Depth-First Search-Based Malicious Node Detection with Honeypot Technology in Wireless Sensor Networks

Abstract

Wireless sensor networks (WSNs) are highly susceptible to Denial-of-Service (DoS) attacks due to their resource-constrained and distributed nature. In this study, we propose a novel trust-based malicious node detection mechanism that leverages a Depth-First Search (DFS) strategy to trace and identify attack sources within clustered WSN architectures efficiently. The proposed approach dynamically evaluates trust scores between nodes to detect anomalous behaviors and employs a honeypot-based redirection system to isolate compromised nodes from the main communication flow. This combination enhances detection accuracy while minimizing false positives and energy overhead. The method is implemented and evaluated using a custom simulation environment. Comparative experimental results against state-of-the-art techniques such as the Evolved Trust Updating Mechanism (EVO) and Multi-agent Trust-based Intrusion Detection System (MULTI) demonstrate that our Trust-Based Honeypot (TBHP) achieves superior performance in terms of detection rate, false-alarm rate, and network lifetime extension.

1. Introduction

The proliferation of information technologies has significantly increased the demand for continuous and reliable data acquisition from the physical environment. Addressing this critical need, wireless sensor networks (WSNs) have evolved as distributed infrastructures composed of energy-efficient, small-scale nodes capable of sensing, processing, and wirelessly communicating environmental or physical phenomena [1]. A WSN is typically formed by a group of wirelessly connected sensors distributed within a specific area, each performing a defined role by collecting data from its surroundings and sharing it either with neighboring nodes or a central base station (BS) for further analysis [2].

Beyond merely gathering data, WSNs foster dynamic, cooperative architectures that challenge conventional centralized systems, thus enabling more resilient and scalable sensing environments. This technology originated from the need for continuous monitoring of mobile elements in the field, especially in military applications. In the late 1980s, DARPA-supported projects shaped the WSN concept in line with the demand for low-cost, self-organizing, and long-lasting systems [3]. Although it initially had limited use, advances in sensor technologies and communication infrastructures have enabled WSNs to become widespread across many areas, such as environmental monitoring, healthcare, industrial automation, and smart cities [4,5]. Today, WSNs are used in a wide range of applications, such as irrigation management in agriculture, patient monitoring in healthcare, disaster early-warning systems, and monitoring of transportation infrastructure [6]. This diversity results from the basic capabilities of sensor nodes (SNs). A SN not only detects but also preprocesses data, stores it to a limited extent, and communicates with other nodes using energy efficiently [7]. This multi-faceted structure is one of the basic elements that determine the network’s overall efficiency and long-term performance.

Building a feasible sensor network for any application poses several research problems and hurdles since SNs have limited power and storage capacity. The main concerns influencing a WSN’s performance and design have been discussed. The security issue is among the most significant [8]. The widespread use of WSNs has made these systems vulnerable to various security threats. SNs deployed in hostile or unattended areas are especially at serious risk of data leakage, manipulation, and attacks aimed at disrupting network performance. Denial-of-Service (DoS) attacks, one of the most common threats, jeopardize the integrity and continuity of systems by targeting various network layers [9]. In addition, other protocol-level attacks, such as Hello flooding, black hole, wormhole, collapse, and Sybil attacks, also weaken the security of the WSN architecture [10,11,12].

It is clear that creating a WSN that is not secure or protected against malicious attacks can lead to network failure [13]. Unlike traditional wireless networks, WSNs have limited processing capacity, memory, energy, and communication resources, making implementing complex security protocols difficult. To guarantee network security and prevent possible spyware attacks, it is vital for network designers to implement lightweight security mechanisms for WSNs that are resistant to attacks, are highly energy-efficient, and minimize the network’s communication load [14]. In recent years, many studies have been conducted on how these attacks can be detected using Intrusion Detection Systems (IDSs) and isolation mechanisms in WSNs. For example, Ref. [15] proposes a model with a modified sine–cosine optimization with a k-nearest neighbor classifier that balances detection performance with energy cost. The authors emphasized the possibility of reducing SN latency and energy consumption by using this model within a fog architecture. Similarly, Ref. [16] presented a lightweight IDS based on a deep convolutional generative adversarial network (DCGAN). With this proposed method, they achieved a high detection accuracy of around 94% on specialized WSN datasets containing black hole, flooding, and selective forwarding attacks, as well as significantly reduced computational load. On the other hand, Ref. [17] proposed a strategy that effectively detects sinkhole attacks and reduces energy consumption by integrating SPA and Jaya algorithms. To improve the classifier performance, Ref. [18] proposed a novel IDS by combining fuzzy temporal rules, the Artificial Bee Colony (ABC) optimization technique and a convolutional neural network (CNN) optimized with FT-ABC-CNN. The newly suggested FT-ABC-CNN method was compared to various classification algorithms frequently used in IDS design, including CNN, Long Short-Term Memory (LSTM), and recurrent neural networks (RNN), to evaluate its efficacy. Ref. [19] proposed a new model for intrusion detection in WSNs that combines a stacked CNN with bidirectional Long Short-Term Memory (SCNN-Bi-LSTM). Federated Learning (FL) is used in this model to improve intrusion detection efficiency and protect privacy. Ref. [20] introduced an innovative methodology termed Genetic Sacrificial Whale Optimization (GSWO) to overcome the shortcomings of traditional techniques. GSWO integrates a genetic algorithm (GA) and whale optimization algorithms (WOA), enhanced by a novel three-population division technique and an introduced conditional inherited choice (CIC) to mitigate premature convergence in WOA.

