AI ‐ Based Wormhole Attack Detection Techniques in Wireless Sensor Networks

: The popularity of wireless sensor networks for establishing different communication systems is increasing daily. A wireless network consists of sensors prone to various security threats. These sensor nodes make a wireless network vulnerable to denial ‐ of ‐ service attacks. One of them is a wormhole attack that uses a low latency link between two malicious sensor nodes and affects the routing paths of the entire network. This attack is brutal as it is resistant to many cryp ‐ tographic schemes and hard to observe within the network. This paper provides a comprehensive review of the literature on the subject of the detection and mitigation of wormhole attacks in wireless sensor networks. The existing surveys are also explored to find gaps in the literature. Several existing schemes based on different methods are also evaluated critically in terms of throughput, detection rate, low energy consumption, packet delivery ratio, and end ‐ to ‐ end delay. As artificial intelligence and machine learning have massive potential for the efficient management of sensor networks, this paper provides AI ‐ and ML ‐ based schemes as optimal solutions for the identified state ‐ of ‐ the ‐ art problems in wormhole attack detection. As per the author’s knowledge, this is the first in ‐ depth review of AI ‐ and ML ‐ based techniques in wireless sensor networks for wormhole attack detection. Finally, our paper explored the open research challenges for detecting and mitigating wormhole attacks in wireless networks.


Introduction
Several types of distributed denial-of-service (DDoS) attacks are currently being launched against wireless sensor networks. The sinkhole, black hole, grey hole, wormhole, Sybil, and clone assaults are examples of these attacks. The wormhole attack in WSN includes more than one malicious node, establishing an active path between them over long ranges. These malicious nodes then affect the routing algorithm. Wormhole attacks can be categorised into three types, i.e., open wormhole, half wormhole, and closed wormhole.
The continuous development of wireless communication tends to increase in WSN implementation [1]. WSN is self-organised and consists of a self-organised network con- Mohit et al., reviewed different techniques for the detection of wormhole attacks, a significantly dangerous attack affecting the mission of the network [16]. Alomar et al., focused on the security of wormhole detection techniques in WSNs by compromising their energy efficiency [17]. Goyal et al., reviewed schemes for recognizing a wormhole attack in IoT networks [18]. Farjamnia et al., provided a review of several techniques for the recognition and avoidance of wormhole attacks in WSNs [19].  Table 1 presents a summary of the existing surveys of wormhole detection schemes. The main focus of the existing surveys is stated in the brief. The difference between the existing surveys and this paper is also presented.
According to Table 1, it is clear that there are several gaps in the existing surveys. The surveys are not presented systematically and do not provide detailed and comprehensive critical and comparative analyses. The listed surveys do not include the latest techniques such as artificial intelligence-based schemes and machine learning schemes for mitigating wormhole attacks. Therefore, we present this systematic literature review to fill the gaps in the existing surveys by contributing to the field. This study provides state-of-the-art approaches and the most recent schemes for mitigating wormhole attacks in WSNs.

2020
Survey wormhole attack detection and prevention techniques in WSN Mohit et al. [16] reviewed schemes such as WGDD, RTT, Packet leaches, AOMDV, ANN, and high-power transmission. The advantages and disadvantages of these schemes are listed along with the author's remarks about the schemes. However, a performance analysis based on quality assessment was not included.
Our survey presents a detailed performance analysis, including critical analysis and results comparison, and identified the gaps in all existing schemes.

2018
Detection and prevention analysis of wormhole attacks in wireless sensor networks Kumar et al. [17] presented a comparative analysis of several techniques, including reputation-based routing, Packet leashes, Beacon nodes, LITEWORP, and algorithms using active nodes. However, the study did not include the strengths and limitations of the existing schemes.
Our survey presents a detailed critical analysis and comparative analysis of the schemes and identified gaps.

Review intrusion detection of wormhole attacks in IoT
Goyal et al. [18] compared several existing techniques, including the use of the hound packet, distributed detection algorithm, modified AODV, node connectivity, Merkle tree, and AODV protocol for recognising and preventing wormhole attacks, including the constraints of all the schemes. However, strengths were not specified.
Our survey presents a comprehensive comparative analysis of all existing schemes and detailed critical analysis.

2019
Review techniques used against wormhole attacks on wireless sensor networks Farjamnia et al. [19] presented a review of the existing models (including AOVD with different sizes, ADT, T-AOVD, AOMDV, and DV-Hop with different sizes). The advantages and disadvantages of the models were specified.
Our survey presents a detailed literature review along with a solution to identify gaps in the existing schemes.

2020
Schemes to detect wormholes in WSNs Umashankar et al. [20] presented a detailed review of the literature on wormhole attack detection. However, the latest schemes were not included. The advantages and disadvantages of the existing schemes were not specified.
Our survey presents all the latest schemes, including AI-and ML-based schemes, and a detailed critical analysis of all existing schemes.

2019
Survey the detection and prevention of wormhole attacks in mobile ad hoc networks Anju et.al. [21] presented several existing schemes of wormhole recognition, including AODV, RTT, Neighbour Discovery, and Hop count. However, the strengths of the schemes were not specified, and the presented survey was not systematic.
Our survey presents all existing schemes in detail and identifies a better technique. Moreover, challenges are specified for future research.

2018
Survey approaches and measures in detecting wormhole attacks in WSNs Diksha et al. [22] presented a literature review on different location time, cluster-base, public key encapsulation, moving average indicator, hop count, and RTT-based approaches. However, it is not a systematic survey and not all the pros and cons of the schemes were elaborated in detail.
Our survey presents a detailed literature review of existing techniques along with a comprehensive critical analysis. It also includes AI-and ML-based schemes.

