ArticlePDF Available

Wireless sensor network intrusion detection system based on MK-ELM

Authors:
Wenjie Zhang
Wenjie Zhang
Wenjie Zhang
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Dezhi Han at Huazhong University of Science and Technology
Dezhi Han
Kuan-Ching Li at Providence University
Kuan-Ching Li
Francisco Isidro Massetto
Francisco Isidro Massetto
Francisco Isidro Massetto
  • This person is not on ResearchGate, or hasn't claimed this research yet.
Download full-text PDF
Read full-text
Download citation

Abstract and Figures

Advances in digital electronics, wireless communications, and electro-mechanical systems technology have revolutionized the society and economy across the globe by enabling the development of low-cost, low-power, and multi-functional sensor nodes, from which the sensor networks are realized by leveraging the features of sensing, data processing, and communication present in these nodes. Though the energy of the wireless sensor network (WSN) nodes is limited, the detection of existing intrusion detection systems in WSN is weakly accurate further. To reduce the energy consumption of nodes in WSNs during detection processing, we propose a hierarchical intrusion detection model that clusters the nodes in a WSN according to their functions. Even more, to improve the detection accuracy of abnormal behavior of the WSN intrusion detection system and reduce the false alarm rate, it is considered in this research the usage of the classification algorithm of kernel extreme learning machine, following to Mercer Property to synthesize multi-kernel functions. We realize the optimal linear combination by testing and applying the multi-kernel function and build a multi-kernel extreme learning machine to WSN intrusion detection systems. Simulation results show that the system not only guarantees a high detection accuracy but also dramatically reduces the detection time, being well suited for resource-constrained WSNs.
Figures - uploaded by Dezhi Han
Author content
All figure content in this area was uploaded by Dezhi Han
Content may be subject to copyright.
Content uploaded by Dezhi Han
Author content
All content in this area was uploaded by Dezhi Han on Dec 02, 2021
Content may be subject to copyright.
METHODOLOGIES AND APPLICATION
Wireless sensor network intrusion detection system based on MK-ELM
Wenjie Zhang
1
Dezhi Han
1
Kuan-Ching Li
2
Francisco Isidro Massetto
3
Published online: 10 January 2020
ÓSpringer-Verlag GmbH Germany, part of Springer Nature 2020
Abstract
Advances in digital electronics, wireless communications, and electro-mechanical systems technology have revolutionized
the society and economy across the globe by enabling the development of low-cost, low-power, and multi-functional sensor
nodes, from which the sensor networks are realized by leveraging the features of sensing, data processing, and commu-
nication present in these nodes. Though the energy of the wireless sensor network (WSN) nodes is limited, the detection of
existing intrusion detection systems in WSN is weakly accurate further. To reduce the energy consumption of nodes in
WSNs during detection processing, we propose a hierarchical intrusion detection model that clusters the nodes in a WSN
according to their functions. Even more, to improve the detection accuracy of abnormal behavior of the WSN intrusion
detection system and reduce the false alarm rate, it is considered in this research the usage of the classification algorithm of
kernel extreme learning machine, following to Mercer Property to synthesize multi-kernel functions. We realize the
optimal linear combination by testing and applying the multi-kernel function and build a multi-kernel extreme learning
machine to WSN intrusion detection systems. Simulation results show that the system not only guarantees a high detection
accuracy but also dramatically reduces the detection time, being well suited for resource-constrained WSNs.
Keywords Wireless sensor networks Intrusion detection Kernel extreme learning machine Multi-kernel learning
1 Introduction
With the increased connectivity between networks, the
openness of wireless sensor network deployment area and
the broadcast ability of wireless communication make the
network vulnerable to external attacks or intrusions,
severely increasing the exposure to risks that threaten
information systems’ availability in the network system
infrastructure. Intrusion detection technology is widely
used in network security protection, as it refers to col-
lecting and analyzing data from the network to detect
abnormal behavior in the network.
By using different detection methods, wireless sensor
networks (WSNs) intrusion detection is classified into 2
categories: anomaly detection and misuse detection. The
former is a detection method based on a mathematical
model since a standard network model is established with
normal network behavior profile and calculated whether
specific feature values of network behavior deviate from
average values. If the limit threshold is exceeded, it is
determined that an intrusion has occurred. Anomaly
detection methods include (1) anomaly detection based on
data mining, (2) anomaly detection based on machine
learning, and (3) anomaly detection based on clustering;
the latter is an intrusion detection method based on an
information base, as it establishes a data state information
base for known attack network behavior and establishes
one or more matching patterns for each intrusion. By
matching with user behavior, if the matching patterns are
found in the information base, the existing intrusion pat-
terns can be quickly detected.
Communicated by V. Loia.
&Kuan-Ching Li
kuancli@pu.edu.tw
Dezhi Han
dzhan@shmtu.edu.cn
Francisco Isidro Massetto
francisco.massetto@ufabc.edu.br
1
College of Information Engineering, Shanghai Maritime
University, Shanghai 201306, China
2
Department of Computer Science and Information
Engineering (CSIE), Providence University, Taichung 43301,
Taiwan
3
Center for Cognition and Complex Systems, Universidade
Federal do ABC (UFABC), Santo Andre
´, SP 09210-580,
Brazil
123
Soft Computing (2020) 24:12361–12374
https://doi.org/10.1007/s00500-020-04678-1(0123456789().,-volV)(0123456789().,-volV)
Neural networks have the advantages of self-learning
ability, classification ability, and good robustness, and have
attracted a large number of scholars to investigate the
intrusion detection algorithm based on neural network and
have achieved interestingly good results. Shone et al.
(2018) proposed a deep learning approach to network
intrusion detection, which reduces the training time of
samples and has high accuracy and detection rate. Yin et al.
(2017) proposed an intrusion detection algorithm based on
recurrent neural network incurred the performance in bin-
ary classification and multi-classification, as well as the
effect of a different number of neurons and learning rate on
model performance.
Kernel extreme learning machine (KELM) is an excel-
lent classification algorithm in artificial neural networks
(ANNs). Huang and Chen (2007) studied the least-squares
supported vector machines (LS-SVM) and found that the
kernel function has excellent advantages in dealing with
large-scale complex data. Later, Huang et al. introduced
kernel function into ELM to construct the kernel extreme
learning machine (KELM) with the least-square optimal
solution. Compared with the extreme learning machine
(ELM) (Huang et al. 2006), KELM does not need to set the
number of network hidden layer nodes, since the kernel
function is used to represent the unknown nonlinear feature
mapping of the hidden layer, and the regularized least-
squares algorithm calculates the output weights of the
network (Liang et al. 2019). Fast calculation speed and
high classification accuracy of KELM algorithms are
shown to be attractive. In this paper, an intrusion detection
system based on multi-kernel extreme learning machine
(MK-ELM) for clustered WSN environments, showing a
high detection rate, low false positive rate, and low energy
consumption is proposed. Experimental results obtained
show promising performance with breakneck learning
speed.
The remaining of this paper is organized as follows.
Related work is introduced in Sect. 2, the proposed multi-
kernel extreme learning machine (MK-ELM) construction
approach is described in Sect. 3, and the design of WSN
intrusion detection system based on MK-ELM is presented
in Sect. 4. In Sect. 5, experimental results and discussions
are presented. Finally, conclusion remarks and future work
are given in Sect. 6.
2 Related work
Wireless sensor network is obtaining significant interest,
and its application is being investigated within many
research fields. The security of wireless sensor networks is
becoming more and more important, so its intrusion
detection is particularly significant. There are several
existing works within the field of WSN intrusion detection
system. In this section, we will discuss the most current
notable works.
In previous studies, WSN intrusion detection mostly
utilizes single-point independent detection, as proposed
and deployed by (Silva et al. 2005) the detection algorithm
on a single detection node. In the analysis of intrusion
detection, once the number of failures caused by non-
compliance with rules is more than the number of failures
caused by accidental network reasons, the intrusion is
determined to have occurred. Based on linear prediction
theory, Han et al. (2010) constructed a Markov mathe-
matical prediction model on a single sensor node. If the
absolute value of the difference between the actual and
predicted network traffic is higher than the preset threshold
value, an attack behavior is determined. Due to the
resource-constrained of nodes in WSN, single-point inde-
pendent detection is not applicable.
For planar networks, peer-to-peer cooperative detection
is mainly used. Ping et al. (2015) designed a multi-agent
intrusion detection system based on immune theory. The
monitoring agent is deployed on each node, and the deci-
sion agent matches the collected data features. Once an
attack is determined on a sensor node, the nearby Killer
agent is activated, and the Killer agent responds and iso-
lates the anomalous node. Hierarchical detection is mainly
used for heterogeneous networks, as proposed by Rani and
Jayakumar (2017) a hierarchical intrusion detection
method that layers the WSN network progressively. The
sensor nodes are set as the first layer, the aggregation nodes
as the second layer, and the upper base station is the third
layer responsible for anomaly detection of received infor-
mation, analyzing data and judging whether an intrusion
has occurred.
