 30 sensors were used, which were placed in a grid of x and y coordinates measured in meters. In this grid, the BS was located at coordinates (0;1) and had a node ID (NodeId) of 0. Sensors-lymph were positioned at coordinates (1;2), (2;0), (3;2), (4;0) and (5;2) and had the NodeIds 1, 2, 3, 4 and 5, respectively. The sensors-lymph with positions (2;0) and (4;0) were responsible for receiving information from four sensors-dc. The other sensors-lymph were responsible for receiving information from 5 sensors-dc. The Jammer was placed at coordinates (6;1) and was assigned the NodeId 99. Each sensor-dc had its radio configured to send and receive messages within a radius of 50 cm. Therefore, these sensors-dc were limited to communicate with only one sensor-lymph, which was responsible for receiving the messages from those sensors-dc. It also limited the sensors-dc to communicate with the other sensors-dc of the same sensor-lymph. The goal of such constraint was to simulate a WSN where there is no communication between all the sensors in the network. Figure 20 illustrates the adopted topology.

Both experiments used a migration threshold of 10 messages in all sensors-dc, an MCAV scan range of 5 s and an MCAV threshold equal to 50 % in all sensors-lymph. A total of three sensors-lymph (NodeIds 1, 3 and 5) using five sensors-dc and two sensors-lymph (NodeIds 2 and 4) using four sensors-dc were implemented. Tables 11 and 12 show the results obtained in simulated and in real implementations, respectively.
The values represent the percentage of the metrics TP, FN, TN and FP.

Comparing Tables 11 and 12, one can observe that in the simulated and real experiments sensors closer to the Jammer identified the attacker while those far from it did not. Analyzing the tables, we find that the results on TP obtained by the sensors-lymph become more accurate as they are positioned closer to the Jammer. Thus, the sensor-lymph 3 obtained results on TP for real and simulated experiments of 10.33 and 13.73 % respectively. Sensor 4 was able to identify the Jammer with greater accuracy than sensor 3, where the results obtained for the TP of simulated and real experiments were 71.00 and 79.21 %, respectively. Sensor 5, if compared to all other sensors, was able to identify the Jammer more precisely, obtaining 94.67 and 95.62 % for TP in the simulated and real experiments, respectively. The closer distance of the sensor 5 in relation to the Jammer, and consequently the presence of a higher RSSI value, allowed the Jammer to be identified more accurately.

There was a difference between the simulated and the actual results. The occurrence of such differences in the experiment was assigned to the use of the TOSSIM simulator. The choice of attenuation values between the nodes, which define the distances between sensors, is the cause of the differences in the results. In the TOSSIM simulator these values, once defined, do not change, whereas in the real environment there are several factors that may generate noise, affecting the final result.

Fig. 20 Real sensors distribution (sensors-lymph LN 1 to LN 5 with their sensors-dc, Jammer 99, Base Station 0)

6 Conclusion

This paper presented an architecture for a generic WSN IDS based on the Danger Theory and the DCA. These two techniques are inspired by the HIS.
This architecture was applied and customized for WSNs, where the sensors assumed different roles from the features of HIS. The main objective was to increase the safety levels of the WSN through the observation and use of parameters found in these networks. These parameters were used to feed the customized DCA.

