Intrusion detection systems for wireless sensor networks using computational intelligence techniques

Network Intrusion Detection Systems (NIDS) are utilized to find hostile network connections. This can be accomplished by looking at traffic network activity, but it takes a lot of work. The NIDS heavily utilizes approaches for data extraction and machine learning to find anomalies. In terms of feature selection, NIDS is far more effective. This is accurate since anomaly identification uses a number of time-consuming features. Because of this, the feature selection method influences how long it takes to analyze movement patterns and how clear it is. The goal of the study is to provide NIDS with an attribute selection approach. PSO has been used for that purpose. The Network Intrusion Detection System that is being developed will be able to identify any malicious activity in the network or any unusual behavior in the network, allowing the identification of the illegal activities and safeguarding the enormous amounts of confidential data belonging to the customers from being compromised. In the research, datasets were produced utilising both a network infrastructure and a simulation network. Wireshark is used to gather data packets whereas Cisco Packet Tracer is used to build a network in a simulated environment. Additionally, a physical network consisting of six node MCUs connected to a laptop and a mobile hotspot, has been built and communication packets are being recorded using the Wireshark tool. To train several machine learning models, all the datasets that were gathered—created datasets from our own studies as well as some common datasets like NSDL and UNSW acquired from Kaggle—were employed. Additionally, PSO, which is an optimization method, has been used with these ML algorithms for feature selection. In the research, KNN, decision trees, and ANN have all been combined with PSO for a specific case study. And it was found demonstrated the classification methods PSO + ANN outperformed PSO + KNN and PSO + DT in this case study.

According to Musa et al. (2021), IDSs are "active processes or devices that review device and connection activities for unapproved and disagreeable behavior." IDS are available in three flavors. These categories include HIDS, NIDS, and hybrid-based IDS (Waskle 2020). The HIDS seeks to keep track of internal computer system activity. The NIDS's objective is to dynamically monitor the network traffic in real-time. In order to ascertain any potential network intrusions, the NIDS tries to accomplish that. It tries to do that by using the right detection techniques.

There are three distinct categories: hybrid IDS built on an IDS, exploitation identification, and anomaly detection (Ganesh and Sharma 2021). A collection of specified characteristics or criteria is used in the detection system to identify recognised hazards. The anomaly detection mechanism detects unidentified attacks on a regular basis. This is achieved by evaluating if the device's state is normal. The IDS classification for anomaly detection is shown in Fig. 1. A hybrid IDS may be able to spot both known and unidentified attacks. The focus of this essay is the NIDS. NIDS uses the entire network's traffic characteristics to detect threats. The NIDS is the subject of this article. NIDS uses the whole network's traffic characteristics to find hazards. The utilization of all capabilities is not necessary for attack detection.

IoT environment threat dimensions

Full size image

Infiltration is a notion that exists anyplace there is connectivity. Applications comprise Wifi hotspots in big businesses, residential area networks, wireless sensor networks, and the Internet of Things. Securing sensitive data kept in various databases is essential. Customer-related information, such as TINs, dates of birth, and Aadhar card numbers, must be kept safe for this reason. As a result, intrusion detection systems become necessary. It is necessary to have systems for both intrusion detection and prevention (Sivagaminathan and Dr. Manmohan Sharma. 2021a).

DoS attacks, Man in the Middle attacks, sinkhole attacks, selected transmitting attacks, flooded attacks, worm attacks, etc. are just a few examples of the many diverse attack types that may be used. DoS attacks can involve saturating a server with phony information in an effort to jam the networks and block actual traffic from reaching the host. This regularly happens in the world of online business. It's possible for a site to purposefully flood other site's server with fictitious traffic. As a result, intrusion detection and prevention are crucial. (Bang et al. 2020).

Wireless sensors also demand penetration testing. All industries, including those connected to agriculture, business, building roads and traffic networks, the military, telecommunications, and the medical and health fields, employ WSNs. the tracking of patients' locations and the surveillance of elderly patients (Karimipour et al. 2019) are examples of how this is used in the health world.

