
Received: 12 December 2016 Revised: 6 February 2017 Accepted: 10 March 2017

SPECIAL ISSUE ARTICLE

DOI: 10.1002/ett.3183

Leveraging fog computing and software defined systems for selective forwarding attacks detection in mobile wireless sensor networks

Qussai Yaseen1 | Firas Albalas2 | Yaser Jararwah2 | Mahmoud Al-Ayyoub2

1Department of Computer Information Systems, Jordan University of Science and Technology, Irbid, Jordan
2Department of Computer Science, Jordan University of Science and Technology, Irbid, Jordan

Correspondence: Qussai Yaseen, Department of Computer Information Systems, Jordan University of Science and Technology, Irbid, Jordan, 22110. Email: [email protected]

Funding information: Jordan University of Science and Technology, Grant/Award Number: 74/2016

Trans Emerging Tel Tech. 2017;e3183. https://doi.org/10.1002/ett.3183

Abstract

Selective forwarding is a major problem in wireless sensor networks (WSNs). The nature of sensor environments and the sensitivity of collected measurements in some fields such as war fields increase the need to prevent, detect, or mitigate the problem. One of the most used countermeasures for this problem is a voting system based on watchdogs' votes. However, this approach is not applicable in the case of mobile sensors. Mobile WSNs (MWSNs) are growing immensely due to the spread of applications of mobile computing, vehicular networks, and the Internet of Things. This growth has shed light on the security of using mobile sensors and raises the need to set appropriate methods for securing MWSNs against many attacks such as selective forwarding attacks. This paper introduces the problem of selective forwarding in MWSNs and discusses why the voting system used for mitigating this problem in WSNs is not applicable to MWSNs because of sensor mobility. Therefore, the paper proposes a model that provides a global monitoring capability for tracing moving sensors and detecting malicious ones. The model leverages the infrastructure of fog computing to achieve this purpose. In addition, the paper suggests using software defined systems along with the proposed model, which generalizes the model so that it can secure MWSNs against other types of attacks easily and flexibly. The paper provides a complete algorithm, a comprehensive discussion, and experiments that show the correctness and importance of the proposed approach.

1 | INTRODUCTION

Wireless sensor networks (WSNs) consist of cheap, battery-powered, and simple processing devices that are called sensor nodes. Sensor nodes are equipped with wireless radio devices that are used to form highly distributed ad hoc networks. Typically, sensor nodes are used for monitoring weather conditions such as temperature and humidity, or for monitoring physical phenomena. For example, WSNs are used in military, building and industrial monitoring, and automation.1

The data measured by sensors are sent to nearby base stations. However, since WSNs usually consist of a large number of highly distributed sensors with limited transmission range (tens of meters), many sensors cannot directly communicate with a base station. Therefore, far sensors route their data through neighbor sensors on a hop-by-hop (node to node) basis until it reaches a base station. The routing process facilitates collecting measurements from sensors that are located far away from base stations.

Mobile WSNs (MWSNs) are a special class of WSNs in which sensors are mobile. The mobility of sensors brings many advantages to various applications, especially real-time applications such as traffic monitoring, healthcare monitoring, and social interaction.2 Furthermore, mobile sensors can be used to trace moving phenomena like packages, vehicles, and chemical clouds.3 The mobility in MWSNs has 4 possible categories, which are mobile sensor nodes, mobile relay nodes, mobile base stations, and mobile cluster heads.2,4 In addition, the mobility has 3 paradigms, which are controllable movement, predictable movement, and unpredictable movement.2,4 In the controllable movement, an entity in MWSNs cannot move on its own; instead, it is guided and controlled to move to a specific location. In predictable movement, the movement of an entity can be predicted since it has a clear track, such as the movement of sensors in moving vehicles. When the movement of sensors is random, such as sensors attached to animals and birds, the movement is called unpredictable movement.

Copyright © 2017 John Wiley & Sons, Ltd. wileyonlinelibrary.com/journal/ett

Mobile WSNs have many advantages over traditional WSNs. In static WSNs, the sensors that are close to a base station or a sink lose their energy quickly since they route the data of all sensors to the base station. However, in MWSNs, the transmission of sensor data to base stations spreads over a large number of sensors due to the continuous mobility of sensors. Furthermore, in MWSNs, the channel capacity increases 3 to 5 times over static WSNs when the number of mobile sinks is increased linearly with the number of mobile sensors. Moreover, mobility increases the probability of successful transmissions since it reduces the number of hops. In addition, sensor mobility enables sensors to move to better locations close to targets in dynamic environments.5-7

The routing process that enables sensors far from a base station to reach it may form a big flaw in the structure of wireless sensor networks. Attackers may exploit this model to inject malicious sensors, or malicious code into benign sensors. This enables adversaries to launch various types of attacks, such as delaying the delivery of packets sent by far sensors or dropping some or all packets; this problem is called selective forwarding. The deployment areas of sensors, which are often unattended, open, or hostile environments such as the wild or military fields, make wireless sensor networks highly vulnerable to attacks. In WSNs, a feasible method for detecting selective forwarding is to have sensors monitored by their neighbors. The neighbors can compute the dropping rate of a monitored sensor, and using a simple voting system (as will be discussed later), the neighbors can decide whether a monitored node is malicious or not. However, in MWSNs, the sensors are mobile, which makes the watching process hard. Strictly speaking, a sensor could be a neighbor of a monitored node at a specific point in time, but due to mobility, the neighbor and/or the monitored node may move far away from each other, which prevents the old neighbor from watching the traffic of the monitored node. This paper discusses this problem and proposes a model for detecting selective forwarding in MWSNs. The contribution of the paper is as follows.

1. It proposes a model for detecting selective forwarding attacks in MWSNs, along with a complete algorithm and discussion.

2. It uses the infrastructure of fog computing to facilitate intrusion detection in mobile environments, with selective forwarding as a case. To the best of our knowledge, we are the first to leverage the structure of fog computing for such a purpose.

3. It provides a software defined system that can be used along with the proposed approach to secure MWSNs against different types of attacks easily and flexibly.

4. It provides experiments that show the feasibility of the proposed approach in catching malicious mobile sensor nodes and show the cost that may be paid using the proposed model.

The paper is an extension of a previous study.8 This version provides complete and comprehensive details about the contribution by extending the proposed model and all sections. Moreover, it adds 2 new sections, which are Section IV (Software Defined Intrusion Detection Frame for MWSNs) and Section V (Experiments and Results). In Section IV, it provides comprehensive details of the software defined system used in the proposed model. In Section V, it conducts comprehensive experiments that show the effectiveness of the proposed model and its performance.

The paper is organized as follows. The next section discusses some related work. Section 3 discusses the infrastructure of fog computing. Section 4 introduces the selective forwarding problem and its solution in WSNs. Section 5 discusses why measuring the dropping rate and the voting system used for selective forwarding detection in WSNs are not feasible in MWSNs. In addition, it introduces and discusses the proposed model and the algorithm for selective forwarding detection in MWSNs. Section 6 provides a software defined intrusion detection framework for MWSNs. Section 7 demonstrates and discusses the experiments and results. The conclusions and future work are provided in Section 8.

2 | RELATED WORK

Intrusion detection in WSNs has been investigated by many researchers due to the sensitivity of this problem and its effect on wireless communication. The attacks in WSNs range over many types such as the propagation of incorrect routing information, hindering or disabling services, and causing congestion.9 Moreover, denial of service attacks, rushing attacks, and spoofing attacks are a few examples of serious attacks that may hinder the communication in WSNs. Furthermore, the selective forwarding problem, which is the problem discussed in this paper, poses a large threat to the quality and trust of the communication in WSNs.10,11 Many intrusion detection systems (IDSs) have been introduced to prevent, detect, and mitigate intrusion attacks in WSNs. Intrusion detection systems in WSNs are classified into 4 types, which are stand-alone intrusion detection systems, distributed and cooperative intrusion detection systems (DCIDS), hierarchical intrusion detection systems, and mobile agent for intrusion detection systems.12 In stand-alone intrusion detection systems, the IDS is installed and runs on each node independently with no cooperation between nodes in the network. Therefore, the decision is made by the node based only on its own information. Although this model has serious limitations, it is suitable for WSNs when not all nodes have an IDS or can run one. In DCIDS, as introduced by Zangh et al,13 all nodes have an IDS, and all of them participate in the intrusion detection process based on the information exchanged among them. In hierarchical intrusion detection systems, the WSN is divided into clusters, where each cluster has a head with more capabilities and functionalities than other nodes. In this model, each node runs an IDS that is responsible for locally detected intrusions, while a cluster head is responsible for monitoring network packets and issuing a global decision when a network intrusion is detected.14 Sterne et al14 proposed a dynamic intrusion detection hierarchy, where a cluster head is responsible for data fusion/integration and data reduction, intrusion detection computations, and security management. In the aforementioned model, other nodes in a cluster are responsible for detecting intrusions and alerting their cluster head when there is enough evidence about an intrusion. In mobile agent for intrusion detection systems, mobile agents move through large networks to perform distributed intrusion detection tasks. Mobile agent for intrusion detection systems is considered a type of DCIDS, but with mobile agents.12 The models proposed by Albers et al15 and Kachirski and Guha16 are examples of this type.

Many researchers have dealt with the selective forwarding problem in WSNs. Hai and Huh17 proposed an IDS that is implemented in both base stations and wireless sensors, which enhances the probability of detecting attacks even when base stations are compromised. The proposed approach uses a multihop acknowledgement mode that issues alerts based on the responses of intermediate nodes. Researchers in previous studies1,18,19 proposed a distributed intrusion detection model in WSNs. The sensors in the proposed models collaborate and exchange information to issue a global decision on whether a monitored node is malicious or not. This paper uses a similar approach, but for mobile wireless sensor networks.

Some researchers discussed the problem in mobile ad hoc networks (MANETs) and proposed some approaches to handle it. Keung et al20 studied intrusion detection in mobile sensor networks and used k-barrier coverage probability against moving intruders. Zangh et al13 proposed a distributed and cooperative intrusion detection system as mentioned earlier. The proposed model is designed for mobile wireless networks. Their model focused on ad hoc routing protocols and used trace analysis and anomaly detection-based models for detecting moving intruders. However, their approach is not suitable for highly mobile sensors across large geographical areas. Sun et al21 used a neighborhood-based method to detect malicious sensors. Their approach is based on maintaining a metric called the neighbor set for each node, which defines all nodes that are inside the radio transmission range of a node. This metric is considered an identity for the node. To detect a malicious sensor, the node compares the requests that it sends across its neighbor set nodes with the replies received from its neighbor set nodes when searching for a route to a destination. If the difference is larger than a predefined threshold value, the node knows that there is a malicious sensor. Kozma et al22 proposed a reactive approach, called REAct, to detect malicious sensors. The approach starts with an audit phase, where a malicious drop ratio of packets is detected between the sender and the receiver nodes. Then, in the search phase, the sender uses a bloom filter to build a behavioral proof of malicious activities. Next, in the identification phase, the sender identifies the location segment of the malicious sensor based on the comparison of the behavioral proofs of both the sender and the malicious sensors. The main problem of the aforementioned approach is that it fails when a malicious sensor succeeds in changing its behavior continuously. Other researchers used a Bayesian detection scheme,23 while others used an approach that is based on modifying the ad hoc on-demand distance vector routing protocol.24-27

Detecting malicious sensors with the existing approaches requires heavy use of sensor resources such as processing power, RAM, and storage, especially for highly mobile sensors across large geographical areas. Keeping tables that store information about neighbor sensors, sent packets, received packets, etc. imposes high overhead on these resources and consumes too much battery power. The method proposed in this paper eliminates this overhead by using fog computing services, and leverages the close proximity of the fog layer to detect selective forwarding sensors using the voting system. The next section discusses the fog computing structure and its advantages.

3 | FOG COMPUTING

The needs of end users and business companies from the networking and telecommunication industry are growing rapidly. Users' demands are focused on personalized services, better user experience, and better performance. Companies, however, are interested in getting more flexibility in provisioning new services and highly secure access control to their devices and information. Furthermore, they need to collect more valuable and detailed information about their customers. Therefore, service and equipment providers are heavily investing in this market to meet the growing demands and needs by providing converged network infrastructure and information technology (IT).

Streaming video, consumer smart phones, messaging, and Peer to Peer applications are examples of emerging investments of service providers and are examples of leading sources of mobile traffic. The growth in mobile traffic is expected to increase immensely since enterprises expand their services and processes to be used in smart mobile devices. Wireless networks and wireless sensors have key roles in many critical applications, from smarter traffic to video analytics. The use of wireless sensors is expected to grow dramatically in the next few years due to the immense growth of wireless sensor-based applications, which use the cellular network as a platform for integrating wireless devices. These devices have been converged along with the worlds of IT and telecommunications networking, which provide new possibilities and capabilities that can be deployed into the network. One of these capabilities is the ability to run IT-based servers at the network edge, applying the concepts of cloud computing.28

Cloud computing provides a large range of services and resources for users. This has been leveraged in emerging new applications such as virtual reality and smart building control. However, delay-sensitive applications still have major issues in using cloud computing because of the problem of large latency, especially when several smart devices and objects are getting involved in human life, such as in smart cities or the Internet of Things (IoT). Thus, cloud computing cannot perfectly provide low latency, location awareness, and mobility support services. To solve this problem, fog computing has been designed to leverage the advantages of cloud computing services and eliminate its drawbacks. Fog computing puts the services and resources of the cloud closer to users, which facilitates the leveraging of available services and resources at the edge networks. That is, the cloud core (cloud data centers) is moved to the edge of the network closer to users. This allows fog computing to serve heavy real-time applications at the network edge directly, using very large numbers of connected mobile devices. Many features make fog computing a perfect paradigm for the aforementioned purpose, namely the dense geographical deployment of servers, support for mobility, and closeness to users.

FIGURE 1 Fog computing architecture

Figure 1 shows the architecture of fog computing.28 The architecture contains 3 basic layers, which are mobile devices, fog nodes, and cloud infrastructure. The mobile device layer contains all types of mobile devices such as mobile phones and IoT devices. The fog layer has powerful resources, though fewer than the cloud's. However, the resources in the fog layer are capable of network traffic control and of hosting many applications such as image processing, smart tracking, and m-gaming. Moreover, the fog layer is responsible for the optimization of mobile resources and of big data received from mobile devices before sending it to the cloud. Furthermore, the fog layer provides cloud services in close proximity to mobile devices. The cloud layer contains powerful resources that can be used for mining patterns, big data analytics, etc.

As with every new technology, some challenges face the vision of fog computing, namely administrative policies and security concerns. Several security challenges face the growth of fog computing, such as the Rogue Fog Node, which is a fake fog device or instance that poses as a legitimate one and persuades end users to connect to it, and the problem of Verifiable Computing, which aims to preserve the security and privacy of computation outsourced to fog nodes.28 Intrusion detection is a problem that threatens many technologies and systems, including fog computing and MWSNs, which are the scope of this paper.


FIGURE 2 Watchdog sensors

FIGURE 3 Cooperative approach


4 | SELECTIVE FORWARDING DETECTION IN WSN

Wireless sensor network applications are growing immensely. Health care monitoring, environment monitoring, and vehicular networks are a few examples of these applications. However, WSNs suffer from some security concerns that may limit their success. The limited resources of wireless sensors and their unattended nature in most cases increase their vulnerability to attacks. Selective forwarding and delay attacks are 2 of these dangerous attacks, where a malicious sensor drops some or all of the received packets, or delays sending them.

Detecting a malicious sensor in WSNs is usually performed by computing the rate of packets dropped by a node during a time window. A high dropping rate may indicate malicious activity by a sensor. Considering the dropping rate rather than the number of packets dropped by a node aims to reduce false positives in intrusion detection in WSNs. Strictly speaking, some packets may be dropped due to legitimate factors such as collisions. Therefore, counting the number of dropped packets would count irrelevant packets and may mistakenly mark a sensor as malicious. Considering the dropping rate is more accurate, since a high dropping rate in a sensor may indicate a malicious sensor that performs a selective forwarding attack.

Measuring the dropping rate of a sensor node is performed by its neighbors; this approach is called watchdog.18 The watchdogs of a node are the nodes in its transmission range that can monitor the node's transmissions and can count the packets received and sent by the node. Classifying a node as malicious or not can be performed by 2 approaches, which are the independent decision-making system and the cooperative IDS system. In the first approach, specific nodes take the job of decision-making. They collect evidence from other nodes, and then they make decisions about possible intrusions. Other nodes in the network do not participate in the decision-making process. Two major drawbacks limit this approach. The first is that the decision-making nodes may be attacked, which may lead to malicious nodes being considered benign sensors. The second is that the computation overhead of discovering malicious nodes in the overall network is laid on a few nodes. This process exhausts the energy of those nodes.18

In the cooperative approach, malicious nodes are discovered based on a voting system by watchdogs. In this approach, each sensor node, say n_j, is monitored by its neighbors. The neighbors watch the packets received and sent by n_j. If a neighbor suspects malicious activity based on the dropping rate, it broadcasts an alert to other neighbors. A collector node (from the neighbors) gathers the votes from n_j's neighbors and issues a decision on whether n_j is malicious or not based on the majority of the watchdogs' votes. Figure 2 shows watchdog sensors. In this figure, the watchdog nodes, denoted by black circles, monitor packets received by n_y and packets that are sent by n_y. In this scenario, sensor n_x sends data to n_y, and n_y forwards these packets to its parent n_z. If the sensor node n_y is malicious and chooses to drop packets sent by n_x, the watchdog nodes will discover this intrusion. As discussed earlier, no single node should have the sole decision about marking a node as malicious, because the judge node could be malicious and aim to discard benign sensors. Therefore, the cooperative approach uses a voting system. The watchdog nodes in this approach should collaborate to take the decision. Figure 3 shows the collaboration process. In this approach, the node n_p discovers an intrusion in the node n_y; therefore, it sends its decision to other watchdog nodes. n_p plays the collector role in this example. Therefore, other watchdog nodes send back their decision to the collector, which takes the final decision based on the votes it receives and based on a threshold value such as the majority of votes.

5 | SELECTIVE FORWARDING MITIGATION IN MOBILE WIRELESS SENSOR NETWORKS

The rapid growth in wireless communication and networks and the recent emergence of mobile computing have led to the rise of MWSNs, where sensors are mobile. Mobility in MWSNs benefits many applications such as health care monitoring, firefighter monitoring, and many other applications where sensors are attached to people, animals, unmanned vehicles, manned vehicles, and autonomous vehicles, as well as IoT applications. However, mobility in MWSNs has brought many security challenges that do not exist for static sensors in WSNs. Countermeasures that are used in WSNs may not be applicable in MWSNs.

The selective forwarding attack, which is the scope of this paper, is considered a hard problem in MWSNs. Selective forwarding detection in MWSNs, where sensors may change their location continuously, needs methods other than those used in WSNs. The cooperative approach and the voting system used in WSNs are suitable for static sensors. The static watchdog sensors hold tables for packets coming in to and forwarded from monitored nodes. These tables are used to compute packet dropping rates within time windows in monitored nodes, as discussed earlier. However, in MWSNs, when a monitored node moves, some or all watchdog sensors end up outside its transmission range. This prevents watchdogs from detecting malicious nodes. The same problem arises when watchdogs move outside the transmission range of a monitored node. Therefore, a new or modified cooperative approach should be used for detecting the selective forwarding problem in MWSNs.

5.1 | The proposed model

In this paper, we propose a method that leverages the capabilities of fog computing to build a flexible and efficient IDS that mitigates the problem of selective forwarding in MWSNs. Figure 4 shows the layers of the proposed model. The upper layer represents the cloud computing layer, which may receive information from the fog layer. This information can be used for different purposes such as big data mining and management. Furthermore, it can be used to extract intrusion patterns of attacks for detection purposes. This layer is beyond the scope of this paper and will be considered as future work.

FIGURE 4 The proposed model

The fog layer is a major player in this model. It is a highly virtualized platform that provides many services such as computation, storage, and networking services for end devices such as sensors. The capabilities of this layer span many advantages, such as providing low latency networking, sensor location awareness, serving widespread geographical distribution, and mobility. Furthermore, it can serve a very large number of nodes with strong wireless access. The main purpose of this layer in the proposed approach is as follows.

• The IDS in a fog server collects the information about mobile monitored nodes from mobile watchdogs. The IDSs in fog servers cooperate and share their information about monitored nodes, which includes the packets received and forwarded by monitored nodes, to detect malicious mobile sensor nodes.

• The IDSs in fog servers analyze the information received from watchdogs and use the voting method to determine which nodes are malicious and which are benign.

The mobile wireless sensors layer consists of a large number of mobile sensors. Basically, a sensor node in this layer contains an IDS component to monitor the forwarding packets (FP) and received packets (RP) in neighboring nodes according to its monitor table. These observations are sent to the fog IDS.

The proposed model builds a coherent intrusion detection system that can be used in environments that consist of a large number of moving sensors and changing scenarios. As shown in the figure, the monitored node and the watchdog nodes may move continuously. At time t1, the monitored node is watched by a group of watchdogs, which store the received and forwarded packets by the monitored node. However, since the monitored node moves out of the range of watchdogs when it reaches time t2, the watchdogs at time t1 send the information they have about the monitored node to the collector, which sends the information to the base station, and then the base station forwards the information to its connected fog server.

The fog server holds a table of the mobile sensors that cross by its connected base stations. The table contains the received and forwarded packets by monitored nodes. When a monitored node leaves the transmission range of all base stations connected to a fog server, say server S1, and reaches the transmission range of a base station connected to another fog server, say server S2, the server S2 sends a request message to S1 asking for the information stored about the monitored node. The information should contain the arrival and leaving time of the monitored node to/from S1 range (transmission range of all base stations connected to S1), and the recorded received and forwarded packets by the monitored node. This information will be used to calculate the dropping rate of the monitored node during a time frame to check whether it is a malicious node or not. Hence, a mobile sensor may stay a long time in the range of a fog server, and that time may be enough to check whether a sensor is malicious or not.

5.2 | The algorithm

Algorithm 1 shows the complete steps for selective forwarding detection in MWSNs using fog computing infrastructure. As shown in the algorithm, when starting monitoring a sensor, a timer should be initialized for that sensor as stated by Step 2. The timer will be used to calculate the dropping rate of that sensor. In Step 3, the algorithm determines the set of watchdog sensors that will be monitoring the monitored nodes at a specific time. Notice that watchdog sensors change as the monitored node and/or watchdog nodes move. However, as long as the monitored node is located in the transmission range of a watchdog node, the watchdog node should record the incoming and forwarded packets to/by the monitored node as stated in Steps 4‐9. Step 5 shows that the watchdog node maintains a monitoring table for all nodes that it can monitor. Moreover, when the watchdog sensor hears an incoming packet to the monitored node, it increases the received packet counter RP of that monitored sensor (Step 7) and increases the forwarded packet counter FP when that monitored node forwards the packet (Step 9). When a watchdog sensor becomes out of the monitored node transmission range because the watchdog sensor or the monitored sensor has moved (Step 10), the watchdog sensor sends what information it has about the monitored sensor, which is stored in the monitoring table, to the neighboring base station (Step 11). Next, the base station sends this information to its connected fog server (Step 12). The processes in the aforementioned steps are run in parallel with a continuous updating of the watchdog sensors of the monitored node due to the continuous mobility of sensors (Step 14). Furthermore, during the monitoring process, when the monitored node moves to a new host base station, the new base station should inform its connected fog server about the new location of the monitored sensor as stated in Steps 15‐16. However, if the new host base station is connected to a different fog server, both servers should communicate, and the old fog server should send what information it has about the monitored node (Steps 17‐18). In addition, when the timer reaches the time window value, the fog server, which has the monitored sensor in its base stations range, computes the dropping rate of the monitored node (Steps 19‐20). The monitored sensor is considered a malicious sensor if the dropping rate exceeds a preset threshold value.

Algorithm 1. Selective Forwarding Detection in Mobile Wireless Sensor Networks using Fog Computing

Input. A set of mobile wireless sensors MWS = {S1, S2, …, Sn}, a set of base stations BS = {BS1, BS2, …, BSn}, a set of Fog Servers FS = {FS1, FS2, …, FSx}, a set of monitored sensors MS = {MS1, MS2, …, MSn}, Monitoring Tables MT = {MT1, MT2, …, MTn}, Time Window TW, dropping rate threshold value TH
Output. Malicious Wireless Sensor

1. For each monitored sensor MSx ∈ MS
2.   Initialize a timer T ← 0 // to determine the time window
3.   Set the set of Watchdogs WDt(MSx) ⊂ MWS at time t // watchdogs that can monitor MSx
4.   For each watchdog Wi ∈ WDt(MSx)
5.     MTi ← MTi + Row(MSx) // insert a row to Wi's monitoring table that records the received packets RPx and forwarded packets FPx by MSx
6.     If MSx receives a packet Then
7.       RPx = RPx + 1 // update the counter of received packets to MSx RPx in Wi monitoring table
8.     If MSx forwards a packet Then
9.       FPx = FPx + 1 // update the counter of forwarded packets by MSx FPx in Wi monitoring table
10.    If Location(Wi) ∉ Range(MSx) ∨ Location(MSx) ∉ Range(Wi) Then // Wi moves outside the range of MSx OR MSx moves outside the range of Wi
11.      Wi.BSi ← Wi.MTi(Row(MSx)) // Wi sends the Row(MSx) to the nearest Base Station BSi
12.      BSi.FSj ← Wi.MTi(Row(MSx)) // BSi forwards Row(MSx) to its connected Fog Server FSj
13.  While monitoring MSx
14.    Update WDt(MSx) continuously
15.    If Location(MSx) ∈ Range(BSJ) ∧ (BSJ ≠ BSi) Then // MSx moves to a new base station range
16.      BSJ.Send(Location(MSx), FSi) // The corresponding base station BSJ informs the corresponding FSj about the new location of MSx
17.    If Location(MSx) ∈ Range(BSJ) ∧ (BSJ ≠ BSi) ∧ (BSJ.FogServer ≠ BSi.FogServer) Then // MSx moves to the transmission range of a base station of a new fog server
18.      BSi.FogServer.Send(Information(MSx), T, BSJ.FogServer) // send Information(MSx) and Timer T to the new Fog Server BSJ.FogServer
19.  If T = TW Then // when the timer reaches the set time window
20.    FSx computes DRx = FPx/RPx // the corresponding Fog server computes the dropping rate of MSx DRx
21.    If DRx > TH Then // where TH is the dropping rate threshold
22.      Malicious(MSx) = True // MSx is malicious
23.    Else
24.      Malicious(MSx) = False // MSx is not malicious
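The following Python example is added here and is not the authors' code. It implements the fog-server side of Algorithm 1 (Steps 11-12 and 15-24) with the 30-second window, the 20% dropping threshold and the 3-of-5 vote stated in Section 7, and replays a constructed trace with and without the hand-over of Steps 17-18. Assumptions of this example: all class and function names, one vote per watchdog row, and taking the dropping rate as (RP − FP)/RP.

```python
from dataclasses import dataclass, field

TIME_WINDOW = 30.0       # TW in seconds (value used in Section 7)
DROP_THRESHOLD_PCT = 20  # more than 20% dropped => malicious vote (Section 7)
VOTES_NEEDED = 3         # 3 of 5 watchdog votes (Section 7.3)


@dataclass
class Row:
    """One watchdog's monitoring-table row for a monitored sensor (Steps 5-9)."""
    watchdog: str
    rp: int = 0  # packets heard arriving at the monitored sensor
    fp: int = 0  # packets heard being forwarded by it

    def votes_malicious(self):
        # Assumption: dropping rate = (RP - FP) / RP. Integer math keeps the
        # "exactly 20%" boundary free of floating-point rounding.
        return self.rp > 0 and (self.rp - self.fp) * 100 > DROP_THRESHOLD_PCT * self.rp


@dataclass
class Record:
    """Everything a fog server holds about one monitored sensor."""
    timer_start: float
    rows: dict = field(default_factory=dict)  # watchdog id -> accumulated Row


class FogServer:
    def __init__(self, name):
        self.name = name
        self.records = {}  # sensor id -> Record

    def track(self, sensor, now):
        """Steps 15-16: a base station reports the sensor in range; start timer T if new."""
        return self.records.setdefault(sensor, Record(timer_start=now))

    def report(self, sensor, row, now):
        """Steps 11-12: a watchdog row arrives via a base station and is accumulated."""
        rows = self.track(sensor, now).rows
        acc = rows.setdefault(row.watchdog, Row(row.watchdog))
        acc.rp += row.rp
        acc.fp += row.fp

    def hand_over(self, sensor, new_server):
        """Steps 17-18: send Information(MSx) and timer T to the new fog server."""
        rec = self.records.pop(sensor, None)
        if rec is None:
            return
        dest = new_server.track(sensor, rec.timer_start)
        dest.timer_start = min(dest.timer_start, rec.timer_start)
        for row in rec.rows.values():
            acc = dest.rows.setdefault(row.watchdog, Row(row.watchdog))
            acc.rp += row.rp
            acc.fp += row.fp

    def evaluate(self, sensor, now):
        """Steps 19-24: None while the window is open, else the majority verdict."""
        rec = self.records.get(sensor)
        if rec is None or now - rec.timer_start < TIME_WINDOW:
            return None
        votes = sum(1 for row in rec.rows.values() if row.votes_malicious())
        self.records[sensor] = Record(timer_start=now)  # open the next window
        return votes >= VOTES_NEEDED


def run_scenario(handover):
    """Constructed trace: MS7 drops packets and crosses from S1 to S2 at t = 12 s.

    One packet arrives every 3 s, so watchdogs see 4 packets under S1 and 6 under S2.
    Returns S2's verdicts at t = 30 s and t = 42 s.
    """
    s1, s2 = FogServer("S1"), FogServer("S2")
    s1.track("MS7", now=0.0)
    for w in ("W1", "W2", "W3"):      # these watchdogs lose range at t = 12 s
        s1.report("MS7", Row(w, rp=4, fp=2), now=12.0)
    if handover:
        s1.hand_over("MS7", s2)       # rows and timer travel with the sensor
    s2.track("MS7", now=12.0)
    for w in ("W4", "W5"):
        s2.report("MS7", Row(w, rp=6, fp=4), now=30.0)
    return s2.evaluate("MS7", now=30.0), s2.evaluate("MS7", now=42.0)


def lying_watchdog_verdict():
    """Constructed case: a benign sensor and one watchdog that reports total loss."""
    s1 = FogServer("S1")
    s1.track("MS9", now=0.0)
    for w in ("W1", "W2", "W3", "W4"):
        s1.report("MS9", Row(w, rp=10, fp=10), now=30.0)
    s1.report("MS9", Row("W5", rp=10, fp=0), now=30.0)  # false report
    return s1.evaluate("MS9", now=30.0)


if __name__ == "__main__":
    print("with hand-over:   ", run_scenario(handover=True))
    print("without hand-over:", run_scenario(handover=False))
    print("one lying watchdog:", lying_watchdog_verdict())
```

With hand-over, S2 decides at the 30-second mark on all five rows; without it, S2 restarts the timer at 12 s and later sees only two votes, so the dropping sensor is cleared.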

5.3 | Analysis

The proposed model provides a high performance approach, with minimum processing overhead and small battery consumption in both watchdog sensors and collector sensors. Strictly speaking, the monitoring overhead of a monitored mobile sensor is distributed among watchdog sensors, base stations, and fog servers. Watchdog sensors do not need to take a decision regarding a monitored node. Instead, they send RP and FP counters to base stations, which eliminates the need to compute the dropping rate and issue a decision. This process reduces the processing overhead and the battery consumption in watchdog sensors. Moreover, collector nodes are not assigned the job of classifying sensors as either malicious or benign, which reduces much of the processing and storage overhead on collector nodes and decreases their battery consumption. The jobs of collector nodes in the proposed model are reduced to forwarding sensor information to base stations. The proposed model assigns the job of storing information about a huge number of highly distributed mobile sensor nodes to fog servers, which have powerful storage and processing capabilities. Fog servers are in close proximity to mobile sensors, which provides real‐time monitoring and very low delay decisions regarding malicious sensors. Cooperation among fog servers enables a global monitoring of mobile wireless sensors that is not achievable in traditional approaches. No power or computation limitations may hinder the monitoring process in fog servers as in watchdog and collector sensors. Therefore, fog servers can perform the monitoring process effectively. Furthermore, based on the capabilities of the fog layer, fog servers may use other metrics to better detect malicious sensors, such as measuring the noise or traffic levels in the sensors' environment. Taking noise or traffic level into account enables fog servers to choose the correct threshold of dropping rate that enhances the detection of malicious nodes and reduces false positives and false negatives.

The proposed model is more secure than the traditional approach in static sensors. Since wireless sensors are usually located in unattended and wild environments, replacing sensors with malicious ones or injecting malicious codes in benign sensors is not hard. Malicious watchdog sensors may forward incorrect information about the dropped packets by monitored sensors, which hardens detection of malicious sensors. In addition, the problem may become severe when attackers succeed in injecting malicious collector sensors, which enables attackers to prevent detection of malicious sensors. Using the proposed model, no sensor has the sole job of classifying sensors into malicious or benign. Strictly speaking, the monitoring process of a sensor is distributed among many watchdog sensors and collector nodes due to sensors mobility. Therefore, injecting a malicious watchdog would have very small effect on the decision process. Similarly, collectors in the proposed model have no decision role and change over time due to mobility, which makes injecting a high‐effect malicious collector sensor a very hard job. Sensors information security and location privacy are given to fog servers, which are capable of implementing high‐secure IDSs that are least vulnerable to attacks, contrary to IDSs in sensor nodes. Therefore, the proposed model provides a high‐secure sensors monitoring approach for mobile wireless sensors.

6 | SOFTWARE DEFINED INTRUSION DETECTION FRAMEWORK FOR MWSNS

The proposed approach has been designed specifically to detect selective forwarding attacks. Sensors should be configured to send only the information required to detect such an attack. Discovering other attacks (ie, delay forwarding attacks) requires the reconfiguration of sensors to send a different type of information. Attending sensors onsite for reconfiguration is an inflexible and impractical way, especially when sensors are deployed in hostile environments. Moreover, in MWSNs, the reconfiguration of sensors on site is even harder due to the mobility of sensors. Furthermore, MWSNs have many heterogeneous sensors with different features and vendors. Therefore, a lot of work and time is required for maintaining and managing these sensors; it is impractical to configure or update each sensor whenever an environment changes, especially when there is a huge number of sensors.29,30 Using managed and programmable sensors would be a better choice. Therefore, the paper proposes a software defined intrusion detection system (SDIDS) for MWSNs, which is needed for many reasons such as the following.

(1) Determining the type of information to be collected from sensors based on the type of attack to be detected. For example, detecting selective forwarding attacks needs collecting the number of received and forwarded packets by a monitored sensor, while detecting delay forwarding attacks needs collecting the times of received and forwarded packets by a monitored sensor. Determining a specific type of information to be sent by watchdog sensors, instead of different types of information, would have a great impact in reducing the processing time and the power consumption in sensors, and in reducing network traffic in MWSNs.

(2) Assigning watchdog sensors for a monitored sensor based on environment type, attack type, and closeness to the monitored node. How many watchdogs should be assigned to monitor a sensor? How close should a sensor be to a monitored sensor to be considered a watchdog? The answers to these questions depend on the policy used and may change from time to time, or environment to environment. Therefore, using SDIDS, these parameters are set and updated easily.

Setting the threshold value that is used to consider a sensor a malicious one, given the environment characteristics such as the normal dropping rate. For example, a normal dropping rate in an environment may need to be changed due to the increase in the rate of dropping packets because of non‐malicious conditions such as high traffic at some point of time and increasing the frequency of data measurements. Keeping the packet dropping threshold may severely increase the false positives. Therefore, SDIDS is used to update threshold values according to environment conditions.

(3) Changing the frequency of data measurements. Using SDIDS for MWSNs, increasing or decreasing the frequency of data measurements will be an easy job instead of manual configuration onsite.

(4) Adding or deleting sensors and updating databases in fog servers. The policies of adding and configuring new sensors as well as deleting malicious sensors from the databases of fog servers will be set, implemented, and updated easily using SDIDS.

Figure 5 shows the proposed framework. The middleware's main job is to set and broadcast the configurations to fog servers, which in turn format and translate the configurations to a form understood by the relevant sensors. The middleware consists of 3 main components, which are Policies, APIs, and Databases.

• The Policies part consists of the security policies that regulate access control and protect all assets, including the policies of identifying malicious sensors. As shown in the figure, administrators have access to these policies, and they can update them according to the changing conditions.

• The APIs part supports different purposes such as configuration APIs and Data APIs.31 The configuration APIs are responsible for reconfiguring sensors at runtime and setting up many measurements and parameters such as the threshold value of considering a sensor a malicious one due to selective forwarding or delay forwarding attack. Furthermore, the configurations set up the type of information to be sent by sensors, the watchdog sensors rules, their numbers, and closeness to monitored sensors requirements. Data APIs are used to collect information about sensors and store it in the corresponding databases. Furthermore, they continuously receive data about environment conditions and measurements that may be used to update some parameters such as threshold values as discussed earlier. Moreover, they may be used to receive special purpose data from fog servers and forward it to the cloud computing layer. We should mention here that the middleware should have powerful capabilities to cope with the large amount of received information and large number of sensors, to support good scalability, and to reduce the probability of bottleneck.

• The Databases part stores the configuration of each sensor, vendor, sensor access point, and fog server, etc.


FIGURE 5 Software defined intrusion detection framework for mobile wireless sensor networks


7 | EXPERIMENTS AND RESULTS

We used an extended version of CloudExp32 simulation tool to implement our proposed approach. The threshold value of considering a sensor malicious is 80% [RP/FP], which means that any sensor that drops more than 20% is considered malicious. The time window for calculating the threshold is 30 seconds. That is, a counter is set for each sensor, and after each 30 seconds, the percentage [RP/FP] is calculated to check whether a sensor is malicious. Each sensor sends 1 message per 3 seconds. The mobility of sensors follows the random waypoint model. The aim of the simulations is to test the correctness and the applicability of the proposed approach. The following subsections discuss the experiments and evaluate the proposed model.

FIGURE 6 Overhead of the proposed model on fog servers and the network

7.1 | Added overhead

The proposed model, as shown previously, provides an applicable method for mobile sensors monitoring and detection of malicious sensors. However, achieving this goal comes at some cost. To evaluate the cost level that the proposed model adds, the paper conducted an experiment that measures the overhead level added at both fog and network components. The overhead was measured by calculating the number of extra messages that should be handled at fog servers and the network when using the proposed model. Figure 6 demonstrates the added overhead on fog servers and the network at a time frame. The added overhead depends on the number of mobile sensors and the number of messages forwarded by mobile sensors. Hence, when the number of sensors is very large, a high quality network and well equipped fog servers are needed to handle the sensors traffic and detect malicious sensors.

7.2 | Power consumption in collectors

This experiment compares the power consumption in collectors in both static WSNs and the proposed approach in MWSNs. Figure 7 shows the comparison, where the y‐axis represents the average power consumption in collectors in Kilo Watt per Hour. As shown in the figure, as the number of sensors increases, the power consumption in collectors increases as they need to serve an increasing number of sensors. However, the power consumption in the proposed approach is less than that in the static WSNs. As discussed before, the collectors in static WSNs are fixed; therefore, as the number of sensors increases, more routing activities are processed in collectors, which increases the power consumption. Meanwhile, in the proposed approach, the collectors are not fixed, and many sensors may take the collecting and routing job due to mobility. Therefore, the collecting and routing task overhead is divided among sensors, which decreases the average power consumption in collectors. One more notice: as the number of sensors increases, the difference in power consumption in collectors between the static approach and the proposed approach increases. The analysis of this notice is that the increase in the number of sensors increases the number of messages that need to be collected and routed by collectors in both models and increases the number of possible collectors in the proposed approach due to mobility. While the same collectors have to handle all the messages in the static approach, more collectors may take the job of collecting and routing. This explains the aforementioned notice.

FIGURE 7 Power consumption in collectors in both environments: static wireless sensor networks and the proposed approach in mobile wireless sensor networks

Figure 8, which shows the routing overhead on collectors in the 2 models, confirms the results and analysis of Figure 8. As shown in the figure, the difference in the number of routed messages by collectors in both models increases as the number of sensors increases.

FIGURE 8 Routing overhead on collectors on both static wireless sensor networks and the proposed approach in mobile wireless sensor networks

7.3 | Detected malicious sensors

The purpose of this experiment is to show the effectiveness of the proposed model in detecting malicious sensors in MWSNs. To achieve this goal, 2 models were implemented. The first model is the proposed model, where mobile sensors, mobile collectors, and fog node are used. The second model does not use fog layer and sensors that are mobile. The goal of designing the aforementioned model is to show the need and the effectiveness of using the fog layer in detecting malicious mobile wireless sensors. A total of 1000 sensors and 5 fog nodes were used in both models. Initially, 200 sensors were created in a fog node area before they are allowed to move randomly. The closest 5 sensors to a monitored sensor were set as watchdogs for the monitored sensor. Figure 9 shows the results of the experiments, where 5 experiments were conducted using different percentages of malicious sensors. Obviously, the effectiveness of the proposed model in detecting malicious sensors is much better than the second model in all experiments (almost doubled). This refers to the fact that the proposed model stores the information about sensors when they move from one fog node area to another. Therefore, malicious sensors are detected regardless of their position. However, in the second model, when a sensor moves from the area of a fog node to another, its information is lost. This enables sensors to move to different areas before fog nodes collect enough votes to consider them malicious.

Another finding in this experiment is that the percentage of detected malicious sensors does not change when increasing the percentage of malicious sensors, which reflects the stability of the proposed model. However, although the proposed model detected most malicious sensors, some malicious sensors were not detected. According to the model design, this result may refer to the required number of votes to consider a sensor as malicious. In the proposed model, 3 votes out of 5 votes are needed to consider a sensor as malicious. However, due to continuous and random movement of sensors, some monitored sensors cannot get the required number of watchdogs. Therefore, some malicious sensors were not detected.

FIGURE 9 The percentage of detected malicious sensors using the proposed model in mobile wireless sensor networks and the static wireless sensor networks

8 | CONCLUSION AND FUTURE WORK

Mobile wireless sensor networks have received much attention due to exposure of cloud computing, IoT, vehicular networks, etc, and their applications. The immense growth in this field has brought security and privacy challenges. Securing MWSNs against various attacks is a key demand for their success. One of the serious attacks that threaten this important field is the Selective Forwarding attack. A common voting system countermeasure is used to defend WSNs against the aforementioned attack. The voting system is based on using neighboring sensors, called watchdogs, to monitor the traffic to/from a sensor and vote whether the monitored node is malicious or not. However, this approach is not applicable in MWSNs due to the continuous mobility of monitored sensors and watchdogs. This paper has proposed a model for detecting selective forwarding attacks in MWSNs. The model leverages the infrastructure of fog computing and its close proximity to the sensors layer to provide global IDSs that can trace and monitor mobile wireless sensors in their movement and detect malicious ones. The paper has tested the proposed model using CloudExp simulator. The results have shown the proposed model overhead on fog servers and network. Moreover, the results have shown that the proposed approach reduces the routing overhead and power consumption in collectors. Furthermore, the proposed approach has high accuracy in catching malicious sensors.

The cloud computing layer in the model can be used to store a complete history of information about all sensors. Therefore, the cloud layer can be used for mining attack patterns, big data analytics, attack prediction, etc. We plan to implement this layer in the future work.

ACKNOWLEDGEMENT

This work was supported in part by Jordan University of Science and Technology, Grant #74/2016.

REFERENCES

1. Stehlik M, Matyas V, Stetsko A. Towards better selective forwarding and delay attacks detection in wireless sensor networks. In: Proceedings of the 13th IEEE International Conference on Networking, Sensing and Control (ICNSC'2016). Mexico; 2016.

2. Zhu C. A survey on communication and data management issues in mobile sensor networks. J Wirel Commun Mob Comput. 2014;14:19‐36.

3. Sardar A, Sahoo R, Singh M, Sarkar S, Singh J, Majumder K. Intelligent intrusion detection system in wireless sensor network. In: Proceedings of the 3rd International Conference on Frontiers of Intelligent Computing: Theory and Applications (FICTA). India; 2014.

4. Shu L, Chen Y, Hara T, Hauswirth M, Nishio S. The new challenge: mobile multimedia sensor networks. J Multimed Intell Secur. 2011;2:107‐119.

5. Ren B, Ma J, Chen C. The hybrid mobile wireless sensor networks for data gathering. In: Proceedings of International Conference on Wireless Communications and Mobile Computing; 2006.

6. Munir S, Ren B, Jiao W, Wang B, Xie D, Ma J. Mobile wireless sensor network: architecture and enabling technologies for ubiquitous computing. In: Proceedings of International Conference on Advanced Information Networking and Applications Workshops; 2007.

7. Amundson I, Koutsoukos X. A Survey on Localization for Mobile Wireless Sensor Networks. In: Proceedings of MELT 2009. Orlando, FL, USA; 2009.

8. Yaseen Q, Albalas F, Jararweh Y, Al‐Ayyoub M. A Fog Computing Based System for Selective Forwarding Detection in Mobile Wireless Sensor Networks. In: Proceedings of the IEEE 1st International Workshops on Foundations and Applications of Self* Systems. Germany; 2016.

9. Mandala S, Ngadi A, Abdullah H. A survey on MANET intrusion detection. J Comput Sci Secur. 1999;2:1‐11.

10. Blazevic L. Self‐organization in mobile ad hoc networks: the approach of terminodes. J IEEE Commun Mag. 2001;39:166‐174.

11. Zhang W, Rao R, Cao G, Kesidis G. Secure routing in ad hoc networks and a related intrusion detection problem. In: Proceedings of IEEE MILCOM. Boston, MA, USA; 2003.

12. Anantvalee T, Wu J. A survey on intrusion detection in mobile ad hoc networks. Book Series Wireless Network Security. Springer; 2007:170–196.

13. Zhang Y, Lee W, Huang Y. Intrusion detection techniques for mobile wireless networks. J ACM/Kluwer Wirel Netw. 2003;9:545‐556.

14. Sterne D, Balasubramanyam P, Carman D, et al. A General Cooperative Intrusion Detection Architecture for MANETs. In: Proceedings of the 3rd IEEE International Workshop on Information Assurance (IWIA'05). College Park, MD, USA; 2005.

15. Albers P, Camp O, Percher J, Jouga B, Me L, Puttini R. Security in Ad Hoc Networks: a General Intrusion Detection Architecture Enhancing Trust Based Approaches. In: Proceedings of the 1st International Workshop on Wireless Information Systems. Ciudad Real, Spain; 2002.

16. Kachirski O, Guha R. Effective intrusion detection using multiple sensors in wireless ad hoc networks. In: Proceedings of the 36th Annual Hawaii International Conference on System Sciences. Big Island, HI, USA; 2003.

17. Hai TH, Huh E. Detecting selective forwarding attacks in wireless sensor networks using two‐hops neighbor knowledge. In: Proceedings of the 7th IEEE International Symposium on Network Computing and Applications. Cambridge, MA; 2008.


18. Ioannis K, Dimitriou T. Towards intrusion detection in wireless sensor networks. In: Proceedings of 13th European Wireless Conference; 2007.

19. Stetsko A, Smolka T, Matyas V, Stehlik M. Improving intrusion detection systems for wireless sensor networks. In: Proceedings of the 12th International Conference on Applied Cryptography and Network Security. Switzerland; 2014.

20. Keung G, Li B, Zhang Q. The intrusion detection in mobile sensor network. In: Proceedings of the ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc). Chicago, Illinois, USA; 2010.

21. Sun B, Guan Y, Chen J, Pooch UW. Detecting black‐hole attack in mobile ad hoc networks. In: Proceedings of the 5th European Personal Mobile Communications Conference. Glasgow, United Kingdom; 22–25 April 2003.

22. Kozma W, Lazos L. REAct: Resource‐efficient accountability for node misbehavior in ad hoc networks based on random audits. In: Proceedings of the 2nd ACM Conference on Wireless Network Security. Zurich, Switzerland; 16–18 March 2009.

23. Djenouri D, Badache N. Struggling against selfishness and black hole attacks in MANETs. J Wirel Commun Mob Comput. 2008;8(6):689‐704.

24. Tamilselvan L, Sankaranarayanan V. Prevention of blackhole attack in MANET. In: Proceedings of the 2nd International Conference on Wireless Broadband and Ultra Wideband Communications. Sydney, Australia; 27–30 August 2007.

25. Raj PN, Swadas PB. DPRAODV: a dynamic learning system against blackhole attack in AODV based MANET. J Comput Sci. 2009;2:54‐59.

26. Jaisankar N, Saravanan R, Swamy K. A novel security approach for detecting black hole attack in MANET. In: Proceedings of the International Conference on Recent Trends in Business Administration and Information Processing. Thiruvananthapuram, India; 26–27 March 2010.

27. Mistry N, Jinwala D, IAENG, Zaveri M. Improving AODV protocol against blackhole attacks. In: Proceedings of the International MultiConference of Engineers and Computer Scientists. Hong Kong; 17–19 March 2010.

28. Ahmed A, Ahmed E. A survey on mobile edge computing. In: Proceedings of the 10th IEEE International Conference on Intelligent Systems and Control (ISCO 2016). India; 2016.

29. Hu F, Hao Q, Bao K. A survey on software defined networking (sdn) and openflow: from concept to implementation. J IEEE Commun Surv Tutorials. 2014;16:2181‐2206.

30. Jararweh Y, Alayyoub M, Darabseh A, Benkhelifa E, Vouk M, Rindos A. SDIoT: a software defined based Internet of Things framework. J Ambient Intell Humaniz Comput. 2015;6:453‐461.

31. Cecchinel C, Jimenez M, Mosser S, Reveill M. An architecture to support the collection of big data in the Internet of Things. In: Proceedings of the IEEE world congress on services (SERVICES); 2014.

32. Jararweh Y, Jarrah M, Kharbutli M, Alsaleh M, Al‐Ayyoub M. Cloudexp: a comprehensive cloud computing experimental framework. J Simul Model Pract Theory. 2014;49:180‐192.

How to cite this article: Yaseen Q, Albalas F, Jararwah Y, Al‐Ayyoub M. Leveraging fog computing and software defined systems for selective forwarding attacks detection in mobile wireless sensor networks. Trans Emerging Tel Tech. 2017;e3183. https://doi.org/10.1002/ett.3183