Due to the random initialization of the ELM algorithm,
it is difficult to build a sample-based nonlinear model.
KELM solves this problem and shows good robustness to
model parameters. Zhang et al. (2014) proposed an online
modeling of kernel extreme learning machine based on fast
leave-one-out cross-validation. Experimental results show
that the proposed algorithm improves the detection rate of
the original kernel extreme learning machine, though the
random selection of dataset has a high impact on the
classification performance. Tang et al. (2016) proposed an
extreme learning machine for multi-layer perceptron and
tested on KDD CUP 99 dataset, where the performance
compared with previous results shows to be effective.
Wang et al. (2018) applied the equality constrained-opti-
mization-based extreme learning machine to network
intrusion detection and proposed an adaptive optimization
criterion for hidden neurons, which effectively establish a
model with high attack detection rate and fast learning
speed.
12362 W. Zhang et al.
123
Borkar et al. (2019) presented an efficient clustering
technique called adaptive chicken swarm optimization
algorithm. Through this adaptive method, the lifetime and
scalability of the WSN are improved, and the time con-
sumption is also greatly reduced. In addition, a two-stage
classification method called adaptive SVM is proposed,
which uses an acknowledgment-based method to report
malicious sensor nodes. Their work concluded that the
hierarchical intrusion detection model offers better accu-
racy than conventional method. Dai and Pan (2019) pro-
posed an improved DBN-ELM integrated intrusion
detection classification, the model uses the feature extrac-
tion of the DBN to represent the learning network, and the
ELM and final learning are determined by the majority
vote. Although this algorithm improves the accuracy and
reduces the false alarm rate, it increases the complexity of
the algorithm.
The focus of the above references is to solve WSN
intrusion detection problems with previous learning algo-
rithms or to solve intrusion detection problems with
machine learning methods in traditional networks. There-
fore, it is proposed in this paper an intrusion detection
method for WSNs based on a multi-kernel extreme learn-
ing machine (MK-ELM). By comparing to previous works,
MK-ELM model is applied for classification. As there is no
need for iterative training, this algorithm is fast and time-
saving. Besides, NSL-KDD and UNSW-NB 15 datasets are
applied to training and testing the model, comparing the
experimental results with SVM (Maleh et al. 2015) and
basic ELM (Zhang et al. 2014; Zhang 2014).
Based on the issues mentioned above, the contributions
in this paper are twofold. The former is the investigation of
the intrusion detection system model and propose a hier-
archical intrusion detection model in clustered WSN, while
the latter is the design of a suitable multiple kernel function
applying the extreme learning machine based on the theory
of multi-kernel function. By training and adjusting the
required parameters, the multi-kernel extreme learning
machine (MK-ELM) investigated meets the efficiency of
the intrusion detection system design.
3 ELM algorithm
3.1 Kernel extreme learning machine
The network of the extreme learning machine is single-
hidden-layer feed-forward neural networks (SLFNs). As
shown in Fig. 1,mis the number of input layer nodes, Lis
the number of hidden layer nodes, and nis the number of
output layer nodes. The training samples are x1;x2;...;xp,
and the corresponding labels are t1;t2;...;tp.gðxÞ
represents activation function of the hidden layer, wis the
weight matrix of size mL,wirepresents the weight
vector between the i-th node of the hidden layer and the
input layer, biis bias value of the i-th node in the hidden
layer. bis the weight matrix of size Lnbetween the
hidden layer and output layer, birepresents the weight
vector between the i-th node of the hidden layer and the
output layer. Randomly generated of wiand bi. The solu-
tion is transformed into Moore–Penrose generalized
inverse. Thus, the ELM can directly generate a globally
optimal solution, and the resolution speed is fast (Huang
et al. 2015).
The output of an ELM network with Lhidden neurons is
expressed as:
y¼X
L
i¼1
bigðwT
ixþbiÞð1Þ
Moreover, the hidden layer output matrix is as follows:
H¼
gðwT
1x1þb1Þ  gðwT
Lx1þbLÞ
.
.
...
..
.
.
gðwT
1xmþb1Þ  gðwT
LxmþbLÞ
2
6
43
7
5ð2Þ
where hðxiÞ¼gðwT
1xiþb1Þis a function of hidden layer
node mapping, which is only related to xi.
Next, the optimization objective of ELM is as follows:
min
bjjHbTjj2þC
2jjbjj2ð3Þ
where Cis the regularization parameter, and Eq. (3) can be
solved as:
b¼ðHTHþCIÞyHTTð4Þ
where ðHTHþCIÞyis the Moore–Penrose generalized
inverse of ðHTHþCIÞ.
Accordingly, the classification of the extreme learning
machine can be expressed as:
fðxÞ¼sign hðxÞHTI
CþHHT

1
T
!
ð5Þ
Fig. 1 Basic ELM structure
Wireless sensor network intrusion detection system based on MK-ELM 12363
123
As shown in Fig. 1, the activation function in the output
matrix H of the hidden layer is unknown, and kernel
functions can be introduced into ELM. Moreover, a kernel
function to replace HHTis built, presented in Eq. (6) as:
HHTði;jÞ¼Kðxi;xjÞð6Þ
HHT¼XELM ¼
Kðx1;x1Þ  Kðx1;xjÞ
.
.
...
..
.
.
KðxN;x1Þ  KðxN;xNÞ
2
6
43
7
5ð7Þ
hðxÞHT¼
Kðx;x1Þ
.
.
.
Kðx;xNÞ
2
6
43
7
5ð8Þ
By substituting Eqs. (6)–(8) into Eq. (5), the equations
above can be equivalently written as:
fðxÞ¼sign
Kðx;x1Þ
.
.
.
Kðx;xNÞ
2
6
43
7
5
T
I
CþXELM

1
T
0
B
@1
C
Að9Þ
As shown in Eq. (9), kernel extreme learning machine
(KELM), as an optimization solution that is a combination
of machine learning theory with standard optimization
method, has better generalization performance due to rel-
atively weak optimization constraints. In the specific kernel
implementation of the extreme learning machine, the fea-
ture mapping gðxiÞof hidden layer is usually unknown, and
the corresponding kernel (e.g., the kernel
Kðx;xiÞ¼expðjjxxijj2=d2Þ) is generally given. Com-
paring with traditional support vector machine (SVM),
KELM has better performance owing to fewer constraints
(Cao et al. 2014).
3.2 Multi-kernel learning theory
By combining the kernel functions with different charac-
teristics, advantages of multi-kernel functions can be
obtained, such as better mapping performance. Mercer’s
theorem (Girolami 2002) is a sufficient condition for con-
structing kernel functions, referring that any semi-positive
definite symmetric function can be used as a kernel func-
tion. Different kernel functions have different effects on the
performance of the constructed MK-ELM. Thereupon, a
weighted multi-kernel synthesis method has emerged,
whereas similar multi-kernel method is obtained by the
linear combination of multiple kernels. Figure 2is the
schematic diagram of this composition.
Next, the linear combination of multi-kernel functions
as a math formula is described. Suppose that Kðx;xiÞis a
known kernel function, and ^
Kðx;xiÞis the normalized form
of the kernel function, the kernel function can be
normalized as follows: ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
Kðx;xÞKðx1;x1Þ
p. Using the
symbols introduced above, the following synthetic kernels
can be defined:
(a) Direct summation kernel:
Kðx;xiÞ¼X
M
j¼1
^
Kjðx;xiÞð10Þ
(b) Weighted summation kernel:
Kðx;xiÞ¼X
M
j¼1
bj^
Kjðx;xiÞ
s.t. bj0;X
M
j¼1
bj¼1
ð11Þ
(c) Weighted polynomial extended kernel:
Kðx;xiÞ¼l^
Kp
1ðx;xiÞþð1lÞ^
Kp
2ðx;xiÞð12Þ
where Kpðx;xiÞis a polynomial extended kernel of Kðx;xiÞ.
3.3 The proposed MK-ELM
The KELM algorithm combines the advantages of extreme
learning machine and the generalization performance of the
support vector machine method, though still under the
single-kernel learning method. Besides, its classification
performance is affected by the type of kernel function and
the selection of kernel parameters. Taking into considera-
tion that KELM is composed of a single-kernel function, it
has drawbacks such as poor robustness and low detection
accuracy. In according with the Mercer property of kernel
function, combining the multi-kernel learning method with
Fig. 2 Linear combination schematic diagram of multi-kernel
functions
12364 W. Zhang et al.
123
ELM and the proposed multi-kernel extreme learning
machine model, the algorithm is derived next.