The following are some IPDS systems that have been created in various fields:

1. a

   A commercially available NIDS tool called Snort was used to compare an intrusion detection network system's effectiveness (IDPS) that has been described. All Snort rules Utilize the prefix in the suggested system and randomized indexes techniques, and as during periods of intense network connections, key sequences are developed to decrease the duration of packet sniffing and the probability of false positives (Almomani and M. AL-Akhras 2016).

2. b

   Synchronized phasor systems may now identify malicious intrusions with the use of a tool called System for detecting intrusions specific to synchro phasors (SSIDS). It combines a behaviour patterns strategy and a diverse whitelist to detect both known and unidentified attacks. (Abdulaziz et al. 2019).

3. c

   To avoid intrusion, a solution known as home region network using ZigBee could use HANIDPS as just an intrusion protection and monitoring system has been developed (Firoz Kabir and Sven Hartmann 2018).

4. d

   An IDPS has also been created to safeguard linked automobiles' Controller Area network (CAN) buses. Real-time vehicle data may be provided through the Controller Area Network interface, which links sensing devices and controlling devices in a network for control applications (Yang et al. 2020). A serial automobile bus network is involved.

Threats to IoT settings come in many forms, both physical and virtual. Figure 1 demonstrates the many forms of cyber security included in the IoT process, including cloud services with multiple-system creation, and attack level. All of the above-mentioned categories have a high degree of assault; hence these procedures demand high-security characteristics on several dimensions (Jokar and Leung 2016; Sharma and Moller 2018). Despite the fact that several IoT systems provide poor attack characteristics, protocol-level feature implementations significantly superior than that used by all people. As a result, to prevent any sort of hazard from accessing the defined system, a greater feature is necessary.

The paper will follow the following format: The preparation of datasets utilising two pieces is covered in Sect. “Proposed methodology”. Part a involves employing a simulation environment, such as the Wireshark and Cisco Packet Tracer tools. The development of datasets through a real, physical network made with node MCUs is covered in Part b (Jing et al. 2022). Several machine learning classifiers are trained in Sect. “ML classification model training using a variety of methods “ utilising the datasets mentioned above and PSO as an optimization strategy. Section “Result and discussion” includes the findings and Discussions.

The proposed Methodology is as follows:

A variety of machine learning (ML) models, including Linear Regression, SVM, Decision Trees, Random Forest, k nearest neighbor (knn), Artificial Neural Networks, Adaboost, Naive Bayes classifier, and Bayesian classifiers, among others, are trained using the selected features, as shown in Fig. 2, and their prediction accuracy is determined (Zhao et al. 2022; Zhang et al. 2022a). To further improve the effectiveness of ML classifiers, PSO has also been used as an optimization strategy.

1. a)

   Creating datasets with the wireshark tool using a cisco packet tracer simulated network

   

   Operating a better IDS system

   Full size image

   The technique used in our proposed study was to first construct the network system with the appropriate node layout, as illustrated in Flowchart Fig. 3 (Mushtaq et al. 2022). This node was created using a distinctive network design (Transfer learning-based multi-adversarial detection of evasion attacks against network intrusion detection systems 2022). We set up Cisco Packet Tracer to initialize a model of the whole network architecture for this purpose. We have created a test network environment for this system with 5 source IP addresses, 13 destination IP addresses, and 9 protocols. ARP, BROWSER, DHCP, ICMPV6, IGMPV3, LLMNR, MDNS, NBNS, and SSDP were among the network protocols used (Ravi et al. 2022). Using the Cisco packet tracer simulator, the protocol was started for a duration of 10 min. There were no run time errors while the simulation was running since the run time was properly setup (Mokhtar Mohammadi et al. 2021; Lo et al. 2022) through. Once the simulation model was fully modelled, we utilized the Wireshark system to gather data packet values for source, destination IP, and protocols with respect to time, allowing us to initialize the time domain model and create a more accurate and reliable prediction model.