2018
Techniques and challenges in detecting wormhole attacks in WSNs Padmarpriya et al. [23] presented challenges in WSN concerning the limited bandwidth, time, power management, design constraints, and security. The schemes of wormhole recognition were presented on a category basis. However, there was neither a critical analysis of schemes nor a quality assessment of research articles.
Our survey presents a comprehensive critical analysis of all existing schemes. Moreover, research gaps and challenges are identified.
The use of WSNs has been increasing day by day in the field of medical and military [24]. Eal et al., conducted an extensive survey that provides a deep insight into different WSNS applications in the real world and the nature of the security needed for those WSNs [25]. This SLR aims to identify gaps in the research on the detection and prevention of wormhole attacks in WSNs. To identify gaps in the research, the research papers of the last four years-sourced from three databases, i.e., IEEE, Springer, and Elsevier, were systematically searched. All strings with three synonyms were searched for, and seven papers were selected for each string. Newspapers, theses and white works were not included. Repeated papers in all strings were excluded. The articles were then filtered out based on title and abstraction. This SLR reviews all the schemes for recognizing and avoiding wormhole attacks in WSNs. All the techniques were deeply studied based on set objectives. This work provides a comprehensive critical analysis of the existing methods.
After the critical analysis of all techniques, this SLR presents a detailed performance analysis of all wormhole mitigation schemes, followed by a section presenting the identified challenges. Finally, this SLR concludes that many researchers have presented different techniques based on different objectives. Several methods are evaluated based on detection accuracy, performance, additional hardware used, packet delivery ratio, and energy consumption. Figure 3 presents the organization of the paper. The main contributions of our work are as follows: 1. A detailed review is performed to analyse the problems in state-of-the-art techniques for wormhole attack detection. 2. In this paper, AI and ML techniques are proposed as the optimal solution to the state-of-the-art problems in wormhole detection in wireless sensor networks. 3. The open research challenges are identified, and the literature addressing them is listed.
This paper is organized as follows: Section 2 provides a systematic literature review; Section 3 provides detailed literature, and Section 4 provides performance analysis. The performance analysis is divided into subsections based on the critical analysis, comparative analysis, and identified challenges. Section 5 discusses the optimal solutions, followed by the last section, Section 6, which provides conclusions. Table 2 represents the acronyms used in this paper and their definitions.

Systematic Literature Review
The research literature presented in this paper is reviewed systematically. First, a searching protocol was developed according to which the systematic searches were conducted. These searchers were led using the development of strings according to the identified research question. Afterwards, a search strategy was made to categorise all the searches according to the search journals. Moreover, research articles were included according to their inclusion criteria and filtered according to their title, abstract, and objectives.

Searching Protocol
A searching protocol was designed according to which papers published over four years (2018, 2019, 2020, and 2021) were selected for searching. In addition, three synonyms of each keyword and four databases (IEEE, Springer, Elsevier, and Science Direct) were used for searching. Only seven papers were selected against each string. Figure 4 presents the search strategies.

String Development
The strings were developed by using three synonyms of each keyword. Research Question: Which methods provide the detection of wormhole attacks in WSNs?

Inclusion Criteria
An inclusion criterion was made according to which all papers from journals were included. No white papers were included. Those papers which are not yet published are not included.

Filtering
In the filtering phase, the first stage was title-based filtering, as shown in Figure 5. All papers which were not relevant to the topic of the problem were excluded from all the selected databases. In the second part, abstract-based filtering was conducted. All the papers in which the abstracts were irrelevant to the problem were excluded from all the selected databases. In the third part of the filtering, objective-based filtering was conducted, as shown in Figure 5.
All the papers were filtered according to their objectives, and a table was produced which shows papers categorised by their objectives.
After the title and abstract-based clustering, the objectives of the research papers were identified and categorised into clusters. Table 3 shows this objective-based screening. The categories of objectives were as follows: detection rate (DR), packet delivery ratio (PDR), low energy consumption (LEC), no additional hardware (NAH), detection accuracy (DA), false positive rate (FPR), mean detection delay (MDD), end-to-end delay (EED)fewer resources (LR), less complex (LC), speed (S) and poor connectivity (PC).

Detailed Literature
The main aim of all the papers was to recognize and prevent wormhole attacks in wireless sensor networks.