Reputation- and trust-based approaches are among the prominent methods in the literature for eliminating security vulnerabilities in WSNs. In such mechanisms, reputation refers to the experiential evaluation by a node, either directly or indirectly, from observing the past behaviors of other nodes. At the same time, trust is defined as a subjective expectation of a node regarding the future behavior of another node in the context of a specific action. Trust levels are divided into two basic components: direct trust (DT), obtained through direct observations, and indirect trust (IT), based on evaluations received from other nodes. This structure aims to select trustworthy nodes based on behavioral analysis of network nodes and to isolate malicious or uncooperative nodes by detecting them at an early stage [21,22,23]. The total trust level of a node is compared with the determined minimum acceptable trust (MAT); nodes that meet the threshold value are considered trustworthy, while nodes below this value are considered threats and are excluded from the network. In such trust-based schemes, only nodes with sufficient trust levels can participate in data transmission and routing, thereby maintaining the integrity and performance of the network [24,25].

In IDSs for WSNs, deep learning, optimization-based methods, and trust- and reputation-based approaches offer distinct advantages, but each has limitations. Deep learning and optimization-based IDSs, especially models such as CNNs, can detect attacks with high-accuracy rates. However, large and balanced data sets are needed for training these models. Data imbalance can limit the model’s ability to detect certain types of attacks and results in high false-alarm rates. In addition, these models’ computational and energy requirements may be incompatible with the limited resources of WSNs, which can cause difficulties in practical applications.

On the other hand, trust- and reputation-based systems aim to detect internal threats by evaluating the reliability of nodes based on their past behavior. However, these systems are vulnerable to strategies such as attackers exhibiting trustworthy behaviors and then engaging in malicious activities after gaining the system’s trust. This can reduce the system’s ability to detect attackers promptly and compromise the network’s security. Most of the weighted trust-based systems proposed in the literature use a fixed penalty factor to update the trust value (TV) that undermines the node’s reliability, and, in general, nodes that lose weight over time due to a temporary defect are not considered for trust recovery. Malicious nodes may be discovered after sacrificing some healthy nodes, resulting in the loss of network connectivity and sensing coverage. Moreover, these approaches may lead to inconsistencies in reliability assessments due to the network’s dynamic nature and the nodes’ limited resources. To overcome these limitations, honeypot systems offer an alternative by decoupling malicious behavior from the core network functionality, thus preserving energy and reliability even under attack.

As a result, in the design of IDS for WSNs, the limitations of trust- and reputation-based systems, as well as deep learning and optimization-based approaches, should be taken into account, and new methods should be developed to increase the effectiveness of these systems. This will help create more balanced and effective IDS solutions in terms of reliability and resource efficiency. This study proposes a novel intrusion detection and mitigation mechanism designed for WSNs deployed over a tree-structured virtual topology. The proposed system is centered around a contract-based confidence evaluation strategy, which assesses node behaviors based on specific and quantifiable network characteristics. Nodes whose behavior diverges from expected norms are flagged as malicious according to a dynamically calculated confidence score. Upon detection, these nodes are actively isolated from the main network via a dedicated honeypot subsystem, which is adapted from a well-established concept in wireless network security. By redirecting the activities of malicious nodes to a controlled environment, the honeypot ensures that legitimate network operations remain unaffected while allowing for further behavioral analysis of adversarial actions. Simulation results and experimental validation reveal that our detection mechanism significantly improves threat mitigation performance while reducing false positives and extending the operational lifetime of the network. Furthermore, integrating a lightweight trust evaluation model and the honeypot-based isolation strategy effectively prolongs the network lifetime by reducing the communication burden and mitigating internal threats at an early stage. This research contributes to the field by offering a practical, scalable, and energy-aware security solution explicitly tailored for resource-constrained WSN environments. While WSNs face a myriad of heterogeneous threats, the scope of this study specifically focuses on volumetric, energy-draining DoS attacks within clustered topologies to establish a foundational proof-of-concept for our novel Depth-First Search (DFS)-Honeypot architecture. Unlike the existing literature that predominantly relies either on resource-heavy machine learning models or traditional trust mechanisms that simply drop anomalous packets, our contribution introduces a unique triad: (1) a multi-metric cumulative trust computation, (2) a reverse DFS-based path-tracking algorithm that clears innocent forwarding nodes, and (3) an active high-interaction honeypot redirection. This specific combination not only accurately identifies the threat origin without exhausting network resources but also creates a secure sandbox that forces the attacker to waste its own energy, clearly differentiating our methodology from prior works such as EVO and MULTI. The main contributions of this study are summarized as follows:

• Proposed a mechanism to detect DoS attacks by calculating TVs of network nodes using the DFS algorithm;
• Malicious nodes were isolated using the Honeypot mechanism, enhancing the security of the network;
• The proposed method contributed to extending the overall lifetime of the WSNs by preventing energy draining attacks;
• A comprehensive simulation-based performance analysis demonstrating superior results compared to existing methods in the literature.

