Sage Journals: Discover world-class research

Abstract

During the past few years, we have seen a tremendous increase in various kinds of anomalies in Wireless Sensor Network (WSN) communication. Recently, researchers have shown a lot of interest in applying biologically inspired systems for solving network intrusion detection problems. Several solutions have been proposed using Artificial Immune System (AIS), Ant Colony Optimization (ACO), Artificial Bee Colony (ABC) algorithm, Genetic Algorithm (GA), Particle Swarm Optimization (PSO) and so forth. In this paper, we propose a bioinspired solution using Negative Selection Algorithm (NSA) of the AIS for anomalies detection in WSNs. For this purpose, we implement the enhanced NSA and make a detector set that holds anomalous packets only. Then the random packets are tested and matched with the detector set and anomalies are identified. Anomalous data packets are used for further processing to identify specific anomalies. In this way, the number of wormholes, packets delayed, and packets dropped are calculated and identified. Simulations are performed on a large dataset and the results show high accuracy of the proposed algorithm in detecting anomalies. The proposed NSA is also compared with Clonal Selection Algorithm (CSA) for the same dataset. The results show significant improvement of the proposed NSA over CSA in most of the cases.

1. Introduction

Wireless Sensor Networks (WSNs) consist of a set of distributed wireless devices known as sensors. Sensors are used to examine and check physical conditions and pass their data to a central location. In smart environments, sensors take input from the physical environment and work virtually in scenarios where wired networks are not usable. WSNs are used for several applications including greenhouse monitoring, forest fire detection, military, landslide detection, air pollution monitoring, industrial monitoring and so forth. The characteristics of WSNs include low energy usage, limited computational capability, dynamic and independent operation network, easy installation and maintenance, low memory, and susceptibility to attacks due to ad hoc communication. Due to these characteristics, it is necessary to develop a protection mechanism for WSNs that is light, reliable, and computationally inexpensive. Moreover, it is important to detect whether the data transferred from source nodes reach the gateway properly without any interruption. Sensors are vulnerable to attacks and their security is highly important as they communicate very sensitive data. There are many interruptions, also known as anomalies, which disrupt the normal flow of the sensor data. These anomalies disturb the normal network flow in many ways including delayed packets, packets destroyed, and wormhole attacks. Therefore, it is highly desirable to detect such anomalies that disrupt the normal flow of the data in order to make the sensor network communication more reliable and consistent [1, 2].

Over the past few years, researchers and scientists have shown great interest in developing biologically inspired algorithms and techniques for solving various real-world problems. Several techniques such as Artificial Immune System (AIS), Ant Colony Optimization (ACO), Artificial Bee Colony (ABC) algorithm, Genetic Algorithm (GA), and Particle Swarm Optimization (PSO) have been developed and successfully used for such problems. AIS is a well-known bioinspired technique, which is inspired by the principles and processes of Human Immune System (HIS), and takes advantage of the characteristics of the HIS such as memory and learning for solving problems. AIS basically abstracts the functions and structure of HIS into computational systems. It considers the application of these systems for solving different information technology, mathematical, and engineering problems. One of the most important benefits of AIS-based systems is that these systems are adaptive. AIS has been successfully used for solving anomaly detection problems, both in wired and in wireless networks.

This paper proposes an AIS-based solution for anomaly detection in WSNs. For our solution, we use Negative Selection Algorithm (NSA) of the AIS with some modifications and implement it for the anomaly detection problem. We perform learning of the system for a large dataset and generate a detector set. After this step, we propose an injection feature in the detector set, called vaccination. Through this feature, the detector set can be updated at any stage. In our experiments, we use AIS for detecting nodes that cause negative effect on actual working of the sensor network. We address anomalies including sensor network packets dropped, packets delayed, and wormholes. The results of our experiments are very encouraging and show that NSA can work efficiently for anomaly detection in WSNs and is really helpful for making sensor network flow more reliable. We also compare the proposed NSA with Clonal Selection Algorithm (CSA) of the AIS for the same dataset. The results show that NSA performs better than CSA in most of the cases.

The remainder of this paper is organized as follows: Section 2 introduces HIS and AIS in detail. Section 3 presents the related work in the area of anomaly detection in WSNs. Section 4 discusses the proposed NSA for anomaly detection. Section 5 shows experimental results as well as comparison. Section 6 concludes the paper with possible future directions.

2. Human and Artificial Immune Systems

The Human Immune System (HIS) has efficiently saved our bodies from harmful attacks of pathogens like bacteria, parasites, and viruses [15]. A complex biological immune system comprises of molecules, organs, and cells. It is an adaptive system and holds the detection method that is able to perceive and fight abnormalities from body's own cells. HIS protects a body from external pathogens. It classifies cells within a body as self-cells and nonself-cells. HIS has two main categories: innate immune system and adaptive immune system. These two types of immune systems are shown in Figure 1.

Figure 1

Adaptive and innate immune systems.

The static system that identifies and eliminates definite harmful organisms is known as innate immune system, whereas the system that remembers unknown foreign cells and reacts with them is known as adaptive immune system. They build a response to unknown foreign cells that reside in the body for a long time [16].