Artificial Immune Systems and Machine Learning-Based Systems
The research of Ref. [26] presented an artificial immune system with fuzzy logic for mitigating wormhole attacks with high FPR and PDR and less PLR. The system was designed by modifications to the AODV protocol with fuzzy logic to develop an immune system. The results were simulated using the NS2 simulator. The delivery ratio of the AODV protocols decreases with a high increase in the number of connections. In the process of finding the right path, the shortest path can be lost due to network traffic.
The research of Ref. [27] presented a hybrid RPL protocol for mitigating wormhole attacks with high DA and using less computation power. It uses a support vector machine, a supervised machine learning algorithm for detecting intruders. RPL is a complex protocol that increases the network's control packets, resulting in overhead and increased energy consumption.
The research of Ref. [28] presented an ANN approach for wormhole mitigation. It uses the connectivity information of sensor nodes as a distance measure for hop counts. The simulations of the proposed approach were conducted on 500 nodes using MATLAB. The ANN's training and testing results show that this approach can detect wormholes with a high detection accuracy-up to 97%-and without using any additional hardware.
The research of Ref. [29] presented a deep learning approach for wormhole mitigation. It uses RTT and LSTM for the detection process. It also uses the Whale optimization algorithm with fitness rate modification to select the optimized path. The analysis of the scheme was conducted using Python. The results show that this optimised LSTM approach provides a high detection accuracy and PDR. It also consumes less energy and provides less E2E delay.
The research of Ref. [30] presented a wormhole mitigation approach named Delta Rule First Order Iteration Deep Neural Learning Intrusion Detection (DRFOIDL-ID). It uses a deep neural network for the detection of intruders and removes them by the isolation process. The DRFOIDL-ID was compared with the energy trust system (ETS) and RPL-based system. The results showed that DRFOIDL-ID provides a high detection accuracy and less FPR and PLR.
The research of Ref. [31] presented a machine learning-based approach for wormhole mitigation in MANET. It uses KNN, SVM, DT, LDA, NB, and CNN for the classification of malicious nodes from the extracted features of the collected data of the nodes. The simulations of all the methods were conducted in MATLAB 2019b. The results showed that the decision tree (DT) provides high detection accuracy: of up to 98.9%.
The research of Ref. [32] presented a novel intrusion detection system that uses fuzzy logic with a feed-forward neural network. The fuzzy rules are used to train the neural network, and the neural network's performance was evaluated through simulation. The results were compared with simple machine learning techniques, which showed that this novel approach provides a detection accuracy of up to 98.8%.
The research of Ref. [33] presented an unsupervised learning-based scheme that uses a weighted clustering algorithm for wormhole attack detection. It is an energy-efficient scheme that makes clusters of networks and collects data on the base station without any intervention in the network's activity. These data are then classified using SVM and MLP (multilayer perceptron). The results of this approach showed an accuracy of up to 90%, but in a real-time system, it showed an accuracy of up to 75%.
The research of Ref. [34] presented a supervised machine learning-based scheme which detects wormhole attacks in VANET over an accurate map. It uses the random forest and K-nearest neighbour classifiers for malicious node detection. This paper also proposed a packet leash and cryptographic concept-based scheme to prevent wormhole attacks. The simulation results showed that the proposed scheme for detection provides a detection accuracy of up to 99.1%.
The research of Ref. [35] presented a supervised machine learning-based scheme which uses the naïve Bayes classifier with EC-BRTT (enhanced code-based round trip time) for malicious node detection. The simulation of the presented technique showed effective results in terms of communication overhead, data delay, and attack detection.
The research of Ref. [36] presented a supervised-based machine learning algorithm for intrusion detection. It uses decision tree algorithms named C4.5 and CART to identify network patterns. The results of the proposed approach were compared in terms of different network parameters, such as accuracy, number of nodes, number of training samples, and number of attackers. The results show that C4.5 attained a higher accuracy (70%) than the CART classifier. Figure 6 shows the classification of AI-based schemes for wormhole detection in WSNs.

Neighbor Discovery-Based Systems
The research of Ref. [37] presented a less energy-consuming technique, using no additional hardware and providing higher detection accuracy. A localized protocol for creating credible discovery (CREDND) is proposed. It recognizes wormholes outside-as well as inside-the network. The presented scheme, CREDND, was compared with the accuracy of the already existing SECUND and SEINE techniques, which also use local monitoring and hop difference. CREDND did not work well with dynamic changes in the communication range of nodes.
The research of Ref. [38] presented an energy-friendly trust-based technique with reduced overhead on network traffic. A trust-based mechanism is used to detect wormhole and grey hole attacks in IoT networks. It uses the routing protocol for low power and lossy networks (RPL) as a routing protocol for IoT networks. It computes direct and indirect trust based on the properties of nodes and the opinions of neighbour nodes, respectively.
The research of Ref. [39] presented a technique that provides a lower false positive rate, shorter mean detection delay, and higher detection accuracy. A decentralised statistical scheme detects wormholes in MANETs using an NS3 simulator. It uses already existing statistical wormhole apprehension using the neighbors (SWAN) algorithm with some modifications. A decentralised statistical technique showed a loss of control and costlier operations.
The research of Ref. [40] presented an MLAMAN technique that detects wormhole attacks in dynamic tunnel lengths and changes nodes' speed. It detects intruders by calculating hop difference and using the AODV protocol in three levels, i.e., packet level, neighbour level, and membership level, for the authentication of intermediate nodes. The results of the MLAMAN protocol were simulated using an NS2 simulator. This protocol provides an accuracy of 100% in a static network and an accuracy of 98% in a dynamic network. The delivery ratio of the AODV protocols decreases with a high increase in the number of connections. In the process of finding the right path, the shortest path can be lost due to network traffic. The AODV protocol does not provide scalability, load balancing, or congestion control.
The research of Ref. [41] presented a detection scheme in 3D networks for wormhole detection by using only the connectivity information of the node. The proposed maximum independent sets (MAXIS) use a greedy algorithm. The proposed technique can be easily implemented. The detection rate was calculated for several node densities. The results showed that the proposed technique can provide an accuracy of 90%. The greedy algorithm fails to find an optimal solution.
The research of Ref. [42] proposed a scheme-named neighbourhood information and alternate path calculation (NIAPC), which provides high accuracy, PDR, and throughput. The presented scheme is based on the AODV protocol. The simulation was conducted for 100 nodes, showing a high detection accuracy without specific storage requirements.
The research of Ref. [43] presented a scheme-named energy preserving secure measure against wormhole (EPSMAW)-which provides low end-to-end delay, less energy consumption, and traffic overhead. The presented scheme uses the AODV routing protocol and is based on neighbour and connectivity information. The simulations were conducted for 150 nodes, showing high throughput and a lower false positive rate.
The research of Ref. [44] presented a software-defined network-based approach for wormhole detection. It uses information regarding neighbour similarity. The simulations of the presented approach were conducted on 100 and 1000 nodes, which were implemented using Python. The K-means clustering was applied after computing the neighbour similarity index (NSI) and augmented concentration index (ACI) values. The results showed that SWAN can detect wormholes with less communication overhead and low FPR and FNR.