Organization

In the subsequent sections of this article, we will review relevant prior works related to our study in Section 2. Section 3 will discuss the calculation of confidence/TVs and the detection of malicious nodes. The simulation setup and results will be presented in Section 4, and, finally, Section 5 will provide the conclusions and outline potential directions for future research.

2. Related Works

In recent years, substantial research has been conducted into the security challenges of WSNs. Due to their constrained resources and intrinsic characteristics, these networks are susceptible to failures and malicious attacks. Therefore, an IDS must efficiently identify and isolate hostile nodes prior to their potential threat to the network.

In WSNs, the value of trust in a network is a complex value that can be determined by some network criteria and by direct and indirect trusts of the neighboring nodes of the network [26]. This value is vital in developing network security mechanisms and protection systems. According to the calculation method of TV, nodes can have more than one TV with different neighbor nodes. Many decision-making methods in the literature aim to improve security preferences for WSNs and are based on trust and reputation mechanisms.

To demonstrate the viability of the proposed trust-aware dynamic routing framework (TARF) approach, Ref. [27] outlines its research on developing a TARF and deploying key features on actual wireless devices. They demonstrated that their system can effectively improve the network throughput, reliability, and trustworthiness by detecting various routing misbehaviors and transmitting information (sensor readings) through more dependable and trustworthy routing paths through a series of simulation studies conducted under multiple network topologies and a small preliminary prototype implementation with 13 UC Berkeley/Crossbow MicaZ SNs. Ref. [28] builds a Quality-of-Service (QoS) secure routing protocol using trust, where three types of trust degrees are calculated, direct, indirect, and comprehensive trust degrees, so that the node has more than one TV, and then the arithmetic mean of all values is taken. To execute intrusion detection, the multi-agent model architecture is set up in both the cluster heads (CHs) and the regular SNs [29]. Initially, a number of common nodes’ trust qualities are established, and their normality is assessed using the Mahalanobis distance theory. Second, the Beta distribution and a tolerance factor are used to compute and update the node TV. Node intrusion detection is at last accomplished. The authors also claimed that every network factor has negative and positive effects, which must be considered while calculating the TV. In other words, the TV is formed according to the cumulative impact of the factors [29].

As the TV is often used to find reliable routes to send data over a network, the network’s limited resources must be considered while implementing mechanisms. In order to increase the security of WSNs, Ref. [30] proposes a trust ant colony routing algorithm by including a node trust evaluation model based on the D-S evidence theory in the ant colony routing protocol. To guarantee routing security, nodes with high-TVs are chosen as routing nodes, and the ant colony routing algorithm uses the TVs as heuristic functions. A mixed technique and a continuous strategy are proposed in [31], along with a trust-based plan for locating and separating malicious nodes. To counteract selective dropping attacks in WSN, a Monitor-Forward game is established between the sender node and its one-hop neighbor. According to the authors’ declarations, the ongoing game will reduce false positives in packet-dropping detection on unreliable wireless communication channels. A data fusion technique and a trust-based trust evaluation model are proposed [32]. Three components make up comprehensive trust in the proposed model: historical trust, data trust, and behavioral trust. Weighted computation can be used to achieve complete trust, after which the model is used to guide the data fusion process and generate the trust list. Ref. [33] proposes an adaptive trust system that simultaneously considers the TVs of SNs and the network’s danger level. The proposed system uses a variety of trust policies to adapt to the network’s circumstances. The authors’ solution adjusts its trust metrics according to the severity of the network attack in dangerous scenarios where the WSN environment is still unreliable. The system transitions to an energy-efficient policy and modifies its trust metrics to save SN energy once the attacks have stopped and the misbehavior rate is low. To appropriately assess the reliability of event data, a genetic programming-based trust management paradigm for vehicular ad hoc networks (VANETs) is proposed in [34]. The complicated characteristics of VANETs are considered by introducing a huge number of attributes. Ref. [35] carries out a comparison study of three trust management models: “Lightweight and Dependable Trust System (LDTS),” “Beta-based Trust and Reputation Evaluation System (BTRES),” and “Lightweight Trust Management based on Bayesian and Entropy (LTMBE).” The authors concluded from the experimental comparison study that the BTRES model is best suited for WSN applications that prioritize crucial security measures. In contrast, the LTMBE model is best for WSN applications that emphasize an excellent energy economy. To identify malicious nodes in a clustered WSN, Ref. [36] proposes an effective weighted trust-based malicious node detection (WT-MND) technique. In order to treat the node behaviors realistically, false-positive and false-negative cases are taken into consideration.