2.1. Purpose of HIS

HIS is used for the security of different organisms against external microorganisms known as pathogens such as bacteria, viruses, and funguses that might cause infections. The HIS has to guarantee the detection of each potentially harmful molecule or substance. HIS discriminates between the cells of organisms from unknown dangerous cells. Moreover, it removes harmful irrelevant cells and infected cells for avoiding the disease.

2.2. Immune System Entities

Different entities of HIS are given below: (1)

Antigen: any molecule that can excite the HIS.

(2)

Thymus: organs where a group of immune cells moves around and matures.

(3)

Lymphocytes: white blood cells that are dedicated in the detection of pathogens. It includes B-cells and T-cells. B-cells develop within a bone marrow, whereas T-cells develop and migrate within thymus.

(4)

Clone: it is a mathematical depiction of a range of B-cells and is also known as recognition agent.

2.3. Immune System Properties

An immune system has the following major properties: (i)

Foreigners recognition: the nonnative molecules of the body are identified and removed.

(ii)

Uniqueness: all individuals have their own immune system with their specific susceptibility and capability.

(iii)

Distributed detection: system cells are spread all over the body. Distributed control means that there is no central regulator and the immune system is controlled by local interaction between immune cells and antigens.

(iv)

Anomaly detection: it has a unique feature of detecting and responding to unseen pathogens.

(v)

Reinforcement learning and memory: the system has the ability to be trained in the structures of pathogens. In this way, the system will be able to react and respond to those pathogens faster and more efficiently in future.

(vi)

Imperfect Detection (noise tolerance): immune system is flexible because the absolute detection of pathogens is not required.

2.4. Immune System Process

Immune system has multilayered protection architecture including an adaptive immune system. This system has the ability to recognize specific types of pathogens and memorize them for accelerated future responses. This is the major motivation for AIS. The adaptive immune system is a combination of the range of atom cells and molecules spread all over the body. Two lymphocyte types among its cells, T-cells and B-cells, collaborate to discriminate between self and nonself (antigens). B-cells and T-cells are developed and matured inside thymus and bone marrow tissues.

T-cells and B-cells pass through a negative selection phase. Lymphocytes that match self-cells are destroyed. In this way, autoimmunity can be avoided. Earlier, T-cells go through positive selection and T-cells having weak bonds are removed. T-cells and B-cells, which stay alive in the negative selection, become grown-up and go into the blood stream for the purpose of detection. These mature lymphocytes never interact with antigens and are known as naive. There is a variety of subpopulation of T-cells. It includes T helper cells, T memory cells, and T suppressor cells. T-cells follow the same procedure for defense as B-cells but they also scan fragments of antigens that are present at the surface [15].

2.5. Artificial Immune System (AIS)

Computer security systems such as Intrusion Detection System (IDS) have received a lot of motivation from the HIS. Features collected from HIS fulfill the requirement for designing efficient IDSs [17]. AIS is inspired by the processes and principles of the HIS and takes advantage of its characteristics like memory and learning for solving various kinds of problems. AIS abstracts the structure and functions of HIS into computational systems. AIS systems do not create pattern for normal data but instead produce anomalous patterns by using normal data. These anomalous patterns are known as nonself. Hence, they perform only anomaly-based intrusion detection. Patterns that match with the nonself-patterns will be declared as anomalies.

Different entities of AIS are given below: (1)

Antigen: data that holds multiple variables of any type.

(2)

T-Cell: it decides the sequence and types of variables within an antigen and signifies a specific class and acts as a controlling agent.

(3)

B-Cell: it is an entity that represents the instance of a particular class during learning.

(4)

Clone: it is a mathematical depiction of a range of B-cells and is also known as recognition agent.

AIS uses the concepts of HIS and utilizes them for the computational problems. AIS has been widely used for anomaly detection because it discriminates between self- and nonself-data. AIS is efficient for small and medium domains of anomaly detection and in many cases, it is superior to other anomaly detection methods. AIS gives much flexibility in rules and principles due to the large number of constraints used for tuning its performance. It is difficult to handle large-scale problems because their multidimensional parameter space is infeasible to search with any rigor [18]. AIS is composed of antigen and antibody. The external intruder that attacks a system is known as antigen. Antibodies are a part of the system that is used to detect and remove antigens. Antibodies do a partial matching process to identify antigens. AIS-based system develops and keeps comparatively less antibodies, which are capable of detecting a large number of antigens reliably including antigens that have never been seen before [19].

AIS algorithm has many variations including NSA, CSA, and danger theory [20]. Two of the most popular AIS algorithms, that is, NSA and CSA, are discussed as follows: (a)

Negative Selection Algorithm: the NSA got its motivation from the negative selection process in natural immune system [21]. In thymus, if a T-cell detects any self-cell, it is removed and then immune functionality is performed in a T-cell maturation process. Mainly, it is utilized for anomaly detection. This algorithm creates a set of detectors, which includes self-strings only. Later, this detector set is used for the anomaly detection. The two main steps of the NSA algorithm are shown in Figure 2 [4]. The first step is censoring in which self-strings and randomly generated strings are matched. The strings that are matched are rejected. The strings that do not get matched are moved to the detector set. In the second step, protected strings are matched with those in the detector set. The strings that get matched are identified as nonself and the rest are matched again.