The use of these techniques in WSNs is facilitated by the similarities found in the characteristics of the WSNs and the HIS. As in the HIS, WSNs are self-organized, i.e. more sensors executing distinct functions work together to identify and combat attacks in the WSN. In HIS, various organs and cells perform this work in order to eliminate pathogens. HIS is autonomous because it does not need another system controlling it. Likewise, a WSN, once initialized and released/installed in the environment which will be monitored, operates independently of being controlled by another system. Another characteristic considered was the robustness of the HIS, where the presence of several detection points allows the identification of a pathogen bearing possible failures in some parts of the system and consequently generating redundancy. That is, the whole body knows it was invaded and measures should be taken to eliminate that pathogen. In WSNs, the presence of several sensors (tens or even hundreds) on the network allows redundancy in the identification of an attack, also generating redundancy in case some sensors do not have the IDS installed or cannot use it because of energy constraints. Finally, the HIS can identify substances from the body, preventing a reaction against itself, thus creating a tolerance of these substances. In WSNs, this feature has also been obtained, since the sensors were able to distinguish the messages generated by them from those produced by the Jammer. The proposed architecture was based on these characteristics.
Several experiments were conducted where the proposed IDS was calibrated and tested to meet the interest of the application running on the network, opting for security at the expense of saving energy or vice versa. Through these tests the IDS was proven to be efficient for WSNs. The memory resources consumed by the different roles played by the sensors were also analyzed. In the experiments, the proposed work with the aforementioned techniques and other work, which used another theory of HIS called the Negative Selection Theory, were compared. This comparison showed that, despite reaching lower values of rates of identification of the attack while it was occurring (TP), the error rates generated by the IDS during a normal condition of the system were much smaller (FP), showing the efficiency of the proposed customized algorithm. Another experiment was conducted to compare a real sensor platform implementation and its equivalent via simulation. The results demonstrated the efficiency of the proposed IDS.

In the future, different attacks will be analyzed, simply by choosing appropriate input signals for their identification. When using more than one type of attack, the administrator could choose to identify more than one type of attack by a sensor-lymph. We also intend to investigate the use of other ways to control the migration of the DCs to the lymph nodes in order to obtain a reduction in power consumption imposed by the transmission of messages between sensors-dc and sensors-lymph. Another investigation could be the study of an implementation of the Adaptive Immunologic System, using its memory capabilities in accelerating the intrusion detection.
Table 11 Simulated scenario results

MCAV  Metrics  LN 1      LN 2      LN 3      LN 4      LN 5
50    TP       0.00 %    0.00 %    10.33 %   71.00 %   94.67 %
      FN       100.00 %  100.00 %  89.67 %   29.00 %   5.33 %
      TN       100.00 %  100.00 %  100.00 %  100.00 %  100.00 %
      FP       0.00 %    0.00 %    0.00 %    0.00 %    0.00 %

Table 12 Real platform scenario results

MCAV  Metrics  LN 1      LN 2      LN 3      LN 4      LN 5
50    TP       0.00 %    0.00 %    13.73 %   79.21 %   95.62 %
      FN       100.00 %  100.00 %  86.27 %   20.79 %   4.38 %
      TN       100.00 %  100.00 %  99.21 %   92.33 %   97.33 %
      FP       0.00 %    0.00 %    0.79 %    7.67 %    2.67 %

Int J Wireless Inf Networks

Acknowledgments

This work is partly supported by the National Council for Scientific and Technological Development (CNPq) through processes 481638/2007-5 for Luci Pirmez and Flavia C. Delicato; 4781174/2010-1 and 309270/2009-0 for Luci Pirmez; 311363/2011-3, 470586/2011-7 and 201090/2009-0 for Flavia C. Delicato; 480359/2009-1 and 311515/2009-6 for Paulo F. Pires; by the Financier of Studies and Projects (FINEP) through processes 01.10.0549.00 and 01.10.0064.00 for Luci Pirmez; and by the Foundation for Research of the State of Rio de Janeiro (FAPERJ) through processes E26/101.360/2010 for Luci Pirmez; E-26/100.428/2010 for Claudio M. de Farias.

Author Biographies

Helio Mendes Salmon is a student of the Federal University of Rio de Janeiro (UFRJ), Brazil. He received his B.Sc. degree in Computer Systems Engineering from the State University of Rio de Janeiro (UERJ), Brazil, in 1999 and his M.Sc. degree in Computer Science from the Federal University of Rio de Janeiro in 2010. He enrolled in the Brazilian Navy's Engineering Corps as a Lieutenant in 2000. His research interests are in wireless networks, wireless sensor networks, network security and intrusion detection systems.