Linear combination of multi-kernel functions usually
adopts several kernels, e.g., linear kernel Kðx;xiÞ¼xxi,
Gaussian kernel Kðx;xiÞ¼expðjjxxijj2=d2Þ, and
polynomial kernel Kðx;xiÞ¼ðxxiþ1Þd. The obtained
multi-kernel function overcomes the deficiency present in
single-kernel functions, and the form of the multi-kernel
function is as follows:
Kðx;xiÞ¼l1K1ðx;xiÞþl2K2ðx;xiÞ
þl3K3ðx;xiÞþþlmKmðx;xiÞ
s.t. X
m
k¼1
lk¼1;8uk0
ð13Þ
where each of the kernel function in Eq. (13) may be a
different type kernel, such as a Gaussian kernel and a
wavelet kernel, which can also be the same type kernel
with different kernel parameters.
The optimization problem of the multi-kernel extreme
learning machine can be described as:
minLMKELM ¼1
2Xk
1
uk
jjwkjj2þC1
2X
N
i¼1
n2
i
s.t. XkKðx;xiÞwk¼tini;i¼1;...;N;
Xk
1
lk
¼1
ð14Þ
where wkis feature weight corresponding to the adopted
kernel function Kðx;xiÞ.niis the predicted error of sample
i, and Cis regularization parameter to balance model
complexity and predictive performance.
By replacing the kernel matrix of Eq. (9) in the ELM
with the newly constructed multi-kernel function, the
multi-kernel extreme learning machine (MK-ELM) algo-
rithm is obtained by following:
Step 1 Initialize sample set N,N¼fðxi;tiÞjxi2Rm;
ti2Rm;i¼1;2;...;Ng,
Step 2 Through constructed multi-kernel formula
Eq. (13), combining different single-kernel functions,
selecting the optimal kernel function combination, and
determining the regularization parameter C and kernel
parameters; construct optimal MK-ELM,
Step 3 Randomly generated weights wand bias
bbetween the input layer and hidden layer according
to MK-ELM algorithm,
Step 4 Input training samples, calculate hidden layer
output matrix H and output layer weight matrix bby
Eqs. (2) and (4),
Step 5 Input testing samples, test the performance of
MK-ELM through a large number of experiments;
compare the performance of MK-ELM composed of
different single-kernel functions,
Step 6 Output the classification result and get the MK-
ELM classifier.
The process of MK-ELM algorithm is illustrated in
Fig. 3.
4 WSN intrusion detection system
4.1 Wireless sensor network model
The wireless sensor network (WSN) consists of sensor
nodes, cluster head nodes, sink nodes, and management
node (Butun et al. 2014). To ensure the stable operation of
the network, the WSN is clustered to effortless manage-
ment processing. A large number of sensing nodes are
deployed in the monitoring area, and they form a network
in a self-organizing manner; the cluster head nodes trans-
mit the collected information to the sink node through
multi-hop relay, reaching to the management node through
satellite or the Internet. The user can remotely configure or
manage the network through the management node and
issue monitoring tasks.
The WSN network model is shown in Fig. 4. The model
consists of three parts: a large number of sensor nodes
distributed in the monitoring area, a small number of
scattered sink nodes and management node. The functions
of each part are as follows:
(1) Sensor node As the basis of WSN, the main task is to
collect the data information of each range, process
the collected information, and then transmit the
Start
Initialize the training
sample
Construct MK-ELM
model
Randomly generate the
Weight w, bias b
Input training sample,
training MK-ELM,
update H and
Input tes t sam ple ,
Test MK-ELM
Output classification
result
End
Fig. 3 Flowchart of MK-ELM algorithm
Wireless sensor network intrusion detection system based on MK-ELM 12365
123
information to the upper node; this part includes
common sensor nodes and cluster head nodes,
(2) Sink node Fuses the data information sent by the
cluster head sensor, and then transmits it to the
management node through other network channels
such as the Internet and satellite,
(3) Management node It is directly oriented to the user.
Used to observe the running status of the network,
perform intrusion detection and analysis on the data
information sent by the sink nodes, and take
corresponding operations. Besides, the management
node can also actively send a query request to the
WSN.
The assumptions of the wireless sensor network envi-
ronment in this paper are fourfold, and are listed as:
(1) The wireless sensor network is a clustered network.
The common nodes in the cluster can communicate
directly with the cluster head nodes. The cluster head
nodes can communicate with the sink nodes directly
or through other cluster heads, and the sink nodes
can directly communicate with the management
node,
(2) Each node is static, has a unique identifier ID, and
belongs to only one cluster. The cluster head node is
necessarily the same as the common node, and the
sink node has more resources and energy,
(3) The data transmission model of the network is
hybrid, including the sustainability model and the
event-driven transmission model,
(4) The state of the node includes a sleep state, a
monitoring state, and an active state.
4.2 Hierarchical intrusion detection model
As WSNs have many restrictions, it is necessary to con-
sider the following aspects when designing an intrusion
detection model:
(1) Energy saving The overall design of the model
should not be sophisticated. Else, it significantly
increases the energy cost of the network in the actual
application and eventually leads to shortening the
life cycle of the network,
(2) Detection accuracy Since the design of the intrusion
detection system should consider the requirements of
real time and application, how to improve the
accuracy of detecting intrusion and reduce the false
negative rate and false positive rate have become the
main concerns of intrusion detection systems,
(3) Processing power for large traffic networks.
WSNs have gradually entered into people’s lives and
have been applied in several fields that lead to an
increasing amount of data to be processed. Therefore, this
intrusion detection system should also be capable of pro-
cessing under massive data traffic.
Being WSNs different from traditional computer net-
works such as terminal type, data transmission, and net-
work topology, traditional network intrusion detection
methods are no longer applicable. Each device in WSNs is
divided into three layers according to its characteristics,
which framework for intrusion detection of WSNs is
depicted as Fig. 5. The model of wireless network intrusion
detection based on MK-ELM adopts anomaly detection
method, and according to the characteristics of the kernel
Sensor node Cluster head
node
Sink node
Sink node
Satellite or the
Internet
Management
node
Monitoring
area
Monitoring
area
Fig. 4 WSN model
12366 W. Zhang et al.
123
function, a multi-kernel extreme learning machine is con-
structed to resolve the limitations of the single-kernel
extreme learning machine in dealing with intrusion detec-
tion. With the large and unevenly distributed features of the
intrusion data, data preprocessing is conducted, so data
processed are used as the dataset of intrusion detection.
The networks are mostly heterogeneous in WSNs. That
is, different types of nodes in the network have different
responsibilities (Bao et al. 2012; Liang et al. 2020). For
instance, the capacity of sink node is higher than that of
cluster head node and common nodes in the cluster of a
clustered hierarchical WSN, as management node is at a
terminal location and its energy can be regarded as infinite
relative to another type of nodes. Based on this fact, the
hierarchical intrusion detection method takes into account
the difference in functions between nodes and maximizes
the use of nodes in the wireless sensor network. Based on
the limited energy of nodes in WSN yet the perspective of
saving network energy consumption, only simple data
collection and aggregation work are carried out on ordinary
nodes. Next, the cluster head node transmits the collected
data to the sink node for data preprocessing. Finally, the
detection and anomaly processing modules are imple-
mented on the management node with infinite energy. Such
an arrangement can effectively reduce energy consumption
in intrusion detection systems. The functions of each level
are as follows:
(1) Perception layer It contains common sensor nodes
and cluster head nodes. Common sensor nodes in the
monitoring area are used to sense and collect data,
and cluster head nodes are used to summarize data
sent by current common nodes. This layer collects
network packets, TCP/IP traffic packets, and other
information,
(2) Data aggregation layer This layer is composed of
sink nodes. Firstly, data sent by network and cluster
head nodes are collected. Next, the data are fused,
and the intrusion detection features are extracted.
The preprocessed data are sent to the core control
layer for analysis and judgment. As the collected
network data format is not uniform, and there is data
information that cannot be recognized by the clas-
sifier, so the data should be digitized or vectorized in
advance. Each dimension feature value corresponds
to a number, and the next step is normalization. After
the operation of vectorization and normalization, the
feature values of each dimension are distributed
between [0, 1],
(3) Core control layer This layer consists of manage-
ment nodes, including intrusion detection modules
and anomaly handling modules,
(4) Intrusion detection module Responsible for receiving
data information from sink node and intrusion
judgment. As the core part of the intrusion detection
system, the accuracy and timeliness of data infor-
mation analysis in this module affect the perfor-
mance of the whole intrusion detection system. The
module utilizes the MK-ELM detection algorithm as
a classifier to predict and classify the testing dataset,
(5) Anomaly handling module The output of the intru-
sion detection module is sent to the anomaly
handling module, in which the final response is
analyzed, and the corresponding measures are taken.