(b)

Clonal Selection Algorithm: clonal selection is the method of antigen recognition, cell propagation, and discrimination into the memory cell. Clonal immune characteristic and feature are used for creating many AIS algorithms. C-cells basic model and its resulting antibodies could perform as a good primary metaphor. B-cells create specially configured antibodies that are diverse and get excited and stimulated when they meet a foreign antigen. Moreover, resulting clones of B-cells differ in their receptor configuration for performing local biological search to locate the best fitting receptor [22].

A detailed discussion on different AIS algorithms with their immunological aspects, computational problems, and typical applications is available in [23].

Figure 2

The two main steps in the Negative Selection Algorithm: (a) censoring, (b) detection [4].

3. Related Work

AIS can be considered as a strong candidate for anomaly detection as it discriminates between self and nonself-data. AIS was used in WSNs for detecting anomalies in [4]. It was a direct one-to-one mapping between a thymus and a node. Wälchli and Braun [10] proposed a system for office monitoring with WSN by using node level decision component of a self-learning anomaly detection system. A neural network approach of Adaptive Resonance Theory (ART) was used for creating node level decision unit. A fuzzy ART neural network was used as it can accumulate a fixed number of prototypes and also for receiving analog inputs. Each node would be able to respond to suspicious activity in the neighborhood by easy computation and later final decision was carried out at the base station. This system performed efficiently and with less time and memory consumption.

Livani and Abadi [7] proposed an energy-efficient distributed solution for detecting anomalies in WSNs for sensed data. Faulty or broken nodes can cause anomalies in the sensed data. A combination of fixed-width clustering (FWC) and Distributed Principal Component Analysis (DPCA) was used for detecting anomaly and for creating global profile name. Global profile name was updated periodically and was distributed to all nodes. Authors showed that this approach reduced energy consumption and communication overhead and gave similar accuracy like the centralized approach. Dereszynski and Dietterich [3] proposed a real-time automated data quality control that used the data temporal and spatial correlations to identify defective sensor observations from valid observations. The adaptability was obtained with Bayesian network structure that confines spatial relationships between neighboring sensors. Moreover, to handle temporal correlations, dynamic Bayesian network structure was extended. This model truly guessed the values of corrupt or missing readings and also detected defective observations. SensorScope Project data samples were used for evaluating the performance of this model. Experiments proved that using both temporal and spatial observations gave better results for identifying defective observations instead of using only spatial or only temporal observations.

Schaust and Szczerbicka [12] proposed an algorithm to alleviate detected faults by generating parallel responses in WSNs. The system was able to adapt with the changing situation by using costimulatory feedback and was able to respond accordingly. The concept was taken from degenerate receptor behavior and low-level response mechanism of T-cells in the biological immune system. Authors had explained its usability for WSNs by running a simulation model in OMNet++. Fu et al. [11] proposed an anomaly detection framework by combining the advantages of fuzzy theory and AIS to cope with DoS/DDoS attacks on WSNs. WSN was considered susceptible to this attack due to resource limitation of sensor nodes. The framework was based on three components that included global identification, local danger sensing, and costimulation. This method was found more adaptable and flexible. Authors proved with simulations that the proposed framework performed better than the watchdog method in detecting with low false positives.

Lim et al. [13] proposed an immune-inspired self-healing mechanism to tackle with repeated WSN problems like unreachable nodes and link failures due to interference. In this system, an individual node was able to identify network performance degradation and was able to carry out diagnostic tests. This node was able to give automatic instant response and recover the network to a secure and stable state. Authors tested this interference detection and recovery system and compared the performance of this system with others on a test bed environment. The system was found adaptable to its changing environment. Xie et al. [5] examined the lazy learning issue of KNN-based algorithms and the trouble for using them in a cost effective online communication. Authors presented a new KNN-based anomaly detection plan to overcome the laziness with hypergrid intuition. Details showed that the computational difficulty and the cost were considerably reduced with the proposed solution and resulted in a more valuable, scalable, efficient, and human independent solution for real WSNs. This solution was tested only for homogenous and static datasets. It needed to be tested with dynamic datasets to check its feasibility with the dynamic environments.

An IDS framework for WSNs based on HIS was presented by Salmon et al. [8]. Authors enhanced dendritic cell algorithm that detected intrusions by observing and collaborating with neighboring nodes. This customized algorithm was tested in real sensor scenarios and found efficient in energy utilization and in identifying denial of sleep attack. Abduvaliyev et al. [24] presented a detailed classification of different IDS techniques for WSNs according to their underlying mechanisms. Three major classes were discovered that included misuse detection, specification-based protocol, and anomalies. Authors explored the work with network structure of WSN and highlighted various critical areas that were currently underdeveloped. Moreover, the details of security attacks and their related proposed IDS protocols to cope with those attacks were also given. The paper was focused on a thorough survey on IDSs in WSNs with the explanation of different critical limitations in the current IDSs and gave a future track for researchers in this area.