AODV Protocol-Based Systems
The research of Ref. [45] presented an improved AODV protocol technique that is less complex and consumes less energy. An ad-hoc on-demand distance vector (AODV) protocol detects and prevents blackhole and wormhole attacks. Several denial-of-service attacks are also compared. The delivery ratio of AODV protocols decreases with a high increase in the number of connections. In the process of finding the right path, the shortest path can be lost due to network traffic.
The research of Ref. [46] presented a confirmation system for detecting wormhole attacks using a honeypot. It creates trees attacked by wormholes and honeypots in order to make a decision. It used the AODV protocol and resilient ethernet protocol to search for the wormholes of a tree. The system was simulated for 50-200 nodes. This proposed system provides accurate results in different network sizes. It provides scalability and a reduction in the production of false alarms. The delivery ratio of the AODV protocols decreases with a high increase in the number of connections. In the process of finding the right path, the shortest path can be lost due to network traffic.
The research of Ref. [47] presented a review of the performance of wormhole attacks in three different protocols: AODV, OSLR, and ZRP (a hybrid protocol IARP and IERP). The results were simulated using the qualnet 5.0 simulator (Scalable Network Technologies, Inc., Los Angeles, CA, USA). The results were evaluated based on end-to-end delay, throughput, and energy consumption. The results showed that AODV and ZRP are better than OSLR. ZRP has more throughput than the other two protocols. The delivery ratio of AODV protocols decreases with a high increase in the number of connections. In the process of finding the right path, the shortest path can be lost due to network traffic.
The research of Ref. [48] presented a lightweight scheme for wormhole mitigation in MANET. The sender nodes collect all reply packets and their sequence numbers and compare them with the calculated average sequence number to detect intruders. This lightweight scheme is compared with the AODV in the NS2 Simulator. The results showed that the proposed mechanism provides high throughput, high PDR, less routing overhead, and average delay.

RTT-Based Systems
The research of Ref. [49] presented an RTT-based technique that uses clock synchronisation and does not require additional hardware. A round-trip time (RTT) centred mechanism was proposed in order to recognise dynamic wormhole attacks. It detects the wormhole attack by comparing the actual and expected RTT of the nodes. The performance of the mechanism was simulated using the NS2 simulator. The results were improved regarding packet delivery ratio, average energy consumption, throughput, routing overhead, and jitter. The RTT is inhibited due to network traffic. If a server requests an increase, it results in increased RTT and affects the efficiency of the RTT. The RTT also increases when a node experiences network congestion due to the network traffic slowing down the connection. The increased distance between the nodes increases the RTT.
The research of Ref. [50] proposed a new protocol for the detection of wormhole attacks in wireless mesh networks, providing high detection rates. The proposed protocol used the round-trip time (RTT) method in conjunction with the propagation time. The simulations of four different scenarios with different numbers of nodes were performed on NS3 simulators to test the effectiveness of the proposed protocol. The RTT was inhibited due to network traffic. If a server requests an increase, it results in increased RTT and affects the efficiency of the RTT. The RTT also increases when a node experiences network congestion due to network traffic slowing down the connection. The increased distance between nodes increases the RTT. Table 4 briefly presents a summary of methodologies of wormhole detection schemes. Table 4. Summary of methodologies of wormhole detection schemes.

Ref. Scheme Methodology
Neighbours discovery based [37] CREDND (creating a credible neighbour discovery) protocol This scheme uses a neighbour ration threshold to evaluate which nodes should be checked. After this, an external wormhole is recognized by hop count as external malicious nodes acting in hidden mode and using the out-of-band channel. In the last step, an internal wormhole is recognized by authentication packets as internal malicious nodes act as normal nodes and use packet encapsulation.
[38] Trust-based scheme This lightweight trust-based scheme computes direct trust (DT) by considering the node properties and indirect trust (IT) and by considering the opinions of neighbour nodes. Every node keeps track of its neighbours and checks that they work according to the RPL network rules. The sum of DT and IT is calculated, and the decision is made based on TT (total trust).
[39] Decentralized statistical scheme This scheme uses two parameters, i.e., the number of new neighbours and the number of old neighbours. The SWAN algorithm is used for detecting the number of neighbours. The decision rule is used with a sliding window to make the decision.
[40] MLAMAN scheme This scheme works by changing tunnel lengths and the speed networks of the nodes. The malicious node is recognized by using hop-difference and AODV protocol. It detects intruders at the packet, neighbour, and membership levels.
[41] MaxIS scheme The proposed method uses a greedy algorithm to search for intruders in maximum independent sets with forbidden sub-structures.
[42] NIAPC scheme This scheme uses the AODV protocol and neighbourhood information to detect malicious nodes. It finds an alternate path for secure communication all over the network.
[43] ESPMAW scheme This scheme uses the AODV routing protocol, neighbour, and connectivity information to find intruders in the system. This scheme uses the information of neighbour similarity for the detection of wormholes in software-defined networks.
AODV protocol-based schemes [45] Wormhole recognition using AODV The sender sends an RREQ (route request packet) to the receiver node in the AODV network. The sender calculates the average sequence numbers of all the receiver nodes. The receiver sends an RREP (route reply packet) to the sender, who compares the sequence number of the receiver with the already calculated average and decides whether the path is attacked. [46] Confirmation system using honeypot This method uses a honeypot for creating trees. The AODV and resilient ethernet protocol searches these trees for wormhole node detection.
[47] AODV based scheme AODV, OSLR, and ZRP are used to detect malicious nodes in the wireless sensor network.
[48] Lightweight scheme (AODV) In this scheme, the sender nodes collect all reply packets along with their sequence numbers and compare them with the calculated average sequence number to detect intruders.
RTT based [49] RTT-centred wormhole recognition The AODV protocol is used in the route discovery phase. The sender sends an RREQ and saves the TREQ. The receiver sends the RREP back to the sender. The RTT is calculated as the difference between the TREP and TREQ. The path is considered a wormhole attack if the RTT exceeds the threshold limit.
[50] RTT centred scheme This scheme uses RTT in conjunction with propagation time. The sender sends an RREQ packet and receives an RREP packet. The sender then calculates the RTT and propagation time to decide whether the route is attacked or attacked-free.
[51] EIRGP and RTT-based scheme This scheme uses the EIGRP protocol and round-trip time for the detection of intruders. [52] Trust-based scheme This scheme uses RTT and AODV protocols for detecting malicious nodes.
High-power transmission based [53] Energy model by using AODV and hop count Hop count is used to computing the distance between sender and receiver. Every node consists of a routing table and the next-hop of all nodes. The AODV routing protocol and high-power transmission are used to build a wormhole path. The malicious nodes send data packets with high energy levels, resulting in nodes draining. The system shows the normal nodes in green and the negative nodes in red.
[54] RPL-based scheme The RPL routing protocol is used with the RSSI value to detect malicious nodes in the network.
Path selection [55] 3PATw scheme This scheme applied 3PAT to recognize the blackhole in each communication in the network. Once it recognized the black hole, the modified transmission radius based (TRB) is applied to recognize the wormhole.
[56] Spanning trees scheme This scheme selects a rode node for the spanning tree. The Breadth-First Search (BFS) algorithm is applied to detect wormhole nodes in the tree.
[57] AD-PSO scheme First of all, K paths are selected. The sender sends a detection packet (DP) containing RTT and hops count information. The receiver generates a feedback packet (FP). The DP and FP are compared to find wormhole nodes. Once it detects the malicious node, PSO is used to find the optimal attacker-free path.
Statistical method based [58] Encapsulation and fragmentation of message (EFM) scheme This scheme presents a data packet security process that encapsulates the message and adds extra four-bit information. The message is decapsulated at the receiver's end. The technique divides the message into small pieces and sends all pieces through different parts to the destination.
[59] Intrusion prevention system This scheme presents an intrusion prevention system (IPS) which detects malicious nodes and broadcasts their credentials all over the network so that no more nodes connect with those malicious nodes.
[60] HCBS protocol-based scheme This scheme uses a dynamic matrix key process to store all the local information of the nodes so that legal nodes can be identified. It performs encryption and decryption along with two hash functions.
[66] HKP-HD scheme This scheme uses key generation and its pre-distribution to reduce the chance of attacker nodes.
[67] Elliptic curve cryptography scheme This scheme uses elliptic curve cryptography with the AODV protocol for wormhole attack-free networks.