   

   Demonstrates the entire process of data collecting for any network simulation model

   Full size image

Proposed algorithm

The suggested approach is made to lessen the features of network incursion for effective management of source and destination protocols on the available network bandwidth. Any network, including Bluetooth, 3G, 4G, 5G, Wi-Fi 2.4Ghz or Wi-Fi 33 5Ghz, may use this method. Understanding the method for determining the historical features of incursion flow on the specific network is necessary (Wang et al. 2022a). In order to comprehend the future mutation in the infiltration over any network bandwidth, this analysis is being taught utilizing neural networks (Wang et al. 2020). The method begins with the function A (x, y, z), where x, y, and z represent source IP, destination IP, and intrusion protocols, respectively.

We have I as a variable that identifies the features of an intrusion, j as the likelihood that the intrusion would be discovered, and x, y, and z as parameters that rely on the simulation model's functions (Saba et al. 2022; Maldonado et al. 2022).

Back trace to find the sequence of Intrusion

The probability of the ideal sequence for source, destination, protocols, incursion, and values attributes is stored in the array Network Intrusion (X, Y, Z, I j). Certain network features will be given probability and weight in C(T) functions (Wang et al. 2022b).

1. 1.

   Using Cisco Packet Tracer, a network made up of PCs, switches, and routers connected by LAN is built in the simulated scenario. Figure 4 illustrates that (Selection and for Intrusion Detection System et al. 2020).

   

   Showing the test network architecture in Cisco packet tracer

   Full size image

2. 2.

   Using the Wireshark tool, 10 min worth of activity on our laptop system, including the aforementioned conversation, is captured in the packets that were transmitted. The Wireshark tool is used to recover the protocols utilised, source IP addresses, destination IP addresses, and the length of communication between specified sources and specific destinations (Detecting botnet by using particle swarm optimization algorithm based on voting system 2020).

3. 3.

   In order to determine which destination takes the longest, filters are now being used, graphs are being displayed, and each protocol is being examined individually (Chohra et al. 2022). The area that is most affected is the one that occupies the majority of the graph's time. When a destination's maximum time is shown, it means the location offered the greatest degree of defense against any odd incoming packets from a source. Consequently, this odd package that just arrived could be an intrusion.

4. 4.

   We next try to identify the source from where this packet originated to the place where it experienced the most resistance by applying filters to that particular destination. Once more, by finding the source that takes up the greatest space in the graph, the IP address of the suspected intrusion source may be determined.

The information is shown in the following R-plotted graphs, Figs. 5, 6, and 7. (Part a's findings).

Shows protocols vs (ff02::1:3) destination IP

Full size image

Shows protocols vs (192.168.239.1) Source IP

Full size image

Shows protocols vs (192.168.239.255) destination IP

Full size image

The many criteria by which the above graphs are shown include the different Source IPs, Destination IPs, Protocols involved, and the length of time it takes for a certain Protocol to have an effect on a certain Destination IP before having an impact on a particular Source IP. The parameters are shown below:

Figure 4 depicts the network architecture utilised in our testing environment, and Table 3 shows the Source, Destination, and Protocol Dataset in relation to it.

Figure 8 shows the development of wireless sensor networks made up of NS2 nodes.

Creation of wireless sensor networks consisting of nodes in NS2

Full size image

According to varied data bandwidth communications, it has been discovered that the processing time line for various communication protocols on the specified test environment varies from 0.002 to a maximum of 40 s (Cui et al. 2019). Our research has documented the duration of data packet transmission, which is a result of communication protocols. This observation directly relates to the reliability of intrusion to time and the processing power of the network design, network nodes, or network cloud.