Kumar and Reddy [6] identified that wireless networks had intrusions both at packet and signal levels and it could be simple and too complex unlike IP networks. Conventional techniques may be unsuccessful in wireless network due to the complexity of identifying intrusions at different levels and variation in credentials at different nodes. Authors proposed a unique technique based on agents. These agents collected information from different nodes and detected intrusions by using this information on an evolutionary AIS algorithm and presented the invasive path communication. It was experimentally proven that their system worked well for prevention and detection of intrusions in a wireless network and was also consistent for topological changes. Rajasegarar et al. [9] proposed a distributed hyperspherical cluster algorithm for detecting measured anomalies from WSNs. Authors implemented their algorithm on real WSN test bed and came up with reduced communication cost of the network by measuring sensor clustering and then combined clusters for sending them to the next nodes. A central node was responsible for processing of all the sensor node measurements. Assessments on different datasets showed similar correctness as that of the centralized system and also a decrease in communication cost was observed.

Lim et al. [14] proposed an immune-inspired detection and recovery system (IDRS) for irregular and unreliable communication of WSNs because the nodes used the same frequency range as other radio devices were using. It was a self-adaptive fault tolerant network that was able to retain service level in the presence of faults as well. Nodes were able to examine and update their routing protocols in a dependable and energy-efficient way due to the restricted resources. The system was composed of a combination of self-detection, self-diagnosis, and self-recovery. The reliability of the protocol was checked with Systematic Protocol Evaluation Technique (SPET) and the scalability and robustness of the IDRS were checked with the traces of simulation. The accuracy of the proposed system was validated and the system was found adaptable to the operating environment and was highly dependable.

4. Proposed NSA for Anomaly Detection in WSNs

NSA is used for detecting change based on the principles of self-nonself discrimination by (T-Cell) receptors in the immune system. The system is able to detect antigens. Originally, NSA was developed by Forrest et al. [25], which is a conceptually simple algorithm and has been widely used by the AIS community. NSA is famous due to its simplicity and different affinity-matching functions. In one of the commonly used affinity matching functions, adjacent attributes of an antigen vector and Artificial Lymphocytes (ALC) detector relationship are considered to check whether a particular region activates lymphocytes. Moreover, these affinity-matching rules are also used for detecting unknown strings or holes.

4.1. Significant Features of NSA

The most significant features of NSA are (1)

the information is represented negatively. It is different from other learning systems. Its strengths, usage, and applicability in different scenarios are widely being explored;

(2)

it uses some form of detector set as the detection system. This feature provides chances to expand this method to a distributed environment [26] especially the chances of generation distribution;

(3)

there is only a single classification. The purpose of NSA is to distinguish between two classes. However, training is done from the samples of one class only. Work is being done on generalizing it to multiple classes;

(4)

NSA includes space representation, matching rule, detector generation, and detector representation.

4.2. Components of NSA

NSA includes the following components: (1)

Detector (it is an antibody).

(2)

Self-samples (self-set, training set).

(3)

Arriving data occurrences (data item, new simple data).

(4)

Measurement of distance (affinity measure).

(5)

Matching rule (match rule).

4.3. Proposed Enhanced NSA

NSA has been used for detecting anomalies in different ways. We use NSA with some modification. The learning of the system is done for a large dataset and a detector set is generated. After this step, we propose an injection feature in the detector set. Through this feature, the detector set can be updated at any stage. This injection step is named as vaccination.

The proposed framework has learning and testing phases as shown in Figures 3 and 4, respectively. We first implement the basic NSA that is capable of doing a single classification. It detects anomalies from the dataset. At this stage, we have two classes, namely, self-set and nonself. Later, the rest of the processing is done on detected nonself and three different anomalies are classified; that is, sensor network packets delayed, packets dropped, and wormholes are detected.

Figure 3

Proposed NSA learning for anomaly detection.

Figure 4

Proposed NSA testing for anomaly detection.

In Figure 3, self-strings are matched with randomly generated strings using character-by-character matching. The strings that get matched are rejected. The strings that do not get matched are moved to the detector set. Detector set can be updated anytime using vaccination, which makes it more efficient. Vaccination allows a user to enter any nonself-pattern directly into the detector set, which makes the working of the detector set more competent [27].

In Figure 4, randomly generated strings are matched with the detector set using character-by-character matching. The strings that get matched are declared as nonself. Source and destination matching are performed on nonself and they are further classified as sensor network packets delayed, packets dropped, and wormholes.

