
Intrusion Detection System for Wireless Sensor Networks Using Danger Theory Immune-Inspired Techniques


Helio Mendes Salmon

Claudio M. de Farias

Paula Loureiro

Luci Pirmez

Silvana Rossetto

Paulo Henrique de A. Rodrigues

Rodrigo Pirmez

Flavia C. Delicato

Luiz Fernando R. da Costa Carmo
Received: 14 May 2012 / Accepted: 9 June 2012
Springer Science+Business Media, LLC 2012
Abstract An IDS framework inspired by the Human Immune
System, to be applied in the wireless sensor network
context, is proposed. It uses an improved decentralized
and customized version of the Dendritic Cell Algorithm,
which allows nodes to monitor their neighborhood and
collaborate to identify an intruder. The work was
implemented and tested both in simulation and in real
sensor platform scenarios, comparing them to each other,
and was also compared to a Negative Selection Theory
implementation in order to demonstrate its efficiency in
detecting a denial-of-sleep attack and in energy
consumption. Results demonstrated the success of the proposal.
Keywords Wireless sensor networks · Intrusion Detection System ·
Artificial immune inspired system · Denial-of-sleep attack
1 Introduction
Recent advances in micro-electromechanical systems and
wireless communications technologies have enabled the
building of low-cost small-sized sensors capable of sens-
ing, processing and communicating through wireless links.
Wireless sensor networks (WSNs), composed of tens,
hundreds and sometimes thousands of these small devices,
are commonly used to monitor physical and environmental
variables such as temperature, humidity, noise and motion of
objects. WSNs are used for a wide range of applications,
such as structural monitoring, natural resources mapping,
tracking and monitoring of military targets, and smart
environments control [22].
While bringing new broad perspectives for various
applications, WSNs offer unusual challenges and a vast
new research area. In addition to challenges related to
resource constraints, WSNs are subject to vulnerabilities
associated with wireless communication and ad-hoc orga-
nization, both inherent characteristics of this type of net-
work. Furthermore, in scenarios involving unprotected
hostile outdoor areas, WSNs are prone to different types of
attack, which can compromise reliability, integrity and
availability of the sensor data traffic and sensor lifetime as
well [22].
The adoption of an Intrusion Detection System (IDS) is
one way to deal with WSN vulnerabilities. Due to tech-
nological limitations, in a WSN environment, IDSs should
be kept simple and highly specialized by type of attack,
favoring algorithms that demand low computation, low
memory and low energy [20]. In WSNs, the use of regular
IDSs may be compromised by frequent detection flaws and
false alarms. Improving IDS effectiveness can be achieved
by adopting Computational Intelligence methods [21].
Computational Intelligence techniques provide features such as
perception, reasoning, learning, evolution and adaptation,
which can be explored to make more robust IDS, able to
handle unknown attacks and adapt to different application
scenarios. Our proposal takes advantage of the Artificial
Immune Systems (AIS), a technique for designing IDSs
based on the concepts of the Human Immune System (HIS)
[3, 11].

H. M. Salmon · C. M. de Farias (✉) · P. Loureiro · L. Pirmez ·
S. Rossetto · P. H. de A. Rodrigues
Programa de Pós-Graduação em Informática, Universidade
Federal do Rio de Janeiro, Rio de Janeiro, RJ, Brazil
e-mail: claudiofarias@nce.ufrj.br
R. Pirmez
Faculdade de Medicina, Universidade Federal do Rio de Janeiro,
Cidade Universitária, Rio de Janeiro, RJ 21941-901, Brazil
F. C. Delicato
Departamento de Informática e Matemática Aplicada,
Universidade Federal do Rio Grande do Norte, Campus
Universitário Lagoa Nova, Natal, RN 59078-970, Brazil
L. F. R. da Costa Carmo
Instituto Nacional de Metrologia, Normalização e Qualidade
Industrial, Av. N. S. das Graças, 50, Xerém, Duque de Caxias,
RJ 25250-020, Brazil
Int J Wireless Inf Networks
DOI 10.1007/s10776-012-0179-z

AIS is considered a promising approach for IDS
implementation in WSNs, since network security tasks
have great similarities with AISs concerning the need of
maintaining system stability in a highly changing environment
[11, 13]. Some of the HIS's main features, such as
self-organization, adaptation, robustness and fault tolerance,
are similar to some desired characteristics of WSNs.
These networks should be able to adapt to continuous
changes in environmental conditions and application
requirements, and be fault-tolerant, since the sensor nodes
communicate over an unreliable and unstable medium.
Furthermore, WSN mechanisms and/or algorithms must be
distributed and self-organizing, since the existence of
centralized mechanisms is not appropriate for such net-
works, given their constrained resources and scalability
issues.
This paper presents the architecture of an IDS for WSN
using Danger Theory immune-inspired techniques [11].
Danger Theory uses a danger signal to classify as anom-
alous an antigen (attacker) that is causing damage to the
body, independently of it belonging (self) or not (non-self)
to the body. Cells known as dendritic cells (DCs) detect
and process different signals, including the danger signal,
to classify the collected antigens as normal or anomalous.
These cells can be seen as the AIS's control mechanism,
determining whether the WSN is suffering an attack or not.
The proposed IDS was designed to be activated or deac-
tivated according to security requirements of applications
running on the WSN, thus contributing to saving the
WSN's constrained resources.
Our proposal is a decentralized and customized version
of the original Dendritic Cell Algorithm (DCA), which was
tailored to the WSN environment [11]. In this new version,
original algorithm procedures have been adapted to better
exploit the WSN's high density characteristic and reduce both
processing and amount of data structures to be stored in
each sensor node. The algorithm was designed to: (i) be
generic and independent of attack type; (ii) allow compo-
nent reuse in different WSN applications; (iii) have its code
independent of WSN application codes and protocols; and
(iv) allow activation/deactivation according to security
requirements of current running WSN applications.
An application where sensors capture and periodically
send data to a base station (BS) connected to a computer
was considered as a case study in this paper. An IDS,
programmed to detect one of the greatest threats to a
WSN, namely the denial-of-sleep attack (through jamming
interference) [24], and to trigger appropriate countermea-
sures, was installed in all sensor nodes. This type of attack
aims at accelerating the depletion of energy sources of one
or more sensors and, eventually, disabling them. The attack
occupies the wireless medium and increases the probability
of packet collisions within the range of the interfering
signal. The attack keeps the affected nodes awake for a
longer time trying to successfully transmit (the wireless
medium is occupied by the attacker node) or retransmit a
packet (the application requests the retransmission of
non-received packets), causing, in both cases, an additional
consumption of sensor node energy.
The remainder of this paper is organized as follows.
Section 2 describes basic concepts on HIS and, in partic-
ular, DCA and Danger Theory. Section 3 discusses related
work. The proposed IDS is described in Sect. 4 and in Sect.
5, different experiments and their results are analyzed.
Finally, our conclusions and future work are presented in
Sect. 6.
2 Basic Concepts
Currently, a great interest has emerged in studying the
employment of HIS for intrusion detection and several
studies have focused on Negative Selection, Clonal
Selection and Immune Network theories, also known as the
Classical Theories [11]. However, the approach based on
Classical Theories has been questioned because it is neither
true that only external factors cause damage to the body,
nor that any outside organism can cause harm to the body.
This question arose in 1994 [18], when the Danger Theory
was first introduced.
The human body's defense system is mediated by early
reactions of innate immunity, and acquired immunity late
responses. The innate immune system represents the first
line of defense of the organism, acting quickly and effec-
tively against invaders. This system consists of defense
mechanisms and cellular biochemistry that are present even
before a possible attack. Because they are congenital, they
respond promptly to infections. Main components are
physical barriers such as skin, chemical barriers, repre-
sented by antimicrobial substances produced by epithelial
surfaces, such as sweat and saliva, in addition to agents and
cellular proteins such as cytokines, complement compo-
nents, macrophages and DCs. These components respond
in much the same way to various infections, since the
aggressor recognition is through structure patterns common
to different pathogens (PAMPs, Pathogenic Associated
Molecular Patterns) [18].
The Adaptive Immune System is characterized by the
impressive ability to identify and distinguish different
types of offenders, known as specific immunity. Moreover,
once stimulated by a particular pathogen, the subsequent
responses to the same pathogen will be faster, growing in
magnitude and defensive ability, skill known as mem-
ory. The adaptive immune system is composed of B and T
cells and their products. Both AIS and innate system are
parts of an integrated defense system. The initial response
of innate immunity stimulates adaptive immunity, and the
latter uses many innate immunity components as effectors
of its response.
Applying the HIS concepts to several areas of computing
gave rise to the Artificial Immune System (AIS). In
recent decades, works on AIS using the Danger Theory have
become popular [2]. The incorporation of this theory in
intrusion detection techniques is intended to produce a
system able to efficiently respond both to known threats and
new types of attacks, thus reducing the number of false
positives (FP), which are common in IDSs [12]. The
Danger Theory takes into account whether the antigens are
dangerous or not according to whether danger signals are being
produced or not by damaged tissue cells [18]. DCs are the main
element of this theory, acting as crime scene investigators,
collecting antigens produced by pathogens and tissue cells and
classifying them by means of a danger signal. In
Greensmith et al. [12], initial investigations on the use of
DCs in AIS applied to anomaly-based IDS were presented,
and the DCA was introduced for the first time. The algorithm
was based on features of these cells, using input
signals and state differentiation from immature to semi-mature
(normal) or mature (anomalous) in order to build a
control mechanism for AIS.
DCA is divided into three phases: initialization, updat-
ing and aggregation [12]. In the initialization phase, the
algorithm parameters are configured and initialized, and
the immature state is attributed to DCs. In the updating
phase, a continuous process of updating data structures
from the input signals and the antigens is performed. In this
stage, the output signals are generated by changing the
state of the DCs to semi-mature (normal) or mature
(anomalous). The aggregation phase occurs in the lymph
node, which is a ganglion found throughout the lymphatic
system and has the function of receiving the DCs. At this
stage, antigens presented by the mature or semi-mature
DCs are analyzed and the index of abnormality of these
antigens, known by the acronym MCAV (Mature Context
Antigen Value) is calculated. MCAV ranges from zero (0)
to one (1) and represents how anomalous a specic antigen
is, being calculated using the following formula:
MCAV = M/(SM + M), where M represents the
amount of a specic antigen found in mature cells and
SM the same amount of that antigen in semi-mature
cells. If the index is above a predetermined value (anomaly
threshold), antibodies are activated, starting the fight
against the invaders. Antigen evaluation is repeated a
certain number of cycles (events) or until all antigens have
been evaluated [21].
In the DCA, the input signals are classified as: (i) danger
signals, when the cells undergo necrosis (unscheduled cell
death); (ii) secure signals, when the cells undergo apoptosis
(programmed cell death); (iii) PAMP signals, substances
indicating the presence of an extra-entity body; and (iv)
inflammation, which indicates the increase of blood flow
and temperature in an area affected by an invasion, whose
effect amplifies the effects of the three earlier signals [11].
DCs process the input signals to generate output signals
according to Eq. 1. This equation is computed once for each
of the output signals: (i) migration signal (Costimulatory
Molecules, CSM), (ii) semi-mature and (iii) mature. Each
DC keeps storing the output signals while the migration
signal does not reach a predetermined threshold (migration
threshold). When the migration signal reaches the limit, the
DC compares the stored values for the semi-mature and
mature signals. The signal of greater value sets the state of
maturation for that DC. Then this DC migrates to the lymph
node. In Eq. 1, Pi represents the PAMP signal, Di the
danger signal, Si the secure signal and IC the inflammation
signal. The sum of each of these signals is multiplied by their
respective weights Wp, Wd and Ws.
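$$
\mathrm{Output}
\begin{bmatrix} \mathrm{csm} \\ \mathrm{semimature} \\ \mathrm{mature} \end{bmatrix}
= \left( W_P \sum_{i=0}^{I} P_i + W_D \sum_{i=0}^{I} D_i + W_S \sum_{i=0}^{I} S_i \right) (1 + IC)
\qquad (1)
$$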
In HIS, DCs do not perform their function in isolation.
There is a population of DCs, each of which captures antigens
and input signals. The multiplicity of DCs is a key issue,
since it is the collective indication of several DCs on one
type of antigen that causes a HIS response. Thus, the DCA is
inherently error-tolerant, because the misclassification made
by a single DC is not sufficient to trigger a HIS false positive
error. As soon as DCs notify the lymph node of the
presence of an invader, B and T cells are activated, being
responsible for the production of that pathogen's specific
antibodies.
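
The DCA flow described in this section, as an added example that is not code from the paper: each DC accumulates the three output signals of Eq. 1 until the migration signal reaches the migration threshold, and the lymph node then computes MCAV = M/(SM + M) per antigen over the whole DC population. The weights, thresholds, antigen labels and sensor streams are constructed assumptions, since the section gives no numeric values.

```python
from collections import Counter

# Constructed weights (assumption, not from the paper): (W_P, W_D, W_S) per output.
WEIGHTS = {
    "csm": (2.0, 1.0, 2.0),
    "semimature": (0.0, 0.0, 3.0),
    "mature": (2.0, 1.0, -3.0),
}


def output_signal(weights, pamp, danger, safe, inflammation):
    """Eq. 1: weighted sums of the input signals, amplified by (1 + IC)."""
    w_p, w_d, w_s = weights
    return (w_p * sum(pamp) + w_d * sum(danger) + w_s * sum(safe)) * (1 + inflammation)


class DendriticCell:
    def __init__(self, migration_threshold):
        self.migration_threshold = migration_threshold
        self.state = "immature"
        self.outputs = dict.fromkeys(WEIGHTS, 0.0)
        self.antigens = Counter()

    def update(self, antigen, pamp, danger, safe, inflammation=0.0):
        """Updating phase: collect one antigen and accumulate the output signals.
        Returns True once the cell has matured and must migrate."""
        self.antigens[antigen] += 1
        for name, weights in WEIGHTS.items():
            self.outputs[name] += output_signal(weights, pamp, danger, safe, inflammation)
        if self.outputs["csm"] >= self.migration_threshold:
            # The larger of the two stored signals sets the maturation state.
            if self.outputs["mature"] > self.outputs["semimature"]:
                self.state = "mature"
            else:
                self.state = "semimature"
        return self.state != "immature"


class LymphNode:
    """Aggregation phase: counts antigens presented by migrated DCs."""

    def __init__(self):
        self.mature = Counter()
        self.semimature = Counter()

    def receive(self, cell):
        target = self.mature if cell.state == "mature" else self.semimature
        target.update(cell.antigens)

    def mcav(self, antigen):
        m, sm = self.mature[antigen], self.semimature[antigen]
        return m / (sm + m) if (sm + m) else 0.0

    def alarms(self, anomaly_threshold):
        seen = set(self.mature) | set(self.semimature)
        return sorted(a for a in seen if self.mcav(a) > anomaly_threshold)


def simulate(streams, migration_threshold):
    """Run one DC per monitoring sensor; a migrated DC is replaced by a new
    immature one. Observations left in a still-immature DC are not reported."""
    lymph = LymphNode()
    for observations in streams.values():
        cell = DendriticCell(migration_threshold)
        for obs in observations:
            if cell.update(*obs):
                lymph.receive(cell)
                cell = DendriticCell(migration_threshold)
    return lymph


# Constructed sample input: (antigen, PAMP signals, danger signals, secure signals, IC).
SAMPLE_STREAMS = {
    # s1 sees clear attack evidence, then ordinary reporting traffic.
    "s1": [("dos-sleep", [1], [2], [0], 0.0)] * 3
          + [("periodic-report", [0], [0], [3], 0.0)] * 2,
    # s2 sees the attack with inflammation; one benign antigen lands in a mature DC.
    "s2": [("dos-sleep", [1], [1], [0], 0.5),
           ("periodic-report", [0], [1], [1], 0.0),
           ("dos-sleep", [1], [1], [0], 0.5)],
    # s3 only sees secure signals and classifies the same antigen as normal.
    "s3": [("dos-sleep", [0], [0], [2], 0.0)] * 3,
}

if __name__ == "__main__":
    lymph = simulate(SAMPLE_STREAMS, migration_threshold=10.0)
    for antigen in ("dos-sleep", "periodic-report"):
        print(antigen, round(lymph.mcav(antigen), 3))
    print("alarms:", lymph.alarms(anomaly_threshold=0.5))
```

The single benign antigen carried by a mature DC from s2 and the dissenting semi-mature DC from s3 both shift the MCAV values without flipping either decision, which is the population-level error tolerance the paragraph above describes.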
3 Related Work
Techniques used in natural computation, particularly those
based on the AIS, have been considered the most promising
approaches for implementation of WSNs for next genera-
tion safety systems [2].
Several HIS inspired IDS proposals based on the utili-
zation of the Danger Theory in regular networks can be
found in the literature like Aickelin and Cayzer [1],
Aickelin et al. [2], Greensmith et al. [12] and Twycross
[22], Greensmith [11], Bachmayer [3], Hong and Yang
[13] and Silva [21]. In WSN there are many works pro-
posing IDSs using a statistical-based approach, like: Da
Silva et al. [6], Onat and Miri [19] and Martynov et al. [17].
Among reviewed references, only Drozda et al. [9], Liu and
Yu [16], Kim et al. [14], Wallenta et al. [23] and Zamani
et al. [25] presented works using immune-inspired IDS for
WSN.
In Da Silva et al. [6], an anomaly detection IDS was
proposed. That IDS was divided into three phases and
based on promiscuous monitoring of the WSN. During the
first phase the data acquisition is done. During this phase a
monitor node listens to the network in promiscuous mode
and stores the information using the available memory on
the sensor. The authors defined a set of rules that are
applied in the second phase, and when a message fails in
the verification of such a rule, a counter relative to that
rule is increased. Finally, in the third phase, the counters
are compared with threshold values. If the number of
failures is greater than the predefined threshold, an alarm is
activated. For the IDS proposed by Da Silva et al. [6] to
operate, it becomes necessary to include two new fields in the
message structure of the application (increase of 2 bytes in
size) for the use of rules proposed by the IDS, allowing the
collection of information needed by the sensors' IDS. This
change makes the IDS specific for the application.
In Onat and Miri [19], an anomaly based IDS for WSNs
was proposed. This IDS uses a statistical algorithm. This
algorithm exploits the stability of a static large scale WSN.
In the proposed IDS, the sensors have the ability to store
simple statistics about the behavior of their neighboring
nodes, such as the messages transmission rate and the
power of the broadcast signal. The IDS proposed by them
was installed in all of the WSN's sensors, and although it
indicates an interesting and feasible methodology, no
mechanism for cooperation between the nodes was implemented.
Martynov et al. [17] proposed and implemented in a real
sensors platform an agent-based IDS that uses the anomaly
detection approach. This IDS is able to identify a Denial-
of-Service attack in WSNs. The agents are called Status
Nodes and Send and Receive Nodes. The Status Node has
the functionality to warn about the occurrence of an attack.
The Send and Receive Node has the functionality to send
and receive messages at different rates, simulating a nor-
mal network or a network under attack by varying the
transmission rate of the application messages. These agents
are distributed by different sensors where, the Send and
Receive Nodes, by comparing network traffic with a
pre-established baseline, can identify if the attack is occurring
or not. If the attack is identified, a message informing about
the attack is transmitted to all nodes in the network.
Despite the distributed agents, the nodes work indepen-
dently, and do not have any cooperation between them to
identify the attack.
Drozda et al. [9] proposed a misuse detection immune-
inspired IDS, based on the Negative Selection Theory for
WSNs. The authors show that the choice of the elements
that when concatenated compose and identify an antigen,
have a profound influence on the performance of the AIS.
In the Negative Selection Theory, if the antigens are not all
mapped, there will be holes in the detection, which will
trigger the occurrence of FP and false negatives (FN). The
authors inform that the performance of the IDS depends on
the size of the antigens, i.e., the greater the antigen size,
the greater the amount of detectors needed for a correct attack
identification. This goes against one of the basic
characteristics of the sensors, the scarcity of resources, memory in
this case.
In Liu and Yu [16], the authors applied the techniques of
Negative Selection and Clonal Selection in the creation of
an immune-inspired WSN IDS. The following conditions
were established for the IDS: (i) the nodes are static and no
new node is added to the network; (ii) data packets are
forwarded to the BS and the network uses a tree-based
structure for routing; (iii) tampered nodes function
normally, except when conducting an attack; (iv) there was
sufficient training before the attack was started; and (v) all
nodes in the WSN are equipped with the extra module to
detect anomalies. To monitor the behavior of neighboring
nodes, a node listens for messages from its neighbors by its
detection module. This module is divided into four phases.
The first phase is the self-acquisition, where, during a
training period, the node listens to the transmission/
reception of its neighbors, extracting information from
trafficked packets and storing it in the sensor's memory. By
adopting a learning period, the authors make the system
unable to accept changes in the WSN. As the sensors
exhaust their batteries, the WSN's own features
change. This creates the need for further training, since
FP or FN can be issued because the scenario has changed.
The second phase, called detectors generation, occurs after
the system training. At this stage the detectors that will
identify the attacks are generated and stored in the sensor's
memory. The third phase, called detection, occurs when the
training ends and the system starts to detect the attack. At
this stage the packets sent by neighboring nodes are heard
by a node and parameters to be analyzed (called antigens)
are extracted. If the detector reaches its time limit of life
and the number of antigens that combined is less than the
threshold, the sensor dies and a new detector is generated. If
the number of antigens is greater than the limit, the detector
will activate an intrusion alarm. When a switch is
activated, it passes to the next phase: Clonal selection. In
the fourth phase, called Clonal selection, active detectors
evolve and go to the memory, starting to have a longer
lifespan and lower limits. This technique allows detectors
stored in memory to be activated quickly when similar
attacks occur. In order to reduce FP, a mechanism of
co-stimulation has been proposed. However, in this mechanism,
an operator must mark a string as "self" to correct a
false positive, making the IDS dependent on human
intervention, violating one of the basic principles of HIS:
autonomy. In the simulations, the authors found that, with a
mapped set of self antigens and a large set of detectors, the
IDS has achieved a rate of 100 % detection for all simulated
attacks. However, 92.3 % of FP were found in the jamming
attack. The latter makes it appear that the network is
still being attacked.
Wallenta et al. [23] extended the work presented by Kim
et al. [14], which was the first one to propose a DCA
implementation to a WSN. This IDS allowed to detect a
new type of attack called Interest Cache Poisoning
Attack that can occur in a WSN environment when
directed diffusion protocol is used. Unlike Wallenta et al.
[23], where DCA and directed diffusion protocol proce-
dures are intertwined, in the present work, the proposed
algorithm is designed to be code independent of WSN
applications and protocols, allowing components reuse in
different application scenarios.
Zamani et al. [25] proposed a generic architecture using
mobile agents for a Danger Theory immune-inspired IDS.
This architecture was applied in a WSN in order to identify
a Distributed Denial-of-Service attack (DDoS) when direct
diffusion protocol is used. According to the authors, agents
are used to collect data in various nodes and cooperate with
each other in order to detect an attack. The architecture was
split in static agents, which stay fixed in pre-determined
sensors and simulate HIS tissues; and in mobile agents,
which are transmitted between sensors, simulating HIS
cells behavior. The static agents simulated the following
organs of the HIS: Thymus, Bone Marrow, Lymph Node
and tissues. The mobile agents simulated the characteristics
of B cells, T cells and DCs.
Unlike the related work, in this paper we used the
Danger Theory and a customized DCA to perform the
anomaly detection of attacks in WSNs. These two immune-
inspired techniques have a different approach from the
classical theories about the use of antigens in the
identification of an attack. A generic IDS, independent of the
application or type of routing protocol, was created and
implemented in a WSN. The IDS was distributed among
the sensors, which carried different and complementary
roles, so it is not necessary to install the IDS in all nodes of
the network. Thus, the sensors of a WSN may or may not have
the TinyOS modules that contain the IDS implementation,
allowing the inclusion of new sensors in
the WSN without any change in the application. An
evaluation of the energy expended by the IDS was performed,
which was not done in related works.
4 Immune-Inspired Intrusion Detection Systems
This section describes: (i) the logical architecture of the
proposed IDS and its constituent elements; (ii) the mapping
of computational elements into immune-inspired elements;
(iii) the description of the phases that define the workflow
of the proposed IDS; (iv) the proposed DCA customization
for WSNs; and (v) a description of the IDS operation.
4.1 IDS Logical Architecture
The WSN we are dealing with consists of several sensor
nodes and a BS. A sensor node, in turn, can play the
role of a DC (sensor-dc) or of a lymph node (sensor-
lymph).
WSN IDS logical architecture, shown in Fig. 1, follows
the architecture proposed by the Common Intrusion
Detection Framework (CIDF) [4, 7, 10] and consists of
several components, namely Monitoring, Intrusion Detec-
tion Manager, Context Manager, Decision Manager,
Parameters Base, Rules Base and Countermeasures. These
components are grouped into four subsystems: (i) Moni-
tored Environment (E-BOX); (ii) Intruder Detector (A-
BOX); (iii) Storage (D-BOX); and (iv) Countermeasures
(C-BOX).
The Monitoring, Intrusion Detection Manager, Context
Manager, Parameters Base and Rules Base components are
installed in the sensor-dc. The Decision Manager and the
Countermeasures components are located in the sensor-
lymph.
The Monitored Environment subsystem, consisting of
the Monitoring component, is responsible for capturing the
values of the parameters defined by the Context Manager,
such as the amount of sent and received messages and the
Received Signal Strength Information (RSSI), which rep-
resent inputs to the proposed IDS. These parameters are
used to determine a possible invasion.
The Intruder Detector subsystem analyzes the collected
information to take a decision regarding the presence or
absence of an intruder in the environment. The Intrusion
Detection Manager, Context Manager and Decision Man-
ager components are part of this subsystem.
The Intrusion Detection Manager, central component in
the architecture, is responsible for organizing tasks and
coordinating actions and responses of other managers.
During system instantiation, the Intrusion Detection Man-
ager indicates to the Context Manager which attacks are to
be monitored by the IDS. The Context Manager, upon
receiving the attack information, consults the Parameters
Base to find out which parameters need to be monitored by
the Monitoring component. The Monitoring component
regularly collects parameter information and forwards most
recent measures to the Context Manager. Parameters values
received from the Context Manager are forwarded by the
Intrusion Detection Manager to the Decision Manager. The
Decision Manager uses the received information to identify
possible attacks in the monitored area, and, in the event of
an attack, its type and anomaly degree. Information about
existence, type and anomaly degree of an attack are
returned to the Intrusion Detection Manager, which for-
wards the report to the Countermeasures component for
countermeasure acting.
The Context Manager is responsible for two features:
(i) Monitoring Management; and (ii) Parameters Base
Management. The Monitoring Management functionality is
responsible for requesting and receiving parameters from
the Monitoring component, while the Parameters Base
Management functionality is responsible for comparing
received parameters with data in the Parameters Base and
for database maintenance. The Context Manager, after
receiving from the Intrusion Detection Manager informa-
tion about which attack(s) to monitor, accesses the
Parameters Base to find out which parameters to monitor
and instructs the Monitoring component to collect param-
eters values.
The Decision Manager is responsible for performing
three functions: (i) managing the Rules Base; (ii) executing
the customized DCA; and (iii) identifying an attack. The
Decision Manager needs to consult the Rules Base repository
for each type of attack. Once a possible attack is identified,
the Intrusion Detection Manager is warned. The
detection of various attacks can be carried out using a set of
distinct rules and evaluating the appropriate set of antigens.
Furthermore, adjusting the anomaly threshold (MCAV) in
the database is crucial for efficient attack detection.
The Storage subsystem stores: (i) the Parameters Base,
which is managed by the Context Manager and contains
collected parameter history, attack type, attack parameters
list and, for each parameter, a threshold value; and (ii) the
Rules Base, managed by the Decision Manager, which
contains rules that identify the types of attacks the IDS is
able to identify and the anomaly threshold (MCAV) set by
the administrator for each type of attack. Databases are
queried and input data compared with monitored data.
The Countermeasures subsystem contains the Counter-
measures component, which is responsible for combating
identified attacks. Countermeasures are direct actions
performed on a node or action demanding information sent to
the administrator.
4.1.1 Interactions Among Components for DC and Lymph Nodes
Figures 2 and 3 present sequence diagrams specifying
component interactions for DC and lymph nodes,
respectively.
In Fig. 2, the Intrusion Detection Manager tells the Context
Manager that a particular attack must be monitored by
issuing the informTypeOfAttack command in step (1). In
step (2) the Context Manager accesses the Parameters Base
via the accessParametersBase command to identify which
parameter has to be monitored. Then, the Context Manager
forwards the request to the Monitoring component, issuing
the requestParameter command (3). The Monitoring
component then captures the most recent value of the requested
parameter from the environment via the readParameter
command in (4). If the read value needs further processing,
e.g. obtaining sent or received message rates, the
Monitoring component executes a processing command (5) and
afterwards passes the value to the Context Manager (6).
The Context Manager, upon receiving a new value,
compares it to the Parameters Base with the verifyNormality
command (7) and stores this value with the command
storeParameterValue (8). Commands (7) and (8) are part of the
Parameters Base Management functionality of the Context
Manager. The value is then forwarded, via the sendParameter
command (9), to the Intrusion Detection Manager,
which forwards it to the Decision Manager (10). In the
Decision Manager, the received parameters are verified
against attack type according to the Rules Base (11) and the
processing of the DCA's functionality is started (12). The
Rules Base is consulted, representing the Rules Base
managing functionality. Once an attack is identified, the
Decision Manager invokes the adviceCell command in step
(13), informing the Intrusion Detection Manager. Finally,
the Intrusion Detection Manager of this node sends this
information to the node acting as lymph node by calling the
migrateCell command.

Fig. 1 IDS Logical Architecture
Fig. 2 Sequence diagram: node playing DC role
Fig. 3 Sequence diagram: node playing lymph node role

The node playing the role of a lymph node, in its step
(1), Fig. 3, listens to messages representing DCs, received
from nodes playing the role of DCs. The Decision Manager,
using the Attack Identification functionality, receives
migrated DC message data and calculates the MCAV value
for each identied attack, in step (2). The Decision Man-
ager informs MCAV value to the Intrusion Detection
Manager in step (3). The Intrusion Detection Manager
sends it to the Countermeasures component in step (4).
Inside the Countermeasures component the attack is identified
(5) and procedures to restrain the attack are passed to
the Intrusion Detection Manager in step (6). So the
Countermeasures component instructs other network nodes
to trigger specic countermeasures to combat that attack
type, as shown in step (7). This node can also execute step
(8), informBaseStation, which is responsible for notifying
the BS about the attacks that are occurring on the wireless
network.
4.2 Mapping Computational Elements into Immune-Inspired Elements
In this work, the WSN consists of several sensor nodes and
a BS where a sensor node can take the role of a DC (sensor-
dc) or a lymph node (sensor-lymph).
In this section, the features of computational elements are
mapped onto biological elements, as shown in Table 1.
Pathogens are the attacks themselves. Antigens represent a
way to identify an attack that we want to classify. This
identification is specific for each attack, i.e. each attack has
its own unique identifier, and could be based, for example,
on transmitted or received messages, which would be
classified as self (messages from the system or application)
or non-self (messages not belonging to the system or
application) messages. Antibodies are mapped as countermeasures.
Tissue being evaluated for pathogen danger
presence is represented by the WSN's nodes. The Danger
area is represented by the covering area of the wireless nodes.
Covering areas are controlled by the Monitoring component
and by the Context Manager managing functionality.
DCs are represented by the component Intrusion
Detection Manager and the Parameters Base Management
functionality of the Context Manager. DCs have the following
attributes: (i) identifier, that associates the DC to
the node where it was created; (ii) antigen, that works like a
label identifying a specific attack; (iii) state, that contains
the DC's current state value: immature, semi-mature or mature;
(iv) migration time, that represents the maximum time a
DC keeps collecting antigens and input signals; (v) danger
signal; (vi) PAMP signal; (vii) secure signal; and (viii)
inflammation signal. The signals (items v to viii) were
explained in Sect. 2.
Lymph node is represented by the decision mechanism
built in the Decision Manager component.
B cells and T cells, representing the adaptive immune
system, are represented by the Countermeasures component.
This component is responsible for fighting invaders,
and its actions are regarded as antibodies. Input signals
(danger signal, secure signal, PAMP signal and inflammation)
are variable parameters and different for each
attack type. These signals will be discussed in subsequent
sections.
Parameters Base and Rules Base repositories were
modeled to provide a data storage computational functionality
without any biological inspiration. However, these
repositories are essential for attack identification.
4.3 Immune-Inspired Intrusion Detection System Operation Phases
The proposed IDS's operation flow is divided into four
phases: (i) Collection Phase; (ii) Analysis Phase; (iii)
Decision Phase; and (iv) Reaction Phase. First and second
phases are related to DCA procedures, while the third
phase is related to lymph node decision-taking procedures.
The fourth phase represents the adaptive immune system
and its reaction against invaders.
Antigens and input signals are captured in the first phase.
In the second phase, input signals and antigens are analyzed
to generate output signals. These output signals indicate DC
maturation state. In the third phase, DCs present and classify
the self and the non-self antigens, indicating their degree of
abnormality. In the fourth and final phase, B and T cells
begin to produce antibodies which will fight against a
Table 1 Biological/computational mapping
| Biologic elements | Computational elements |
| --- | --- |
| Pathogens | Attacks |
| Antigens | Information that identifies an attacker |
| Tissue | Nodes composing WSN |
| Danger area | Nodes covering area |
| DC | Intrusion Detection Manager component and Context Manager component (managing database functionality) in sensor-dc |
| Lymph-node | Decision Manager Component in sensor-lymph |
| B cell and T cell | Countermeasures component |
| Antibody | Countermeasures activated by nodes |
specific invader. Table 2 illustrates computer components
location and functionality according to the phases of the
IDS. Phases are detailed below.
4.3.1 Collection Phase
DCA starts its execution in the Collection Phase. The
signals used for intrusion detection are collected by the
Monitoring component of the sensors-dc, which can oper-
ate in promiscuous mode, capturing all information trans-
mitted in the network, or in normal mode, capturing only
information directed to itself.
In this phase, nodes (sensor-dc) collect input signals
from the network. Signals are represented by a set of
parameters that have to be monitored in order to identify an
attack. The monitoring is realized by the message receiving
event of the application itself. There is no need to activate
the radio component for a specific IDS monitoring, i.e., the
radio is on only when the sensor is active and a message is
being received, thus saving energy. Each attack has its
different input signals. The definition of each input signal
determines the attack type a sensor is monitoring.
Upon Collection Phase completion, the Analysis Phase
begins.
4.3.2 Analysis Phase
The Analysis Phase is responsible for identifying the attack
the node (sensor-dc) was configured for. The analysis is
based on comparison with parameters and rules previously
defined and stored in Parameters Base and in Rules Bases.
The Context manager receives a parameter value from
the Monitoring component and forwards this information to
the Intrusion Detection manager. The Intrusion Detection
Manager forwards the information to the Decision Manager
component.
In the Decision Manager component, the forwarded
information serves as input to the immune-inspired algorithm.
This procedure is repeated at each DC until it
migrates to the lymph node, i.e., a message is sent from the
DC to the Lymph node. During repetitions, DC monitored
values are being cumulatively processed by a utility function,
detailed in Sect. 2, Eq. 1. The output of this function
will be the DC's maturation state: mature, in case an
anomaly is detected, or semi-mature, otherwise. Upon
reaching the migration threshold, the DC migrates either to
the semi-mature state or to the mature state, depending on
the utility function output, and the Decision Phase starts.
4.3.3 Decision Phase
The Decision Phase occurs in the lymph node and is executed
within the Decision Manager, performing the functionality
of identifying if an attack is occurring or not. In
this component, migrated DCs are accounted and antigens
they have presented are classified as normal or anomalous,
generating the MCAV index. This index is passed to the
Intrusion Detection Manager, which forwards it to the
Countermeasures component, starting the fourth and final
phase.
4.3.4 Reaction Phase
At this phase, which represents adaptive immune system
reaction, the Countermeasures component receives infor-
mation about type and intensity of the attack (MCAV
index) that is occurring on the network. The Countermea-
sures component is responsible for starting the antibodies
release in order to combat the invaders.
4.4 Custom Dendritic Cell Algorithm Applied to WSN
Figure 4 shows the pseudo code of the original DCA,
proposed by Greensmith [11]. The indexes and the data
structures used in the original algorithm are shown in
Tables 3 and 4, respectively.
For the original algorithm, in lines 1 and 2 all parame-
ters needed for implementation of ACD are initialized.
Line 3 runs a loop that controls the amount of refresh
cycles of antigen and signals. In line 4 the data structures
containing the antigens and the input signals, representing
the tissue being evaluated, are updated.
Table 2 Immune-inspired IDS phases and its composing elements
| | Collection Phase | Analysis Phase | Decision Phase | Reaction Phase |
| --- | --- | --- | --- | --- |
| Immune system | Innate immune system | Innate immune system | Innate immune system | Adaptive immune system |
| Biological components | DC | DC | Lymph node | B and T cells |
| Computational components | Monitoring; and Context Manager (Monitoring Management) | Context Manager (Parameters base managing); and Decision Manager (Rules base Management; DCA processing) | Decision Manager (attack identification) | Countermeasures |
In line 5 a loop that will visit all the DCs of the population
begins, causing them to collect and evaluate the
antigens and the input signals. In the loop of lines 6-8 each
DC fills the data structure of antigens and in the loop of
lines 9-11 their input signals (safe, danger and PAMP) are
collected. In lines 12-14 each DC processes the antigens
vector. The loop of lines 15-18 calculates the three output
signals for that DC in that cycle. The conditional test in lines
19-23 removes the DC from the population, migrating it to
the lymph node and clearing the antigens and the input
signals from its content, replacing this cell in the population.
Line 25 increments the execution cycle of the algorithm.
Finally, in line 27 the MCAV is calculated for the
collected antigens.
In this work, the original DCA was adapted to better
exploit the density of WSNs and reduce processing and
data structures required in each sensor node (Figs. 5, 6).
Thus, the procedures of the original DCA were divided
between the sensor-dc and the sensor-lymph. Each sensor-dc
was responsible for the procedure of one DC, making
unnecessary any specific processing to create a DC, which
occurs in the first line of the original algorithm. The loop of
line 5 was excluded from the sensors-dc. The features of
the loops of lines 6-8, 9-11, 12-14 and 15-18 remained
unchanged. The conditional test of lines 19 to 23 has been
shifted out of the loop of line 5 and remained in the sensors-dc.
At the end of an execution cycle, i.e. after the
value of CSM reaches the threshold value, the sensor-dc
sends a control message to the sensor-lymph indicating its
final state and which antigens were processed, restarting
the execution cycle (Fig. 5). Line 27, concerning the
Fig. 4 DCA's original pseudo code
Table 3 Original DCA indexes
| Index | Variation | Description |
| --- | --- | --- |
| i | From 0 to I | Number of input signals per category |
| j | From 0 to J | Number of input signals categories |
| k | From 0 to K | Number of antigens in tissue's antigen vector |
| l | From 0 to L | Number of DC's cycles |
| m | From 0 to M | Number of DCs in the population |
| n | From 0 to N | Size of the DC's antigen vector |
| p | From 0 to P | Number of output signals per DC |
| q | From 0 to Q | Number of antigens sampled per DC, per cycle |
| Tmax | Tm | Size of the antigen vector in the tissue |
Table 4 Original DCA's data structures
| Structure | Description |
| --- | --- |
| T = {S, A} | The tissue |
| S | Matrix of tissue signals |
| Sij | Signal of type i, category j in matrix of signals S |
| A | Antigen vector of the tissue |
| ak | Antigen k in antigen vector of the tissue |
| DCm = {s(m), a(m), op(m), tm} | One DC in population |
| s(m) | Matrix of signals of the DCm |
| a(m) | Antigen vector of the DCm |
| op(m) | Output signal p of the DCm |
| tm | Migration threshold of the DCm |
| wijp | Weights of the input signals Sij |
Fig. 5 Pseudo code of DCA customized to WSN (sensor-dc role)
calculation of the anomaly index (MCAV), was executed
only by lymph-node sensor, which uses data messages
received from sensors-dc as input, sending a message to the
BS containing the MCAV obtained (Fig. 6).
It is worth mentioning that in the original DCA,
increased reliability on the decision of whether there is an
attack was obtained by the existence of a set of DCs in a
single device. In our proposal, this reliability is achieved by
the existence of multiple nodes with the functionality of a
sensor-dc and a sensor-lymph (for each group of
sensors-dc) that gathers the reports on the existence or not
of an attack. This decision aims to explore the fact that
WSNs are composed of several small nodes arranged close
to each other, thus allowing different viewing angles on the
same attack.
In this study, we observed that the calculation of the
CSM could be customized for different types of attacks, not
requiring the calculation performed by Eq. 1 of Chapter 2,
saving processing by the sensors. Thus, the loop of lines
15-18 of Fig. 4 (Sect. 4.4) could have its processing
reduced to two repetitions. This procedure will be detailed
in the next chapter.
4.5 Description of the IDS Operation
Nodes playing DC role should collect the parameter values
requested by the Intrusion Detection Manager and, when
executing the DCA, send messages to the node playing the
lymph node role. These messages represent the migration
of a DC either in the mature or the semi-mature state.
When no attack is detected by the modified DCA running
on a node, no messages are sent, in order to save energy.
Received messages in a lymph node are processed to
identify attack type and calculate MCAV. For each attack
type, lymph node emits an alert message to the other nodes,
causing them to activate specific attack countermeasures.
Attack countermeasures are messages with instructions to
trigger actions to eliminate the identified threat. Actions
may include, e.g. enable encryption, start using authentication,
exclude a node from the network, or even shut
down for a specific time. Actions depend on the type of
attack that the network is suffering.
Figure 7 shows two sets of five sensor-dc (DC) communicating,
each one, with its corresponding sensor-lymph
(LN). The arrows indicate events order: arrows with label
"1" indicate a mature or semi-mature DC migrating to a
sensor-lymph. Arrows with label "2" indicate that the sensor-lymph
identified an attack in the WSN and is commanding
the sensors-dc to activate their countermeasures. Arrows
with label "3" show the message a sensor-lymph can send
to the BS in order to advise the administrator about an
ongoing attack.
Fig. 6 Pseudo code of DCA customized to WSN (sensor-lymph role)
[Figure 7 diagram: two groups of five sensors-dc (DC), each group around one sensor-lymph (LN), and the Base Station (BS). Arrow legend: 1 Dendritic Cells migrating; 2 Countermeasures; 3 Alert to Admin]
Fig. 7 Sensors-dc and sensors-lymph interacting
5 Experiments with the Immune Inspired IDS Applied to WSNs
In this Section, we describe simulations performed initially
to calibrate the proposed IDS and to analyze its efficiency.
Next, we present descriptions of simulations conducted to
evaluate the IDS energy consumption. Following, a comparison
between our proposal and another work, which
uses a different immune-inspired approach (Self-non-self
theory), was conducted, allowing assessing the efficiency
of both approaches in terms of detection and energy consumption.
Next, we describe an experiment performed with
real sensor nodes. In such experiment, the phases of the
operation flow of the proposed IDS (collection, analysis,
decision and countermeasure) were implemented on a real
WSN platform in order to evaluate the in situ efficiency of
the algorithm. Finally, the last experiment was repeated,
but this time with sensor nodes simulated using TOSSIM
(instead of using a real WSN platform), so that the real and
the simulated results could be compared.
In this work we considered only the Denial-of-Sleep
attack, which is characterized by the presence of an attacker,
called Jammer, which causes a noise in the wireless communication.
Such noise hampers the communication
between nodes in the network, preventing them from entering
sleep mode by flooding the medium with messages.
The Denial-of-Sleep attack is considered a major threat to
WSNs [17]. The calculation of the CSM was customized to
identify the Denial-of-Sleep attack. This calculation was not
done using Eq. 1 of Sect. 2, but directly by counting the
number of messages received by a node, allowing an economy
of processing by the sensors. This calculation was done
by counting the number of messages received by the sensors-dc.
That is, instead of having an expensive constant processing
even if an attack is not occurring on the network, the
sensors-dc start to count the number of application messages
and only when they reach a certain number, send a message
to the sensor-lymph containing the result of processing the
information collected. The analysis of the detection of other
types of attacks in WSNs was left as future work. However,
extending the IDS to incorporate new attacks is quite simple.
Since the IDS was designed to receive input signals and
these signals were associated to parameters which are different
for each attack type, then only the following steps are
required to include a new type of attack:
- In the Parameters Base, one needs to add (i) the new attack type, (ii) parameters chosen for this new attack and (iii) for each included parameter, a threshold value;
- In the Rules Base, one needs to add rules which are able to identify this new attack.
5.1 Experiment Environment
For all the performed experiments, either using real or
simulated nodes, the designed WSN was composed of
MICAz sensors, manufactured by Crossbow Technology
[5]. The sensors were programmed with the TinyOS
development environment [15], version 2.1.1, using nesC
[15], an extension of the C language, which implements a
model of event driven programming. TinyOS is a component-based
framework, designed specifically for the
development of solutions for WSNs. The real experiments
were conducted in a closed environment (laboratory). The
simulated scenarios were performed with the TinyOS
TOSSIM simulator [15]. TinyOS offers several software
components, including components that implement the
communication protocol stack. Each TinyOS component
has a well defined interface, implemented by functions that
are characterized as event handlers or commands.
It is important to notice that we used only the standard TinyOS
routing protocols, which are provided by the programming
environment, and no sensing boards were used, as the
purpose of the experiments was to evaluate the proposed IDS.
The proposed IDS was evaluated along with the BlinkToRadio
application from the TinyOS repository, which
was deployed in all nodes. In the BlinkToRadio application
nodes perform periodic readings every second. In
addition to the normal BlinkToRadio activities, each node
was enhanced with the role of sensor-dc or sensor-lymph.
5.1.1 Real Platform Architecture
The proposed IDS was implemented by defining two new
components to the TinyOS: the IDSDendriticCellC with
DC functionality, implemented in sensor-dc nodes; and
IDSLymphNodeC, with the functionality of the lymph
node, implemented in sensor-lymph nodes.
The IDSDendriticCellC (Fig. 8) component was designed to be
used by applications replacing the default AMReceiverC
component. AMReceiverC is the TinyOS default component
Fig. 8 Application using IDSDendriticCellC component
responsible for handling the reception of messages. Thus, all
messages arriving at the sensor node are evaluated by IDSDendriticCellC
and reported in a transparent way to the
application running on the sensor. This component provides
the same interfaces of the default AMReceiverC component
and realizes the functionalities: (i) monitoring parameters that
identify an attack; (ii) activate and deactivate the radio of the
sensor; (iii) execute the DCA (collect and analysis phases).
The IDSLymphNodeC (Fig. 9) component needs only to
be connected to the application running in the sensor-
lymph node. This is an additional component that does not
interfere with the receiving of the messages of the appli-
cations. Its only role is to receive control messages from
the sensors-dc, representing the migrated DCs, and process
them. This component has the functionalities: (i) activate
or deactivate the radio of the sensor; (ii) receive messages
from the sensors with the IDSDendriticCellC component
installed, counting the mature and the semi-mature ones
(decision phase); (iii) control, according to a schedule
determined by the network administrator, when the sensor-
lymph will calculate the MCAV value; and (iv) activate the
elements responsible for countermeasures (reaction phase).
The malicious node (Jammer) was implemented as an
application that uses TinyOS standard communication components,
generating messages in the network at a predefined
rate, alternating periods of activation and deactivation.
5.1.2 Simulation Architecture
The TOSSIM simulator has a limitation: it works only with
one deployment code image. That is, all the simulated
sensors are required to have the same code. Thus, in order
to meet this prerequisite and to enable the simulated
experiments, a single code was created for the simulated
environment containing all the previous implementations.
When the simulation starts, each simulated sensor, by means
of programmed decision-making structures in its code,
assumes the role of DC, lymph node or Jammer,
depending on the simulation that is running.
Thereby, the codes used in the real environment could be
reused in the simulations allowing comparisons and tests.
All the simulated experiments had the duration of 100 s
and each test was repeated 30 times, allowing results with a
confidence interval of 95 %.
5.1.3 Memory Usage
The proposed IDS was deployed on the MICAz platform
(4 Kbytes of RAM and 128 Kbytes of ROM). With the role
of sensor-dc, it consumes 116 bytes (2.8 %) of RAM and
1054 bytes (0.8 %) of program memory; and with the role
of sensor-lymph, it consumes 99 bytes (2.4 %) of RAM
and 2956 bytes (2.3 %) of program memory.
The external flash memory is completely available for
the file system. Hence, it leaves the majority of the storage
resources for the Operating System and applications.
There are two control messages: the message sent from
sensor-dc to sensor-lymph, with 3 bytes length, and the
message sent by sensor-lymph, with 2 bytes length.
There are two types of control message: the messages
transmitted from sensor-dc to sensor-lymph with 3 bytes in
size, and the messages transmitted from a sensor-lymph,
2 bytes in size.
The data messages from the application BlinkToRadio
are 2 bytes long and have not been changed since the
IDS, in order to remain generic, should not cause any
alteration in the components and messaging applications.
5.1.4 Energy Model
To evaluate the energy consumption due to the IDS oper-
ation we devised a simple energy model and calibrated it
using several simulated scenarios. The energy cost was
considered in terms of the number of messages sent and
received by nodes.
The reason for choosing this definition was based on
results found in the literature which demonstrate that the
majority of sensors in WSNs spend most of energy with
communication [8].
We model the energy cost as: Q = QTX + QRX, where
QTX is the energy consumed in transmitting and QRX is
the energy consumed in reception. In order to calculate
QTX and QRX, we take as reference the MICAz datasheet
[5]. The transmission rate of a sensor node is 4 μs/bit, and
the electric current flowing through the node to receive a
packet is 18.8 mA and to send a packet is 17.4 mA.
In our experiments there are two types of messages:
application data message (16 bits length) and two types of
IDS control messages: those transmitted by a sensor-dc (24
Fig. 9 Application using IDSLymphNodeC component
bits length) and those transmitted by a sensor-lymph (16
bits length). For each type of message we calculated QTX
and QRX. The energy dissipated by application data
messages is obtained by applying Eqs. 1 and 2; and the
energy dissipated by IDS control messages is obtained
using Eqs. 3 and 4 for a sensor-dc and Eqs. 5 and 6 for a
sensor-lymph.
Energy cost of application data messages generated in a
sensor:
QTX = 3 V × 17.4 mA × 4 μs/bit × 16 bits = 3.3408 mJ/message (1)
QRX = 3 V × 18.8 mA × 4 μs/bit × 16 bits = 3.6096 mJ/message (2)
Energy cost of IDS control messages generated in a
sensor-dc:
QTX = 3 V × 17.4 mA × 4 μs/bit × 24 bits = 5.0112 mJ/message (3)
QRX = 3 V × 18.8 mA × 4 μs/bit × 24 bits = 5.4144 mJ/message (4)
Energy cost of IDS control messages generated in a
sensor-lymph:
QTX = 3 V × 17.4 mA × 4 μs/bit × 16 bits = 3.3408 mJ/message (5)
QRX = 3 V × 18.8 mA × 4 μs/bit × 16 bits = 3.6096 mJ/message (6)
We considered: Dissipated energy (Q) = Voltage
(V) × Electric current (mA) × Time (s), where
Time = Transmission rate × Message size.
5.1.5 Metrics
The metrics used in the experiments were FP, FN, true
positive (TP), true negatives (TN), Sensitivity and Specificity,
defined as follows.
- FP indicates the amount of false alarms when no attack is occurring and FN indicates a normal condition when in fact an attack is occurring. TP indicates a fault condition when an attack is occurring and TN indicates a normal condition when no attack is occurring.
- Sensitivity represents the hit rate of the IDS and is calculated as the ratio between the amount of TP and the sum of TP and FN, i.e. Sensitivity = TP/(TP + FN).
- Specificity represents the false alarm rate and is calculated as the ratio between the amount of TN and the sum of TN and FP, i.e., Specificity = TN/(TN + FP). These two metrics are for simulated environments.
These metrics were generated by the IDS during its
execution considering an anomaly index (MCAV) equal to
50 % (configured in the sensor-lymph), as defined in the
literature [11, 22]. That is, for all MCAV issued by the
sensor-lymph greater than or equal to 50 %, the proposed
DCA indicated the presence of an intruder.
5.2 Scenario
For the performed experiments, both for the real implementation
and for the simulations, we adopted a flat network
topology with static nodes emitting one application
message per second. Only the denial-of-sleep attack was
considered, characterized by causing a noise in the environment,
disrupting communication between the nodes.
The detection of other types of attacks in WSNs was left as
future work.
The WSN was composed of: (i) sensor-dc nodes, with
the IDSDendriticCellC component installed; (ii) a sensor-
lymph, with the IDSLymphNodeC component; and (iii) a
Jammer node. We used an interval of 100 ms for the
Jammer's message sending rate. The Jammer was positioned
within 1 m of sensor-lymph during the experiments
conducted for purposes of calibration (see Sect. 5.4).
In order to apply the customized DCA for WSNs to
detect the denial-of-sleep attack, the input signals have
been defined and measured from the messages received by
the sensors-dc as follows: (i) the PAMP signal was defined
as the RSSI level in the environment when the sensor-dc
receives a message; (ii) the Danger Signal was obtained by
calculating the incoming messages rate received by the
sensor-dc; and (iii) the Safe Signal was defined as the
inverse of the variation of incoming messages rate received
by the sensor-dc. The DCA's efficiency is closely related to
the input signals choice. According to Xu et al. [24], these
metrics (signal strength and packet delivery ratio) are used
for the purpose of detecting jamming attacks.
In Eq. 1 (Sect. 2), the weights were defined empirically
from immunological experiments conducted by immunologists
of "The Danger Project" [21]. Thus, the semi-mature
output signal weights Wp, Wd and Ws assume
values 0, 0 and 1, respectively. Finally, the mature output
signal uses the values 2, 1 and -3 as the weights Wp, Wd
and Ws, respectively. The inflammation is not considered
in this work.
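The split of the DCA between a sensor-dc and a sensor-lymph (Sects. 4.4 and 4.5), with the message-count CSM, the weights above and the 50 % MCAV decision, is shown below in C as an added example; it is not the authors' nesC code. The weighted sums and the "mature if the mature output exceeds the semi-mature output" rule follow the standard DCA; the message field layout, the antigen label, the 0..100 signal scaling and the sample signal values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { SEMI_MATURE = 0, MATURE = 1 };
#define MAX_ANTIGENS 4        /* assumed table size on the sensor-lymph */
#define ANTIGEN_DOS_SLEEP 1   /* assumed label for the denial-of-sleep attack */

/* Control message a sensor-dc sends when its DC migrates. The paper gives
   only the 3-byte size; this field layout is an assumption. */
typedef struct { uint8_t dc_id, antigen, state; } dc_msg_t;

/* Input signals taken from one received message, assumed scaled to 0..100. */
typedef struct {
    int pamp;    /* RSSI level when the message arrived */
    int danger;  /* incoming message rate */
    int safe;    /* inverse of the variation of the incoming rate */
} signals_t;

typedef struct {
    uint8_t id, antigen;
    int threshold;    /* migration threshold, in received messages */
    int csm;          /* customised CSM: a plain message counter */
    long semi, mat;   /* cumulative semi-mature and mature outputs */
} sensor_dc_t;

typedef struct { unsigned mature[MAX_ANTIGENS], total[MAX_ANTIGENS]; } sensor_lymph_t;

void dc_init(sensor_dc_t *dc, uint8_t id, uint8_t antigen, int threshold)
{
    memset(dc, 0, sizeof *dc);
    dc->id = id; dc->antigen = antigen; dc->threshold = threshold;
}

/* Sensor-dc, run from the message-receive event. Returns 1 and fills *out
   when the migration threshold is reached, then restarts the cycle. */
int dc_on_message(sensor_dc_t *dc, signals_t s, dc_msg_t *out)
{
    dc->csm  += 1;
    dc->semi += 0 * s.pamp + 0 * s.danger + 1 * s.safe;   /* Wp, Wd, Ws = 0, 0, 1  */
    dc->mat  += 2 * s.pamp + 1 * s.danger - 3 * s.safe;   /* Wp, Wd, Ws = 2, 1, -3 */
    if (dc->csm < dc->threshold)
        return 0;
    out->dc_id = dc->id;
    out->antigen = dc->antigen;
    out->state = (dc->mat > dc->semi) ? MATURE : SEMI_MATURE;
    dc->csm = 0; dc->semi = 0; dc->mat = 0;
    return 1;
}

/* Sensor-lymph: account one migrated DC; malformed messages are dropped. */
void lymph_receive(sensor_lymph_t *ln, const dc_msg_t *m)
{
    if (m->antigen >= MAX_ANTIGENS || m->state > MATURE)
        return;
    ln->total[m->antigen]++;
    if (m->state == MATURE)
        ln->mature[m->antigen]++;
}

/* MCAV for one antigen, in percent: mature DCs / all migrated DCs.
   Returns -1 when no DC migrated in the scan window. */
int lymph_mcav(const sensor_lymph_t *ln, uint8_t antigen)
{
    if (antigen >= MAX_ANTIGENS || ln->total[antigen] == 0)
        return -1;
    return (int)(100u * ln->mature[antigen] / ln->total[antigen]);
}

/* One MCAV scan window with constructed signal values: n_dc sensors-dc each
   receive msgs messages; the first `blind` of them see quiet signals even
   while the Jammer is active (DCs that classify wrongly). */
int run_window(int jammer_on, int n_dc, int blind, int threshold, int msgs)
{
    const signals_t quiet  = { 10, 10, 90 };   /* constructed sample values */
    const signals_t jammed = { 80, 100, 5 };   /* constructed sample values */
    sensor_lymph_t ln;
    memset(&ln, 0, sizeof ln);
    for (int d = 0; d < n_dc; d++) {
        sensor_dc_t dc; dc_msg_t msg;
        dc_init(&dc, (uint8_t)d, ANTIGEN_DOS_SLEEP, threshold);
        for (int k = 0; k < msgs; k++) {
            signals_t s = (jammer_on && d >= blind) ? jammed : quiet;
            if (dc_on_message(&dc, s, &msg))
                lymph_receive(&ln, &msg);
        }
    }
    return lymph_mcav(&ln, ANTIGEN_DOS_SLEEP);
}

/* Decision at the sensor-lymph: intruder present when MCAV >= 50 %. */
int attack_detected(int mcav) { return mcav >= 50; }

int main(void)
{
    printf("no jammer, 5 DCs:       MCAV=%d\n", run_window(0, 5, 0, 1, 5));
    printf("jammer, 5 DCs, 1 blind: MCAV=%d\n", run_window(1, 5, 1, 1, 5));
    printf("jammer, 1 DC, blind:    MCAV=%d\n", run_window(1, 1, 1, 1, 5));
    return 0;
}
```

With one wrongly classifying DC out of five the sensor-lymph still raises the alarm, while a lone sensor-dc in the same position misses the attack; a migration threshold larger than the number of messages in the window yields no migrated DC at all.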
5.3 Simulations
5.3.1 IDS Calibration
For the simulations where the IDS was calibrated, the
sensors-dc were arranged along a circle of 3 m in diameter
in order to remain equidistant from the sensor-lymph,
which was positioned in the center of this circle. Each node
was programmed to have a unique ID inside the WSN and
a fixed omnidirectional radio range of 15 m.
During the calibration simulations the Jammer was
positioned within 1 m of sensor-lymph and behaved like a
step function, remaining active for 10 s and inactive for
another 10 s, and so on. It is important to note that, as the
threshold for migration controls the number of messages
received by the sensors, the delay related to the receipt of
these messages cannot exceed 10 s (time during which the
Jammer remains active).
Three sets of experiments were conducted. The first set of
experiments determines the ideal number of sensors-dc a
sensor-lymph needs in terms of Sensitivity and Specificity to
detect the Denial-of-sleep attack. The amount of sensors-dc
per lymph node was varied between 1 and 10 sensors-dc, one
by one, preserving the density of sensors per square meter.
The second set of experiments was used to determine the
best migration threshold in terms of number of messages
received by the sensor-dc. The threshold for DCs migration
was varied from 1 to 10 messages, one by one. The third set
of experiments aimed to determine the optimal MCAV scan
range, which represents the elapsed time to issue an MCAV
assessment by the sensor-lymph, in order to provide the best
accuracy in detecting an attacker. The MCAV scan range
was varied from 1 to 9 s, one by one.
5.3.1.1 Varying the Number of Sensors-dc per Sensor-Lymph
In this experiment, the number of sensors-dc per
sensor-lymph was varied from 1 to 10, one by one. Table 5
shows the values of FP and FN in percentages according to
the proposed variations of sensors-dc per lymph node with
migration threshold set to 1 and MCAV scan range set to
5 s (Sect. 5.4.3 discusses FN and FP for different MCAV scan
ranges). We can note in Table 5 (values express percentages)
that increasing the number of sensors-dc for one
sensor-lymph implies the reduction of FN and FP values,
making the system more efficient.
The experiments with 1, 2 and 3 sensors-dc showed high
percentages of FN or FP and thus should not be considered.
According to Greensmith [11], the DCA needs to use a
population of some DCs in order to produce robust ranking
of the antigens collected. Whenever a cell classifies an
antigen wrongly, the DCA will still have several other cells
in the population so that a correct response could be issued.
Thus, the cases for 1, 2 and 3 DCs per sensor-lymph were
discarded as they do not represent significant numbers of
DCs in order to compose a reliable minimum amount for a
population of DCs [11].
5.3.1.2 Varying the Threshold for Migration of DCs
At this point, seven experiments were performed, one experiment
for each number of sensors-dc per sensor-lymph. The
first experiment used 4 sensors-dc, the second trial used 5
sensors-dc and so on until the number of 10 sensors-dc. For
each experiment the threshold migration was varied from 1
to 10 messages, with a unitary step. It is important to
emphasize that a migration threshold greater than 10
should not be used for the experiments because of the
selected behavior of the simulated Jammer. The activity
period of 10 s of jamming, as explained above, limits the
maximum threshold of migration to this same value as it
would not make sense to use a larger range than the actual
period of jamming to harvest antigens.
The aim of these experiments was to determine,
according to the FN and FP, the optimal number of mes-
sages that a sensor-dc should consider before setting the
state of maturation of a DC to the sensor-lymph. Table 6
shows the results for the FN and FP emitted by the sensor-
lymph for evaluations triggered by a 5 s clock.
We assumed a 1 % incidence of FN or FP as a tolerable
value for the target implementation. Table 6 reveals that,
for the first experiment, the best values for both FP and FN
were obtained with migration thresholds of 1 or 2 and for
experiments 2-4, the best values were obtained for both FP
and FN with migration thresholds in the range of 1-4.
Experiment 5 and experiment 6 show the best values of FN
and FP for migration thresholds in the range of 1-9 and
1-10, respectively. Experiment 7 shows the best values of
FN and FP (both equal to zero). For each experiment, an
increase in the migration threshold implies an increase in
the percentages of FN, certainly due to a direct increase in
the number of antigens and input signals collected by
sensors-dc, belonging to both the attacker, and to the
WSN's sensors themselves. Moreover, by increasing the
number of sensors-dc, the DCA can count on the results
emitted by several other DCs to issue a correct response
whenever any sensor-dc wrongly classifies an antigen.
It is important to note that assigning a high value for the
migration threshold causes a delayed detection of an
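Table 5 FN and FP fixing the migration threshold at 1 and MCAV scan range at 5 s
| Metrics / Sensors-dc | 1DC | 2DC | 3DC | 4DC | 5DC | 6DC | 7DC | 8DC | 9DC | 10DC |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| FN | 31 % | 13 % | 3 % | 1 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |
| FP | 5 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % | 0 % |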
anomaly event, justifying the increase of FN and FP. In
contrast, assigning a low value implies the generation of a
greater number of control messages sent from sensor-dc to
sensor-lymph, causing greater energy consumption. Intui-
tively, if the time-to-detect is not an application require-
ment, a migration threshold of 10 is recommended.
Otherwise, a migration threshold of 1 message could be
used for faster detections.
5.3.1.3 Varying the MCAV Scan Range

This parameter was also evaluated from a set of seven
experiments, one experiment for each number of sensors-dc per
sensor-lymph. The first experiment used four sensors-dc,
the second used five sensors-dc and so on until the number
of 10 sensors-dc. For each experiment the MCAV scan
range (time window) was varied from 1 to 9 s, with a
unitary step. The aim of these experiments was to determine,
according to the FN and FP, the optimal MCAV scan
range to best identify an attack. For each number of
sensors-dc, Table 7 shows the values of FP and FN in
percentages for each MCAV scan range, for a fixed migration
threshold of 1.
Table 6 FN and FP varying the migration threshold and keeping MCAV scan range fixed at 5 s
Experiment  Sensor-dc  Metrics  Migration threshold
                                1     2     3     4     5     6     7     8     9     10
1           4DC        FN       1 %   1 %   3 %   3 %   6 %   7 %   7 %   7 %   7 %   7 %
                       FP       0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %
2           5DC        FN       0 %   0 %   1 %   1 %   2 %   2 %   2 %   2 %   2 %   2 %
                       FP       0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %
3           6DC        FN       0 %   1 %   1 %   1 %   3 %   4 %   6 %   6 %   7 %   8 %
                       FP       0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %
4           7DC        FN       0 %   0 %   1 %   1 %   2 %   3 %   5 %   5 %   5 %   5 %
                       FP       0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %
5           8DC        FN       0 %   0 %   0 %   0 %   0 %   1 %   1 %   1 %   1 %   2 %
                       FP       0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %
6           9DC        FN       0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   1 %
                       FP       0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %
7           10DC       FN       0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %
                       FP       0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %   0 %

Table 7 FN and FP varying MCAV scan range and fixing the migration threshold to 1
Experiment  Sensor-dc  Metrics  MCAV scan range (s)
                                1     2     3     4     5     6     7     8     9
1           4DC        FN       10 %  9 %   5 %   1 %   1 %   1 %   5 %   6 %   10 %
                       FP       1 %   1 %   1 %   0 %   0 %   32 %  49 %  48 %  63 %
2           5DC        FN       7 %   4 %   2 %   0 %   0 %   0 %   5 %   7 %   9 %
                       FP       1 %   1 %   1 %   0 %   0 %   35 %  51 %  49 %  66 %
3           6DC        FN       7 %   4 %   2 %   0 %   0 %   0 %   6 %   7 %   10 %
                       FP       1 %   0 %   0 %   0 %   0 %   34 %  49 %  49 %  64 %
4           7DC        FN       5 %   4 %   2 %   0 %   0 %   0 %   6 %   7 %   10 %
                       FP       0 %   0 %   0 %   0 %   0 %   36 %  50 %  50 %  65 %
5           8DC        FN       4 %   1 %   1 %   0 %   0 %   0 %   6 %   7 %   11 %
                       FP       0 %   0 %   0 %   0 %   0 %   37 %  51 %  50 %  66 %
6           9DC        FN       3 %   1 %   1 %   0 %   0 %   0 %   6 %   7 %   11 %
                       FP       0 %   0 %   0 %   0 %   0 %   37 %  51 %  50 %  66 %
7           10DC       FN       2 %   1 %   1 %   0 %   0 %   0 %   6 %   8 %   10 %
                       FP       0 %   0 %   0 %   0 %   0 %   38 %  52 %  50 %  67 %

It is worth noting that the diversity of DCs is generated
through the migration of mature and semi-mature cells at
different times, producing a time window effect [11]. In the
proposed IDS, the effect of the time window was achieved
by the presence of various DCs (sensors-dc) monitoring
and perceiving different conditions of the WSN area and by
determining the MCAV scan range of the sensor-lymph,
along with a collection of antigens and input signals from
each sensor-dc.
Table 7 shows a turning point of the FN behavior centered
on the MCAV scan range of 6 s: (i) from 1 to 6 s, the
greater the MCAV scan range is, the lower the percentage
values of FN are; and (ii) from 7 to 9 s, the greater the
MCAV scan range is, the greater the percentage values of
FN are. Values under 6 s indicate that not enough mature
(anomalous) DCs migrated to the sensor-lymph, resulting
in an incorrect evaluation by the IDS on the presence of an
attacker. Likewise, values of the MCAV scan range over 6 s
indicate that enough semi-mature (normal) DCs migrated to
the sensor-lymph to overshadow the presence of
mature (anomalous) DCs, which implies an incorrect
evaluation by the IDS about the existence of an attacker.
FP behavior is similar to the FN behavior, but the turning
point where FP starts to increase is over 5 s.
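The window effect described above can be reproduced on a small constructed trace. The following is an added example, not code from the paper: it assumes the usual DCA definition of MCAV (mature presentations of an antigen divided by all its presentations inside the scan window), and the trace, the node ids 99 and 7, and the `min_reports` cut-off are assumptions made for the illustration.

```python
from collections import defaultdict

JAMMER_ID = 99   # constructed antigen id for the attacker
NORMAL_ID = 7    # constructed antigen id for a legitimate node


def build_trace(horizon_s=30, n_dc=5, jam_start=10, jam_end=20):
    """Constructed trace: one sensor-dc migrates per second (staggered, so each
    of the n_dc cells reports every n_dc seconds). Each migration presents both
    antigens; the Jammer's antigen is 'mature' only while jamming is active."""
    trace = []
    for t in range(horizon_s):
        dc = t % n_dc
        jam_state = "mature" if jam_start <= t < jam_end else "semi"
        trace.append((t, dc, JAMMER_ID, jam_state))
        trace.append((t, dc, NORMAL_ID, "semi"))
    return trace


def mcav(trace, start, end):
    """Return {antigen: (mcav, n_reports)} for reports with start <= t < end."""
    counts = defaultdict(lambda: [0, 0])          # antigen -> [mature, total]
    for t, _dc, antigen, state in trace:
        if start <= t < end:
            counts[antigen][1] += 1
            counts[antigen][0] += int(state == "mature")
    return {a: (m / n, n) for a, (m, n) in counts.items()}


def scan(trace, scan_range_s, horizon_s=30, threshold=0.5, min_reports=3):
    """Sensor-lymph evaluation over consecutive scan windows.
    Returns {antigen: [window_end, ...]} for every window that raised an alarm.
    min_reports (assumption): a window with fewer presentations of an antigen
    is treated as having too little evidence to classify it."""
    alarms = defaultdict(list)
    for start in range(0, horizon_s - scan_range_s + 1, scan_range_s):
        end = start + scan_range_s
        for antigen, (score, n) in mcav(trace, start, end).items():
            if n >= min_reports and score > threshold:
                alarms[antigen].append(end)
    return dict(alarms)


if __name__ == "__main__":
    trace = build_trace()
    for scan_range in (1, 5, 9):
        print(f"scan range {scan_range} s -> alarms {scan(trace, scan_range)}")
    # Tail of the attack (t = 18, 19) diluted by seven semi-mature reports.
    print("MCAV of antigen 99 in [18, 27):", mcav(trace, 18, 27)[JAMMER_ID])
```

With a 1 s window no antigen gathers enough presentations, with 5 s both attack windows are flagged, and with 9 s the last two seconds of jamming are outvoted by semi-mature reports and go undetected.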
Considering 1 % as an acceptable value for the FN and
FP, the experiments in Table 7 reveal that the range of
4–10 sensors-dc concentrates the best values of FP and FN
when a MCAV scan range of 4 or 5 s is used, which produces
the best results of FP and FN for both 5 and 10 sensors-dc.
Since the results for 4 and 5 s are the same, we chose 5 s
for the MCAV scan range in order to save sensor-lymph
energy.
5.3.2 IDS Efficiency
IDS evaluations are normally carried out using specific
measures that are intended to express their effectiveness. In
this work, the proposed DCA has its efficiency evaluated
using ROC (Receiver Operating Characteristic) curves.
The fundamental characteristic of these curves is the
distinction between hit rate (sensitivity or TP percentage)
and false alarm rate (specificity or false positive percentage)
as two different performance measures. These curves
are typically employed to measure effectiveness in
anomaly-based intrusion detection [21]. The values of TP,
TN, FP and FN were used to make the sensitivity and the
specificity curves. The best values of MCAV were determined
from the values of specificity and sensitivity.
The values of sensitivity and specificity are shown in
Figs. 10, 11 and 12 for the experiments carried out with 5,
7 and 10 sensors-dc, migration threshold equal to 1 and
MCAV scan range equal to 5 s. It is observed that the
specificity increases with the increasing value of the
anomaly threshold, meaning that a low threshold may
result in the increase of the FP. Moreover, the sensitivity
starts at 1 and decreases with increasing MCAV, causing
an increase in FN values.
The best IDS configuration is the one with the highest
values of both sensitivity and specificity, i.e., whenever
both values are 1, causing an intersection between the
corresponding curves. Regarding the sensitivity, it can be
observed that, as the number of sensors-dc per sensor-lymph
increases, the range of threshold anomaly equal to 1
also increases.
For example: for 5 sensors-dc, the MCAV values in the
range of 0–50 % have sensitivity equal to 1; for 10 sensors-dc,
the MCAV values in the range of 0–60 % have sensitivity
equal to 1. Concerning specificity, Fig. 10 shows that, for 5
sensors-dc, a maximal specificity is reached for MCAV values
greater than 30 % and, for 7 and 10 sensors-dc (Figs. 11, 12), a
maximal specificity may be reached for MCAV values greater
than or equal to 20 %.

Fig. 10 ROC curves for five sensors-dc
Fig. 11 ROC curves for seven sensors-dc
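The threshold selection described in this section can be sketched as a sweep over the MCAV anomaly threshold. This is an added example, not the authors' code: the MCAV samples are constructed, and the decision rule (alarm when the MCAV is strictly greater than the threshold) is an assumption.

```python
# Constructed samples: (MCAV in percent reported by the sensor-lymph for one
# evaluation, whether the Jammer was really active during that evaluation).
SAMPLES = [
    (0, False), (0, False), (10, False), (25, False), (0, False), (5, False),
    (55, True), (80, True), (100, True), (60, True), (90, True),
]


def confusion(samples, threshold_pct):
    """Count TP, FN, TN, FP for one anomaly threshold.
    Assumed decision rule: alarm when MCAV > threshold."""
    tp = fn = tn = fp = 0
    for score_pct, attack in samples:
        alarm = score_pct > threshold_pct
        if attack and alarm:
            tp += 1
        elif attack:
            fn += 1
        elif alarm:
            fp += 1
        else:
            tn += 1
    return tp, fn, tn, fp


def sweep(samples, thresholds=range(0, 101, 10)):
    """Return [(threshold, sensitivity, specificity), ...]."""
    rows = []
    for th in thresholds:
        tp, fn, tn, fp = confusion(samples, th)
        sensitivity = tp / (tp + fn)   # hit rate: attacks that raised an alarm
        specificity = tn / (tn + fp)   # normal evaluations left without alarm
        rows.append((th, sensitivity, specificity))
    return rows


def ideal_thresholds(rows):
    """Thresholds where both curves reach 1, i.e. FN = FP = 0."""
    return [th for th, sens, spec in rows if sens == 1.0 and spec == 1.0]


if __name__ == "__main__":
    rows = sweep(SAMPLES)
    for th, sens, spec in rows:
        print(f"MCAV threshold {th:3d} %  sensitivity {sens:.2f}  specificity {spec:.2f}")
    print("thresholds with sensitivity = specificity = 1:", ideal_thresholds(rows))
```

On this constructed data sensitivity stays at 1 up to a threshold of 50 % and specificity reaches 1 from 30 % on, so the usable band is 30–50 %.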
5.3.3 Evaluation of Energy Consumption
In order to measure the impact of the proposed IDS in
terms of energy consumption, we have conducted 12 distinct
experiments, considering different requirements. In
the first six experiments we used the following configuration
values: migration threshold (10 messages); MCAV
scan range (5 s); number of sensor-dc per sensor-lymph
(10). These values ensure high level of security (without
worrying about energy consumption) by reaching values of
FP and FN equal to zero (see results of Experiment 7 in
Table 6). In the last six experiments we changed the
number of sensor-dc per sensor-lymph (5) to accept an
error of 1 % for FN and FP (see results of Experiment 2 in
Table 6), thus we are slightly relaxing the requirements of
precision of detection, but on the other hand, reducing the
energy consumption.
In the first, second, seventh and eighth experiments, the
Jammer was deactivated. In the third, fourth, ninth and
tenth experiments, the Jammer operated uninterruptedly,
i.e. it was considered that the Jammer remained active from
the beginning to the end of the simulation. In the fifth,
sixth, eleventh and twelfth experiments, the Jammer was
deactivated 50 % of the simulation time, i.e. it was considered
that the Jammer was identified after a warning
issued by the IDS and removed from the network, allowing
the WSN to return to normal activity.
For each experiment, a different combination of
parameters was used, which are related to: (i) DCA; (ii)
period of jamming interference; and (iii) IDS enabled or
disabled.
DCA parameters include: DCs migration threshold
(MT); MCAV scan range interval (SR); and number of
sensors-dc per sensor-lymph (DC). These values were fixed
and grouped into two cases, A1 and A2, where:
A1: MT = 10, SR = 5 s, and DC = 10.
A2: MT = 10, SR = 5 s, and DC = 5.
Settings related to jamming interference were denoted
by B1–B3, where:
B1: jamming interference was disabled.
B2: jamming interference was full time (100 %)
enabled.
B3: jamming interference was partially (50 % of the
simulation time) enabled.
Configuration parameters related to IDS operation were
denoted by C1–C4, where:
C1: Jamming interference and IDS disabled; this
scenario was considered the normal case (baseline)
(there is no jamming interference and sensor nodes do
not play sensor-dc or sensor-lymph roles).
C2: Jamming interference disabled and IDS enabled;
in this case we are interested in analyzing the extra
energy consumption generated by sensor-dc and
sensor-lymph roles.
C3: Jamming interference enabled and IDS disabled;
in this case we evaluate the increase in energy
consumption caused by an attacker (the BlinkToRadio
application is changed in one node to perform periodic
readings and sending messages 10 times faster).
C4: Jamming interference and IDS enabled; in the last
scenario we measure energy consumption in the case
when jamming interference and IDS were enabled.
The results were grouped according to the configuration
A and generated two graphs, one following the A1
configuration (Fig. 13) and one according to the A2
configuration (Fig. 14).
Fig. 12 ROC curves for 10 sensors-dc

The first bar represents energy consumption of WSN for
configurations B1 and C1 (No Attack, No IDS). The second
bar represents the energy consumption of WSN for
configuration B1 and C2 (No Attack, With IDS). The third bar
represents the energy consumption of WSN settings for B2
and C3 (With Attack, No IDS and period of Jammer
activation 100 %). The third bar assesses the impact in terms
of energy consumption of the application (No IDS) in the
WSN when the Jammer period of activation is 100 %. The
fourth bar represents energy consumption of WSN for
configuration B2 and C4 (With Attack, With IDS and
period of Jammer activation 100 %). The fourth bar shows
the efficiency of an IDS in the presence of a Jammer when
its period of activation is 100 %. The fifth bar represents
the energy consumption of WSN for configuration B3 and
C3 (With Attack, No IDS and period of Jammer activation
50 %). The fifth bar assesses the impact in terms of energy
consumption in WSN application when the period of
activation of the Jammer is 50 %. Finally, the sixth bar
represents the energy consumption of WSN for
configuration B3 and C4 (With Attack, With IDS and period of
Jammer activation 50 %). This bar represents the efficiency
of the IDS in the presence of a Jammer when the period of
activation is 50 %. Table 8 shows the configurations and
the results obtained.
The first bar (configurations B1 and C1) shows that the
energy consumption in the WSN refers only to the execution
of the application during the simulation time. This
first bar is the smallest of the six bars in terms of consumed
energy and it was used as a baseline for the other bars. In
the graph shown in Fig. 13 (A1), the energy consumed was
6.37 × 10^6 mJ. In the second graph, depicted in Fig. 14
(A2), the energy consumed was 3.63 × 10^6 mJ. Analyzing
the first bar in both graphs, the energy consumed by the
WSN in A1 was 57 % smaller than the energy consumed in
A2. The reduction of the energy consumption of the
network was already expected because there were fewer
sensors-dc per sensor-lymph in experiment A2, resulting in
a smaller number of messages sent to a sensor-lymph.

Fig. 13 Energy curves A1
Fig. 14 Energy curves A2
The second bar (configurations B1 and C2) shows
the energy consumption of the IDS installed in the WSN. In
the first graph (A1), the energy consumption in configuration
B1 and C2 was 9.38 % higher than that consumed by
configuration B1 and C1. In the second graph (A2), the
energy consumption of configuration B1 and C2 was 10 %
higher than that consumed by configuration B1 and C1. This
result shows the efficiency of the IDS in terms of energy,
incurring an overhead smaller than 10 % of energy to the
WSN.
The third bar (configurations B2 and C3) shows the
highest energy consumption of the WSN since the IDS was
not implemented in the sensors and thus no countermeasure
(radios of the sensors being turned off) was performed in
order to prevent the Jammer's attack, which was active during
the entire simulation time. In the first graph (A1), the
energy consumed in configurations B2 and C3 was
294.31 % higher than in configurations B1 and C1. In the
second graph (A2), the energy consumed in configuration
B2 and C3 was 285 % higher than in configuration B1 and
C1. These results show that in both simulations the Jammer
made the WSN expend nearly 3 times the energy of a WSN
operating in normal conditions.
The fourth bar (configurations C4 and B2) shows the
energy saved by the network if compared to configurations
B2 and C3 (third bar) when the countermeasures are
activated by the IDS after the Jammer was identified. These
countermeasures consisted of turning off the radio of the
sensors affected by the Jammer for a pre-defined time, thus
protecting it against the high energy consumption resulting
from the attack and ensuring a longer lifetime for the
network. In the first graph (A1), the energy consumed in
the fourth bar was 218.92 % lower than in the third bar.
In the second graph (A2), the energy consumed in the
fourth bar was 204.00 % lower than in the third bar,
denoting that the IDS was able to prevent an enormous
waste of energy by deactivating the radio of the sensors
when the Jammer was detected.
The fifth bar (configuration B3 and C3) shows the
energy consumption of the WSN when the IDS was not
implemented in the sensors and the period of activation of
the Jammer is 50 %. In the first graph (A1), the energy
consumed in configuration B3 and C3 was 118 % higher
than in configuration B1 and C1. In the second graph (A2),
the energy consumed in configuration B3 and C3 was
114 % higher than in configuration B1 and C1. This result
shows that, even when a Jammer does not operate full
time, the amount of energy consumed (as a consequence of
the attack) is still prejudicial to the WSN.
The sixth bar (configurations B3 and C4) shows the
action of the proposed IDS, enabling the countermeasures
after identifying the Jammer when its period of activation
was 50 %. Just like the fourth bar, these countermeasures
consisted of turning off the radio of the sensors affected by
the Jammer for a pre-defined time, thus protecting it
against the high energy consumption resulting from the
attack and ensuring a longer lifetime for the network.
Configurations B3 and C4 show the energy saved by the
network if compared with configurations B3 and C3 when
the countermeasures are activated by the IDS. In the first
graph (A1), the energy consumed in configurations B3 and
C4 was 69.53 % lower than in configurations B3 and C3. In
the second graph (A2), the energy consumed in configurations
B3 and C4 was 77.00 % lower than in configurations
B3 and C3. Again, that happened because the
countermeasures were efficient in preventing a waste of
energy.
It is important to mention that, since the WSN is dense,
the IDS can be installed only in a few sensors in order to
save energy. Thus, in a dense network, not all sensors need
an IDS installed.
From the obtained results, all experiments with configuration
A2 showed an energy saving when compared to
configuration A1, proving the expected economy with
fewer sensors-dc.
Table 8 Energy consumption
Experiment  Configurations  Results (kJ)
1           A1  B1  C1      6.37
2           A1  B1  C2      6.97
3           A1  B2  C3      25.11
4           A1  B2  C4      11.17
5           A1  B3  C3      13.89
6           A1  B3  C4      9.46
7           A2  B1  C1      3.63
8           A2  B1  C2      3.99
9           A2  B2  C3      13.98
10          A2  B2  C4      6.56
11          A2  B3  C3      7.77
12          A2  B3  C4      4.97

5.3.4 Delay in Attack Identification
The delay in the identification of an attack is closely related
to the MCAV scan range performed by a sensor-lymph.
The shorter this interval is, the faster the sensor-lymph
identifies the presence of an attack, and vice versa.
That is, for a MCAV scan range equal to 1 s, the
sensor-lymph can identify the attack, as long as it receives
enough mature DCs for this. The greater the MCAV scan
range, the greater the time the network will be waiting for a
decision of a sensor-lymph, that is: to remain operating
normally or to activate any countermeasures.
The delay can be measured by verifying whether the
sensor-lymph was able to identify the attack in the first
MCAV scan range. Table 9 shows the results obtained in
experiments when the interval between application messages
sent by the network's sensors varied between 1 and 5 s, in
steps of 1 s.
From the obtained results, for a message transmission
interval equal to 1 s, the IDS had 0.17 s of delay (3.4 %).
Increasing this interval to 2 s, the delay increases to 2.17 s
(43.4 %) and 5 s of delay for intervals greater than 3 s
(100 %).
5.3.5 Varying the Application Messages Transmission Interval
In this section, the effect of increasing the transmission rate
of messages from the BlinkToRadio application by the
sensors was evaluated in order to compare the energy
consumed and the values of FN and FP from the IDS
proposed in this paper. By using the settings from Sect.
5.3.3.1 we performed 5 experiments for each one of the
following configurations: (i) A1B2C4; (ii) A1B3C4;
(iii) A2B2C4; and (iv) A2B3C4. The interval between
application messages transmitted by the network's sensors was
varied from 1 to 5 s, in steps of 1 s.
From the results obtained and illustrated in Figs. 15, 16,
17 and 18 we can observe that when more application
messages are traveling in the network, more information
will be collected about the attacker. As this rate decreases,
the chance of identifying the attacker decreases, as the FN
curves show.
From the security point of view, the rate of one second
was considered as the best emission rate of application
messages experienced by the sensors as it resulted in better
values of FN. By increasing the interval of application
message transmission by the sensors, i.e., by reducing the
number of application messages per second, the chances of
identifying the attack decrease, because aside from having
fewer messages traveling on the network for the analysis of
the IDS, there will be a longer delay for the IDS to issue a
response. From the energy consumption point of view, the
decrease in the amount of messages exchanged in the
network generated a decrease in the energy consumed by
the network as a whole, as was expected. This behavior
can be seen in Figs. 16, 17, 18 and 19.
For the energy curves of 10 sensors-dc (A1), from 5 s
the FN values become greater than 99 %, making the use
of the IDS for this range of sending messages not viable.
As for the curves of 5 sensors-dc (A2), this behavior arises
from 4 s. This difference is due to the reduced number of
sensors-dc, reflecting in the rates of FN and FP, which
increase the values of FN and FP.

Table 9 Delay in attack identification
Application messages transmission interval  1 s    2 s    3 s   4 s   5 s
Delay                                       5.17   7.17   10    10    10

Fig. 15 Energy curves A1B2C4 and FN from 1 to 5 s
Fig. 16 Energy curves A1B3C4 and FN from 1 to 5 s
5.4 Comparison of Danger Theory Versus Self-Non-Self Theory
In order to verify the efficiency of the proposed IDS, an
experiment was simulated where we compared the rates of
FP and FN found in this work and in the work presented by
Liu and Yu [16].
All experiments conducted in this section adopted the
same scenario presented by Liu and Yu [16] in terms of
topology (where the nodes were kept static throughout the
simulation), in terms of number of nodes present in the
WSN, in terms of routing of packets in the network
(which flow to the BS through a routing mechanism based
on tree), and in terms of the functioning of the attacker
node, which operates normally, like a WSN node sending
and receiving messages, until the attack starts (Fig. 19).
The scenario presented by Liu and Yu [16] consisted of 50
sensor nodes randomly distributed over an area of
100 × 100 m². Each of these sensors had a sensing range
of 50 m radius. Liu and Yu [16] used the TOSSIM simulator
to simulate sensors of the Mica2 model endowed with a
CC1000 radio [5]. In the study conducted by Liu and Yu
[16], all sensors have the IDS module installed and it is
active for the whole simulation. In our work, not all nodes
had the IDS installed.
In our study, we also used the TOSSIM simulator;
however, instead of Mica2 we used the MICAz model for
sensors endowed with a CC2420 radio model [5]. The
application used in all WSN sensors was BlinkToRadio,
with a periodic reading every 1 s, according to the performed
calibration (described in previous sections). The
sensors are placed following a random uniform distribution
over a geographical area of 100 × 100 m². Our work
differs from the work of Liu and Yu [16] in terms of
number of roles the sensors play. In [16] there is only one
role considered in the IDS and the functionality of such role
was installed in all sensors. In our work, on the other hand,
we proposed the use of only few sensors with different
roles of the DCA (sensor-dc and sensor-lymph), not
requiring the installation of these roles in all sensors.
For all experiments in this section, the MCAV scan
range was kept equal to 5 s, the migration threshold equal
to 10 messages and the number of sensors-dc ranged
between 5 and 10 sensors. In some experiments, part of the
sensors-dc was outside of the range of the Jammer, thereby
contributing in a negative way to the identification of
attacks because they were sending messages representing
only semi-mature DCs. For all experiments a node with ID
50 was randomly chosen to assume the role of Jammer. It is
important to notice that the nodes identified with 0, 1, 2, 3,
4, 10, 11, 13, 14, 19, 20, 31, 32, 37, 40, 41, 47, 48 and 49
were outside the Jammer's radius of action due to the
distance they were from the Jammer. The 4 experiments
that were performed are described below.
In experiment 1 the node with ID 16 was chosen to
assume the role of sensor-lymph. The nodes with ID 7, 12,
22, 28, 35, 4, 10, 18, 36 and 41 were randomly chosen to
assume the role of sensors-dc.
In experiment 2 the nodes with ID 22 and 27 were
chosen to assume the role of sensors-lymph. The nodes
with ID 0, 7, 12, 15, 5, 28, 33, 35, 23 and 44 were randomly
chosen to assume the role of sensors-dc and to issue messages to
node 22. Nodes 1, 2, 10, 17, 20, 30, 41, 36, 47 and 45
assumed the role of sensors-dc emitting messages to
node 27.

Fig. 17 Energy curves A2B2C4 and FN from 1 to 5 s
Fig. 18 Energy curves A2B3C4 and FN from 1 to 5 s
In experiment 3 the nodes 16, 22 and 27 were selected to
assume the role of sensors-lymph. The nodes with ID 0, 7,
8, 17, 23, 29, 35, 42, 44 and 45 were randomly chosen to
assume the role of sensors-dc and emitting messages to
node 16. Nodes 5, 6, 12, 15, 21, 28, 38, 33, 34 and 43 took
on the role of sensors-dc emitting messages to node 22.
Nodes 1, 2, 3, 10, 11, 14, 31, 37, 41 and 49 took on the role
of sensors-dc emitting messages to node 27.
In experiment 4, nodes 6, 10, 30 and 34 were chosen to
assume the role of sensors-lymph. The nodes with ID 0, 5, 7,
8, 12, 15, 16, 22, 9 and 17 were randomly chosen to assume
the role of sensors-dc and emitting messages to node 6.
Nodes 1, 2, 3, 4, 11, 13, 14, 18, 19 and 20 were randomly
chosen to assume the role of sensors-dc emitting messages to
node 10. The nodes 25, 26, 27, 31, 32, 36, 37, 39, 40 and 41
were randomly chosen to assume the role of sensors-dc
emitting messages to node 30. The nodes 28, 21, 33, 38, 35,
23, 42, 43, 44 and 29 were randomly chosen to assume the
role of sensors-dc emitting messages to node 34.
In Liu and Yu [16], the authors achieved a score of
100 % accuracy in identifying a jamming attack (TP),
but also showed 92.3 % error in the indication of an attack
when it was not occurring (FP), as can be seen in Table 10.
It is observed from Table 10 that the results obtained in
all experiments of our study were lower than the results
obtained by Liu and Yu [16] in terms of TP. In the performed
simulations, the TP values are lower because not
all sensors of the network use the IDS and the
sensors-lymph were placed at locations far from the Jammer.
It was also observed in Table 10 that the results obtained
by the experiments of our work were better in terms of FP
since they have lower values than those obtained by Liu
and Yu [16]. The values presented for the first, second,
third and fourth experiments were 1.00, 2.33, 3.67 and
3.67 % respectively, i.e., much lower than that obtained by
Liu and Yu [16], who obtained a rate of 92.3 %.

Fig. 19 Comparison scenario

Table 10 Comparison results (in percentages)
MCAV  Metrics  Liu and Yu  1        2        3        4
50    TP       100 %       98.67 %  98.79 %  96.67 %  93.67 %
      FN       0 %         1.33 %   1.21 %   3.33 %   6.33 %
      TN       7.7 %       99.00 %  97.67 %  96.33 %  96.33 %
      FP       92.3 %      1.00 %   2.33 %   3.67 %   3.67 %

Regarding the energy assessment, Liu and Yu [16] did
not evaluate the impact in terms of energy that their proposed
IDS instilled in the WSN. In our proposal, although
with lower results for TP, the network's lifetime is higher
since only a few sensors have the IDS installed, consequently
consuming less of the network's energy.
5.5 Comparison Between a Simulated Scenario and Its Implementation on a Real WSN Platform
In this section a new scenario was implemented on a real
sensor node platform. This same experiment was simulated
in TOSSIM, so the results of the real implementation could
be compared to the simulated one. The real implementation
was conducted in a laboratory environment. The nodes
were kept stationary and placed on the floor.
A total of 30 sensors were used, which were placed in a
grid of x and y coordinates measured in meters. In this grid,
the BS was located at coordinates (0;1) and had a node ID
(NodeId) 0. Sensors-lymph were positioned at coordinates
(1;2) (2;0) (3;2) (4;0) and (5;2) and had the NodeIds 1, 2, 3,
4 and 5, respectively. The sensors-lymph with positions
(2;0) and (4;0) were responsible for receiving information
from four sensors-dc. The other sensors-lymph were
responsible for receiving information from 5 sensors-dc.
The Jammer was placed at coordinates (6;1) and was
assigned the NodeId 99. Each sensor-dc had its radio
configured to send and receive messages within a radius of
50 cm. Therefore, these sensors-dc were limited to
communicate with only one sensor-lymph, which was responsible
for receiving the messages from those sensors-dc. It
also limited the sensors-dc to communicate with the other
sensors-dc of the same sensor-lymph. The goal of such
constraint was to simulate a WSN where there is no
communication between all the sensors in the network.
Figure 20 illustrates the adopted topology.
Both experiments used a migration threshold of 10
messages in all sensors-dc; MCAV scan range of 5 s and
MCAV threshold equal to 50 % in all sensors-lymph. A
total of three sensors-lymph (NodeIds 1, 3 and 5) using five
sensors-dc and two sensors-lymph (NodeIds 2 and 4) using
four sensors-dc were implemented. Tables 11 and 12
show the results obtained in simulated and in real
implementations, respectively. The values represent the
percentage of the metrics TP, FN, TN and FP.
Comparing Tables 11 and 12, one can observe that in the
simulated and real experiments sensors closer to the Jammer
identified the attacker while those far from it did not.
Analyzing the tables, we find that the results on TP
obtained by the sensors-lymph become more accurate as
they are positioned closer to the Jammer. Thus, the
sensor-lymph 3 obtained results on TP for real and simulated
experiments of 10.33 and 13.73 % respectively. Sensor 4
was able to identify the Jammer with greater accuracy than
sensor 3, where the results obtained for the TP of simulated
and real experiments were 71.00 and 79.21 %, respectively.
Sensor 5, if compared to all other sensors, was able to
identify the Jammer more precisely, obtaining 94.67 and
95.62 % for TP in the simulated and real experiments,
respectively. The closer distance of the sensor 5 in relation to
the Jammer, and consequently the presence of a higher RSSI
value, allowed the Jammer to be identified more accurately.
There was a difference between the simulated and the
actual results. The occurrence of such differences in the
experiment was attributed to the use of the TOSSIM simulator.
The choice of attenuation values between the nodes, which
define the distances between sensors, is the cause of the
differences in the results. In the TOSSIM simulator these
values, once defined, do not change, whereas in the real
environment there are several factors that may generate
noise, affecting the final result.

Fig. 20 Real sensors distribution (sensors-lymph LN 1–5 with their sensors-dc, the Jammer with NodeId 99 and the Base Station with NodeId 0)
6 Conclusion
This paper presented an architecture for a generic WSN
IDS based on the Danger Theory and the DCA. These two
techniques are inspired by the HIS. This architecture was
applied and customized for WSNs, where the sensors
assumed different roles from the features of HIS. The main
objective was to increase the safety levels of the WSN
through the observation and use of parameters found in
these networks. These parameters were used to feed the
customized DCA.
The use of these techniques in WSNs is facilitated by the
similarities found in the characteristics of the WSNs and the
HIS. As in the HIS, WSNs are self-organized, i.e. several
sensors executing distinct functions work together to identify
and combat attacks in the WSN. In HIS, various organs
and cells perform this work in order to eliminate pathogens.
HIS is autonomous because it does not need another system
controlling it. Likewise, a WSN, once initialized and
released/installed in the environment which will be monitored,
operates independently of being controlled by another
system. Another characteristic considered was the robustness
of the HIS, where the presence of several detection
points allows the identification of a pathogen despite possible
failures in some parts of the system, consequently
generating redundancy. That is, the whole body knows it was
invaded and measures should be taken to eliminate that
pathogen. In WSNs, the presence of several sensors (tens or
even hundreds) on the network allows redundancy in the
identification of an attack, also generating redundancy in
case some sensors do not have the IDS installed or cannot
use it because of energy constraints. Finally, the HIS can
identify substances from the body, preventing a reaction
against itself, thus creating a tolerance of these substances.
In WSNs, this feature has also been obtained, since the
sensors were able to distinguish the messages generated by
them from those produced by the Jammer. The proposed
architecture was based on these characteristics.
Several experiments were conducted in which the proposed IDS was calibrated and tested to meet the interests of the application running on the network, opting for security at the expense of saving energy or vice versa. Through these tests the IDS was proven to be efficient for WSNs. The memory resources consumed by the different roles played by the sensors were also analyzed. In the experiments, the proposed work with the aforementioned techniques was compared with another work that used a different theory of the HIS, called the Negative Selection Theory. This comparison showed that, despite reaching lower rates of identification of the attack while it was occurring (TP), the error rates generated by the IDS during a normal condition of the system (FP) were much smaller, showing the efficiency of the proposed customized algorithm. Another experiment was conducted to compare a real sensor platform implementation and its equivalent via simulation. The results demonstrated the efficiency of the proposed IDS.
In the future, different attacks will be analyzed, simply by choosing appropriate input signals for their identification. When more than one type of attack is considered, the administrator could choose to have a sensor-lymph identify more than one type of attack. We also intend to investigate other ways to control the migration of the DCs to the lymph nodes in order to reduce the power consumption imposed by the transmission of messages between sensors-dc and sensors-lymph. Another investigation could be the study of an implementation of the Adaptive Immunologic System, using its memory capabilities to accelerate intrusion detection.
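Table 11 Simulated scenario results

| MCAV | Metrics | LN 1 | LN 2 | LN 3 | LN 4 | LN 5 |
|------|---------|------|------|------|------|------|
| 50 | TP | 0.00 % | 0.00 % | 10.33 % | 71.00 % | 94.67 % |
| 50 | FN | 100.00 % | 100.00 % | 89.67 % | 29.00 % | 5.33 % |
| 50 | TN | 100.00 % | 100.00 % | 100.00 % | 100.00 % | 100.00 % |
| 50 | FP | 0.00 % | 0.00 % | 0.00 % | 0.00 % | 0.00 % |
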
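Table 12 Real platform scenario results

| MCAV | Metrics | LN 1 | LN 2 | LN 3 | LN 4 | LN 5 |
|------|---------|------|------|------|------|------|
| 50 | TP | 0.00 % | 0.00 % | 13.73 % | 79.21 % | 95.62 % |
| 50 | FN | 100.00 % | 100.00 % | 86.27 % | 20.79 % | 4.38 % |
| 50 | TN | 100.00 % | 100.00 % | 99.21 % | 92.33 % | 97.33 % |
| 50 | FP | 0.00 % | 0.00 % | 0.79 % | 7.67 % | 2.67 % |
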
Int J Wireless Inf Networks
1 3
Acknowledgments This work is partly supported by the National Council for Scientific and Technological Development (CNPq) through processes 481638/2007-5 for Luci Pirmez and Flavia C. Delicato; 4781174/2010-1 and 309270/2009-0 for Luci Pirmez; 311363/2011-3, 470586/2011-7 and 201090/2009-0 for Flavia C. Delicato; 480359/2009-1 and 311515/2009-6 for Paulo F. Pires; by the Financier of Studies and Projects (FINEP) through processes 01.10.0549.00 and 01.10.0064.00 for Luci Pirmez; and by the Foundation for Research of the State of Rio de Janeiro (FAPERJ) through processes E26/101.360/2010 for Luci Pirmez; E-26/100.428/2010 for Claudio M. de Farias.
References
1. U. Aickelin and S. Cayzer, The danger theory and its application
to articial immune systems, 1st International Conference on
Articial Immune Systems, Canterbury, pp. 141148, 2002.
2. U. Aickelin, Articial immune system and intrusion detection
tutorial, Introductory Tutorials in Optimization, Search and
Decision Support Methodologies, Nottingham, UK, 2003.
3. S. Bachmayer, Articial Immune Systems, Department of Com-
puter Science, University of Helsinki, Helsinki, 2008.
4. A. Barbosa, Intrusion Detection SystemsSeminaries Ravel
CPS760, 2000, http://www.lockabit.coppe.ufrj.br/downloads/
academicos/IDS.pdf.
5. CROSSBOW, Crossbow Technology, http://www.xbow.com/,
Accessed April, 2010.
6. A. Da Silva et al., Decentralized intrusion detection in wireless
sensor networks, Proceedings of the 1st ACM International
Workshop on Quality of Service & Security in Wireless and
Mobile Networks, New York, 2005.
7. H. Debar, et al., Towards a taxonomy of intrusion-detection
systems, Computer Networks, Vol. 31, pp. 805822, 1999.
8. I. Dietrich and F. Dressler, On the lifetime of wireless sensor
networks, ACM Transactions on Sensor Networks, Vol. 5, No. 1,
pp. 139, 2009.
9. M. Drozda et al., AIS for misbehavior detection in wireless sensor
networks: performance and design principles, IEEE Congress on
Evolutionary Computation, Singapore, pp. 37193726, 2007.
10. P. Garc a-Teodoro, et al., Anomaly-based network intrusion
detection: techniques, systems and challenges, Computers &
Security, Vol. 28, pp. 1828, 2008.
11. J. Greensmith, The dendritic cell algorithm, PhD thesis, Uni-
versity of Nottingham, 2007.
12. J. Greensmith et al., Detecting danger: applying a novel immu-
nological concept to intrusion detection systems, 4th Interna-
tional Conference on Articial Immune Systems (ICARIS-05),
2005.
13. L. Hong and J. Yang, Danger theory of immune systems and
intrusion detection systems, International Conference on Indus-
trial Mechatronics and Automation, Chengdu, pp. 208211, 2009.
14. J. Kim et al., Danger is ubiquitous: detecting malicious activities
in sensor networks using the dendritic cell algorithm, Articial
Immune Systems, Vol. 4163, Springer, Berlin, pp. 390403, 2006.
15. P. Levis and D. Gay, TinyOS Programming, Cambridge Uni-
versity PressCambridge, 2009.
16. Y. Liu and F. Yu, Immunity-based intrusion detection for wireless
sensor networks, Neural Networks, IJCNN, pp. 439444, 2008.
17. D. Martynov et al., Design and implementation of an intrusion
detection system for wireless sensor networks, IEEE Interna-
tional Conference on Electro/Information Technology, Chicago,
pp. 507512, 2007.
18. P. Matzinger, The danger model: a renewed sense of self, Sci-
ence, Vol. 296, No. 5566, pp. 301305, 2002.
19. I. Onat and A. MIRI, An intrusion detection system for wireless
sensor networks, Proceeding of IEEE International Conference
on Wireless and Mobile Computing, Networking and Communi-
cations, Vol. 3, Canada, pp. 253259, 2005.
20. R. Roman et al., Applying intrusion detection systems to wireless
sensor networks, 3rd Consumer Communications and Networking
Conference, Vol. 1, pp. 640644, 2006.
21. G. Silva, Intrusion detection in computer networks: immune-
inspired algorithm based in the danger theory and the dendritic
cells, Master Thesis, Federal University of Minas Gerais, March
2009.
22. J. Twycross, Immune Systems, Danger Theory and Intrusion
Detection, University of NottinghamNottingham, 2004.
23. C. Wallenta, et al., Detecting interest cache poisoning in sensor
networks using an articial immune algorithm, Applied Intelli-
gence, Vol. 32, No. 1, pp. 126, 2010.
24. W. Xu et al., The feasibility of launching and detecting jamming
attacks in wireless networks, 6th ACM International Symposium
on Mobile Ad Hoc Networking and Computing, Urbana-Cham-
paign, pp. 4657, 2005.
25. M. Zamani et al., A DDoS-Aware IDS model based on danger
theory and mobile agents, Proceedings of the 2009 International
Conference on Computational Intelligence and Security, Vol. 1,
2009.
Author Biographies
Helio Mendes Salmon is a student of the Federal University of Rio de Janeiro (UFRJ), Brazil. He received his B.Sc. degree in Computer Systems Engineering from the State University of Rio de Janeiro (UERJ), Brazil, in 1999 and his M.Sc. degree in Computer Science from the Federal University of Rio de Janeiro in 2010. He enrolled in the Brazilian Navy's Engineering Corps as a Lieutenant in 2000. His research interests are in wireless networks, wireless sensor networks, network security and intrusion detection systems.
Claudio Miceli de Farias received an M.Sc. degree in Computer Science in 2010 from the Federal University of Rio de Janeiro, Brazil. His research interests include smart grids, ambient intelligence, wireless sensor networks, network security, VOIP, real-time communications and video processing.
Paula Soares Loureiro is a student in the Computer Science course of the Federal University of Rio de Janeiro (UFRJ), Brazil. Currently she participates in the laboratory called LabNet, which studies sensor networks at UFRJ. Her research interests are in wireless sensor networks and intrusion detection systems.
Luci Pirmez is a Professor at the Institute of Informatics of the Federal University of Rio de Janeiro (UFRJ), Brazil. She received her M.Sc. and Ph.D. degrees, both in computer science, from the Federal University of Rio de Janeiro, Brazil, in 1986 and 1996, respectively. She is a member of the research staff of the Computer Center of the Federal University of Rio de Janeiro. Her research interests include wireless networks, wireless sensor networks, network management and security. She is one of 300 researchers in computer science from all over Brazil selected to be CNPq researchers (CNPq is the technology research branch of the Brazilian government). She is currently involved in a number of research projects with funding from Brazilian government agencies, in the areas of wireless networks, wireless sensor networks, network management and security.
Silvana Rossetto graduated in Computer Science from the Federal University of Espirito Santo (1998), and received a Master's degree in Computer Science from Universidade Federal do Espirito Santo (2001) and a D.Sc. in Computer Science from the Catholic University of Rio de Janeiro (2006). Her current areas of interest are distributed systems and wireless sensor networks. She holds the position of Professor in the Department of Computer Science (DCC), Institute of Mathematics (IM), Federal University of Rio de Janeiro (UFRJ).
Paulo Henrique de A. Rodrigues received his Ph.D. in Computer Sciences from the University of California, Los Angeles (1984) and in recent years has been focusing his research on multimedia protocols (SIP, H.323), QoS, analytical video and voice quality models, conference services, improvements and measurements in Asterisk, traffic engineering, performance modeling and monitoring. His laboratory has been responsible for developing the fone@RNP service architecture, a national VoIP system operated by the Brazilian Education and Research Network (RNP). Recently he has also devoted attention to adaptive systems inspired in bio mechanisms. He holds a scholarship in technology innovation from CNPq Brazilian Research Council.
Rodrigo Pirmez, MD graduated as a Medical Doctor at the Federal University of Rio de Janeiro (UFRJ), in 2010. Currently, he is a Dermatology Resident at the Department of Dermatology of Hospital Universitario Clementino Fraga Filho, an affiliated hospital of UFRJ.
Flavia C. Delicato received her PhD from the Federal University of Rio de Janeiro in 2005. She is an associate Professor of the Federal University of Rio de Janeiro, Brazil, where she teaches undergraduate and post-graduate courses and works as a researcher. In 2009 she was a Visiting Researcher at Malaga University, Spain. In 2010 she was a visiting academic at the University of Sydney, Australia. She participates in several research projects with funding from International and Brazilian government agencies. Her research interests are middleware, wireless sensor networks and Software Engineering techniques applied to ubiquitous systems. She is a Researcher Fellow of the National Council for Scientific and Technological Development. She is part of the Centre for Distributed and High Performance Computing at the University of Sydney.
Luiz Fernando Rust da Costa Carmo received a B.S. degree in Electronic Engineering in 1984, and an M.Sc. degree in Computer Science in 1988, both from the Federal University of Rio de Janeiro, Brazil, and the Ph.D. degree in Computer Science in 1994, from the Laboratory for Analysis and Architecture of Systems of the French National Organization for Scientific Research (LAAS/CNRS) in Toulouse. From 2002 to 2003, he spent a sabbatical period at the Research Center of The United Technologies Company in Connecticut-USA. From 1986 to 2008 Luiz Fernando was an active member of the research staff of the Computer Center of Research Center of the United Technologies Company in Connecticut-USA. From 1986 to Sciences of the Brazilian Institute of Metrology and Quality (INMETRO). His research interests include formal description techniques, communication networks, embedded systems and information security.