Mobile agent and
Cloud-base d [68] Visiting centre local-based scheme This scheme introduces a mobile agent in the network which is responsible for distinguishing malicious nodes from normal nodes.
[69] Cross-layer verification scheme This scheme presents a cross-layer verification framework (CLVF) to find intruders in the system.
The research of Ref. [51] presented a scheme based on the EIGRP protocol, which provides high throughput and less packet delivery ratio. It used round trip time for the detection of intruders. The scheme is simple, and simulations show improved results in terms of performance. The research of Ref. [52] presented a hybrid trust-based scheme that provides AODV protocol with RTT for the detection of wormhole nodes. This scheme provides high Packet delivery ratio.

High-Power transmission-based Systems
The research of Ref. [53] presented a high-power transmission technique with a high packet delivery ratio and less end-to-end delay for recognising wormholes in mobile ad-hoc networks (MANETs). MANETs use WLAN technology for communication. The proposed technique uses the ad-hoc on-demand distance vector (AODV) protocol to detect wormholes by high-power transmission using the energy model ns2 simulator. The delivery ratio of AODV protocols decreases with a high increase in the number of connections. In the process of finding the right path, the shortest path can be lost due to network traffic.
The research of Ref. [54] presented a detection scheme for wormhole attacks that provides an effective detection rate. It uses the RPL protocol and RSSI values to detect intruder nodes. The experiments were simulated on Contiki OS with a Cooja simulator for the different nodes, i.e., 8, 16, and 24. The results provide a successful true positive detection rate of 90%.

Path Selection-Based Systems
The research of Ref. [55] presented the 3PAT wormhole technique for detecting wormhole attacks, which provides results with a high packet delivery ratio and detection rate. It combines existing transmission radius-based and 3PAT blackhole algorithms with slight modifications. The RTT is inhibited due to network traffic. If a server requests an increase, it results in increased RTT and affects the efficiency of the RTT. The RTT also increases when a node experiences network congestion due to network traffic slowing down the connection. The increased distance between nodes increases the RTT.
The research of Ref. [56] presented a spanning trees technique for detecting wormhole attacks which use no additional hardware and provides higher detection accuracy. This technique used the breadth-first search algorithm to select the roots of trees. It used only the network's connectivity information. It is a cost-effective technique without any traffic overhead. All the traffic flows towards a single path, which sometimes restricts more direct paths.
The research of Ref. [57] presented an optimal AD-PSO scheme for recognising and preventing wormhole attacks in WSNs with less energy consumption and an effective network lifetime. The proposed technique used the ad-hoc on-demand multipath distance vector (AOMDV) for wormhole path detection and particle swarm optimization (PSO) for optimal path selection. The results were compared with trust-and energy-based routing protocols (TESRP) regarding the energy consumption and network lifetime. The delivery ratio of AODV protocols decreases with a high increase in the number of connections. In the process of finding the right path, the shortest path can be lost due to network traffic.

Statistical Method-Based Systems
The research of Ref. [58] presented a scheme that uses the encapsulation and fragmentation of message (EFM) techniques to secure data packets. This technique encapsulates the message and adds extra four-bit information to it. The message is decapsulated at the receiver's end. The technique divides the message into small pieces and sends all the pieces through different parts to the destination. In this case, more data loss can be avoided when there is a wormhole attack in the network. The simulations were conducted for 10 nodes which showed the average packet delivery ratio.
The research of Ref. [59] presented an intrusion prevention system (IPS) scheme which detects malicious nodes and broadcasts their credentials all over the network so that no more nodes connect with those malicious nodes. This scheme causes unnecessary communications among nodes, resulting in high costs and increased traffic overhead.
The research of Ref. [60] presented a trust-based scheme for wormhole mitigation in ad-hoc WSN. It detects malicious nodes in clusters using the heterogeneous cluster-based secure directing convention (HCBS) protocol. The simulations of the presented approach-named TSDAMN-were conducted in the MANsim testing system, which showed high throughput, limited E2E delay, less PLR, and high PDR.