4.3.1. Protocols and Assumptions

In a sensor network, $N = (n (t), e (t))$ , where $n (t)$ and $e (t)$ are the set of nodes and edges at any time t. Two nodes A and B will be able to communicate only if A is in the range of the radio transmission of B. The route between two nodes in an ad hoc network is established with the help of any routing protocol. In our case, the Ad Hoc On-demand Distance Vector (AODV) routing protocol is used. This protocol establishes a connection only when there is a need for routing to the destination. In this case, a Route Request (RREQ) is sent to all nodes in the network. Any intermediate node or the destination node replies with a Route Reply (RREP) control packet. This RREP will go through the same path towards the source as that of RREQ. If in case, while moving towards the source, the next node does not reply, a Request Error (RERR) packet is sent to the connection initiator. In ad hoc communication, each node maintains its own routing table, which holds information about the destination node, all known routes, and hop count for a given destination. Since the transmission is ad hoc, wireless medium should be highly synchronized and is done on the basis of medium contention. In IEEE 802.11 MAC protocol, carrier sensing is done by RTS-CTS-DATA-ACK handshake. This handshake can be disabled for cases where packet size is equal or smaller than RTS threshold. The default value for RTS threshold is 2347 bytes. This threshold can be adjusted by a data traffic pattern. The maximum data transformation rate for IEEE 802.11b and IEEE 802.11g is 11 and 54 Mbit/s. There is another MAC protocol named 802.15.4, which does not use RTS-CTS-DATA-ACK handshake and uses carrier sensing for accessing the medium. Drozda et al. [28] used different MAC layer and transport layer features in data generation of the dataset that we have used in our experiments.

In WSNs, there is a promiscuous mode in which a node is able to listen to the data communication in the neighboring nodes. It saves information of overheard packets in the neighborhood. This mode is costly, as it has to analyze all overheard packets. Moreover, this mode is energy inefficient, as it will not allow the network to operate in sleep mode. Wireless interface will operate either in idle or receiving mode and power consumption will be 12–20% higher as compared to the sleep mode [29].

4.3.2. Classification and Anomaly Detection

Anomalies can be due to intrusions, which can be software or hardware failure. In our experiments, we check three different kinds of anomalies. Data packet dropping is a qualitative misbehavior; data packet delaying is a quantitative misbehavior, and wormholes are topological misbehavior: (1)

Data delaying: in data packet delaying, the anomalous node postpones and delays in the transfer of a given data packet in a random and uniform way with probability and delaying by a fixed amount.

(2)

Data dropping: in data dropping, the anomalous node drops a given data packet in a uniform and random manner with alpha probability.

(3)

Wormholes: wormholes are added by external attackers to redirect data traffic. Attackers will get control on the sensor network packet routing. Wormholes are associations between one pair or several pairs of nodes.

5. Experiments and Results

5.1. Performance Metrics

Different performance measures are used for our experiments using the proposed algorithm. Here we consider only the performance measures specific to NSA. The most popular measures for analyzing the performance of NSA and other AIS algorithms are false positives, true positives, false negatives, and true negatives. These measures are defined as follows: (i)

False positives (FPs) are found when self-patterns are mistakenly identified as nonself.

(ii)

True positives (TPs) are found when self-patterns are correctly classified as self.

(iii)

True negatives (TNs) are found when nonself-patterns are correctly identified as nonself.

(iv)

False negatives (FNs) are found when nonself-patterns are identified as self.

These measures can be used to calculate the detection rate (DR), false positive rate (FPR), and accuracy [21], which are defined as follows:

\begin{matrix} DR = \frac{TP}{TP + FN}, \\ FPR = \frac{FP}{FP + TN}, \\ Accuracy = \frac{TP + TN}{TP + FP + TN + FN} . \end{matrix}

(1)

5.2. Experiment 1

In our first experiment, we implemented NSA for a small dataset having normal packets only. We inserted anomalies at runtime and then detected the anomalies. Total anomalies inserted are 10. Simulations are executed in Matlab 2009 and it took 8–10 seconds to run. A screenshot for the basic NSA simulation with random anomalies is given in Figure 5, and the average results calculated for this simulation are shown in Table 1.

Table 1

Results of Experiment 1.

Number of iterations	Anomalies detected
Iteration 1	10
Iteration 2	10
Iteration 3	9
Iteration 4	8
Iteration 5	9
Iteration 6	10
Iteration 7	8
Iteration 8	10
Iteration 9	8
Iteration 10	10

Figure 5

Basic NSA simulation with random anomalies.

5.3. Experiment 2

In the second experiment, we used the sensor network dataset provided by Drozda [30]. We implemented the enhanced NSA, and self and nonself-network packets were identified. First, incoming network strings are matched with self-strings. Those strings that get matched are rejected and others are moved to the detector set. In the next step, random strings are matched with the detector set and those strings that get matched are identified as nonself. Next, nonself-patterns are considered to identify specific anomalies. Wormholes, packets delayed, and packets dropped are found as shown in Figure 6. Average results calculated for this simulation are shown in Table 2. All the values are in 10³. These results are then compared with the original dataset and the values for TP, FN, FP, and TN are calculated. The detection rate for this experiment is 97.3%, whereas the FPR is ±2.6%. Here, DR is the intermediate result, which includes false positives and true negatives as well. Accuracy of the system is found to be 89.1%.

Table 2

Results of Experiment 2 (all values are in 10³).

Sr. number	Normal packets	Packets delayed	Packets dropped	Wormholes
1	89	20	31	18
2	87	22	38	19
3	84	25	22	20
4	88	22	22	19
5	89	20	30	18

Figure 6

Anomalies detected.