Claudio Miceli de Farias received a M.Sc. degree in Computer Science in 2010 from the Federal University of Rio de Janeiro, Brazil.
His research interests include smart grids, ambient intelligence, wireless sensor networks, network security, VOIP, real-time communications and video processing.

Paula Soares Loureiro is a student in the Computer Science course of the Federal University of Rio de Janeiro (UFRJ), Brazil. Currently she participates in the laboratory called LabNet, which studies sensor networks at UFRJ. Her research interests are in wireless sensor networks and intrusion detection systems.

Luci Pirmez is a Professor at the Institute of Informatics of the Federal University of Rio de Janeiro (UFRJ), Brazil. She received her M.Sc. and Ph.D. degrees, both in computer science, from the Federal University of Rio de Janeiro, Brazil, in 1986 and 1996, respectively. She is a member of the research staff of the Computer Center of the Federal University of Rio de Janeiro. Her research interests include wireless networks, wireless sensor networks, network management and security. She is one of 300 researchers in computer science from all over Brazil selected to be CNPq researchers (CNPq is the technology research branch of the Brazilian government). She is currently involved in a number of research projects with funding from Brazilian government agencies, in the areas of wireless networks, wireless sensor networks, network management and security.

Silvana Rossetto graduated in Computer Science from the Federal University of Espirito Santo (1998), and received a Master in Computer Science from the Universidade Federal do Espirito Santo (2001) and a D.Sc. in Computer Science from the Catholic University of Rio de Janeiro (2006). Her current areas of interest are distributed systems and wireless sensor networks. She holds the position of Professor in the Department of Computer Science (DCC), Institute of Mathematics (IM), Federal University of Rio de Janeiro (UFRJ).

Paulo Henrique de A. Rodrigues received his Ph.D. in Computer Sciences from the University of California, Los Angeles (1984), and for the last years has been focusing his research on multimedia protocols (SIP, H.323), QoS, analytical video and voice quality models, conference services, improvements and measurements in Asterisk, traffic engineering, performance modeling and monitoring. His laboratory has been responsible for developing the fone@RNP service architecture, a national VoIP system operated by the Brazilian Education and Research Network (RNP). Recently he has also devoted attention to adaptive systems inspired in bio mechanisms. He holds a scholarship in technology innovation from CNPq Brazilian Research Council.

Rodrigo Pirmez, MD, graduated as a Medical Doctor at the Federal University of Rio de Janeiro (UFRJ) in 2010. Currently, he is a Dermatology Resident at the Department of Dermatology of Hospital Universitario Clementino Fraga Filho, an affiliated hospital of UFRJ.

Flavia C. Delicato received her PhD from the Federal University of Rio de Janeiro in 2005. She is an associate Professor of the Federal University of Rio de Janeiro, Brazil, where she teaches undergraduate and post-graduate courses and works as a researcher. In 2009 she was a Visitor Researcher at the Malaga University, Spain. In 2010 she was a visiting academic at the University of Sydney, Australia. She participates in several research projects with funding from International and Brazilian government agencies. Her research interests are middleware, wireless sensor networks and Software Engineering techniques applied to ubiquitous systems. She is a Researcher Fellow of the National Council for Scientific and Technological Development. She integrates the Centre for Distributed and High Performance Computing at the University of Sydney.

Luiz Fernando Rust da Costa Carmo received a B.S. degree in Electronic Engineering in 1984 and a M.Sc. degree in Computer Science in 1988, both from the Federal University of Rio de Janeiro, Brazil, and the Ph.D. degree in Computer Science in 1994 from the Laboratory for Analysis and Architecture of Systems of the French National Organization for Scientific Research (LAAS/CNRS) in Toulouse. From 2002 to 2003, he spent a sabbatical period at the Research Center of The United Technologies Company in Connecticut, USA. From 1986 to 2008 Luiz Fernando was an active member of the research staff of the Computer Center of Research Center of the United Technologies Company in Connecticut, USA. From 1986 to Sciences of the Brazilian Institute of Metrology and Quality (INMETRO). His research interests include formal description techniques, communication networks, embedded systems and information security.