To reach the best decisions before the intrusion
detection model is output, two situations need to be
considered: the accuracy of the detection model and
the possible classification of the attack. Because the
false alarm rate of the MK-ELM can reduce the
accuracy of the detection module, setting the alarm
threshold can improve the detection precision of the
module. The WSN is detected using the intrusion
detection module of the core control layer, and the
output is sent to the anomaly handling module.
Whenever the number of abnormal data detected
reaches the alarm threshold, the node that requests
the maximum number of records is found by the
node routing table (Dai et al. 2018), according to the
data collected by the common sensor node of the
sensing layer and regarded as an abnormal node. The
message is sent to the management node of the IDS
Intrusion
detection
Exception
handling
Collect data Summarize
data
Data
preprocessing
Perception layer
Core control layer
Data aggregation layer
Fig. 5 WSN intrusion detection framework
Wireless sensor network intrusion detection system based on MK-ELM 12367
123
core control layer, and the user decides to remove the
neighbor nodes from the routing table of the
abnormal nodes. Next, the abnormal nodes are
removed from the system, so the abnormal nodes
are ignored in the next communication, according to
the routing protocol.
Based on energy saving, high detection accuracy, and
large-scale network detection capability, our intrusion
detection model is based on hierarchical WSN. Due to the
unlimited energy of the management node, we let intrusion
detection algorithm model on the management node to
operate intrusion detection. However, a two-step faulty
nodes detection algorithm is based on spatial–temporal
cooperation for WSN (Dai et al. 2018). The intrusion
detection algorithm is placed on the sink node. Due to the
limited energy of the sink node, it is more reasonable to
place the intrusion detection algorithm model on the
management node. At present, many intrusion detection
systems use SVM and basic ELM for intrusion detection,
but their accuracy is lower than MK-ELM and their false
alarm rate is higher than MK-ELM. From the perspective
of WSN node energy and intrusion detection indicators, the
proposed algorithm has great advantages.
5 Simulation experiments
The experiment is performed on a personal computer,
configured with Intel 4-core i5-6500 3.2 GHz CPU pro-
cessor, 6 MB cache, 8 GB memory, and GPU acceleration
disabled running Windows 7 OS. The software environ-
ment is MATLAB R2014b version.
5.1 Dataset
5.1.1 NSL-KDD dataset
KDD Cup99 dataset is the most widely used dataset for
evaluations of intrusion detection systems. Nevertheless,
this dataset is duplicative, redundant, and imbalanced,
which seriously affects the performance of the evaluated
intrusion detection systems. As shown in Table 1, this
paper utilizes NSL-KDD dataset which is a less biased
subset from the KDD Cup99 dataset and covers the
KDDTrain
?
dataset as the training set and KDDTest
?
dataset, as the testing set that has different standard records
and four different types of attack records. This dataset
contains 148,517 samples, with 41 features and 5
categories.
(1) Vectorization of symbol features
Firstly, we must convert some non-numeric features, such
as ‘protocol_type,’ ‘service,’ and ‘flag’ features, into
numeric form. For instance, the three protocol types: TCP,
UDP, and ICMP, are converted into binary digital feature
vectors: TCP{1,0,0}, UDP{0,1,0}, and ICMP{0,0,1}. The
service type feature is extended to 70-dimensional features,
and the state of flag feature is extended to 11-dimensional
features. Coming next, the 41-dimensional features map
into 122-dimensional features after transformation. Simi-
larly, to test the accuracy of the machine learning classi-
fication algorithms, 40 types of labels are classified into
Normal, Dos, Probe, U2R, and R2L together 5 categories.
(2) Normalization of digital features
In the NSL-KDD dataset, there are 41 feature items with
different value ranges. Some of the values higher than 10
6
dramatically affects ELM performance and makes smaller
features easy to be ignored. Therefore, to facilitate
numerical calculation and avoid excessive proportion of
features with large values in the training process, it is
necessary to normalize the feature data. Normalization
maps the original data to the range of standard attributes
through some mapping so that the data can be transformed
into [0,1] intervals. The min–max normalization formula is
as follows:
x¼xixmin
xmax xmin
ð15Þ
where xidenotes the value to be normalized, xmin denotes
the minimum value in a dimension, xmax denotes the
maximum value in a dimension, and xdenotes the nor-
malized value.
5.1.2 UNSW-NB 15 dataset
UNSW-NB 15 dataset is created by UNSW cybersecurity
laboratory through IXIA PerfectStorm tool and released in
2015. It contains real modern normal and the synthetical
abnormal network traffic in the synthetic environment.
UNSW-NB 15 represents nine major families of attacks,
and contains 49 features and their labels. As depicted in
Table 2, a partition of this dataset is configured as two sets,
training set and testing set. The major disadvantage of
NSL-KDD is that it does not represent the current low
footprint attack scenarios. Thus, to further validate the
Table 1 Different classifications in the NSL-KDD dataset
NSL-KDD All types Normal Dos Probe R2L U2R
KDDTrain
?
125,973 67,343 45,927 11,656 995 52
KDDTest
?
22,544 9711 7458 2421 2754 200
12368 W. Zhang et al.
123
performance of the proposed method, UNSW-NB 15
dataset is applied to validate the indicators selected.
Similar to the NSL-KDD dataset, we first digitize the
characteristic features of the UNSW-NB 15 and then nor-
malize the data features. There are two forms of label
processing: divided into 2 categories and 10 categories.
The size of the training set and testing set is 82,332 944
and 175,341 944 dimensions, respectively, and the size of
the training set and testing set in the second method is,
respectively, 82,332 952 and 175,341 952 dimensions.
Ten-category labels of UNSW-NB 15 are shown in
Table 3.
5.2 Multi-kernel function parameters setting
Extensively tested the weights of commonly used kernel
functions, the results are shown in Table 4. Referencing to
optimal parameters from other publications, some of the
parameters are determined in advance (Cheng et al. 2012).
This experiment is based on following parameters: the
regularization parameter C=2
17
, the kernel parameter of
RBF = 100, the kernel parameter of multiquadric ker-
nel = 75, and 5000 different training data and testing data,
respectively, from KDDTrain
?
and KDDTest
?
in NSL-
KDD are chosen. Similarly, we take 5000 different sam-
ples, respectively, from the training set and testing set of
UNSW-NB 15. The experimental accuracy of KDDTest
?
is obtained in the five-category experiment.
Even so, the accuracy of UNSW-NB 15 is obtained in
the two-category experiment. In the process of searching
for the best performance multi-kernel function, the control
variable method is adopted. In this research, we take into
account the performance of different combinations and the
MK-ELM with the best performance is selected. As can be
seen in Table 4, the best accuracy can be achieved when
the weight of the RBF kernel is 0.3, and the weight of the
multiquadric kernel is 0.7. Therefore, the optimal combi-
nation of the multi-kernel function selected is 0.3RBF
kernel ?0.7 multiquadric kernel.
5.3 Performance evaluation
5.3.1 Evaluation metrics
The accuracy AC (accuracy) is used to measure the per-
formance of the proposed MK-ELM intrusion detection
algorithm, as the total rate of correct decisions whether the
incident of an attack happened. Three performance metrics
are used: true positive rate (TPR), false positive rate (FPR),
and false negative rate (FNR), which represents the rate of
attack cases identified correctly, the rate of no-attack cases
identified as attacks by the system, and the rate of attack
cases identified as normal ones, respectively.
The receiver operating curve (ROC) helps in visualizing
a classifier’s performance by plotting the actual positive
rate against the false positive rate of the classifier. The area
under the ROC gives the best estimate of an average of
average performance of the classifier. Higher the area,
more significant is the performance. The calculation
methods are:
AC ¼TP þTN
TP þTN þFP þFN ð16Þ
TPR ¼TP
TP þFN ð17Þ
FPR ¼FP
FP þTN ð18Þ
FNR ¼FN
FN þTP ð19Þ
where TP denotes positive samples predicted by the model,
TN denotes negative samples predicted by the model, FP
denotes negative samples predicted by the model, and FN
denotes positive samples predicted by the model.