5.4. Experiment 3

For our third experiment, CSA is implemented. It models the production of antigens, which are then bound to specific antigens. A key lock mechanism can be used in some cases for binding processes. Here the idea is established that those antibodies, which recognize the antigen, are selected for matching. After matching, a detector set is generated. The CSA works as follows: (i)

Generate an initial population of antibodies.

(ii)

Perform clonal selection for high affinity matches (threshold taken is 76%).

(iii)

Only those antibodies are selected that match the threshold and detector set is generated.

(iv)

Randomly generated antibodies are then introduced in a system.

(v)

Clonal selection generated detector set is then used for identifying self and nonself.

5.5. Comparison of NSA with CSA

The experiments are performed to compare the performance of NSA with CSA on different dataset subsets and the results of both for anomaly detection and false positives are compared, as shown in Table 3. In Table 3, the number of anomalies detected and false positive ratio shows the performance of both the algorithms on particular dataset parts. It is clear from the table that, for dataset parts 1, 2, 4, 5, 7, 9, and 10, NSA gives better results. For dataset parts 3, 6, and 8, CSA performs better.

Table 3

Comparison of NSA and CSA.

Dataset	Total packets	Negative Selection Algorithm		Clonal Selection Algorithm
Dataset	Total packets	Anomalous packets	False positives	Anomalous packets	False positives
Dataset Part-1	5619	3549	±1.8%	3453	±2.20%
Dataset Part-2	4275	2710	±1.50%	2693	±2.80%
Dataset Part-3	1212	643	±2.10%	657	±1.20%
Dataset Part-4	9435	5821	±2.50%	5863	±3.10%
Dataset Part-5	1263	866	±1.90%	852	±1.50%
Dataset Part-6	3008	1089	±2.20%	1002	±1.77%
Dataset Part-7	4540	1653	±1.2%	1640	±2.32%
Dataset Part-8	1429	463	±2.60%	496	±2.20%
Dataset Part-9	821	283	±1.23%	246	±1.67%
Dataset Part-10	4763	1389	±2.60%	345	±2.1%

Comparison is also performed for the whole dataset. In the first case, only some of the files of the same dataset are used for comparison. In the second comparison, results of both the algorithms for the whole dataset are produced, as shown in Figure 7. Normal and anomalous sensor network packets, undetected packets, and false positive rate for both the algorithms are shown. The results of the experiments show that the detection rate of NSA is 97.3% and the false positive rate is ±2.6%, whereas, for CSA, the detection rate is 88% and false positive rate is 3.4%. This clearly shows that NSA performs better than CSA in terms of both detection rate and false positive rate.

Figure 7

Comparison of NSA and CSA for complete dataset.

5.6. Comparison with Other State-of-the-Art Techniques

A theoretical comparison of the proposed technique is also performed with other state-of-the-art techniques available in the literature for anomaly detection in WSNs. The comparison is based on the algorithm used, characteristics, and usability of these techniques, which is presented in Table 4.

Table 4

Comparison of techniques for Anomaly detection in WSNs.

Approach	Algorithm	Characteristics	Usability
Real-time automated data quality control [3]	Data temporal and spatial correlations	Better identification of faulty observations	Recreate estimate of missing or defective data from individual sensors

Misbehavior detection in WSNs [4]	Artificial Immune System (AIS)	The performance of AIS is influenced by the choice of genes. A useful MAC layer-based gene was identified	Highly effective for anomaly detection in WSNs

KNN-based anomaly detection scheme [5]	KNN-based detection	Complexity is independent of number of dimensions	Valuable, scalable, efficient, and human independent solution

Agent based intrusion detection [6]	Evolutionary AIS	Consistent for topological changes	Efficient for prevention and detection of intrusion in wireless network

Energy-efficient distributed solution [7]	Fixed-width clustering and distributed principal component	Accuracy is same as that of centralized approach	Reduced energy consumption and communication overhead

IDS framework [8]	Enhanced dendritic cell algorithm	Observe and collaborate neighboring nodes	Efficient in energy utilization and in identifying denial of sleep attack

Detection of measured anomalies in WSN [9]	Distributed hyperspherical cluster algorithm	Accuracy is same as that of centralized scheme	Decrease in communication cost

Office monitoring with WSN [10]	Neural network approach	Each node can respond to suspicious activity	Less time and memory consumption

Anomaly detection framework [11]	Combination of AIS and fuzzy theory	Framework is adaptable and flexible	Better detection with low false positives

Fault detection by parallel response in WSN [12]	Algorithm created from behavior of T-cell in HIS	Adaptable to changing conditions	Mitigate detected fault and misbehavior

Self-healing mechanism for WSN problems [13]	Immune-inspired self-healing algorithm	Automatic instant response generation and adaptable	Recover the network to a secure and stable state

Immune-inspired detection and recovery systems (IDRS) [14]	Immune-based self-adaptive fault tolerant algorithm	Adaptable to environment, dependable, and scalable	Self-detection, self-diagnosis, and self- recovery

Proposed technique	Negative Selection Algorithm with vaccination	Distributed detection with self-nonself discrimination process	Better detection rate and low false positive rate as compared to CSA