1. b)

   The development of datasets from a physical network made using five node MCUs, a laptop, and a mobile device

   The following was done during the experiment. An internet connection based on a mobile hotspot was made possible by the development of a network of laptops and six node MCUs. The matching node MCUs were then connected to six LEDs. First, normal on and Off buttons from a mobile device with IoT programming were used to switch on and off the LEDs (Gölcük et al. 2020). The Normal Dataset was compiled using the Wireshark software. The IP address of one of the nodes' MCUs was afterwards modified to an extremely long string, allowing some type of intrusion to be introduced (Alazzam et al. 2020; Kitali et al. 2021; Lima et al. 2020). Another dataset—this time an intrusion-induced dataset—was also created using the Wireshark programme. This moment, the node MCU received two successive ON orders followed by two seconds later by two OFF commands. Using the normal and intrusion-induced datasets from each of these datasets, the neural network model was trained. Some datasets were created from scratch, while others come from UNSW and other Kaggle and GitHub sources (Hemmasian et al. 2022).

   A physical network was constructed utilising a laptop, a mobile device, and five node MCUs, as illustrated in Fig. 9. Additionally, the dataset was obtained via both harmful and lawful means. These datasets are those that we presently have (Balamurugan et al. 2022).(v). Several types of data caused by viruses are included in a UNSW dataset from GitHub.(vi). The dataset Kddcup 99

   

   A physical network made up of a mobile device, a laptop, and five node MCUs was created

   Full size image

1. (i).

   A typical dataset created with the Wireshark programmed and a simulated Cisco Packet Tracer network.

2. (ii).

   Using node MCUs in wireless networks, a typical dataset for an IoT context was obtained.

3. (iii).

   The NSDL dataset from Kaggle is used to train the neural network (which consists of details about various types of attacks)

4. (iv).

   The perturbed dataset was created by adding turbulence within the network we built using IoT (Qazi et al. 2022; Zhu et al. 2022).

These datasets were used to train the various ML classifiers mentioned above, and their rates of accurately detecting hazardous behavior were calculated (Joon and Tomar 2022). Following that, PSO was combined with each of these various ML classifiers, and a comparison study is provided in Results.

Figures 10, 11, 12, and 13 below illustrate the confusion matrix, classification report, and receiver operating characteristic for logistic regression and KNN (Tables 1 and 2).

Confusion matrix plotting for Logistic Regression

Full size image

Receiver operating characteristic (ROC)for logistic regression

Full size image

Plotting confusion matrix for KNN

Full size image

Receiver operating characteristic (ROC) for KNN

Full size image

After utilising the aforementioned datasets to train multiple ML classifiers, PSO was used in conjunction with each of these classifiers. A comparison of PSO in conjunction with three of the classifiers—k Nearest Neighbor, Artificial Neural Networks, Decision Trees, are listed here (Tables 3, 4, 5 and 6).

The following was noted when the proposed IDS system and the present IDS were contrasted from various research studies:

Therefore, it can be stated that, when compared to other systems, the suggested IDS, PSO + ANN provides the best accuracy and the lowest FPR (A survey on firefly algorithms et al. 2022; Judy Simon et al. 2022).

Below are some benefits of the various algorithms and technologies used for this study endeavor:

1. i.

   Advantages of particle swarm optimization (PSO)

   Popular optimization methods include Particle Swarm Optimization (PSO). The concept behind it is to simulate the behaviour of a flock of birds, with each bird standing in for a particle that seeks for the global optimum. Finding the best answer requires, the method utilises a swarm of particles that fly across the solution space and investigate various options (Ganesh and Sharma 2021).

   PSO continues to be a popular option for many optimization issues despite the development of several other optimization techniques throughout the years. This is because PSO provides a number of benefits over other optimization methods, including: Simple and straightforward to use: PSO is an easy-to-implement optimization method that works with any computer language (Guilherme Ramos et al. 2022).

   • Efficient in terms of computations PSO is a quick and effective optimization approach because it doesn't call for complicated or time-consuming calculations.

   • Effective performance for complicated issues PSO has been demonstrated to be effective for difficult optimization issues with high-dimensional search spaces.