5.3.2 Experiment results and discussion
(1) MK-ELM experiment results
The NSL-KDD dataset was used in the first phase of the
experiment, where 14,000 pieces training data are
Table 2 Statistics of the UNSW-NB 15 dataset
All types Training set Testing set
Sample % Sample %
Normal 65,000 37.08 37,000 44.94
Attack 110,341 62.92 45,332 55.06
Total 175,341 100.00 82,332 100.00
Table 3 Ten-category labels of
UNSW-NB 15 Label type Vectorization
Normal 1000000000
Analysis 0100000000
Backdoor 0010000000
Dos 0001000000
Exploits 0000100000
Fuzzers 0000010000
Generic 0000001000
Reconnaissance 0000000100
Shellcode 0000000010
Worms 0000000001
Wireless sensor network intrusion detection system based on MK-ELM 12369
123
randomly selected from ‘KDDTrain
?
’ for network training,
and another 14,000 pieces of different data are randomly
selected from ‘KDDTest
?
’ for testing. The training set and
the testing set are uniformly subject to the above data
preprocessing and become 14,000 9127 and
14,000 9127 dimensions. Figure 6a shows the confusion
matrix of the MK-ELM on the selected testing set in the
five-category classification experiments. Experiments show
that the accuracy of the model is 98.3%. From this 5 95
confusion matrix, it is noted that some other indicators are
summarized in Tables 5and 6. Depicted in Fig. 6b, the
ROC curve for 5 different classes that, except for U2R, the
exact position of other four classes is more than 90%, and
the false positive is less than 5%, which is due to the tiny
number of U2R intrusion type that leads to a false alarm.
The true positive rate of U2R is significantly improved
when compared with the literature work (Huang et al.
2017), and achieved a detection rate of 50%, derived from
the confusion matrix shown in Fig. 6a. According to the
5-category confusion matrix, Table 5shows the binary-
category confusion matrix of Dos.
(2) Experiment comparison among different schemes
Parameters’ setting of SVM algorithm is given as: the
typical kernel functions are the polynomial kernel
Kðx;xiÞ¼ðxxiþ1Þdand the Gaussian kernel
Table 4 The optimal combination of multi-kernel function
C¼217 Kernel1
RBF_kernel ðu1Þ
Kernel2
lin_kernel ðu2Þ
Kernel3
mq_kernel ðu3Þ
Accuracy
KDDTest
?
(%)
Accuracy
UNSW-NB 15 (%)
RBF_para = 100
mq_para = 75
Training/testing = 5000/5000
1 0.0 1.0 0.0 0.92 0.83
2 0.0 0.5 0.5 0.87 0.76
3 0.0 0.0 1.0 0.88 0.69
4 0.1 0.9 0.0 0.91 0.72
5 0.1 0.5 0.4 0.85 0.63
6 0.1 0.0 0.9 0.89 0.75
7 0.2 0.8 0.0 0.85 0.72
8 0.2 0.5 0.3 0.86 0.71
9 0.2 0.0 0.8 0.95 0.91
10 0.3 0.7 0.0 0.89 0.79
11 0.3 0.5 0.2 0.87 0.79
12 0.3 0.0 0.7 0.98 0.92
13 0.4 0.6 0.0 0.97 0.85
14 0.4 0.5 0.1 0.82 0.66
15 0.4 0.0 0.6 0.97 0.90
16 0.5 0.5 0.0 0.95 0.83
17 0.5 0.4 0.1 0.81 0.69
18 0.5 0.0 0.5 0.92 0.86
19 0.6 0.4 0.0 0.91 0.81
20 0.6 0.3 0.1 0.82 0.74
21 0.6 0.0 0.4 0.94 0.79
22 0.7 0.3 0.0 0.91 0.86
23 0.7 0.2 0.1 0.84 0.66
24 0.7 0.0 0.3 0.98 0.85
25 0.8 0.2 0.0 0.96 0.87
26 0.8 0.1 0.1 0.83 0.69
27 0.8 0.0 0.2 0.95 0.88
28 0.9 0.1 0.0 0.94 0.89
29 0.9 0.0 0.1 0.95 0.91
30 1.0 0.0 0.0 0.97 0.89
12370 W. Zhang et al.
123
Kðx;xiÞ¼expðjjxxijj2=d2Þ, where dis the degree of
the polynomial kernel and d2is the bandwidth of the
Gaussian kernel. In experiments performed, the cost
parameter C and kernel parameter d2were appropriately
chosen from ½224;29;28;...;225and
½224;29;28;...;225 , respectively, for each dataset.
Therefore, 50 50 ¼2500 combinations for each dataset
were tested and the set of parameters is applied to the test
dataset. An SVM implementation called LIBSVM-3 was
used in this work. For basic ELM, the number of hidden
neurons is 400 and let the hidden neurons be sigmoidal
additive nodes. As random values are assigned to some of
the parameters in basic ELM, the output is not fixed. Let
the number of hidden neurons be 400 and choose the value
of Cin Eq. (5). Hence, for SVM, basic ELM, and proposed
MK-ELM algorithm, 50 trials for each dataset are con-
ducted and record its average testing accuracy.
Table 7shows the average detection rate for three
algorithms performed 50 times when both the training
dataset and the test dataset are 14,000. Results show that
the detection rate of the SVM algorithm is comparable to
the basic ELM algorithm. The detection rate of the pro-
posed algorithm is the highest, about 2% higher than the
other two algorithms. Comparing to the literature (Cheng
et al. 2012), 1000, 2000, 4000, 8000, and 14,000 test data
are selected. As presented in Table 8, the proposed MK-
Fig. 6 aConfusion matrix for the five-category and bROC curve for the five-category
Table 5 Dos confusion matrix
Predicted Actual
Positive Negative
Positive (TP)5096 (FP)43
Negative (FN)102 (TN)8759
Table 6 Results of the evaluation metrics for the five-category
Intrusion type TPR (%) FPR (%) FNR (%)
Dos 98.04 0.49 1.96
Probe 95.67 0.47 4.33
R2L 76.12 0.11 23.88
U2R 50.00 0.00 50.00
Table 7 The detection rate of three methods
Intrusion type Detection rate (%)
SVM ELM MK-ELM
Normal 97.73 97.92 99.12
Dos 96.24 97.15 98.03
Probe 93.75 94.54 95.74
R2L 55.26 65.03 76.15
U2R 30.73 23.02 50.00
Wireless sensor network intrusion detection system based on MK-ELM 12371
123
ELM accuracy is higher than SVM and ELM under same
conditions. The time consumed by SVM, ELM, and MK-
ELM is calculated, and, respectively, refers to the total
time spent in training and testing.
Experiments with 5000, 10,000, 15,000, 20,000, and
25,000 test data are selected. From the results presented in
Fig. 7, we can observe that the basic ELM performs better
than SVM in terms of time consumption. Moreover, due to
the performance degradation of SVM, the proposed MK-
ELM outperforms SVM in terms of speed and accuracy,
what demonstrates that the proposed MK-ELM method
shows better scalability than SVM when classifying multi-
class traffic for intrusion detection.
In the second phase of the experiment, the UNSW-NB
15 dataset is used to evaluate the performance of the pro-
posed method, and the statistical distribution is shown in
Table 2. Different 14,000 pieces of data are randomly
selected from the preprocessed training dataset and testing
set. The model for binary category is evaluated by con-
sidering all kinds of attacks as a single attack class to make
a comparison with SVM and basic ELM. The binary-cat-
egory confusion matrix of three algorithms on the UNSW-
NB 15 dataset is shown in Tables 9,10, and 11.
Also, the comparison of this proposed model MK-ELM
with other models using UNSW-NB 15 is shown in
Table 12. The accuracy of SVM and ELM is similar, while
the accuracy of the proposed algorithm MK-ELM is the
highest. However, compared with the NSL-KDD dataset,
the accuracy of these three algorithms has decreased.
The label of UNSW-NB 15 dataset is vectorized into 10
categories; also ten classifications testing are performed.
The preprocessed training dataset and the testing set are
randomly selected to have different data amounts of
10,000, 15,000, 20,000, and 25,000, respectively. The
accuracy of the above discussed three algorithms is
depicted in Fig. 8.