Hop Count and Weight-Based Methods
The research of Ref. [61] presented a scheme named Location information and time synchronisation (LITS), which detects suspicious nodes using increased delay information. The suspicious nodes are passed through a verification process of two replayable control messages and time synchronization.
The research of Ref. [62] presented a detection scheme-named WDV-hop-based localisation-which provides a high detection rate. The scheme first detects suspicious nodes, then calculates their localisation errors, and drops the malicious nodes.
The research of Ref. [63] presented a wormhole mitigation approach that provides high throughput and PDR. It uses the DELPHI (delay per hop indication) approach with some broadcasting modification by computing the threshold values. The simulations of this scheme were conducted in the NS2 simulator. The results showed that the proposed scheme provides less packet loss, less jitter, and average E2E delay.
The research of Ref. [64] presented a hybrid approach for wormhole mitigation named RSSI and hop count-based energy efficient wormhole attack detection system for IoT network (RHE2WADI). It uses received signal strength indicator (RSSI) values and hop count to detect malicious nodes in the IoT network. The simulations were conducted in a Cooja simulator. The results showed that it provides a high detection accuracy of up to 95%, less overhead, less energy consumption, and less delay.

Authentication Key-Based Systems
The research of Ref. [65] presented a scheme-named efficient dynamic authentication and key (EDAK) management-which generates dynamic keys for messages to be transmitted from the source to the destination. The dynamic matrix key DMK process stores the local information of all the nodes so that legal nodes can be identified. The EDAK performs encryption and decryption, along with two hash functions. The scheme is flexible and scalable to large networks. It causes less traffic overhead.
The research of Ref. [66] presented a hybrid key pre-distribution scheme (HKP-HD) scheme, which reduces the chances of sensor nodes being attacked.
The research of Ref. [67] presented an elliptic curve cryptography scheme for wormhole mitigation. It uses the AODV protocol. The simulations were conducted on 250 nodes in the NS2 simulator. The results showed that the presented crypto scheme provides high throughput, high PDR, less E2E delay, and less routing overhead.

Mobile Agent and Cloud-Based Systems
The research of Ref. [68] presented a scheme named visiting centre local (VCL), which is based on mobile agent packet structure (MAPS). This scheme introduces a mobile agent in the sensor network which is responsible for distinguishing malicious nodes from normal nodes. The simulations for 200 nodes are done in the Sinalgo simulator, and the results show an improved packet delivery ratio, less energy consumption, and enhanced network lifetime.
The research of Ref. [69] presented a scheme-named cross-layer verification framework (CLVF)-which provides high detection accuracy, minor end-to-end delay, and high throughput. The simulations were conducted for 250 nodes, and the results were compared with the existing LBIDS technique. The results were better than the existing techniques. Table 5 summarises the critical analysis of all the schemes for recognising and avoiding wormhole attacks. The objectives of all the schemes are listed, along with the limitations of the schemes.