   • Robustness PSO is a robust optimization method, which means it can deal with erratic or noisy objective functions (Wang et al. 2021).

PSO, a well-liked optimization method, has been extensively applied in many different applications, including feature selection (Meysam Valueian et al. 372022; Abdallah and Wafa’ Eleisah et al. 2022). The approach offers various benefits over other optimization methods, including resilience, strong performance for complicated problems, and simplicity and computing economy.

Different performance measures have been used in studies on numerous contemporary intrusion detection systems (Sivagaminathan and Dr. Manmohan Sharma. 2021b). A number of machine learning algorithms have been studied, including K-Nearest Neighbors, SVM, Discriminant Analysis, Naive Bayes Model, Logistic Regression, Ridge Classifier, and Decision Trees. The functioning of computational intelligence methods including Grey Wolf Optimization (GWO), Firefly Optimization (FFA), Genetic Algorithms, and numerous evolutionary algorithms was also thoroughly researched (Pampapathi et al. 2022).

1. ii.

   Advantages of wireshark tool

   For 10 minutes, the packets sent through the laptop system were captured using the Wireshark Tool, and a simulation of a LAN server, PCs, and routers was built using Cisco Packet Tracer. We used this information to build our own dataset, which had protocols, source and destination IP addresses, and—most importantly—the amount of time needed to communicate between each source and each destination. We then plotted several graphs to study these interdependencies (Zhang et al. 2022b).

   Popular software for recording and examining network data is called Wireshark. To monitor and fix network issues, network administrators, security experts, and network engineers frequently utilize it. Wireshark is a recommended tool for collecting active communication packets for a number of reasons, including:

   • Compatibility windows, Linux, and macOS are just a few of the many operating systems that Wireshark supports. Additionally, it supports a large number of networking protocols, giving it a flexible tool for examining various kinds of network data.

   • User-friendly interface The Wireshark interface is user-friendly, making it simple to explore and analyses network traffic. Additionally, it offers a number of visualization tools, including packet decoding, protocol dissectors, and graphs, to make it simpler to comprehend the data being gathered.

   • Open-source because Wireshark is an open-source programme, it is available for free and may be altered to suit certain requirements. This implies that a sizable user base exists that can offer the tool resources and assistance (Al-Anzi 2022).

   • Advanced functions Wireshark has a number of advanced functions.

   • Additional features Wireshark has a number of advanced capabilities that make it a strong tool for network analysis and troubleshooting, including packet filtering, protocol analysis, and exporting of recorded data.

   Due to its interoperability, user-friendly interface, open-source status, and extensive functionality, Wireshark is a recommended tool for collecting active communication packets (Hassan et al. 2022). These elements make it a flexible and effective tool for network traffic analysis and problem-solving.

   1. iii.

      Advantages of cisco packet tracer

      A network simulation programme called Cisco Packet Tracer offers a visual interface for network design and setup. It is a graphical user interface (GUI)-based programme that enables users to effortlessly drag and drop elements to construct a virtual network environment, such as PCs, switches, routers, and servers. Users may experiment with various setups, test out network situations, and debug network problems with the help of the tool, which is intended to mimic a real-world network environment (Pingale et al. 2022; Choudhary and Kesswani 2020).

      On the other hand, NS2 is a discrete event simulator that gives network simulations a command-line interface. In order to construct and configure network components in the virtual environment, users must write code. This necessitates a better comprehension of network protocols, coding principles, and some degree of programming expertise (Rintyarna et al. 2019).

      Cisco Packet Tracer and NS2 vary primarily in that the former offers a graphical interface for network simulations while the later necessitates user-written code. Cisco Packet Tracer is therefore a more approachable choice for folks who are unfamiliar with network simulations or who lack a solid experience in programming (Alzubaidi et al. 2020).