Some approaches to securing wireless networks include honeypot-based IDS. A honeypot is a closely watched network decoy that can be used for several reasons, such as diverting attackers’ attention from more valuable devices on a network, giving early notice of emerging attack and exploitation patterns, or enabling in-depth analysis of adversaries both during and after honeypot exploitation. Ref. [37] introduces Honeyd, a framework for virtual honeypots that replicates network-level virtual computer systems. The authors demonstrate how the Honeyd framework supports various system security tasks, such as identifying and stopping worms, diverting attackers, or preventing the spread of spam emails. Ref. [38] builds a honeypot that simulates a gateway for ZigBee. It aims to determine whether a Secure Shell (SSH) attack vector contains ZigBee attack intelligence. All attack traffic is recorded for later study. It sandboxes attacks of interest to determine if any attempts are explicitly directed against ZigBee. Ultimately, it concludes that while individual attackers were drawn to and engaged with the ZigBee-simulated honeypot, all recorded mass attacks were standard DDoS and bot software. Ref. [39] identifies and isolates black hole attacks using the Novel Honeypot-Based Detection and Isolation Approach (NHBADI), which uses honeypot techniques. An Intrusion Detection Honeypot (IDH) consisting of Honeyfolder, Audit Monitoring, and Complex Event Processing stages is proposed for ransomware detection in [40]. IDSs are used in conjunction with the honeypot server application that was developed to analyze data in real-time efficiently in [41]. This study combines the benefits of both low- and high-interaction honeypots to create a superior hybrid honeypot system. The designed system can graphically display network traffic on servers in real-time animation and is a honeypot-based intrusion detection and prevention system (IDPS) type.

Numerous applications use node and link setups. There are multiple uses for graph theory (GT) in this situation. Roads, electrical circuits, and biological molecules are examples of physical networks that can be structured using this idea. Additionally, it is employed to depict less tangible interactions that might occur in databases, sociological ties, ecosystems, or the control flow of a computer program. Combinatorial structures known as graphs, which are composed of two sets called vertices and edges and an event relationship between them, are used to model such arrangements formally. Additional characteristics, such as color, weight, or other properties relevant to a particular model, can be added to vertices and edges [42]. There are numerous applications for GT ideas in the discipline of computer science. Promising uses for GT include grouping online articles, cryptography, and examining how an algorithm is being executed, among other special applications in computer science [43]. Graph-search algorithms such as DFS are helpful for analyzing these issues. An approach for exploring a network or tree data structure is called DFS. The algorithm begins at a tree’s root (top) node, travels as far as it can along a specified branch (path), and then turns around until it encounters an unexplored path, which it then investigates. This is what the algorithm does until it has examined the entire graph [44]. There are many studies in the literature on the DFS algorithm in different fields. For example, Ref. [45] explains how to design basic flux mode (EFM) frameworks using the DFS strategy. EFMs are a way to express the response pathways present in metabolic networks. The DFS approach reduces the task of counting EFMs to one that is CPU-limited. Ref. [46] viewed an agricultural environment as an unidentified maze. They assumed that the walls of a labyrinth represent the surrounding vegetation. They created a mobile robot simulator using the Python Turtle package (https://docs.python.org/3/library/turtle.html, accessed on 25 February 2026) to model the suggested method. They proposed a modified DFS algorithm to map the environment based on predetermined motion rules. Ref. [47] explains how to employ DFS-based algorithms and linked list data structures to assess the connectivity of social networks, driven by the notion that search techniques created in the field of computer science can be used in the research of social networks. Ref. [48] introduced a modified search strategy to improve the effectiveness of the DFS approach in view of the Fat Tree topology’s intrinsic self-similarity and multi-path routing features.

To identify malicious nodes, we proposed a novel DFS-based technique in this study that detects DoS attacks by calculating the TVs of network nodes. Of the network’s attack-affected nodes, 60–80% were found by this technique, which subsequently used the honeypot mechanism’s concepts to isolate these nodes. Honeypot systems provide an effective alternative by isolating malicious activity from the core network operations, thereby maintaining energy efficiency and communication reliability even during attacks. Consequently, the proposed process contributed to the network’s increased lifespan.

3. The Proposed Mechanism

In this section, we explain the proposed IDS mechanism for securing WSNs. We will start with describing the architecture of the WSN, then discuss the scientific calculation of TV and how to update it in order to detect malicious network nodes and isolate them.

3.1. Network Architecture

Before delving into the details of calculating the TV, let’s have a look at the architecture of the network. A simulation of the network was created in a virtual environment. The network uses a LEACH protocol structure, in which the network nodes are divided into groups called clusters; each cluster has a CH node, which is represented as CH in this article. The other nodes in each cluster are called member nodes (MNs). In this network architecture, MNs are responsible for sensing and collecting data from the surrounding medium. After collecting data, they transmit it to the nearest CH, which then forwards it to the BS. In other words, network nodes transmit data over levels from MN to CH to BS as we can see in Figure 1 which describes the architecture of the network. In general, in such network structures, attacks aim to drain the nodes’ energy, preventing them from sensing and collecting data or transmitting it.

