# An Efficient Multilevel Probabilistic Model for Abnormal Traffic Detection in Wireless Sensor Networks


## Abstract


## 1. Introduction

- (a) The buffer space of a BS has been filled due to a large volume of traffic, and communication between the BS and normal nodes has come to a halt.
- (b) The fraction of often-missed packets is particularly high due to network connection overload.
- (c) Due to network congestion, only a few packets from regular nodes make it to the target BS, and not in a timely manner. As a result, network throughput suffers.
- (d) A DDoS attack is a form of abnormal traffic, but abnormal traffic can also be an FC. A mechanism that merely blocks the abnormal traffic, assuming it is a DDoS attack, may also lose some important and legitimate users.
- (e) A sophisticated and efficient mechanism for discriminating FC from DDoS is therefore required, one that protects sensor nodes from malicious attacks but not from FC-based abnormal traffic.

## 2. Background and Related Works

## 3. Proposed Detection Mechanism

#### 3.1. Packets Capturing

#### 3.2. Features Extraction

#### 3.3. Packets Categorization

#### 3.4. Traffic Classification

- (a) First, two different flows are captured at the BS node. The receiving time and payload sizes are considered, and the arithmetic mean $\mu$ and standard deviation $\sigma$ are calculated, as shown in Equations (3) and (4).
  $$\mu = \sum_{i=1}^{n}\frac{h_i}{n}$$
  $$\sigma = \sqrt{\sum_{i=1}^{n}\frac{\left(h_i-\mu\right)^2}{n}}$$
- (b) After obtaining these values for the two flows, the standard deviations of both are checked. The flow with the higher standard deviation is considered the flash flow, and the other one is marked as the attack flow.
- (c) The prior probabilities of both flows are computed using Equations (5) and (6). In these equations, $a$ denotes the number of packets in the attack class, while $fc$ is the total number of packets in the FC class.
  $$p\left[a\right] = \frac{a}{fc+a}$$
  $$p\left[fc\right] = \frac{fc}{fc+a}$$
- (d) Equations (7) and (8) are used to calculate the likelihood probability of a packet $h$ under the attack class and under $FC$. They are based on the Gaussian probability density function and are evaluated separately for the payload size and for the reception time.
  $$p'\left[h/a\right]$$
  $$p'\left[h/fc\right]$$
- (e)
- (f) Finally, the posterior probabilities of both classes, the DDoS attack and $FC$, are computed with Bayes' theorem in Equations (8) and (9).
  $$p\left[fc/h\right] = p\left[h/fc\right] \times p\left[fc\right]$$
  $$p\left[a/h\right] = p\left[h/a\right] \times p\left[a\right]$$
- (g) In Equation (9), the computed posterior probabilities of attack and $FC$ are compared to judge whether the received packets belong to an attack or to an $FC$.
  $$p\left[a/h\right] \;\; \text{versus} \;\; p\left[fc/h\right]$$
- (h) The packet is assigned to the class with the higher posterior probability.

```text
Algorithm 1 Training
Require: Train Dataset
Ensure: Normal, DDoS, FC
Begin
  Incoming Known Traffic;
  for (i = 1; i < Dataset.Length; i++) do
    RL[i].IP  ← Pk.IP      // assignment to receiving list
    RL[i].RT  ← Pk.RT      // RT: receiving time
    RL[i].PLS ← Pk.PLS     // PLS: payload size
    RL[i].P   ← Pk         // packet assigned
  end for
  for each i-th minute in RL.RT do
    m(interval)[i] ← Med( No_pkts per 5 s window within the minute )
  end for
  m(slot) ← Med( m(interval) )   // median of all intervals
  TH ← m(slot)                   // setting threshold value
  if (Pkts < TH) then
    Return "Normal Flow"
  else
    for (i = 1; i < 2; i++) do
      μF_iPM ← Σ_{i=1}^{n} pkts[PLS_i] / n                  // mean calculation
      σF_iPS ← sqrt( Σ_{i=1}^{n} (PLS_i − μPLS)^2 / n )      // SD calculation
      μF_iRM ← Σ_{i=1}^{n} RT_i / n
      σF_iRS ← sqrt( Σ_{i=1}^{n} (RT_i − μRT)^2 / n )
    end for
  end if
  class_i ← P( instances of class_i / total instances )
  p'[h/a]
  p'[h/fc]
End
```

```text
Algorithm 2 Testing
Require: Test Dataset
Ensure: Normal, DDoS, FC
Begin
  Incoming Unknown Traffic;
  if (Pkts < TH) then
    Return "Normal Flow"
  else
    for (i = 1; i < Dataset.Length; i++) do
      RL[i].IP  ← Pi.IP
      RL[i].RT  ← Pi.RT
      RL[i].PLS ← Pi.PLS
      Apply Classifier
      p[a/h]  = p[h/a]  × p[a]
      p[fc/h] = p[h/fc] × p[fc]
      if ( p[a/h] is the higher posterior ) then
        Return "DDoS"
      else
        Return "FC"
      end if
    end for
  end if
End
```
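The two listings above, as an added worked example in Python (not the paper's own code): the threshold step of Algorithm 1, the mean and standard deviation of Equations (3) and (4), the priors of Equations (5) and (6), Gaussian likelihoods for the two attributes, and the posterior comparison of Algorithm 2. The sample flows, the choice of the payload-size standard deviation for step (b) and the treatment of the two attributes as independent are my assumptions.

```python
import math
from statistics import mean, median, pstdev

# Constructed sample flows, not taken from the paper: (receiving-time gap in s, payload size in bytes).
# They mirror the paper's observation that FC traffic varies more in both attributes than DDoS traffic.
FLOW_X = [(0.007, 512), (0.011, 512), (0.013, 512), (0.016, 480), (0.010, 480), (0.006, 490)]
FLOW_Y = [(0.022, 512), (0.050, 460), (0.060, 440), (0.037, 480), (0.070, 530), (0.050, 510)]


def threshold_from_counts(per_second_counts):
    """TH = median over minutes of the median packets-per-5-s window (Algorithm 1, threshold step)."""
    minutes = [per_second_counts[i:i + 60] for i in range(0, len(per_second_counts), 60)]
    m_interval = [median(sum(m[j:j + 5]) for j in range(0, len(m), 5)) for m in minutes]
    return median(m_interval)                     # m(slot)


def stats(flow):
    """Mean and population SD (Eq. 3 and 4, divide by n) of receiving time and payload size."""
    rt, pls = [p[0] for p in flow], [p[1] for p in flow]
    return {"rt": (mean(rt), pstdev(rt)), "pls": (mean(pls), pstdev(pls))}


def label_flows(flow1, flow2):
    """Step (b): the flow with the larger payload-size SD is the FC flow, the other the attack flow."""
    s1, s2 = stats(flow1), stats(flow2)
    return (flow1, flow2) if s1["pls"][1] > s2["pls"][1] else (flow2, flow1)  # (fc, attack)


def gaussian(x, mu, sigma):
    """Gaussian probability density; a tiny floor on sigma guards a perfectly uniform flow."""
    sigma = max(sigma, 1e-9)
    return math.exp(-((x - mu) ** 2) / (2 * sigma ** 2)) / (sigma * math.sqrt(2 * math.pi))


def train(fc_flow, attack_flow):
    """Priors p[fc] and p[a] (Eq. 5 and 6) plus the per-class Gaussian parameters."""
    fc, a = len(fc_flow), len(attack_flow)
    return {"fc": (fc / (fc + a), stats(fc_flow)), "a": (a / (fc + a), stats(attack_flow))}


def posterior(model, cls, pkt):
    """p[cls/h] = p[h/cls] * p[cls] with h = (receiving time, payload size); attributes assumed independent."""
    prior, st = model[cls]
    return gaussian(pkt[0], *st["rt"]) * gaussian(pkt[1], *st["pls"]) * prior


def detect(model, th, pkts_in_window, pkt):
    """Algorithm 2: below TH the flow is normal; otherwise the higher posterior decides."""
    if pkts_in_window < th:
        return "Normal Flow"
    return "DDoS" if posterior(model, "a", pkt) > posterior(model, "fc", pkt) else "FC"


if __name__ == "__main__":
    th = threshold_from_counts([2] * 60 + [4] * 60 + [3] * 60)   # constructed 3-minute count series
    fc, attack = label_flows(FLOW_X, FLOW_Y)
    model = train(fc, attack)
    print(th, detect(model, th, 40, (0.008, 512)), detect(model, th, 40, (0.055, 450)))
```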

## 4. Simulation Results

#### 4.1. Threshold Value

#### 4.2. First Experiment

#### 4.3. Classification of Traffic

#### 4.4. Second Experiment

#### 4.5. Classification of Traffic

## 5. Simulation Results by Using Real Datasets

## 6. Conclusions and Future Work

## Author Contributions

## Funding

## Institutional Review Board Statement

## Informed Consent Statement

## Data Availability Statement

## Acknowledgments

## Conflicts of Interest

## List of Symbols

| Symbol | Description |
|---|---|
| n | Number of packets |
| TH | The threshold value of packets |
| $\mu$ | Mean of a packet |
| $\mu F_iPM$ | Flow $f_i$ payload mean |
| $\sigma F_iPS$ | Flow $f_i$ payload standard deviation |
| $\mu F_iRM$ | Flow $f_i$ receiving time mean |
| $\sigma F_iRS$ | Flow $f_i$ receiving time standard deviation |
| $h_x$ | Attribute $x$ |
| M | Network |
| $p[h/f_c]$ | Likelihood probability of flash crowd |
| $p[h/a]$ | Likelihood probability of attack class |
| RL | Receiving list |
| interval | Period between two nodes |
| slot | Combination of intervals |
| $P_i$ | Packets |
| $\sigma$ | Standard deviation |
| $p[f_c]$ | Prior probability of flash crowd |
| $p[a]$ | Prior probability of attack class |
| $p[f_c/h]$ | Posterior probability of flash crowd |
| $p[a/h]$ | Posterior probability of DDoS attack |
| n | Total number of nodes |
| $class_i$ | Prior probability of class |
| $PLS$ | Payload size of packet |
| RT | Received time of packet |

## References

1. Naresh, V.S.; Nasralla, M.M.; Reddi, S.; García-Magariño, I. Quantum Diffie–Hellman Extended to Dynamic Quantum Group Key Agreement for e-Healthcare Multi-Agent Systems in Smart Cities. Sensors **2020**, 20, 3940.
2. Nasralla, M.M.; García-Magariño, I.; Lloret, J. MASEMUL: A Simulation Tool for Movement-Aware MANET Scheduling Strategies for Multimedia Communications. Wirel. Commun. Mob. Comput. **2021**, 2021, 6651402.
3. Nagar, S.; Rajput, S.S.; Gupta, A.K.; Trivedi, M.C. Secure routing against DDoS attack in wireless sensor network. In Proceedings of the 2017 3rd International Conference on Computational Intelligence & Communication Technology (CICT), Ghaziabad, India, 9–10 February 2017; pp. 1–6.
4. Sharma, M. Wireless sensor networks: Routing protocols and security issues. In Proceedings of the Fifth International Conference on Computing, Communications and Networking Technologies (ICCCNT), Hefei, China, 11–13 July 2014; pp. 1–5.
5. Khan, Z.I.; Afzal, M.M. Security in Wireless Sensor Networks: DoS Perspective. Int. J. Eng. Res. Technol. (IJERT) **2017**, 6, 311–316.
6. Gulisano, V.; Callau-Zori, M.; Fu, Z.; Jiménez-Peris, R.; Papatriantafilou, M.; Patiño-Martínez, M. STONE: A streaming DDoS defense framework. Expert Syst. Appl. **2015**, 42, 9620–9633.
7. Nasralla, M.M.; García-Magariño, I.; Lloret, J. Defenses against perception-layer attacks on IoT smart furniture for impaired people. IEEE Access **2020**, 8, 119795–119805.
8. Saravanan, R.; Shanmuganathan, S.; Palanichamy, Y. Behavior-based detection of application layer distributed denial of service attacks during flash events. Turk. J. Electr. Eng. Comput. Sci. **2016**, 24, 510–523.
9. Ahmed, M.E.; Ullah, S.; Kim, H. Statistical application fingerprinting for DDoS attack mitigation. IEEE Trans. Inf. Forensics Secur. **2018**, 14, 1471–1484.
10. Douligeris, C.; Mitrokotsa, A. DDoS attacks and defense mechanisms: Classification and state-of-the-art. Comput. Netw. **2004**, 44, 643–666.
11. Bhatia, S.; Mohay, G.; Tickle, A.; Ahmed, E. Parametric differences between a real-world distributed denial-of-service attack and a flash event. In Proceedings of the 2011 Sixth International Conference on Availability, Reliability and Security, Vienna, Austria, 22–26 August 2011; pp. 210–217.
12. Lai, G.H.; Chen, C.M. Detecting denial of service attacks in sensor networks. J. Comput. **2008**, 4, 15–29.
13. Singh, N.A.; Singh, K.J.; De, T. Distributed denial of service attack detection using Naive Bayes Classifier through Info Gain Feature Selection. In Proceedings of the International Conference on Informatics and Analytics, Pondicherry, India, 25–26 August 2016; ACM: New York, NY, USA, 2016; Volume 54, pp. 1–54.
14. Oo, T.T.; Phyu, T. A statistical approach to classify and identify DDoS attacks using UCLA dataset. Int. J. Adv. Res. Comput. Eng. Technol. (IJARCET) **2013**, 2, 1766–1770.
15. Wang, M.; Xue, A.; Xia, H. Abnormal event detection in wireless sensor networks based on multiattribute correlation. J. Electr. Comput. Eng. **2017**, 2017, 2587948.
16. Reddy, K.G.; Thilagam, P.S. Naïve Bayes classifier to mitigate the DDoS attacks severity in ad-hoc networks. Int. J. Commun. Netw. Inf. Secur. **2020**, 12, 221–226.
17. Kato, K.; Klyuev, V. An intelligent DDoS attack detection system using packet analysis and support vector machine. IJICR **2014**, 14, 478–485.
18. Katiyar, P.; Kumarn, U.S.; Balakrishanan, S. Detection and discrimination of DDoS attacks from flash crowd using entropy variations. Int. J. Eng. Technol. **2013**, 5, 3514–3519.
19. Yu, S.; Thapngam, T.; Liu, J.; Wei, S.; Zhou, W. Discriminating DDoS flows from flash crowds using information distance. In Proceedings of the 2009 Third International Conference on Network and System Security, Gold Coast, QLD, Australia, 19–21 October 2009; pp. 351–356.
20. Li, K.; Zhou, W.; Li, P.; Hai, J.; Liu, J. Distinguishing DDoS attacks from flash crowds using probability metrics. In Proceedings of the 2009 Third International Conference on Network and System Security, Gold Coast, QLD, Australia, 19–21 October 2009; pp. 9–17.
21. Thapngam, T.; Yu, S.; Zhou, W.; Beliakov, G. Discriminating DDoS attack traffic from flash crowd through packet arrival patterns. In Proceedings of the 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Shanghai, China, 10–15 April 2011; pp. 952–957.
22. Yu, S.; Zhou, W.; Jia, W.; Guo, S.; Xiang, Y.; Tang, F. Discriminating DDoS attacks from flash crowds using flow correlation coefficient. IEEE Trans. Parallel Distrib. Syst. **2011**, 23, 1073–1080.
23. Gera, J.; Battula, B.P. Detection of spoofed and non-spoofed DDoS attacks and discriminating them from flash crowds. EURASIP J. Inf. Secur. **2018**, 2018, 1–12.
24. Daneshgadeh, S.; Ahmed, T.; Kemmerich, T.; Baykal, N. Detection of DDoS attacks and flash events using Shannon entropy, KOAD and Mahalanobis distance. In Proceedings of the 2019 22nd Conference on Innovation in Clouds, Internet and Networks and Workshops (ICIN), Paris, France, 19–21 February 2019; pp. 222–229.
25. Sahoo, K.S.; Tiwary, M.; Sahoo, B. Detection of high rate DDoS attack from flash events using information metrics in software defined networks. In Proceedings of the 2018 10th International Conference on Communication Systems & Networks (COMSNETS), Bengaluru, India, 3–7 January 2018; pp. 421–424.
26. Anna, K.B. A New Framework for QoS Provisioning in Wireless LANs Using the P-persistent MAC Protocol. Ph.D. Thesis, University of Central Florida, Orlando, FL, USA, 2010.
27. Mithila, N.H. Performance analysis of DSDV, AODV and DSR in Wireless Sensor Network. Int. J. Adv. Res. Comput. Sci. Electron. Eng. (IJARCSEE) **2013**, 2, 395–404.
28. Chhetri, M.B.; Forkan, A.R.M.; Vo, B.; Nepal, S.; Kowalczyk, R. Exploiting Heterogeneity for Opportunistic Resource Scaling in Cloud-hosted Applications. IEEE Trans. Serv. Comput. **2019**, 14, 1739–1750.
29. Osanaiye, O.A.; Alfa, A.S.; Hancke, G.P. Denial of service defence for resource availability in wireless sensor networks. IEEE Access **2018**, 6, 6975–7004.

| Article | Details |
|---|---|
| Katiyar et al. [18] | Parameters: IP and port addresses of source and destination; Validation technique: Simulation; Dataset: No dataset used; Detection metrics: Entropy variation; Limitations: Performance degrades as traffic increases (low efficiency) |
| Yu et al. [22] | Parameters: Source IP distribution, access intent, traffic rate; Validation technique: Simulation; Dataset: DDoS → MIT Lincoln, FC → HTTP logs; Detection metrics: Correlation coefficient, total variation; Limitations: Degrades for high-rate DDoS attacks; flow similarity alone is not suitable |
| Bhatia et al. [11] | Parameters: Variation in the source addresses and traffic rate, packet scattering among source addresses; Validation technique: Real-time; Dataset: DDoS → CAIDA 2007, FC → 1998 FIFA World Cup; Detection metrics: Statistical calculation; Limitations: Accuracy not reported |
| S. Renukadevi et al. [8] | Parameters: Flow similarity, client legitimacy, page referred; Validation technique: Simulation; Dataset: DDoS → CAIDA 2007, FC → 1998 FIFA World Cup; Detection metrics: Hellinger distance; Limitations: Accuracy is 91%; environment specific |
| J. Gera et al. [23] | Parameters: Source entropy and traffic entropy; Validation technique: Simulation; Dataset: No dataset used; Detection metrics: Entropy |
| K. S. Sahoo et al. [25] | Parameters: Source and destination IPs, source and destination ports; Validation technique: Simulation; Dataset: DDoS and FC datasets generated with the Scapy tool; Detection metrics: Generalized entropy and generalized information distance |
| S. Daneshgadeh et al. [24] | Parameters: Time interval, source/destination IPs; Validation technique: Simulation; Dataset: CAIDA 2007 for DDoS attack and 1998 FIFA World Cup for FC; Detection metrics: Shannon entropy, Mahalanobis distance, kernel online anomaly detection |
| Wang et al. 2017 [15] | Parameters: Structural, such as temperature, humidity, light intensity, and voltage; Validation technique: Simulation; Dataset: IBRL dataset with manual entries; Target: Detection of abnormal structural events |
| Reddy and Thilagam, 2020 [16] | Parameters: Packet size, port number, source address, destination address, and jitter; Validation technique: Simulation; Dataset: None; Target: DDoS detection and mitigation |

| Parameter | Values |
|---|---|
| Simulator | NS-2.33 |
| Duration of simulation | 60 s |
| Nodes' transmission range | 250 m |
| Network area | 1000 × 1000 m |
| Base protocol | AODV |
| Number of nodes | 100–200 |
| Nodes' distribution | Random |
| Traffic source | CBR |
| Maximum speed of node | 10 m per second |
| Packet size | Random |
| Nodes' pause times | 10 to 60 s |

Number of packets per second:

| Traffic Type \ Time (s) | 10 | 20 | 30 | 40 | 50 | 60 |
|---|---|---|---|---|---|---|
| Normal | 24 | 26 | 32 | 34 | 36 | 38 |
| Abnormal | 37 | 38 | 48 | 58 | 64 | 64 |

Interarrival time:

| Traffic Type \ Received Packets | 200 | 400 | 600 | 800 | 1000 | 1200 | 1400 | 1600 |
|---|---|---|---|---|---|---|---|---|
| DDoS | 0.00743 | 0.01135 | 0.01283 | 0.01600 | 0.01010 | 0.00643 | 0.01923 | 0.00889 |
| FC | 0.02215 | 0.05002 | 0.05999 | 0.03656 | 0.07009 | 0.04996 | 0.03533 | 0.02778 |

Payload size (bytes):

| Traffic Type \ Received Packets | 200 | 400 | 600 | 800 | 1000 | 1200 | 1400 | 1600 |
|---|---|---|---|---|---|---|---|---|
| DDoS | 512 | 512 | 512 | 480 | 480 | 490 | 490 | 490 |
| FC | 512 | 460 | 440 | 480 | 530 | 510 | 512 | 460 |

| Type | IPs | $\sigma(\mathit{PLsSize})$ | $\sigma(\mathit{Time})$ | $\mu(\mathit{PLsSize})$ | $\mu(\mathit{Time})$ |
|---|---|---|---|---|---|
| FC | 14 | 18.1818 | 0.0285 | 490.33 | 0.0472 |
| DDoS | 6 | 10.0484 | 0.00780 | 500.83 | 0.00742 |

| Type | IPs | $\sigma(\mathit{PLsSize})$ | $\sigma(\mathit{Time})$ | $\mu(\mathit{PLsSize})$ | $\mu(\mathit{Time})$ |
|---|---|---|---|---|---|
| FC | 15 | 23.214 | 0.02973 | 483.33 | 0.037 |
| DDoS | 10 | 5.0484 | 0.00130 | 503.12 | 0.00432 |

| Type | IPs | $\sigma(\mathit{PLsSize})$ | $\sigma(\mathit{Time})$ | $\mu(\mathit{PLsSize})$ | $\mu(\mathit{Time})$ |
|---|---|---|---|---|---|
| FIFA World Cup | 8106 | 6130.3 | 0.3498 | 10,055.1 | 27.8181 |
| CAIDA DDoS | 5556 | 0.90 | 0.001123 | 60.8 | 0.0048 |


© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Khan, M.A.; Nasralla, M.M.; Umar, M.M.; Ghani-Ur-Rehman; Khan, S.; Choudhury, N.
An Efficient Multilevel Probabilistic Model for Abnormal Traffic Detection in Wireless Sensor Networks. *Sensors* **2022**, *22*, 410.
https://doi.org/10.3390/s22020410

**Chicago/Turabian Style**

Khan, Muhammad Altaf, Moustafa M. Nasralla, Muhammad Muneer Umar, Ghani-Ur-Rehman, Shafiullah Khan, and Nikumani Choudhury.
2022. "An Efficient Multilevel Probabilistic Model for Abnormal Traffic Detection in Wireless Sensor Networks" *Sensors* 22, no. 2: 410.
https://doi.org/10.3390/s22020410