Table 8 The accuracy of three methods in different data size
Data size SVM ELM MK-ELM
Training/testing Accuracy (%) Accuracy (%) Accuracy (%)
1000/1000 97.58 96.83 97.85
2000/2000 98.31 97.07 98.88
4000/4000 98.69 97.00 98.92
8000/8000 98.02 96.79 98.79
14,000/14,000 97.02 96.43 98.34
Fig. 7 Time consumption of three algorithms
Table 9 Binary-category confusion of SVM
Predicted Actual
Positive Negative
Positive (TP)7959 (FP)105
Negative (FN)1547 (TN)4389
Table 10 Binary-category confusion of ELM
Predicted Actual
Positive Negative
Positive (TP)7899 (FP)172
Negative (FN)1522 (TN)4407
Table 11 Binary-category confusion of MK-ELM
Predicted Actual
Positive Negative
Positive (TP)8437 (FP)108
Negative (FN)998 (TN)4457
Table 12 Comparison of the proposed model with other models using
UNSW-NB 15 in selected four evaluation indicators
Evaluation indicators (%) SVM ELM MK-ELM
AC 88.20 87.90 92.10
TPR 83.73 83.84 89.42
FPR 2.34 3.76 2.37
FNR 16.27 16.16 10.58
12372 W. Zhang et al.
123
When testing with the UNSW-NB 15 dataset, it is noted
that the accuracy of two classifications, true positive rate,
false positive rate, and false negative rate, or the accuracy
of 10 classifications of different groups, the proposed MK-
ELM algorithm achieve the highest performance. Taking
into consideration the detection and evaluation indexes of
the three algorithms and their respective time consumed in
different datasets, it is noted that the MK-ELM algorithm
proposed in this paper has significant advantages and
promising when applied in WSN environments.
6 Conclusion remarks and future work
Based on the KELM algorithm and the multi-kernel theory,
the optimal multi-kernel function 0.3RBF kernel ?0.7
multiquadric kernel is chosen, and intrusion detection
algorithm MK-ELM proposed to clustered WSN environ-
ments, architecting a hierarchical WSN intrusion detection
system model. The classification algorithm is compared
with the SVM-based multi-classification algorithm and
basic ELM algorithm. Simulation results show that this
proposed method improves the detection rate in compar-
ison with the basic ELM algorithm, dramatically shortens
the detection time compared to the multi-classification
algorithm of SVM, and solves the problems of low detec-
tion rate based on the basic ELM algorithm and time-
consuming detection based on SVM algorithm. Yet, it
provides a new approach for intrusion detection in WSNs.
Even though this model has a high detection rate, the
proposed model needs to increase the detection of multiple
intrusion patterns. For future work, other classes of attacks
in WSNs are focused and consider the energy consumption
of communication among nodes further, aiming at reducing
network energy consumption and improving the overall
performance of WSNs.
Acknowledgements Authors of this manuscript are grateful to the
valuable comments provided by external reviewers and international
experts for the improvement of technical and organization sections.
Funding This work is supported by the National Natural Science
Foundation of China (Nos. 61672338 and 61873160).
Compliance with ethical standards
Conflict of interest All the authors declare that they have no conflict
of interest.
Ethical approval This article does not contain any studies with human
participants or animals performed by any of the authors.
References
Bao F, Chen R, Chang MJ et al (2012) Hierarchical trust management
for wireless sensor networks and its applications to trust-based
routing and intrusion detection. IEEE Trans Netw Serv Manag
9(2):169–183
Borkar GM, Patil LH, Dalgade D et al (2019) A novel clustering
approach and adaptive SVM classifier for intrusion detection in
WSN: a data mining concept. Sustain Comput Inform Syst
23:120–135
Butun I, Morgera SD, Sankar R (2014) A survey of intrusion
detection systems in wireless sensor networks. IEEE Commun
Surv Tutor 16(1):266–282
Cao LL, Huang WB, Sun FC (2014) Optimization-based extreme
learning machine with multi-kernel learning approach for
classification. IEEE Comput Soc 14:3564–3569
Cheng C, Tay WP, Huang GB (2012) Extreme learning machines for
intrusion detection. In: the 2012 international joint conference on
neural networks (IJCNN). IEEE, pp 1–8
Dai JJ, Tao Y, Yang FY (2018) A novel intrusion detection system
based on IABRBFSVM for wireless sensor networks. Procedia
Comput Sci 131:1113–1121
Girolami M (2002) Mercer kernel-based clustering in feature space.
IEEE Trans Neural Netw 13(3):780–784
Han Z, Zhang W, Chen Z (2010) A Markov-based intrusion detection
scheme for wireless sensor networks. Comput Eng Sci 9:009
Huang GB, Chen L (2007) Convex incremental extreme learning
machine. Neurocomputing 70(16):3056–3062
Huang GB, Zhu QY, Siew CK (2006) Extreme learning machine:
theory and applications. Neurocomputing 70(16):489–501
Huang G, Huang GB, Song S et al (2015) Trends in extreme learning
machines: a machines: a review. Neural Netw 61:32–48
Huang SH, Chen WZ, Li J (2017) Network intrusion detection based
on extreme learning machine and principal component analysis.
J Jilin Univ (Inf Sci Ed) 35(5):576–583
Liang W, Li K-C et al (2019a) An industrial network intrusion
detection algorithm based on multi-feature data clustering
optimization model. IEEE Trans Ind Inform. https://doi.org/10.
1109/TII.2019.2946791
Liang W, Tang M, Long J, Peng X, Xu J, Li K-C (2019b) A secure
fabric blockchain-based data transmission technique for indus-
trial internet-of-things. IEEE Trans Ind Inform 15(6):3582–3592
Fig. 8 The AC of three algorithms in UNSW-NB 15 dataset
Wireless sensor network intrusion detection system based on MK-ELM 12373
123
Maleh Y, Ezzati A, Qasmaoui Y et al (2015) A global hybrid
intrusion detection system for wireless sensor networks. Procedia
Comput Sci 52:1047–1052
Rani TP, Jayakumar C (2017) Unique identity and localization based
replica node detection in hierarchical wireless sensor networks.
Comput Electr Eng 64:148–162
Shone N, Ngoc TN, Phai VD et al (2018) A deep learning approach to
network intrusion detection. IEEE Trans Emerg Top Comput
Intell 2(1):41–50
Silva AAPD, Martins MH, Rocha BP et al (2005) Decentralized
intrusion detection in wireless sensor networks. In: Proceedings
of the 1st ACM international workshop on quality of service &
security in wireless and mobile networks, pp 16–23
Tang J, Deng C, Huang GB (2016) Extreme learning machine for
multilayer perceptron. IEEE Trans Neural Netw Learn Syst
27(4):809–821
Wang CR, Xu RF, Lee SJ et al (2018) Network intrusion detection
using equality constrained-optimization-based extreme learning
machines. Knowl Based Syst 147:68–80
Yin C, Zhu Y, Fei J et al (2017) A deep learning approach for
intrusion detection using recurrent neural networks. IEEE
Access 5(2):21954–21961
Zhang Z (2014) Efficient computer intrusion detection method based
on artificial bee colony optimized kernel extreme learning
machine. Indones J Electr Eng Comput Sci 12(3):1954–1959
Zhang YT, Ma C, Li ZN et al (2014) Online modeling of kernel
extreme learning machine based on fast leave-one-out cross-
validation. Shanghai Jiaotong Univ (Sci) 48:641–646
Publisher’s Note Springer Nature remains neutral with regard to
jurisdictional claims in published maps and institutional affiliations.
12374 W. Zhang et al.
123
A preview of this full-text is provided by Springer Nature.
Learn more
Content available from Soft Computing
This content is subject to copyright. Terms and conditions apply.
... Moreover, the practical implementation of intrusion detection schemes grapples with the challenges posed by the complex and dynamic nature of real-world application scenarios. The intricacies of diverse network environments, varying traffic patterns, and evolving attack strategies contribute to a substantial false alarm rate [13,14]. The high false alarm rate not only hampers the efficiency of intrusion detection but also poses a significant operational challenge, demanding a balance between sensitivity to potential threats and minimizing unnecessary disruptions to normal network activities. ...
Intrusion Detection Model for Wireless Sensor Networks Based on FedAvg and XGBoost Algorithm
Article
Full-text available
For the characteristics of channel instability in wireless sensor networks, this paper proposes an intrusion detection algorithm based on FedAvg (federated averaging) and XGBoost (extreme gradient boosting) wireless sensor networks using fog computing architecture. First, the network edge is extended by introducing fog computing nodes to reduce the communication delay. It reduces the transmission bandwidth and privacy leakage risk while improving the accuracy of jointly learned global and local models. Then, the histogram-based approximation calculation method is improved to adapt to the unbalanced data characteristics of wireless sensor networks. Finally, by introducing TOP-K gradient selection, the number of model parameter uploads is minimized, and the efficiency of model parameter interaction is improved. The experimental results show that this algorithm has superior detection performance and low energy consumption. It is also compared with other algorithms to demonstrate the high detection rate and low computational complexity of this algorithm.
View
... The simulation is carried out by deploying a variable number of nodes in an area of 100 m × 100 m with an initial energy of 1 J. Table 4 depicts the suggested model's parameter choices. A variety of methods were utilized for comparison, including support vector machine (SVM) [31], extreme learning machine (ELM) [32], hidden Markov model (HMM) [33], and multi-kernel extreme learning machine deployment (MK-ELM) [34]. This section discusses the experimental setup and performance of the proposed hybrid ASSO-MERNN approach. ...