In the modern world, network intrusion detection is quite important. Every network is vulnerable to different kinds of assaults. Using the Wireshark tool, data packets were recorded during live communication in the system where a simulation network was built utilising Cisco Packet Tracer, as well as in a real network built using five node MCUs, a laptop, and a mobile device. Datasets caused by intrusions were also gathered from this setup. Along with some standard datasets from UNSW, Kaggle, and GitHub, the acquired datasets were utilised to train numerous ML models. As an optimization method, PSO was used with these ML classifiers. PSO+ANN, PSO+KNN, and PSO+DT were carefully watched and investigated in a case study. With a best accuracy of 99.78 and a lowest FPR of 0.003%, it was discovered that PSO+ANN surpasses PSO+KNN, PSO+DT, and other current IDS.

Potential datasets when trained to the proposed IDS, may employ deep learning approaches for giving better efficient results.

Data is available with the author; it will be made available to researchers as per demand.

There are no funding resources for this research work.

Authors and Affiliations

1. Lovely Professional University, Phagwara, India

   Vaishnavi Sivagaminathan, Manmohan Sharma & Santosh Kumar Henge

Contributions

All authors have equally contributed to the research work. All authors read and approved by the final manuscript.

Authors’ information

Astt. Proff. Vaishnavi Sivagaminathan working as Assistant Professor in Priyadarshini College of Engineering, Nagpur is undergoing her PhD from Lovely Professional University, Punjab, India in Computer Science and Engineering discipline. As a highly skilled Assistant Professor with more than 12 years of experience delivering lectures, conducting training programs, supervising projects, collecting and processing technical data and conducting research. Her research specializations are artificial intelligence, machine learning, image processing, cyber security and Networking and Security.

Dr. Manmohan Sharma presently serving as Professor in School of Computer Applications, Lovely Professional University, Punjab, INDIA has a vast experience of more than 24 years in the field of academics, research and administration with different Universities and Institutions of repute such as Dr. B.R. Ambedkar University, Mangalayatan University etc. Dr. Sharma has been awarded with his Doctorate degree from Dr. B.R. Ambedkar University, Agra in 2014 in the field of Wireless Mobile Networks. His areas of interest include Wireless Mobile Networks, Adhoc Networks, Mobile Cloud Computing, Recommender Systems, Data Science and Machine Learning etc. More than 50 research papers authored and co-authored, published in International or National journals of repute and conference proceedings comes under his credits. He is currently supervising six doctoral theses. Three Ph.D. and three M.Phil. degrees has already awarded under his supervision. He has guided more than 600 PG and UG projects during his service period under the aegis of various Universities and Institutions. He worked as reviewer of many conference papers and member of the technical program committees for several technical conferences. He is also actively serving several journals related to the field of wireless, mobile communication and cloud computing as editorial board member. He is also member of various professional/technical Societies including Computer Society of India (CSI), Association of Computing Machines (ACM), Cloud Computing Community of IEEE, Network Professional Association (NPA), International Association of Computer Science and Information Technology (IACSIT), and Computer Science Teachers Association (CSTA).

Dr. Santosh Kumar Henge working as Associate Professor in the School of Computer Science and Engineering, Lovely Professional University, Punjab, India. As a highly skilled Associate Professor with more than 16 years of experience delivering lectures, comprised of nearly 8 years of international level teaching experience and more than 8 years of national level experience, conducting training programs, supervising projects, collecting and processing technical data and conducting research. He was awarded a Ph.D. degree from the Department of Computer Science, Kakatiya University. His research specializations are artificial intelligence, machine learning, medical image processing and cyber security which are mainly emphasis on neural-fuzzy hybrid systems, machine learning algorithms, image processing, data mining and wide data analysis. He is also actively serving several AI and cyber security related journals and conferences as editorial board member, organizing committee member, workshop organizer and reviewer.

Corresponding author

Correspondence to Vaishnavi Sivagaminathan.

Ethics approval and consent to participate

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper. And the work shown in the paper is original.

Competing interests

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions