fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2020.3047642, IEEE Internet of
Things Journal
IEEE INTERNET OF THING JOURNAL,VOL.1,NO.1,AUGUST 2020 1
Abstract—IoT networks are vulnerable to various cyberattacks, especially insider attacks. Most existing studies mainly detect non-targeted insider attackers, who manipulate all packets forwarded by them with a probability. Compared with non-targeted attackers, targeted attackers only manipulate specific packets, which makes them more efficient and covert. In this paper, we propose a targeted insider attack model called conditional packets manipulation attack (CPMA), in which attackers maliciously manipulate the packets whose attribute values meet specific conditions with a probability. When resisting CPMA attack, most existing detection algorithms are inefficient at finding such malicious behavior. Also, they detect malicious nodes by collecting and analyzing the overall behavior of nodes, which is not appropriate for energy-constrained nodes in IoT networks. To solve these problems, we present CPMAED, a malicious nodes detection framework against CPMA attack. CPMAED maintains some partial trust metrics for each relay node, which indicate the probability of launching attacks when forwarding the packets with different attribute values. Also, our scheme leverages regression and clustering algorithms to evaluate the trust values of nodes and classify them into benign or malicious. In order to obtain higher detection accuracy, we optimize the routing of transmitted packets and inject the packets to collect more information about nodes to enhance detection. The experimental results show that our proposed scheme utilizing SVM and K-means can achieve good detection performance and identify malicious nodes' attack modes with high accuracy.

Index Terms—IoT network, Insider attacks, Trust evaluation, Machine learning.

I. INTRODUCTION

… devices in IoT networks to steal, modify [3, 4], discard data, or consume network bandwidth. Such attacks can seriously interfere with routing establishment and data transmission, resulting in the failure of data fusion and affecting the normal function of networks.

Motivation: Compared with non-targeted attackers who manipulate all packets forwarded by them with a probability [5, 6], targeted attackers only manipulate specific packets, which makes them more efficient and covert. Therefore, in this paper, we propose a targeted insider attack model called conditional packets manipulation attack (CPMA), in which attackers maliciously manipulate the packets whose attribute values meet specific conditions with a probability.

As shown in Fig. 1, the sensor nodes $S_1$, $S_2$ and $S_3$ are deployed in three different areas of a forest respectively. They monitor the temperature of the surrounding environment and send sensing data to the sink through multihop routing. Assume that node $R_f$ is malicious, and it only tampers with the packets sent by node $S_3$ with a probability of 0.5. If a fire breaks out in the above three areas, the sensing data of $S_1$ and $S_2$ will be sent to the sink safely and trigger the fire alarm. However, $S_3$'s sensing data $packet_1$ will be manipulated maliciously by node $R_f$, so that the position of the fire cannot be located in time or the alarm system even fails. Also, most
2327-4662 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: VIT University. Downloaded on July 24,2021 at 02:22:35 UTC from IEEE Xplore. Restrictions apply.
Because node $R_f$ only attacks the packets sent by node $S_3$, the overall reputation of node $R_f$ is $(20 + 20 + 20 \times 0.5) \div (20 + 20 + 20) = 5/6$, which is relatively high. Therefore, node $R_f$ is very likely to be identified as benign. In fact, when forwarding the packets whose source node is $S_3$, the partial trust value of node $R_f$ is $(20 \times 0.5) \div 20 = 1/2$, which is relatively low.

From the above example, most existing detection approaches are not efficient at detecting such malicious nodes, which are highly concealed and destructive. Therefore, it is necessary and challenging to design an effective detection mechanism against CPMA attack in IoT networks.

Contributions: In this paper, our key contributions are summarized as follows.

1) In this paper, we propose an advanced insider attack model called CPMA attack, in which the attackers maliciously manipulate the packets whose attribute values meet specific conditions with a probability;
2) In our work, we present CPMAED, a malicious nodes detection framework against CPMA attack in IoT networks. In CPMAED, each relay node has at least one partial trust value, which indicates the probability that it maliciously manipulates the packets with a specific attribute value.
3) In our scheme, we leverage regression and clustering algorithms to calculate nodes' trust values and classify them into benign or malicious. And to obtain higher detection accuracy, we optimize the routing of transmitted packets and inject the packets again to collect more information about nodes to enhance detection.
4) The experimental results show that the detection scheme we designed can achieve good detection performance and identify malicious nodes' attack modes with high accuracy.

Organization: The remainder of this paper is organized as follows. Section 2 mainly introduces the existing work on malicious nodes detection. Section 3 presents our proposed system model, including network model, packet model, attack model, node model and path model. Then section 4 details the detection scheme we designed. Section 5 presents the experimental environment and experimental results. At last, section 6 concludes our work.

II. RELATED WORK

To detect malicious nodes, various detection methods based on trust evaluation or machine learning techniques have been proposed.

Trust-based detection: Trust evaluation or reputation evaluation can be used to improve network security [6] [9]. Nodes with higher trust values are more likely to be benign, whereas nodes with lower trust values are more likely to be vicious [10]. Xia Li et al. [11] proposed that the direct trust values could be combined with recommendation trust values from other nodes. In [12], Romman et al. proposed to use the neighbour weight trust determination algorithm (NWTD) to detect malicious nodes in MANETs. In NWTD, the trust of a node was evaluated by its one-hop neighbours. Rikli et al. [13] proposed a lightweight trust-based security mechanism to improve IoT network security, in which each node monitored its one-hop neighbours' behavior and periodically reported to a base station, which utilized this information to evaluate the trust values of nodes. A trust management scheme was designed in [14], which calculated the node's direct trust value by Bayesian and periodically updated it based on the combination of effective history records and adaptive decay factor. Indirect trust was used only if the current trust value was below a threshold. Also, in their scheme, the weights of different trust values could be calculated based on entropy theory.

Machine learning-based detection: Recently, the rapid growth of machine learning also provides a new perspective for cybersecurity. Kaplantzis et al. [15] used Support Vector Machines to deal with security threats in WSN for the first time and achieved high accuracy. However, this method could not identify which nodes are malicious. For the first time, Tie Luo et al. [1] introduced autoencoder neural networks into WSN to solve the anomaly detection problem. Because of deep learning's formidable hunger for computational resources, the method built an autoencoder neural network that consists of three layers. However, the complexity of this method is too high to be suitable for large-scale sensor networks. A kNN-based anomaly detection scheme was introduced in [16]. Through redefining the anomaly detection region and converting the hypergrid structure, the computational complexity could be reduced and detection efficiency could be improved. Xin Liu et al. [17] designed a malicious nodes identification approach using network diversity and clustering algorithm, which motivates our work. In their work, a contribution metric was formulated for each node in the network based on their behaviour. However, it assumed that the contributions of different nodes in the same path to the path's reputation are the same, which is unrealistic.

Most of the above studies mainly focus on non-targeted attacks rather than destructive and covert targeted attacks. To meet this challenge, we consider a targeted insider attack model named CPMA attack and propose an efficient detection framework (CPMAED) against CPMA attack in IoT networks.

III. SYSTEM MODEL

This section describes the system model, which includes network model, packet model, attack model, node model and path model. Later, we will use these models to detail our proposed scheme. All symbols used in this paper are presented in TABLE I.

A. Network model

According to the role of different nodes, all nodes are divided into three sets: source node set $S$, the sink, and relay node set $R$. The source node set $S$ can be denoted as $S = \{S_1, S_2, S_3, \cdots\}$. Their role is to send probe packets over several routing paths to the sink for assisting in identifying malicious nodes [17]. The sink is responsible for collecting packets and evaluating the reputation metric for each routing path. The relay node set $R$ can be denoted as $R = \{R_1, R_2, R_3, \cdots\}$. Their role is to route packets from the
source node to the sink. There may be some malicious nodes in $R$, and our purpose is to detect them and identify their attack modes.

TABLE I: The symbols used in this paper

| Symbol | Description |
|---|---|
| $S$ | the set of source nodes |
| $R$ | the set of relay nodes |
| $packet_m$ | the m-th packet injected into the network |
| $R_i$ | the i-th relay node |
| $R_i.T$ | the trust value of node $R_i$ |
| $Path_j$ | the j-th routing path |
| $P_j.T$ | the trust value of routing path $Path_j$ |
| $\theta$ | the set of attribute values |
| $\alpha$ | the set of attack modes |
| $\omega$ | the number of attack modes |
| $f_t$ | the condition function to launch attack $\alpha_t$ |
| $\alpha_t$ | the t-th attack mode |
| $\phi_t$ | the t-th packet group |
| $\xi_t$ | the t-th detection domain |
| $LTG_{\xi_t}$ | the low trust value group in $\xi_t$ |
| $MTG_{\xi_t}$ | the medium trust value group in $\xi_t$ |
| $HTG_{\xi_t}$ | the high trust value group in $\xi_t$ |
| $BG_{\xi_t}$ | the benign group in $\xi_t$ |
| $MG_{\xi_t}$ | the malicious group in $\xi_t$ |
| $FBG$ | the final benign group |
| $FMG$ | the final malicious group |

B. Packet model

Let $packet_m$ be the m-th packet injected into the network. It can be denoted as a tuple:

$$packet_m = \{\theta_1^m, \theta_2^m, \theta_3^m, \cdots, \theta_k^m, flag, pass\} \tag{1}$$

where $\theta_k^m$ represents the attribute value of the k-th field of $packet_m$ and $\theta_k^m \in$ attribute value set $\theta$. When $packet_m$ arrives at the sink, the sink will verify whether $packet_m$ has been compromised by an attacker and update the packet's flag. That is

$$flag = \begin{cases} 1 & \text{if } packet_m \text{ is not compromised} \\ 0 & \text{otherwise} \end{cases}$$

And $pass$ is the sequence of relay nodes that forward $packet_m$ [18].

For example, in Fig. 1, every packet can be represented as a 5-tuple:

{Source Node, Length, Data Type, flag, pass}.

Then, $S_3$'s sensing data $packet_1$ can be denoted as

$\{S_3, 16\text{bits}, temperature, 0, (R_3, R_6, R_9, R_b, R_d, R_e, R_f)\}$.

C. Attack model

In this paper, we propose a targeted insider attack model named conditional packets manipulation attack (CPMA), in which the attackers only maliciously manipulate the packets whose attribute values meet specific conditions with a probability. Depending on the different targets of malicious nodes, we divide CPMA attack into multiple attack modes. Also $\omega$ is the number of attack modes, and $\alpha$ is the set of attack modes, which is denoted as $\{\alpha_1, \alpha_2, \cdots, \alpha_\omega\}$.

Such advanced attackers follow IoT protocols to hide as much as possible for most of their lifetime, and will not launch attacks unless they encounter packets that meet specific conditions. Furthermore, the condition function $f_t$ for launching attack $\alpha_t$, $t \in [1, \omega]$ can be defined as:

$$f_t : packet_m \rightarrow boolean \tag{2}$$

If $f_t(packet_m)$ is true, it indicates that $packet_m$'s attribute values meet the conditions for launching attack $\alpha_t$.

As shown in Fig. 1, attack mode $\alpha_1$ means that an attacker maliciously manipulates the packets whose Source Node is $S_3$, and its condition function is $f_1 : packet_m \rightarrow boolean$, where

$$f_1(packet_m) = \begin{cases} true & \text{if } packet_m\text{'s Source Node is node } S_3 \\ false & \text{if } packet_m\text{'s Source Node is not node } S_3 \end{cases}$$

Malicious node $R_f$ with attack mode $\alpha_1$ can determine whether the packets forwarded by it are its targets using condition function $f_1$. Then if $f_1(packet_1) = true$, $R_f$ will launch an attack on $packet_1$ with a probability.

D. Node model

The i-th relay node in the relay node set $R$ can be represented as

$$R_i = \{(\alpha_{i1}, p_{i1}), (\alpha_{i2}, p_{i2}), \cdots, (\alpha_{ik}, p_{ik})\}, \tag{3}$$

where $\alpha_{ik} \in$ attack mode set $\alpha$. $\alpha_{ik}$ is the k-th attack mode of node $R_i$ and $p_{ik}$ is the probability of node $R_i$ launching attack $\alpha_{ik}$. Define $\beta_i$ as a flag to represent whether node $R_i$ is malicious. If node $R_i$ is benign, then $\beta_i = 1$; otherwise $\beta_i = 0$. That is

$$\beta_i = \begin{cases} 1 & \text{if } R_i \text{ is benign} \\ 0 & \text{otherwise} \end{cases}$$

When forwarding $packet_m$, whether node $R_i$ will launch an attack depends on $\beta_i$ and the condition function $f_{ik}$ to launch attack $\alpha_{ik}$ (refer to (2)). If $\beta_i = 1$, node $R_i$ will not launch any attacks; if $\beta_i = 0$ and $f_{ik}(packet_m) = false$, node $R_i$ will not launch an attack on $packet_m$; if $\beta_i = 0$ and $f_{ik}(packet_m) = true$, node $R_i$ will launch an attack on $packet_m$ with probability $p_{ik}$.

Moreover, when forwarding the packets with different attribute values, the reliability of a node can be measured by its partial trust values, which can be defined as below [17]:

$$R_{ik}.T = 1 - p_{ik}. \tag{4}$$

E. Path model

Let $Path_j$ be the j-th path that connects a source node to the sink. It can be denoted as:

$$Path_j = \{a_{1j}, a_{2j}, a_{3j}, \cdots, a_{nj}\} \tag{5}$$

where $n$ is the number of relay nodes and $a_{ij}$ indicates whether node $R_i$ is in $Path_j$. That is
$$a_{ij} = \begin{cases} 1 & \text{if } R_i \text{ is in } Path_j \\ 0 & \text{if } R_i \text{ is not in } Path_j \end{cases}$$
reputation. When the training is finished, we can obtain all nodes' trust values [24].

4) Malicious node detection: In some detection strategies, clustering algorithms are used to detect malicious nodes and they cluster the nodes directly into two groups, such as benign group and malicious group. Moreover, a node's trust value can be impacted by the behaviour of other nodes along its associated multihop paths, which can degrade the performance of detection schemes. To improve detection accuracy, we cluster the nodes into three groups, which are low trust value group (LTG), medium trust value group (MTG) and high trust value group (HTG). To determine whether nodes in the MTG are benign or malicious, we optimize the routing of transmitted packets and inject the packets into the network again to collect more information about them, which can enhance the learning of the regression model. Then we use the clustering algorithm again, based on the obtained trust values of nodes, to classify the nodes into benign or malicious.

5) Detection result aggregation: After the detection is completed in each detection domain, we can obtain the final benign group (FBG) and final malicious group (FMG) by aggregating the detection result in each detection domain.

Also, if the reputation of node $R_i$ is relatively low in the detection domain $\xi_t$, it indicates that node $R_i$ launches attacks on the packets in the packet group $\phi_t$ with a high probability. This kind of attack on the packets in the packet group $\phi_t$ is defined as attack mode $\alpha_t$, so $\alpha_t$ is one of the attack modes of node $R_i$. If node $R_i$ exists in other detection domains, we can identify other attack modes of $R_i$ in this way.

B. Conditional packet manipulation attack detection

As shown in Fig. 1, there are fifteen relay nodes and multiple possible routing paths between three source nodes and the sink. First of all, we inject probe packets by three trusted source nodes and collect statistical information by the sink in the same way as [17].

1) Detection domain formation: To detect malicious nodes that launch attack $\alpha_1$, we use condition function $f_1$ to filter packets so that all the packets whose Source Node is $S_3$ form the packet group $\phi_1$. When the packets in the group $\phi_1$ are forwarded from node $S_3$ to the sink, their routing paths form a domain which is shown by the black arrows in Fig. 1. We define this domain as the detection domain of attack type $\alpha_1$ and use $\xi_1$ to represent it. Also, $Path_1$ "$R_3 - R_6 - R_9 - R_b - R_d - R_e - R_f$", which can be denoted as $\{0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 1, 1, 1\}$, exists in the detection domain $\xi_1$ and its Send-set is $\{packet_1, packet_2, packet_3\}$.

2) Trust model construction: After the probe packets transmitted along $Path_1$ reach the sink, they form Receive-set$_1$, which can be denoted as $\{packet_1, packet_2', packet_3\}$. Here we assume that $packet_2'$ has been tampered with maliciously by an attacker. Then the sink can check the integrity of all packets in Receive-set$_1$ by a keyed hash function [25, 26] and update $packet_2$'s flag to 0. Based on the obtained statistical information, the sink can evaluate the reliability of $Path_1$ and the result can be expressed as $P_1.T$ (refer to (6)). That is

$$P_1.T = \frac{|\{packet_1, packet_3\}|}{|\{packet_1, packet_2, packet_3\}|} = \frac{2}{3} \tag{8}$$

In addition, the reputation of a path is also the contribution of all nodes along this path. By referring to equation (7), the reputation of $Path_1$ can also be formalized as:

$$\begin{aligned} P_1.T &= (1 - p_3) \times (1 - p_6) \times (1 - p_9) \times (1 - p_b) \times (1 - p_d) \times (1 - p_e) \times (1 - p_f) \\ &= R_{31}.T \times R_{61}.T \times R_{91}.T \times R_{b1}.T \times R_{d1}.T \times R_{e1}.T \times R_{f1}.T \end{aligned} \tag{9}$$

Mathematically, equation (9) can be derived as below:

$$\ln(P_1.T) = \ln(R_{31}.T) + \ln(R_{61}.T) + \ln(R_{91}.T) + \ln(R_{b1}.T) + \ln(R_{d1}.T) + \ln(R_{e1}.T) + \ln(R_{f1}.T) \tag{10}$$

To generalize, the relationship between $Path_1$'s reputation and all relay nodes' reputation along $Path_1$ can be expressed as below:

$$\ln(P_1.T) = \ln(R_{11}.T) \times a_{11} + \ln(R_{21}.T) \times a_{21} + \ln(R_{31}.T) \times a_{31} + \cdots + \ln(R_{n1}.T) \times a_{n1} \tag{11}$$

where $a_{ij}$ indicates whether node $R_i$ is in $Path_1$ (refer to (5)).

Based on equation (11), the corresponding node-trust model in the detection domain $\xi_1$ can be formalized as below:

$$\begin{aligned} \ln(P_1.T) &= \ln(R_{11}.T) \times a_{11} + \ln(R_{21}.T) \times a_{21} + \cdots + \ln(R_{n1}.T) \times a_{n1} \\ \ln(P_2.T) &= \ln(R_{11}.T) \times a_{12} + \ln(R_{21}.T) \times a_{22} + \cdots + \ln(R_{n1}.T) \times a_{n2} \\ &\cdots \\ \ln(P_\sigma.T) &= \ln(R_{11}.T) \times a_{1\sigma} + \ln(R_{21}.T) \times a_{2\sigma} + \cdots + \ln(R_{n1}.T) \times a_{n\sigma} \end{aligned} \tag{12}$$

where $\sigma$ is the number of available routing paths in the detection domain $\xi_1$.

3) Trust value calculation: Then we can use three matrices to represent the above equation (12):

$$T \times X = Y \tag{13}$$

In equation (13), $T$ is the matrix of nodes' reputation, which is what we want to calculate, and

$$T = [\ln(R_{11}.T), \ln(R_{21}.T), \ln(R_{31}.T), \cdots, \ln(R_{n1}.T)] \tag{14}$$

$X$ is the matrix of nodes' existence, and

$$X = \begin{bmatrix} a_{11} & a_{12} & \cdots & a_{1\sigma} \\ a_{21} & a_{22} & \cdots & a_{2\sigma} \\ \cdots & \cdots & \cdots & \cdots \\ a_{n1} & a_{n2} & \cdots & a_{n\sigma} \end{bmatrix} \tag{15}$$
$Y$ is the matrix of routing paths' reputation and

$$Y = [\ln(P_1.T), \ln(P_2.T), \ln(P_3.T), \cdots, \ln(P_\sigma.T)] \tag{16}$$

When probe packets reach the sink, the sink can use every packet's $pass$, which stores the packet's routing information, to construct $X$ [18]. Also, by checking the integrity of collected packets, the sink can calculate every routing path's reputation and construct $Y$.

According to equation (13), the calculation of matrix $T$ can be considered as a multivariable linear regression problem. Therefore, we introduce the regression algorithm to evaluate the reputation of all nodes. Inspired by [27], we take matrix $Y$ and $X$ as the dependent variable and independent variable respectively, and feed them as inputs to train the regression model. In statistics, the regression model focuses on generating a relationship between a dependent variable and multiple independent variables. When the training is finished, the matrix of nodes' reputation $T$ can be obtained as the regression coefficient.

4) Malicious nodes detection: Based on the obtained reputation of all nodes in the detection domain $\xi_1$, we detect malicious nodes using a clustering algorithm. To improve detection accuracy, we cluster the nodes in $\xi_1$ into three groups instead of two, namely low trust value group ($LTG_{\xi_1}$), medium trust value group ($MTG_{\xi_1}$) and high trust value group ($HTG_{\xi_1}$). Considering that a node's trust value can be impacted by the behavior of other nodes along its associated multihop paths, we optimize the routing paths to collect more information about node behavior. The optimization of routing paths follows three principles:

1) each path contains as few nodes in $LTG_{\xi_1}$ as possible;
2) each path contains nodes in $MTG_{\xi_1}$, but contains as few nodes in $MTG_{\xi_1}$ as possible;
3) each path contains as few nodes as possible.

Using the set of optimized routing paths, we inject the packets into the network again to collect more evidence about the nodes at the sink. The additional information obtained can be used to retrain the regression model to output more accurate trust values. Then the clustering method can be applied again to classify the nodes into two groups, such as benign group ($BG_{\xi_1}$) and malicious group ($MG_{\xi_1}$).

5) Detection results aggregation: After the detection is completed in each detection domain, we can obtain the final detection result by aggregating the detection result in each detection domain. For example, in Fig. 1, the final benign group can be represented as $FBG = BG_{\xi_1} \cup BG_{\xi_2} \cup \cdots \cup BG_{\xi_\omega}$, and the final malicious group can be represented as $FMG = MG_{\xi_1} \cup MG_{\xi_2} \cup \cdots \cup MG_{\xi_\omega}$, where $\omega$ is the number of detection domains.

In addition, our approach can obtain the attack modes of each node in FMG. In Fig. 1, if node $R_f$ is assigned to $MG_{\xi_1}$, it indicates that the trust value of node $R_f$ is relatively low in the detection domain $\xi_1$ and it is very likely to launch attacks when forwarding the packets in the group $\phi_1$. According to condition function $f_1$, all packets whose Source Node is $S_3$ form the packet group $\phi_1$ and this kind of attack on the packets in the group $\phi_1$ is defined as $\alpha_1$. Therefore, $\alpha_1$ is one of the attack modes of node $R_f$. And, if node $R_f$ exists in other detection domains besides $\xi_1$, we can use the above method to obtain node $R_f$'s other attack modes.

V. SIMULATION AND ANALYSIS

In this section, we mainly evaluate the detection performance of our proposed CPMAED in two aspects: (1) the combination of regression and clustering algorithms; (2) the influence of experimental parameters. To this end, we first select the combination of regression and clustering algorithm with the best detection performance. Also, we change some key experimental parameters respectively to analyze the detection performance of CPMAED comprehensively. Meanwhile, we compare our proposed scheme with Hard Detection (HD) [17] and Perception Detection with enhancement (PDE) [24], both of which can detect tamper attacks in IoT networks.

A. Environment setting

In our simulation environment, all IoT nodes are deployed discretely in a 100 × 100 m² rectangular area, as shown in Fig. 1. Each node's communication range is 15 m. Besides, we use scikit-learn [28] to implement regression and clustering algorithms.

To ensure the reliability of the experimental results, we run our simulation for each experiment in ten rounds with ten different networks generated randomly. The average value of ten rounds' results is calculated as the final result of each experiment. Unless otherwise specified, all experimental parameters will remain the default, which is set as follows:

1) The utilization of all routing paths in the network is 100%;
2) 30% of nodes in the relay node set $R$ are malicious;
3) The attack modes of each malicious node are randomly selected from attack mode set $\alpha$ and the probability of each attack is 30%;
4) The number of probe packets injected into the network is 2000;
5) The relay node set $R$ contains 15 elements that are deployed between source nodes and the sink.
6) The source node set $S$ contains 2 source nodes.

B. Evaluation metrics

We mainly measure the detection performance of our proposed scheme in terms of detection accuracy of malicious nodes, detection false alarm rate of malicious nodes [29], running time and detection accuracy of attack modes. Based on TABLE II, four measures are defined as follows:

TABLE II: Confusion matrix

| Actual result | Predicted result: Negative | Predicted result: Positive |
|---|---|---|
| Negative | True Positive (TP) | False Negative (FN) |
| Positive | False Positive (FP) | True Negative (TN) |

1) detection accuracy of malicious nodes:

$$A_m = (TN + TP)/n,$$
where $\omega$ is the number of attack modes. And $TP_t$ is the number of nodes whose actual attack mode is $\alpha_t$ and the attack mode predicted by our scheme is also $\alpha_t$; $TN_t$ is the number of nodes whose actual attack mode is not $\alpha_t$ and the predicted attack mode is not $\alpha_t$.

C. Experimental results

1) The influence of regression and clustering algorithms: First of all, to evaluate the influence of different machine learning algorithms on the detection performance, we choose a variety of typical machine learning algorithms [30, 31], including five regression algorithms: Support Vector Machine (SVM), Gradient Descent Method (GD), Least Square Method (LSM), Perceptron (P), Ridge Regression (RR) and three clustering algorithms: K-means, Gaussian mixed clustering (GMM), AGNES hierarchical clustering (AGNES). Our experimental results are shown in Fig. 4.

It is observed that SVM can achieve better detection performance, compared with other regression algorithms. Then we combine SVM with three clustering algorithms to evaluate their detection performance. In Fig. 4, we can find the combination of SVM and K-means has the best detection performance. Therefore, we choose SVM and K-means for subsequent detection performance evaluation of CPMAED.

[Fig. 4 panels: (a) Regression methods; (b) Clustering methods]
Fig. 4: The selection of machine learning algorithms

2) The influence of percentage of malicious nodes: To evaluate the impact of percentage of malicious nodes on the detection performance, the percentage of malicious nodes in the relay node set $R$ is set to 0.1, 0.2, 0.3, 0.4 and 0.5 respectively. The results are shown in Fig. 5.

[Fig. 5 panels: (c) The influence of the percentage of malicious nodes on $t$; (d) The influence of the percentage of malicious nodes on $A_\alpha$]
Fig. 5: The influence of the percentage of malicious nodes on detection performance

According to the obtained results, we can find that as the percentage of malicious nodes increases, $A_m$ of HD gradually increases, and $A_m$ of PDE gradually decreases, while $A_m$ of CPMAED always remains high. For PDE, as the percentage of malicious nodes increases, the reputation of a node is more likely to be impacted by the behaviour of malicious nodes along its associated multihop paths, which degrades $A_m$ of PDE. Also, by aggregating the detection results in multiple detection domains, $A_m$ of CPMAED always remains high.

In addition, we also find that as the percentage of malicious nodes increases, $F_m$ of HD, PDE and CPMAED gradually decreases. Among them, $F_m$ of HD is the highest.

And for all proportions of malicious nodes, CPMAED is significantly better than HD and PDE in terms of $A_m$ and $F_m$, and $A_\alpha$ of our proposed scheme always remains above 90%.

3) The influence of probability of attack: To evaluate the impact of probability of attack on the detection performance, the attack probability of malicious nodes is set to 0.1, 0.3, 0.5, 0.7 and 0.9 respectively. As the probability of attack increases, malicious nodes will become more and more active. The results are shown in Fig. 6.

Our results show that when the attack probability of malicious nodes is small, HD and PDE cannot achieve excellent detection performance. This is because a lower attack probability indicates that malicious nodes adopt a covert attack strategy to avoid being detected, which degrades the detection performance of HD and PDE. However, CPMAED can detect such malicious behavior because it adopts the partial trust values of nodes instead of the overall trust values.

Moreover, we can find that our proposed CPMAED has the highest $A_m$ and the lowest $F_m$ by optimizing the routing paths and aggregating the detection results of multiple detection domains. After detecting malicious nodes, CPMAED can identify the attack modes of the malicious nodes with high
[Figure panels: (a) The influence of count of injected packets on $A_m$; (b) The influence of count of injected packets on $F_m$]

[Fig. 8 panels: (c) The influence of the count of relay nodes on $t$; (d) The influence of the count of relay nodes on $A_\alpha$]
Fig. 8: The influence of the count of relay nodes on detection performance
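
The trust-value calculation and three-group clustering of Section IV-B (equations (8) to (16)), worked on a small constructed network as an added example that is not code from the paper. It uses ordinary least squares and a one-dimensional 3-means in pure Python in place of the scikit-learn SVM and K-means the authors selected; the five relays, six paths, packet counts and all function names are assumptions made for the illustration.

```python
import math
from collections import defaultdict

RELAYS = ["R1", "R2", "R3", "R4", "R5"]
# Constructed routing paths: the relay set each packet records in its `pass` field.
PATHS = {"P1": ("R1", "R2"), "P2": ("R2", "R3"), "P3": ("R1", "R3"),
         "P4": ("R3", "R4"), "P5": ("R4", "R5"), "P6": ("R1", "R5")}
# Constructed sink statistics: (source, path, packets sent, packets with flag == 1).
# Assumed ground truth: R3 tampers with S3's packets with p = 0.5 and R5 with
# p = 0.2; packets from S1 and S2 are never touched.
INTACT_S3 = {"P1": 20, "P2": 10, "P3": 10, "P4": 10, "P5": 16, "P6": 16}
SINK_LOG = ([(s, p, 20, 20) for s in ("S1", "S2") for p in PATHS]
            + [("S3", p, 20, k) for p, k in INTACT_S3.items()])


def path_reputation(log, condition):
    """P_j.T = intact / sent over the packets selected by condition function f_t."""
    sent, intact = defaultdict(int), defaultdict(int)
    for source, path, n_sent, n_ok in log:
        if condition(source):
            sent[path] += n_sent
            intact[path] += n_ok
    # A path that lost every packet would give ln(0); floor the count at 0.5
    # (a continuity correction chosen for this example, not taken from the paper).
    return {p: max(intact[p], 0.5) / sent[p] for p in sent}


def solve_least_squares(A, y):
    """Least-squares solution of A t = y via the normal equations and Gauss-Jordan."""
    n = len(A[0])
    M = [[sum(row[i] * row[j] for row in A) for j in range(n)]
         + [sum(row[i] * yi for row, yi in zip(A, y))] for i in range(n)]
    for c in range(n):
        piv = max(range(c, n), key=lambda r: abs(M[r][c]))
        if abs(M[piv][c]) < 1e-12:
            raise ValueError("paths do not separate every relay; probe more diverse paths")
        M[c], M[piv] = M[piv], M[c]
        for r in range(n):
            if r != c:
                f = M[r][c] / M[c][c]
                M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return [M[i][n] / M[i][i] for i in range(n)]


def node_trust(log, condition):
    """Regress ln(P_j.T) on the path incidence a_ij to recover each R_i.T."""
    rep = path_reputation(log, condition)
    names = sorted(rep)
    A = [[1.0 if r in PATHS[p] else 0.0 for r in RELAYS] for p in names]  # rows of X^T
    y = [math.log(rep[p]) for p in names]                                  # entries of Y
    t = solve_least_squares(A, y)                                          # t_i = ln(R_i.T)
    return {r: min(1.0, math.exp(v)) for r, v in zip(RELAYS, t)}


def three_groups(trust, rounds=20):
    """1-D k-means with k = 3: low (LTG), medium (MTG) and high (HTG) trust groups."""
    lo, hi = min(trust.values()), max(trust.values())
    if hi - lo < 1e-6:  # nobody stands out: treat every relay as high trust
        return {"LTG": [], "MTG": [], "HTG": list(trust)}
    cents = [lo, (lo + hi) / 2, hi]
    for _ in range(rounds):
        buckets = [[], [], []]
        for r, v in trust.items():
            buckets[min(range(3), key=lambda c: abs(v - cents[c]))].append(r)
        cents = [sum(trust[r] for r in b) / len(b) if b else c
                 for b, c in zip(buckets, cents)]
    return dict(zip(("LTG", "MTG", "HTG"), buckets))


def demo():
    partial = node_trust(SINK_LOG, lambda src: src == "S3")  # detection domain xi_1
    overall = node_trust(SINK_LOG, lambda src: True)          # all traffic pooled
    return partial, overall, three_groups(partial)


if __name__ == "__main__":
    partial, overall, groups = demo()
    for r in RELAYS:
        print(f"{r}: partial trust {partial[r]:.3f}   overall trust {overall[r]:.3f}")
    print(groups)
```

Filtering on the detection domain gives R3 a partial trust of 0.5, while pooling all sources reports 5/6, the same pair of numbers as the introduction's $R_f$ example. R5 lands in the MTG, the group the scheme re-probes over optimized paths before the final benign/malicious split.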