3.2. Characteristics of Trust Value

The TV of a network node is calculated based on the node’s behavior relative to its neighbors. This behavior can be classified into two trust classes: direct trust and indirect trust. Figure 2 shows the difference between direct and indirect trust in the behavior of a network node. While node A has a direct trust with node B, it has an indirect trust with node C. Trust behaviors between network nodes can be checked as a positive or negative value. While positive values increase the TV of a specific node, negative ones decrease it. There is a list of characteristics which affects the TV of a network node:

1.

Possibility of change: The TV may change over time in response to factors that affec it.

2.

Trust asymmetry: A node’s TV can change with variations in conditions.

3.

Representing TV: The TV can be represented in levels according to a specific threshold. In this article, only two values are used: positive and negative.

4.

Relation to the context of trust: In our study, the trust-based mechanism will be activated only when there is a drop in the overall energy level of the network; otherwise, it will remain inactive.

5.

Initial value: The initial TV of a node will be determined according to certain factors before it begins to increase or decrease due to changes in conditions.

3.3. Trust Value Calculation and Updating

A common method in the literature for calculating trust is the Beta Reputation System [49,50], which primarily relies on the probabilistic distributions of successful and failed packet transmissions. However, while probabilistic models like the Beta distribution are effective, their continuous floating-point computations introduce unnecessary computational overhead for resource-constrained WSNs. Furthermore, they typically depend on a strictly limited number of factors. In our proposed mechanism, to minimize computational complexity and strictly extend network lifetime, we deliberately eschewed complex probabilistic distributions in favor of a straightforward, linear integer-based update model. This lightweight approach incorporates multiple deterministic network characteristics to evaluate behavior rather than relying solely on packet delivery probabilities. Ref. [49] presented a study that lists the factors that affect the calculation of TV:

1.

Transmission/radio range: The distance between a node and the farthest node that can send packets to.

2.

Packet loss: Number of lost packets while transferring data from one node to another due to any reason.

3.

Power consumption: The consumed power while sending and receiving data from other nodes.

4.

Time delay: Representation of the average time that packets take to reach their destination.

5.

Path optimally/route quality: Ratio of the number of hops in the receiving path to the number of hops in the optimal path.

6.

Locations of nodes: The distribution of the nodes over the network.

7.

Hop counts: Representation of the number of nodes in a single data transferring path.

8.

Signal-to-Noise Ratio (SNR): The ratio of the power of the signal-to-noise signal in the network.

9.

Bit error rate: Ratio of the number of bit errors to the total number of bits transferred during a specific time.

All these factors must be taken into consideration while calculating the value of trust. These factors also shape the characteristics of the wireless network. From another perspective, the value of trust can also be determined according to the hierarchical structure [26]. The direct TV of a node is affected by the CH node. The CH node’s direct trust is also affected by the higher-level CH node. As we mentioned before, nodes’ behavior in this study is classified into two classes, positive and negative. Each negative behavior will reduce the node’s TV. On the opposite side, positive behaviors increase the value of trust. This was stated in [29] where a new model was presented depending on the following factors: packet loss rate, packet transmission frequency, packet receiver frequency, energy consumption rate, and sensor measurement value. In our study, we used the same factors while improving the detection process of the network attacked nodes. We reached an important statement that shows that the change effect of the factor is directly proportional to the value of trust. The factors that affect our calculations were:

1.

Packet loss rate ($PLR$):

$$PLR={\displaystyle \frac{(P_T-P_R)}{P_T}}$$

(1)

where

$P_R$: size of successfully received packets;

$P_T$: size of transmitted packets.

2.

Size of sent packets in the round (VPs): In each transmitting round, the maximum message size that can be sent from the MN to the CH is determined, which will contribute greatly to node behavior.

3.

Size of received packets in the round (VPr): If the size of the received message is greater than the maximum size, it may show that the sender node may be a malicious node.

4.

Ratio of energy loss in the round (REL): If the power spent in the round is greater than the normal power limit, it means that the node itself is an aggressive node, and it may be transmitting large messages, wasting great power, or being attacked by sub-nodes in the network. The equation is

$$REL={\displaystyle \frac{(E_B-E_A)}{E_B}}$$

(2)

where

$E_B$: power level before the round;

$E_A$: power level after the round.

The calculation of the TV for each network node is one of the responsibilities of the BS. If the TV of a network node is equal to or greater than a pre-specified threshold, the node’s behavior will be classified as positive behavior, and the TV will increase, otherwise, it will be classified as negative behavior and the TV will decrease. After each round, the TV will be updated according to the different factors’ changes according to Algorithm 1. The selection of the threshold values ($THPLR$, $THV{P}_s$, $THV{P}_r$) in this algorithm is critical for the generalization of the trust model across diverse network deployments. In practical WSN scenarios, these thresholds are not arbitrary but are mathematically and empirically derived from the baseline characteristics of the chosen MAC protocol and the specific application requirements. For instance, the message size thresholds ($THV{P}_s$, $THV{P}_r$) are strictly bounded by the Maximum Transmission Unit (MTU) defined by the network standard. Any packet size exceeding this protocol-defined MTU is a clear theoretical indicator of anomalous behavior (e.g., a DoS attack). Similarly, the packet loss threshold ($THPLR$) is determined by the expected baseline channel noise and distance-dependent attenuation. Grounding these thresholds in the inherent physical and protocol-level limits of the network ensures that the proposed mechanism can be generalized to various operational contexts beyond a specific simulation scenario.