An energy efficient data fault prediction based clustering and routing protocol using hybrid ASSO with MERNN in wireless sensor network
Article
Full-text available
  • Mar 2024
  • TELECOMMUN SYST
Wireless sensor networks (WSNs) and Internet of Things (IoT) are essential for numerous applications. WSN nodes often operate on limited battery capacity, so energy efficiency is a significant problem for clustering and routing. In addition to these limitations, one of the primary issues of WSNs is achieving reliability and security of transmitted data in vulnerable environments to prevent malicious node attacks. This work aims to develop a secure and energy-efficient routing protocol for fault data prediction to enhance WSNs network lifespan and data reliability. The proposed technique has three major phases: cluster construction, optimal route selection, and intrusion detection. The adaptive shark smell optimization (ASSO) technique was initially used with three input parameters for CH selection. These parameters are the residual energy, the distance to the BS, and the node density. After clustering, salp swarm optimization (SSO) is used to select the optimum path for data transmission between clusters, resulting in an energy-efficient WSN. Finally, to ensure the security of cluster-based WSNs, an effective intrusion detection system based on a modified Elman recurrent neural network (MERNN) is implemented to detect the presence of intrusions in the network. The experimental results show that it outperforms the competing methods in various performance metrics. The performance results of quality of service (QoS) parameters are expressed as dispersion value (0.8072), packet delivery rate (98%), average delay (160 ms), network lifetime (3200 rounds), and the accuracy of this method is 99.2%. Compared to the SVM, ELM, HMM, and MK-ELM protocols, the proposed protocol increases network lifetime by 77%, 60%, 45.4%, and 14.2%, respectively.
View
View
A comprehensive review of energy efficient routing protocols for query driven wireless sensor networks
Article
  • Jun 2024
In this current era of communications and networking, The Internet of things plays the main role in the making of smart communication and networking. In this article, we have focused on the literature survey on wireless sensor networks which are energy efficient. Various standard protocols are reviewed along with some enhanced protocols which makes the network energy efficient. The comparison of the standard and enhanced protocols with respect to various applications in wireless sensor networks is thoroughly done in this article. The outcomes of the enhanced protocols are also briefly discussed. For easier analysis to future researchers, a comparative table which lists the enhanced protocols which are compared with standard counterparts along with the factors for energy efficiency of the protocols. This article also comments on the issues and challenges of the protocols which can be further analyzed for making the wireless sensor network more energy efficient.
View
Deep learning-enabled energy optimization and intrusion detection for wireless sensor networks
Article
  • May 2024
Ad hoc wireless networks can limit creativity, and wireless sensor networks can enhance innovation. The functionalities of components inside a wireless ad hoc network depend on characteristics such as random access memory capacity, battery life, and storage capacity. Several factors such as lack of protection, insufficient infrastructure, ease of construction, proximity to war zones, and absence of security measures make the buildings susceptible to various risks. The rising frequency of network attacks has greatly affected various characteristics like energy consumption, packet loss, latency, throughput, and uptime. Intrusion detection systems and other conventional security measures may not offer an adequate guarantee of the consistency of the system that they are protective of. This article proposes a two-pronged technique for understanding the addressing Restricted Boltzmann Machines (RBMs), a specific form of computer system. The main emphasis is on this specific method. The Restricted Boltzmann Machine (RBM) methodology often surpasses state-of-the-art methods. The objective is achieved through the use of an approach known as chaotic ant optimization (CAO). We have developed a method using Restricted Boltzmann Machines (RBMs) to determine the optimal confidence level for each sensor node. Our research provides increased credibility to a multi-modal approach utilizing deep learning to address challenges in intrusion detection and energy optimization through wireless sensor networks, often known as WSNs. RBM’s data processing capabilities with CAO’s routing and security advantages, our comprehensive solution enhances the performance and reliability of Wireless Sensor Networks (WSNs) across different scenarios.
View
Analysis of Extreme Learning Machines (ELMs) for intelligent intrusion detection systems: A survey
Article
  • Nov 2024
  • EXPERT SYST APPL
The ever-increasing interconnectedness of our world, fueled by technological advancements across industries, has made network security a paramount concern. This concern stems from the evolving tactics of cybercriminals and our dependence on interdependent systems. Extreme Learning Machines (ELMs) have recently been renamed Single-Hidden-Layer Feedforward Neural Networks (SLNFs) to achieve a rapid learning rate by randomly initializing weights and deviations. For a decade, researchers have been primarily focused on the investigations of ELM, which offers a distinctive use that prompted academics to investigate its possible application in various disciplines. Considering the Intrusion Detection System (IDS) framework, ELM provides an enticing path for constructing effective and adaptable IDS models capable of analyzing enormous amounts of network data in real-time. ELMs are based on feedforward networks using single or Multi-Hidden Layers (MHLs). ELM-based IDS assists in safeguarding networks, systems, and web applications against cyber-attacks, phishing, and cyber threats. As a result, during the last decade, ELM has taken center stage for development as an exciting technology for effective and accurate classification tasks. ELM represents a subset of the Machine Learning (ML) algorithms utilized by IDSs, which makes our work contribute significantly to the field of network security. First, we investigate the ELM-based IDS throughout the previous decade, including the idea, scope, and rationale of ELM. Second, our study aims to identify abnormal and malicious actions in network traffic while offering real-time protection against potential threats, including detecting Distributed Denial of Services (DDoS) attacks and phishing attacks that use malicious URLs and payloads for successful attacks. Finally, our work encompasses applications, extensions, attacks, security issues, and a comparative analysis showcasing the versatility of ELM within various algorithms. This underscores ELM’s evolution as a promising technology for accurate and effective classification tasks, particularly in network security research.
View
A Comprehensive Review on Energy Balancing and Routing in Wireless Sensor Networks
Article
  • Jul 2023
Wireless Sensor Networks (WSNs) play a vital role in various applications ranging from environmental monitoring to industrial automation. One of the key challenges in WSNs is the limited energy resources of sensor nodes, which necessitates the development of energy-efficient routing and clustering protocols to prolong network lifetime and ensure reliable data transmission. This literature review provides an extensive overview of recent research efforts in energy-efficient routing and clustering techniques for WSNs. The review covers a wide range of algorithms, including optimization-based, machine learning-based, hybrid, and protocol-based approaches. Additionally, it discusses the challenges faced in designing energy-efficient WSNs, identifies research gaps, outlines objectives, proposes future research directions, and concludes with insights into the current state and future prospects of energy-efficient WSNs
View
View
A comprehensive review of energy efficient routing protocols for query driven wireless sensor networks
Article
  • Apr 2024
In this current era of communications and networking, The Internet of things plays the main role in the making of smart communication and networking. In this article, we have focused on the literature survey on wireless sensor networks which are energy efficient. Various standard protocols are reviewed along with some enhanced protocols which makes the network energy efficient. The comparison of the standard and enhanced protocols with respect to various applications in wireless sensor networks is thoroughly done in this article. The outcomes of the enhanced protocols are also briefly discussed. For easier analysis to future researchers, a comparative table which lists the enhanced protocols which are compared with standard counterparts along with the factors for energy efficiency of the protocols. This article also comments on the issues and challenges of the protocols which can be further analyzed for making the wireless sensor network more energy efficient.
View
View
An Industrial Network Intrusion Detection Algorithm based on Multi-Feature Data Clustering Optimization Model
Article
Full-text available
  • Oct 2019
Industrial networks are complex and diverse. Among existing intrusion prevention systems available, several of them have problems such as low detection accuracy rate, high false-positive rate, and low real-time performance for impersonation attacks. To address such issues, it is proposed in this work an industrial network intrusion detection algorithm based on multi-feature data clustering optimization model, where the weighted distances and security coefficients of data are classified based on the priority threshold of data attribute feature for each node in the network, given that the data modules in the industrial network environment are diverse and easy to diagnose, restore and rebuild. The proposed algorithm can effectively improve the detection rate and real-time performance of detecting abnormal behavior for the multi-feature data in industrial networks. The novel features are twofold, to rapidly select a node with high security coefficient as the cluster center, and match the multifeature data around the center into a cluster. Experimental results show that the proposed algorithm has good superiority in terms of detection rate and time compared to other algorithms. In the industrial network, the detection accuracy of abnormal data reaches 97.8%, and the false positive of detection is decreased by 8.8%.