Critical Analysis
The research of Ref. [37] presented the creating credible discovery (CREDND) scheme, which uses neighbour information. It uses no additional hardware. It detects wormhole attacks at a high rate and consumes less energy; however, this scheme does not work well in networks with changing communication ranges of nodes. A high-power transmission technique was presented [53], providing a high packet delivery ratio and less end-to-end delay. However, this scheme uses the AODV protocol, which provides no scalability [70].
The research of Refs. [49][50][51][52] presented RTT-based techniques which provide a high detection rate. The limitation of these schemes is that the RTT increases with the increase in distance between nodes. The local area network traffic also affects the RTT.
The research of Refs. [38,54] presented RPL protocol-based schemes. The presented schemes are complex, as RPL increases control packets in the network resulting in traffic overhead [71].
The research of Ref. [45] presented an improved AODV protocol that consumes less energy. It is a less complex scheme. However, it provides no congestion control [70].
The research article of Ref. [41] presented a forbidden substructure technique that uses a greedy algorithm; however, sometimes, it fails to find an optimal solution.
The research of Ref. [46] proposed a tree-based model with a honeypot which uses very few resources. However, no protection is provided against misconfiguration, so it is easy to create loops.
The research of Ref. [39] presented a decentralised statistical technique that provides high detection accuracy and a false-positive rate. This scheme provides less mean detection delay; however, there is a loss of control regarding the traffic overhead and costlier operations affect the performance.
The research of Ref. [56] presented a spanning tree technique, which uses no additional hardware and provides high detection accuracy; however, it restricts more direct paths as all data flow towards only a single path.
The research of Ref. [57] presented an AD-PSO technique, which consumes less energy and provides an effective network lifetime. This is an optimal scheme but does not provide load balancing [70].
The research of Ref. [40] is a modified AODV scheme that uses multi-hop count analysis. It provides the maximum moving speed of nodes; however, there is a loss of energy in the multi-hop count analysis.
The research of Ref. [26] proposed an artificial immune-based scheme using fuzzy logic, which provides high PDR, high FPR, and less PLR. However, this scheme provides less stability in the network due to fuzzy logic [72].
The research of Ref. [27] presented an SVM-based scheme with an RPL protocol which provides high detection accuracy and requires less computation power; however, the computational complexity of the SVM is high [73].
The research of Ref. [42] presented a NIAPC scheme using AODV, which provides high detection accuracy, PDR, and throughput. The scheme has no specific storage requirement; however, the false negative rate for the short-distance wormhole is high.
The research of Ref. [43] presented an ESPMAW scheme using AODV, which provides high throughput, less E2E delay, and traffic overhead. This scheme consumes less energy. However, it cannot detect wormholes for shorter tunnel lengths. The research of Ref. [51] presented an EIRGP-and RTT-based scheme, which provides high throughput and less PDR; however, it cannot find malicious nodes effectively. The study of Ref. [52] presented a trust-based scheme using RTT and AODV, which provides high PDR. This scheme uses no additional hardware; however, the throughput rate is low. The research [58] proposed the encapsulation and fragmentation of message (EFM) scheme, which provides less PLR; however, the packet delivery ratio is average. The research of Ref. [59] presented an intrusion prevention system which provides high detection accuracy; however, the traffic overhead is increased, and the computation cost is high. The research of Ref. [61] presented a LITS scheme that provides high detection accuracy and reduced localization error; however, it requires clock synchronisation, increasing the computation cost.
The research of Ref. [62] presented a WDV-hop scheme that provides high detection accuracy; however, the packet delay is increased, and the complexity is high. The research of Ref. [65] presented an EDAK scheme which provides less traffic overhead. This scheme is scalable to large networks; however, there is no data integrity. The research of Ref. [66] presented an HKP-HD scheme which provides high detection accuracy. This scheme has less of a chance of attack; however, it is not applicable for the highly mobile network. The research of Ref. [32] presented a PPKP scheme which provides secure communication; however, it can only be applied initially. The research of Ref. [68] presented a visiting centre local-based scheme which provides high detection accuracy and less energy consumption. It provides an enhanced network lifetime; however, the security in the transaction context is only medium [64]. The research of Ref. [69] presented a cross-layer verification scheme that provides high detection accuracy and high throughput. This scheme experiences less E2E delay. However, it cannot be applied to multicast routing protocols. The performance rate of the network degrades with time.
The research of Ref. [44] presented a SWANS scheme which provides less communication overhead, less FPR, and less FNR.
The research of Ref. [28] presented an ANN-based approach with a hop count which provides high detection accuracy. This scheme uses no additional hardware; it only uses connectivity information. However, the computational complexity of the neural network is high [74].
The research of Ref. [63] presented a delay per hour indication (DELPHI) scheme which provides high throughput, PDR, and less PLR. This scheme provides less jitter; however, the end-to-end delay is average. The research of Ref. [60] presented an elliptic curve cryptography scheme using AODV which provides high throughput, high PDR, and less E2E delay. It provides less routing overhead, although provides no scalability, no congestion control, and no-load balancing [70].
The research of Ref. [29] presented an LSTM scheme using RTT, providing high detection accuracy, high PDR, and less energy consumption. It provides less E2E delay; however, the computational complexity of the neural network is high [74]. The research of Ref. [60] presented an HCBS protocol-based scheme which provides high throughput, high PDR, and less PLR. This scheme provides less E2E delay; however, the cluster head selection increases the computational complexity [75]. The research of Ref. [48] presented an AODV-based scheme which provides high throughput, high PDR, and less routing overhead, although the end-to-end delay is average. The research of Ref. [30] presented a DRFOIDL-ID scheme using RPL, which provides high detection accuracy, less FPR, and PLR; however, the computational complexity of the neural network is high. The research of Ref. [31] tested the ML supervised learning methods KNN, SVM, DT, LDA, NB, and CNN for wormhole detection in which DT provides high detection accuracy; however, CNN has high computational complexity. The research of Ref. [72] presented the RHE2WADI scheme using RSSI value, which provides high detection accuracy, less traffic overhead, and less energy consumption; however, the end-to-end delay is average. Table 6 presents a summary of the comparative analysis of the performance matrices of all the schemes of wormhole recognition and avoidance. All the schemes are evaluated and compared in this table based on the performance matrices. Table 6. A comparison of the performance matrices wormhole detection schemes.

Identified Challenges
This section presents the issues and challenges of all schemes of recognition and the avoidance of wormhole attacks listed in Table 7. It briefly states the limitations of all the schemes. These are the open research areas in which work can be conducted in the future to overcome the issues and challenges addressed by the schemes. Table 7. Identified challenges of wormhole detection schemes.

Category
Challenges Neighbour discovery-based schemes [37][38][39][40][41][42][43][44] It is difficult to work well in different communication ranges and dynamically changing WSNs. The dependency on the neighbour node should not be high. In addition, the energy consumption is high, which shortens the network lifetime.
AODV-based schemes [45][46][47][48] It is difficult to provide scalability, load balancing, and congestion control in working with the AODV protocol. The shortest path may be lost due to traffic overhead. The delivery ratio of the AODV protocol decreases with a high increase in the number of connections. Therefore, it is difficult to work with it in complex conditions. It also cannot be implemented in a network with many nodes.
RTT-based schemes [49][50][51][52] The RTT stops when there is an increase in network traffic. It also increases with the increase in distance between nodes. It is difficult to work with RTT in a complex network as the increase in server requests increases, affecting RTT's efficiency.
RPL-based schemes [38,54] It is difficult to work in the RPL network as it is a complex protocol that generates a large number of control packets resulting in high energy consumption. The network overhead increase with an increased number of data packets.

Need to Work with Constantly Shifting Ranges
When the nodes in WSNs are changing their positions continuously, and the network uses various communication ranges, the communication becomes difficult because each node depends on neighbours' information, making it vulnerable to several attacks. Therefore, it is difficult for it to work well in different communication ranges and dynamically changing WSNs because the dependency on the neighbour node should not be high [37]. The delivery ratio of AODV protocols decreases with a high increase in the number of connections. Therefore, it is difficult to work with it in complex conditions [45].