Algorithm 1 Update trust value

1: // $TV$: node’s TV  2: // $T{V}_{New}$: node’s new TV  3: // $\delta$: cumulative trust score modifier  4: // $PLR$: packet loss rate  5: // $THPLR$: threshold of PLR  6: // $V{P}_s$: size of sent packages in a round  7: // $THV{P}_s$: threshold of size of sent packages in a round  8: // $V{P}_r$: size of received messages in a round  9: // $THV{P}_r$: threshold of size of received messages in a round 10: $\delta \leftarrow 0$ 11: if $PLR\le THPLR$ then 12:       $\delta \leftarrow \delta +1$ 13: else 14:       $\delta \leftarrow \delta -1$ 15: end if 16: if $V{P}_s\le THV{P}_s$ then 17:       $\delta \leftarrow \delta +1$ 18: else 19:       $\delta \leftarrow \delta -1$ 20: end if 21: if $V{P}_r\le THV{P}_r$ then 22:       $\delta \leftarrow \delta +1$ 23: else 24:       $\delta \leftarrow \delta -1$ 25: end if 26: $T{V}_{New}\leftarrow TV+\delta$

To ensure a rigorous and cumulative assessment of a node’s behavior, the algorithm evaluates all conditions simultaneously using a modifier variable ($\delta$). Initially set to zero, this modifier increases by one for every normal behavior (e.g., $PLR$, $V{P}_s$, and $V{P}_r$ being under their respective thresholds) and decreases by one for every anomalous behavior. Finally, the cumulative $\delta$ is added to the current TV. This compact and explicit update logic ensures that all network factors dynamically and proportionally contribute to the final trust calculation, preventing any single metric from overriding the others.

3.4. Malicious Nodes Detection

The Low-Energy Adaptive Clustering Hierarchy (LEACH) protocol is one of the most commonly used routing protocols in wireless sensor networks. As its name suggests, it divides network nodes into groups or clusters, and each cluster has a head node that is responsible for forwarding data to another CH node or to the BS directly. In wireless sensor networks, most attacks aim to drain the network’s energy or to limit its performance. One of these attacks is the DoS attack, which increases the volume of data, requiring more energy to be transferred than the normal power limit; thus, the SN will consume its energy more quickly, reducing the network’s lifetime below the expected lifetime.

DoS attacks in LEACH-based networks will affect the entire network hierarchically due to the network’s structure. For example, let’s take a look at Figure 3. As we can see, the attack started at node A, which sent a large message to its CH, node B, which forwarded it to the BS via node C. At this rate, all nodes A, B, and C will consume more energy than usual, which will cause a reduction in the network’s maximum lifetime. The process of detecting and locating the malicious node will start by tracking the path of the large message. This will begin in the BS to nodes C, B, and finally node A. the best algorithm to use in such cases is the DFS algorithm which we modified to integrate with the TV of nodes.

The pseudo-code is described in Algorithm 2. Applying the simulated strategy with a Trust-based DFS (TDFS) algorithm in the detection process is more economical and faster than the standard detection methods because there is no need to calculate the value of trust for all network nodes, just the nodes in the tracked path will be visited which will lead to major savings in both the energy and time needed to find the malicious nodes. This selective trust evaluation via path tracking represents the unique advantage of the proposed TDFS algorithm. Unlike traditional models that periodically evaluate the entire network, our pruning strategy drastically minimizes the computational overhead by isolating the search space strictly to the anomaly’s origin path.

According to the TV of the node in the 10th line of the algorithm, it enters the array of malicious nodes, and then, in the 14th–17th lines, the neighbors of the node are visited in the For loop. Nodes with a TV less than the threshold are included in the array of malicious nodes, and a node at the level above it is removed from the array of malicious nodes. Lines 17th–18th check each node and call the recursive function. A critical feature of this path-tracking logic occurs in line 16, where the parent node (S) is removed from the malicious list (MN) if its child node is also found to be malicious. This is a deliberate justification rather than a logical flaw: in a hierarchical WSN under a DoS attack, an innocent intermediate node (such as a CH) will exhibit malicious-like behavior (e.g., high energy consumption and large packet transmission) simply because it is forced to forward the massive data generated by the actual malicious leaf node. By recursively tracing the tree downward, our algorithm dynamically clears these innocent intermediate forwarders from the malicious list, strictly isolating the true origin of the attack.