View
A Novel Intrusion Detection System based on IABRBFSVM for Wireless Sensor Networks
Article
Full-text available
  • Jan 2018
With the rapid development of wireless sensor technology, the application of Wireless Sensor Networks (WSNs) is more and more extensive, and has important military value and broad commercial application prospect. However, due to the limited resources of terminal equipment, wireless communication environment and other reasons, it faces severe security problems. This paper mainly proposes an intrusion detection algorithm based on improved AdaBoost-RBFSVM, and designs an intrusion detection system (IDS) for WSNs denial of service (DoS) attack based on the proposed method. In order to make the RBF-SVM algorithm as the AdaBoost weak classifier, the effect of training is achieved. Using the influence of parameter σ to RBF-SVM and the effect of model training error em on the smoothness of AdaBoost weights, the IABRBFSVM algorithm is proposed. On the other hand, after analyzing the DoS attack, the eigenspace for the attack is proposed, and the corresponding intrusion detection system is designed. Through simulation, the proposed IDS can significantly improve the network performance by detecting and removing malicious nodes in the network, from the perspective of detection rate, packet delivery rate, transmission delay and energy consumption analysis, and has the characteristics of simple structure, short computation time and high detection rate.
View
A Deep Learning Approach for Intrusion Detection Using Recurrent Neural Networks
Article
Full-text available
  • Oct 2017
Intrusion detection plays an important role in ensuring information security, and the key technology is to accurately identify various attacks in the network. In our study, we explore how to model an intrusion detection system based on deep learning, and we propose a deep learning approach for intrusion detection using recurrent neural networks (RNN-IDS). Moreover, we study the performance of the model in binary classification and multiclass classification, and the number of neurons and different learning rate impacts on the performance of the proposed model. We compare it with those of J48, Artificial Neural Network, Random Forest, Support Vector Machine and other machine learning methods proposed by previous researchers on the benchmark dataset. The experimental results show that RNN-IDS is very suitable for modelling a classification model with high accuracy and that its performance is superior to that of traditional machine learning classification methods in both binary and multiclass classification. The RNN-IDS model improves the accuracy of the intrusion detection and provides a new research method for intrusion detection.
View
A Secure FaBric Blockchain-Based Data Transmission Technique for Industrial Internet-of-Things
Article
  • Jun 2019
The previous blockchain data transmission techniques in industrial Internet of Things (IoT) have low security, high management cost of the trading center, and big difficulty in supervision. To address these issues, this paper proposes a secure FaBric blockchain-based data transmission technique for industrial IoT. This technique uses the blockchain-based dynamic secret sharing mechanism. A reliable trading center is realized using the power blockchain sharing model, which can also share power trading books. The power data consensus mechanism and dynamic linked storage are designed to realize the secure matching of the power data transmission. Experiments show that the optimized FaBric power data storage and transmission has high security and reliability. The proposed technique can improve the transmission rate and packet receiving rate by 12% and 13%, respectively. Moreover, the proposed technique has good superiority in sharing management and decentralization.
View
Extreme Learning Machine: Theory and Applications
Article
  • Dec 2006
  • NEUROCOMPUTING
It is clear that the learning speed of feedforward neural networks is in general far slower than required and it has been a major bottleneck in their applications for past decades. Two key reasons behind may be: (1) the slow gradient-based learning algorithms are extensively used to train neural networks, and (2) all the parameters of the networks are tuned iteratively by using such learning algorithms. Unlike these conventional implementations, this paper proposes a new learning algorithm called extreme learning machine (ELM) for single-hidden layer feedforward neural networks (SLFNs) which randomly chooses hidden nodes and analytically determines the output weights of SLFNs. In theory, this algorithm tends to provide good generalization performance at extremely fast learning speed. The experimental results based on a few artificial and real benchmark function approximation and classification problems including very large complex applications show that the new algorithm can produce good generalization performance in most cases and can learn thousands of times faster than conventional popular learning algorithms for feedforward neural networks.1
View
A novel clustering approach and adaptive SVM classifier for intrusion detection in WSN: A data mining concept
Article
  • Jun 2019
Nowadays Wireless Sensor Network (WSN) mainly faces security issue during packet transmission between different sensor nodes in network combined with data mining. To overcome this challenge an efficient clustering technique called adaptive chicken swarm optimization algorithm is proposed for cluster head (CH) selection. By this adaptive method the time consumption is reduced to a greater extend along with that the lifetime of the network and the scalability is improved alternatively. Additionally a two stage classification technique known as adaptive SVM classification a supervised learning technique is proposed with Intrusion Detection System (IDS) where an acknowledgement based method is utilized for reporting the malicious sensor nodes. By this acknowledgement different types of attacks such as DOS, probe, U2R, R2L are detected incorporation with Intrusion Detection System (IDS). Once detected a high level security mechanism along with intrusion response is provided to other sensor nodes by which a secure packet transmission occurs between different sensor nodes. The proposed methodology is implemented in python platform and the comparison results provided with existing methods proves a better result.
View
Network Intrusion Detection Using Equality Constrained-Optimization-Based Extreme Learning Machines
Article
  • Feb 2018
  • KNOWL-BASED SYST
Since Internet is so popular and prevailing in human life, network security has become a very important issue and attracted a lot of study and practice. To detect or prevent network attacks, a network intrusion detection (NID) system may be equipped with machine learning algorithms to achieve better accuracy and faster detection speed. Applying machine learning has another major advantage that expert knowledge is not needed as much as the black or white list model. Extreme learning machines (ELMs) are single-layer artificial neural networks not required to be iteratively trained. Therefore, their learning speed is fast, and speed is crucial in the success of network intrusion detection systems for them to take prompt, effective defending reactions. Huang et al. proposed the equality constrained-optimization-based ELM (C-ELM) which is a modified version of ELM by integrating with the features of least squares support vector machines. In this paper, we apply C-ELM to network intrusion detection. An adaptively incremental learning strategy is proposed to derive the optimal number of hidden neurons. The optimization criteria and a way of adaptively increasing hidden neurons with binary search are developed. A broad number of experiments have been done and the results show that our proposed approach is effective in building models with good attack detection rates and fast learning speed.
View
A Deep Learning Approach to Network Intrusion Detection
Article
  • Feb 2018
Network intrusion detection systems (NIDSs) play a crucial role in defending computer networks. However, there are concerns regarding the feasibility and sustainability of current approaches when faced with the demands of modern networks. More specifically, these concerns relate to the increasing levels of required human interaction and the decreasing levels of detection accuracy. This paper presents a novel deep learning technique for intrusion detection, which addresses these concerns. We detail our proposed nonsymmetric deep autoencoder (NDAE) for unsupervised feature learning. Furthermore, we also propose our novel deep learning classification model constructed using stacked NDAEs. Our proposed classifier has been implemented in graphics processing unit (GPU)-enabled TensorFlow and evaluated using the benchmark KDD Cup ’99 and NSL-KDD datasets. Promising results have been obtained from our model thus far, demonstrating improvements over existing approaches and the strong potential for use in modern NIDSs.
View
Unique identity and localization based replica node detection in hierarchical wireless sensor networks
Article
  • Aug 2017
  • COMPUT ELECTR ENG
Clustering in Wireless sensor networks (WSN) is a prevalent Hierarchical network management technique. Though disjoint clusters are generally preferred, overlapping clusters find its prominence in some applications of inter-cluster routing, time-synchronization and node localization. Replica node detection is a major challenge in overlapping clusters. This paper aims at replica node detection in overlapping clusters based on two methods, Replica detection based on RFID (RDBRFID) and Replica detection based on Localization techniques (RDBLT). The first method uses RFID for unique node identification and the second method detects replica by identifying its locality based on received signal strength (RSSI) and Triangulation method. These methods are implemented and their performance is compared with Multicast and non clustered methods: Randomized multicast (RM), Line selected multicast (LSM), Fault tolerant virtual back bone tree (FTVBT) and K-coverage WSN. It is observed that RDBRFID exhibits better detection rate and lesser communication overhead due to its deterministic approach.
View
Online modeling of kernel extreme learning machine based on fast leave-one-out cross-validation
Article
  • May 2014
A novel algorithm based on fast leave-one-out cross-validation was proposed, named as online kernel extreme learning machine (OKELM). Online modeling was accomplished by importing the latest training sample and discarding the oldest training sample. An adaptive FLOO-CV prediction error-based threshold without any manual work was used to enhance the sparsity and generalization ability of the model by only introducing the samples with larger predictive error. The output weights of the OKELM were determined recursively based on Hermitian formula. Thus, the online storage space and calculation time was reduced. Numerical experiments on chaotic time series prediction and identification of a continuous stirred tank reactor show that the OKELM has faster calculation speed and higher learning accuracy in comparison with off-line kernel extreme learning machine, unsparsity online kernel extreme learning machine and on-line sequential extreme learning machine.
View