6. Conclusion

Artificial Immune System (AIS) is an active research area and researchers have been using AIS for network intrusion detection as well as other optimization problems. In this paper, we presented an enhanced Negative Selection Algorithm (NSA) for anomaly detection in Wireless Sensor Networks (WSNs). We first implemented simple NSA and tested on the dataset having random anomalies, and results were calculated. Then, the enhanced NSA is implemented for a large dataset having normal and anomalous packets. Experiments are performed to check the accuracy, detection rate (DR), and false positive rate (FPR) of the proposed algorithm. According to the results of our experiments, the accuracy of the proposed NSA is found to be 89.1% with a DR of 97.3% and FPR of ±2.6%. For comparison, another immune-based technique known as Clonal Selection Algorithm (CSA) is used. CSA is implemented for the detector generation, and anomalies are identified using the detector set. Simulations of both the algorithms are performed on different parts of the dataset, and the results for anomaly detection and false positive rates are calculated and compared. The experiments showed that the proposed NSA exhibited better results as compared to CSA for most of the cases. Comparison on the complete dataset also showed that NSA had a low FPR and high DR as compared to CSA. NSA is, therefore, a good candidate for real-world problems such as anomaly detection in WSNs. The advantage of using this technique is that it gives more efficiency in terms of detection and is easy to implement. Future work includes accommodating some other anomalies for detection in WSNs. FPR can be further reduced by incorporating other variations of the AIS algorithm.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

The authors would like to extend their sincere appreciation to the Deanship of Scientific Research at King Saud University for its funding of this research through the Research Group Project no. RGP-VPP-214.

References

Farooqi

A. H.

Khan

F. A.

A survey of intrusion detection systems for wireless sensor networks

International Journal of Ad Hoc and Ubiquitous Computing 2012 9 2 69 83

10.1504/IJAHUC.2012.045549

2-s2.0-84857692970

Farooqi

A. H.

Khan

F. A.

Wang

Lee

A novel intrusion detection framework for wireless sensor networks

Personal and Ubiquitous Computing 2013 17 5 907 919

10.1007/s00779-012-0529-y

2-s2.0-84883460598

Dereszynski

E. W.

Dietterich

T. G.

Spatiotemporal models for data-anomaly detection in dynamic environmental monitoring campaigns

ACM Transactions on Sensor Networks 2011 8 1, article 3

10.1145/1993042.1993045

2-s2.0-80053007309

Drozda

Schaust

Szczerbicka

AIS for misbehavior detection in wireless sensor networks: performance and design principles

Proceedings of the IEEE Congress on Evolutionary Computation (CEC ′07)

September 2007

Singapore

3719 3726

10.1109/cec.2007.4424955

2-s2.0-79955281664

Xie

Han

Chen

H.-H.

Scalable hyper-grid k-NN-based online anomaly detection in wireless sensor networks

IEEE Transactions on Parallel and Distributed Systems 2013 24 8 1661 1670

10.1109/tpds.2012.261

2-s2.0-84880077006

Kumar

G. V. P.

Reddy

D. K.

An agent based intrusion detection system for wireless network with artificial immune system (AIS) and negative clone selection

Proceedings of the International Conference on Electronic Systems, Signal Processing, and Computing Technologies (ICESC ′14)

January 2014

Nagpur, India

429 433

10.1109/icesc.2014.73

2-s2.0-84896796314

Livani

M. A.

Abadi

Distributed PCA-based anomaly detection in wireless sensor networks

Proceedings of the International Conference for Internet Technology and Secured Transactions (ICITST ′10)

November 2010

London, UK

1 8

2-s2.0-79951496285

Salmon

H. M.

de Farias

C. M.

Loureiro

Pirmez

Rossetto

De A. Rodrigues

P. H.

Pirmez

Delicato

F. C.

Da Costa Carmo

L. F. R.

Intrusion detection system for wireless sensor networks using danger theory immune-inspired techniques

International Journal of Wireless Information Networks 2013 20 1 39 66

10.1007/s10776-012-0179-z

2-s2.0-84878499429

Rajasegarar

Leckie

Palaniswami

Hyperspherical cluster based distributed anomaly detection in wireless sensor networks

Journal of Parallel and Distributed Computing 2014 74 1 1833 1847

10.1016/j.jpdc.2013.09.005

2-s2.0-84890562284

10.

Wälchli

Braun

Efficient signal processing and anomaly detection in wireless sensor networks

Applications of Evolutionary Computing 2009 5484

Springer

81 86 Lecture Notes in Computer Science

11.

Zheng

Zhang

Yang

Biologically inspired anomaly detection for hierarchical wireless sensor networks

Journal of Networks 2012 7 8 1214 1219

10.4304/jnw.7.8.1214-1219

2-s2.0-84866051331

12.

Schaust

Szczerbicka

Applying antigen-receptor degeneracy behavior for misbehavior response selection in wireless sensor networks

Proceedings of the 10th International Conference Artificial Immune Systems (ICARIS ′11)

July 2011

Cambridge, UK

212 225

13.