Algorithm 2 TDFS ($Adj\left[\right],S,Visited\left[\right],MN\left[\right]$)

1: // S: selected node  2: // $S_{TV}$: selected node’s TV  3: // $T{H}_{TV}$: TV’s threshold  4: // $BS$: base station  5: // $MN\left[\right]$: list of malicious nodes  6: // $Adj\left[\right]$: selected node’s adjacent nodes list  7: // $Visited\left[\right]$: visited nodes list  8: Add S to $Visited\left[\right]$  9: if  $S_{TV}<T{H}_{TV}$  then 10:       if S is not $BS$ then 11:             Add S to $MN\left[\right]$ 12:       end if 13:       for $node$ in $Adj\left[\right]$ do 14:             if $nod{e}_{TV}<T{H}_{TV}$ then 15:                  Add $node$ to $MN\left[\right]$ 16:                  Remove S from $MN\left[\right]$ 17:                  if $node$ not in $Visited\left[\right]$ then 18:                        TDFS ($Adj\left[\right],node,Visited\left[\right],MN\left[\right]$) 19:                  end if 20:             end if 21:       end for 22: end if

3.5. Theoretical Complexity Analysis

To better understand the computational efficiency of the proposed detection mechanism, this section presents a theoretical analysis of the time complexities of the core algorithms. We analyze both the TV update process and the TDFS procedure in terms of their asymptotic behavior. These results provide insights into the scalability and practical applicability of the proposed system in large-scale wireless sensor networks.

Theorem 1.

Let n be the number of nodes in the network. The time complexity of the TV update algorithm (Algorithm 1) for a single round is $\mathcal{O}\left(n\right)$.

Proof. 

In each network round, the BS updates the TV for each of the n nodes based on three measurable factors: $PLR$, $V{P}_s$ and $V{P}_r$. Each update involves a constant number of arithmetic and comparison operations, which results in constant time per node. Therefore, the total time complexity for updating all TVs is $\mathcal{O}\left(n\right)$.  □

Theorem 2.

Let V be the number of nodes and E be the number of edges in the network graph. The time complexity of the TDFS algorithm (Algorithm 2) is $\mathcal{O}(V+E)$ in the worst case.

Proof. 

In classical DFS traversal, the worst-case time complexity is linearly proportional to the number of vertices and edges, i.e., $\mathcal{O}(V+E)$. However, our TDFS introduces a dynamic pruning probability. Let $p_i$ denote the probability that a node’s TV satisfies $TV\ge THVT$. In our mechanism, a branch is pruned with probability $p_t$ at each recursive step. Thus, the expected number of visited nodes $E\left[V_{\mathrm{visited}}\right]$ is given by $E\left[V_{\mathrm{visited}}\right]={\sum }_{i=1}^D{k}^i{(1-p_t)}^i$, where k is the average degree of the routing tree and D is the depth. Since $p_t$ approaches 1 for normal network branches, $(1-p_t)$ exponentially decays, severely bounding the search space. Therefore, while the asymptotic worst-case upper bound remains $\mathcal{O}(V+E)$, the mathematical expectation of the computational time is strictly bounded by $\mathcal{O}\left(D·(1-p_t)\right)$, demonstrating the theoretical lightweight nature of the algorithm. However, from a practical WSN operational perspective, this early pruning mechanism offers a unique advantage by actively preventing the rapid energy depletion typically caused by comprehensive network-wide scans.  □

3.6. Malicious Nodes Isolation

After identifying the malicious nodes using the TDFS algorithm, the proposed algorithm must find a way to secure or prevent these malicious nodes from harming the network. So, it’s essential to isolate these nodes from the network to keep it as secure as possible. To perform this isolation mechanism, we used the concept of honeypot which is used a lot in securing wireless networks [51]. Honeypots were basically proposed to support other defensive mechanisms in networks such as firewalls and IDS. A honeypot can be an entire network, servers, and client, or it can be part of the network, a server, or a client. Honeypot mechanisms can be classified into three types according to their interactions with the malicious nodes, these types are:

1.

Low-Interaction: The communication between malicious nodes and the honeypot is limited, where the honeypot has a simple structure that is easy to build and monitor. This type does not provide real communication with the system; it only simulates services and records communication with it.

2.

Medium-Interaction: This type has higher communication abilities than the first type. This type of honeypot can track the attacker’s behavior.

3.

High-Interactions: Building this type of honeypot requires a high budget because it’s not just a simulation but a system that provides real communication with the system.

We have worked on building a high-interactions honeypot system as a part of the network where the honeypot can take the role of a mono/multi-CH node. Including this low-cost honeypot will help the security system to isolate the detected malicious nodes from the network within a time of one network round. Honeypot has been used to isolate malicious nodes as in [39]. In our proposed mechanism, the system will redirect transferring data path from malicious nodes to the honeypot which plays as a CH node (CH-Honeypot) that is connected to an external power source as shown in Figure 4. Thus, DoS attacks will not be effective because the network’s nodes’ power is not consumed continuously. Specifically, this redirection significantly enhances network security compared to traditional isolation techniques. Conventional methods typically drop malicious packets or completely disconnect the compromised node, which often alerts the attacker and triggers alternative, more aggressive attack vectors. By contrast, our CH-Honeypot actively deceives the compromised node into believing its DoS attack is succeeding. This continuous, isolated engagement completely nullifies the energy-drain threat on legitimate nodes while providing a secure sandbox to contain the threat without disrupting the core network’s data routing operations. Furthermore, to address the threat of sophisticated adversaries who might attempt a lateral network compromise upon isolation, the CH-Honeypot utilizes its high-interaction capabilities to perfectly mimic legitimate BS acknowledgments and network traffic patterns. This deep deception ensures the attacker remains continuously engaged within the sandbox, completely unaware of its isolation, thereby preventing it from altering its behavior or scanning for new vulnerabilities. Regarding deployment practicality and cost—which are typical constraints for high-interaction honeypots in remote WSNs—our architectural design allows the CH-Honeypot to be strategically co-located near the BS. Since the BS inherently possesses a continuous power supply, this placement minimizes infrastructure costs and deployment challenges while maximizing centralized threat containment.