Need for Scalability and Load Balancing
The AODV protocol is well known for routing. However, it does not assure the proper working of the network in cases of increased network size. It also does not provide load balancing and congestion control. When the network traffic increases, there is a high chance of the loss of the shortest path in the AODV protocol [53]. The AODV protocol which is used for routing does not provide scalability in the network. It cannot be implemented in-network with a large number of nodes [46]. The AODV protocol used for routing does not provide congestion control in the network [40,57]. The RPL routing protocol increases network overhead with more data packets [38]. Working in complex conditions with a decentralised scheme is difficult as it experiences control loss and costlier operations [39]. In the spanning tree scheme, all the traffic flows towards a single path instead of more direct paths [56].

Need for High-Rate Transmission over Long Distance
The RTT scheme is often used to reduce several security threats; however, there are several limitations of the RTT. It does not work at a high rate of data packet transmission. It stops when there is an increase in network traffic. It also increases with the increase in distance between nodes [49]. Large-scale networks slow down the connection when a node experiences network congestion due to network traffic [55]. In a complex network, it increases with the increase in server requests, which affects the efficiency of RTT [50].
Recognising wormhole attacks is difficult with a greedy algorithm as it fails to find the optimal path for routing [41]. It is difficult for it to work in the RPL network as it is a complex protocol that generates many control packets, resulting in high energy consumption [54]. The statistical method-based schemes also provide computational complexity, resulting in high computation costs and network overhead [58][59][60].

Optimal Solutions
The previous section specifies several state-of-the-art problems such as no scalability, load balancing, congestion control, communication overhead, data integrity issues, high energy consumption, time delay, average PDR, and PLR, less FPR, low transmission rate, and low detection rate.

AI-and ML-Based Schemes as Optimal Solutions to State-of-the-Art Problems
Artificial intelligence-and ML-based schemes can be used to solve all the identified state-of-the-art problems [26][27][28][29][30][31][32][33][34][35][36]. The first challenge, as mentioned in Table 7, is neighbour-based discovery schemes. Although these schemes provide a detection accuracy of up to 90%, they are not energy efficient. In addition, they do not detect shorter tunnel wormholes in some cases. To overcome the problem, an unsupervised learning-based scheme that uses a weighted clustering algorithm [33] can be used. This provides less energy consumption with 90% detection accuracy. This scheme then uses a support vector machine and machine layer perceptron, which improves the results in terms of throughput and packet delivery ratio.
The second challenge, as mentioned in Table 7, is AODV-based schemes. Although the AODV protocol does not provide scalability, load balancing, and congestion control, an artificial immune system uses fuzzy logic with AODV [26] to provide a high detection accuracy of up to 98%. This highly scalable method provides high FPR and PDR, and less PLR. It also overcomes the problems of load balancing and congestion control. Another machine learning approach [34] used the AODV protocol with supervised KNN and random forest classifiers. This novel approach provides high PDR and high detection accuracy of up to 98.6%. In addition, it provides less PLR and JitterSum. It uses the packet leash cryptographic technique to prevent wormholes, which overcomes the state-of-the-art problems of AODV-based schemes.
The third challenge, as mentioned in Table 7, is RTT-based schemes. Although RTT does not work well in increased network traffic, EC-BRTT [35] used a supervised machine learning classifier named the naïve Bayes classifier with RTT. This scheme provides very efficient results regarding detection accuracy, time delay, throughput, PDR, energy consumption, and network lifetime. The milestone of this machine learning scheme is the reduced communication overhead, which overcomes the state-of-the-art problem of RTT-based schemes. Another deep learning approach that uses RTT with LSTM [27] provides high detection accuracy with high PDR. LSTM is a deep neural network that works very well in complex conditions. This scheme's latency rate and packet loss ratio are also very low. It uses a whale optimisation algorithm with a fitness rate to find the optimal routing path for data packet transmission. This optimal solution also consumes less energy and less end-to-end delay.
The fourth challenge, as mentioned in Table 7, is RPL-based schemes. A Delta Rule First Order Iteration Deep Neural Learning Intrusion Detection (DRFOIDL-ID) [30] has been presented and compared with RPL-based schemes. This deep learning outperforms RPL-based schemes in all terms, including attack detection rate (ADR), attack detection time (ADT), false alarm rate (FAR), and packet loss rate (PLR). The ADR of DRFOID-ID is 92%; this is 80% in the existing RPL-based mechanism. The ADT of DRFOID-ID is 13 ms; this is 20 ms in the existing RPL-based mechanism. The FAR of DRFOID-ID is 8%; this is 20% in the existing RPL-based mechanism. The PLR of DRFOID-ID is 2 PPS (packets per second); this is 5 PPS in the existing RPL-based mechanism. In addition, the neural network works well with increased data transmission rates and complex network situations.
All of the above analysis shows that AI-and ML-based techniques are better than the state-of-the-art techniques in terms of detection accuracy, PDR, FPR, PLR, energy consumption, and transmission rate. Figure 7 compares the detection accuracies of AIand ML-based schemes, neighbours discovery-based schemes, AODV-based schemes, and RTT-based schemes. AI-and ML-based schemes achieve higher detection accuracy than the other categories.

Conclusions
Several schemes are reviewed in this paper in which some detect wormhole attacks and others provide the avoidance of wormhole attacks. These schemes include AI-and ML-based, neighbours discovery-and path selection-based schemes, statistical methodand AODV-based, RTT and hop count, cloud, and mobile agent-based schemes. The paper presents an SLR reviewing all of these schemes using extensive critical and comparative analysis. The schemes were evaluated based on detection accuracy, network lifetime, energy consumption, complexity, packet delivery ratio, packet loss ratio, and delay. The gaps in the literature were identified, which shows the future scope of work in detecting and avoiding wormhole attacks. Researchers have recently attempted to apply artificial intelligence systems to identify wormhole attacks, with rather promising detection results. The comparison shows that AI-and ML-based schemes for wormhole detection provide more favourable results than state-of-the-art techniques.