Lim

Lau

Timmis

Bate

Immune-inspired self healing in wireless sensor networks

Proceedings of the 11th International Conference Artificial Immune Systems (ICARIS ′12)

August 2012

Taormina, Italy

42 56

14.

Lim

T. H.

Bate

Timmis

A self-adaptive fault-tolerant systems for a dependable Wireless Sensor Networks

Design Automation for Embedded Systems 2014 18 3-4 223 250

10.1007/s10617-013-9126-1

2-s2.0-84891788782

15.

S. X.

Banzhaf

The use of computational intelligence in intrusion detection systems: a review

Applied Soft Computing Journal 2010 10 1 1 35

10.1016/j.asoc.2009.06.019

2-s2.0-70350134739

16.

de Castro

L. N.

Zuben

F. J. V.

Artificial immune systems: part I—basic theory and applications

1999 TR-DCA 01/99

Campinas, Brazil

School of Computing and Electrical Engineering, State University of Campinas

17.

Watkins

Timmis

Exploiting parallelism inherent in AIRS, an artificial immune classifier

Artificial Immune Systems: Third International Conference, ICARIS 2004, Catania, Sicily, Italy, September 13–16, 2004. Proceedings 2004 3239

Berlin, Germany

Springer

427 438 Lecture Notes in Computer Science

10.1007/978-3-540-30220-9_34

18.

Hang

Computational immunology for anomaly detection [Ph.D. dissertation] 2006

Deakin University

19.

Seredynski

Bouvry

Anomaly detection in TCP/IP networks using immune systems paradigm

Computer Communications 2007 30 4 740 749

10.1016/j.comcom.2006.08.016

2-s2.0-33846588283

20.

Aickelin

Cayzer

The danger theory and its application to artificial immune systems

Proceedings of the 1st International Conference on Artificial Immune Systems (ICARIS ′02)

2002

Canterbury, UK

141 148

21.

Stibor

Mohr

Timmis

Eckert

Is negative selection appropriate for anomaly detection?

Proceedings of the 7th Genetic and Evolutionary Computation Conference (GECCO ′05)

June 2005

ACM

321 328

10.1145/1068009.1068061

2-s2.0-32444436687

22.

Gendreau

Potvin

Handbook of Metaheuristics 2010

Springer

23.

Dasgupta

Nino

Recent advances in artificial immune systems: models and applications

Applied Soft Computing Journal 2011 11 2 1574 1587

10.1016/j.asoc.2010.08.024

2-s2.0-78751618182

24.

Abduvaliyev

Pathan

A.-S. K.

Zhou

Roman

Wong

W.-C.

On the vital areas of intrusion detection systems in wireless sensor networks

IEEE Communications Surveys and Tutorials 2013 15 3 1223 1237

10.1109/SURV.2012.121912.00006

2-s2.0-84881313532

25.

Forrest

Perelson

A. S.

Allen

Cherukuri

Self-nonself discrimination in a computer

Proceedings of the IEEE Symposium on Research in Security and Privacy

May 1994

Oakland, Calif, USA

202 212

2-s2.0-0027961889

26.

Forrest

Beauchemin

Computer immunology

Immunological Reviews 2007 216 1 176 197

10.1111/j.1600-065X.2007.00499.x

2-s2.0-33947193447

27.

Woldemariam

K. M.

Yen

G. G.

Vaccine-enhanced artificial immune system for multimodal function optimization

IEEE Transactions on Systems, Man, and Cybernetics, Part B: Cybernetics 2010 40 1 218 228

10.1109/tsmcb.2009.2025504

2-s2.0-74049162509

28.

Drozda

D. M.

Schildt

Schaust

Szczerbicka

An immuno-inspired approach to misbehavior detection in ad hoc wireless networks

Computing Research Repository (CoRR), http://arXiv.org/abs/1001.3113

29.

Feeney

L. M.

Nilsson

Investigating the energy consumption of a wireless network interface in an ad hoc networking environment

Proceedings of the 20th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM ′01)

April 2001

Anchorage, Alaska, USA

1548 1557

2-s2.0-0035015898

30.

Dataset for Immune Inspired Misbehavior Detection, 2014, https://www.sim.uni-hannover.de/de/Data-sets/datasets.html

Anomaly Detection in Wireless Sensor Networks Using Immune-Based Bioinspired Mechanism

Abstract

1. Introduction

2. Human and Artificial Immune Systems

2.1. Purpose of HIS

2.2. Immune System Entities

2.3. Immune System Properties

2.4. Immune System Process

2.5. Artificial Immune System (AIS)

3. Related Work

4. Proposed NSA for Anomaly Detection in WSNs

4.1. Significant Features of NSA

4.2. Components of NSA

4.3. Proposed Enhanced NSA

4.3.1. Protocols and Assumptions

4.3.2. Classification and Anomaly Detection

5. Experiments and Results

5.1. Performance Metrics

5.2. Experiment 1

5.3. Experiment 2

5.4. Experiment 3

5.5. Comparison of NSA with CSA

5.6. Comparison with Other State-of-the-Art Techniques

6. Conclusion

Footnotes

Conflict of Interests

Acknowledgment

References