Technically, enforcing this redirection within the autonomous clustering nature of the LEACH protocol requires a coordinated approach coordinated by the BS. In standard LEACH, MNs autonomously select their CHs based on the received signal strength of Advertisement (ADV) messages. Once our TDFS algorithm flags a node as malicious, the BS instantly broadcasts a control message instructing all legitimate CHs to drop any subsequent Join Requests or data packets originating from that specific node. Concurrently, the CH-Honeypot transmits a targeted, high-power ADV message specifically to the flagged node. Stripped of legitimate alternatives and receiving the strongest signal from the CH-Honeypot, the malicious node autonomously binds to the honeypot, effectively sandboxing itself without requiring fundamental structural changes to the standard LEACH protocol.

4. Performance Evaluation

4.1. Simulation Setup

Simulations of networks are an important part in studying the structure of the network and finding its weaknesses and how to secure it before starting building for real projects. In order to develop and improve our mechanisms, we created a virtual simulation for our WSN. The simulations were conducted using the open-source WSN simulator available at https://github.com/darolt/wsn (accessed on 25 February 2026), which is implemented in Python and C++ (via SWIG). Simulations were coded in both Python and C++ programming languages and performed using Ubuntu 18.04 as an operating system. To ensure statistical significance and minimize the impact of stochastic variations in the random node distributions, each simulation scenario was executed for 30 independent runs. The results presented in the following sections represent the arithmetic mean of these 30 independent iterations. At the start, the network structure must be determined before creating the initial positions of the network sensors/nodes. As we mentioned before, we will use LEACH protocol in the network, which means that the network will have a hierarchical tree structure. Nodes were distributed in groups randomly in a square area of $250\times 250$ m. Each group/cluster has a CH node which will receive data from all other MNs in the cluster and transfer it again to a higher-level CH or to the BS directly. The BS will be in the center of the simulation area as shown in Figure 5. In this work, for the model for calculating the transmission energy consumed during the simulation, it is as in [28,52]. The transmission energy which is required for sending a l-bit message a distance d is computed as per the following:

$$E(1,d)=\left\{\begin{array}{cc}{E}_{mes}+E_{fs}\ast d^2\hfill & \mathrm{for}d<=d_{threshold},\hfill \\ E_{mes}+E_{mp}\ast d^4\hfill & \mathrm{for}d>d_{threshold}\hfill \end{array}\right.$$

(3)

where $E_{mes}$ is electronic energy; $E_{fs}$ is amplifier energy in free space; and $E_{mp}$ is amplifier energy in multi-path. The simulations were made to find and detect the malicious nodes affected by the energy-draining DoS attack on the network using TV. In the beginning, the initial TV of the nodes was set to 10. Other simulation parameters are listed in

Table 1. The input parameters of the simulation.

Parameter	Value
Area size	250 × 250 m
Number of nodes	500
BS coordinates	125, 125
Initial node’s energy	2 J
Communication protocol	LEACH
Probability of malicious nodes	0.05–0.2
Energy of attacking node	20 J
Attack type	Energy drain
Node’s Initial TV	10
Message bits sent per round	4000 bits
Transmission radius	30 m

. Based on these specific input parameters, the trust evaluation thresholds were empirically initialized to match the baseline normal state of the network. For instance, since the standard message size sent per round is constrained to 4000 bits under normal operations, $THV{P}_s$ and $THV{P}_r$ were configured strictly around this upper bound to immediately flag oversized DoS packets.

In the virtual simulation, nodes start sensing and collecting data; after collecting data, they transmit it to the nearest CH node, which then forwards it to the BS. All these steps are done in one network round. At the end of each round, nodes’ TVs must be updated to detect any possible attack. TVs are updated and calculated at the BS based on each node’s energy consumption. One other important thing, in this simulation, a honeypot mechanism has been implemented as well.

While the simulation keeps running, we start to apply DoS attack by choosing a random number of nodes that will begin to send big-sized messages to drain the energy of the receiving node which is a CH node. After one round of beginning the attack, the TDFS algorithm will be activated to detect the malicious nodes. After identifying the malicious nodes, their data transfer path will be redirected to the honeypot, which is directly connected to the BS. By applying this mechanism, the attack will not have any harmful impact on the network.

4.2. Simulation Result

After preparing the virtual simulation and testing it, the performance of the newly proposed mechanism was very good in comparison with other methods, but before discussing results and showing comparisons, there are important values that we will use in the comparisons: the first one is the ratio of the discovered nodes in the network (DR) and the error rate in malicious node detection (MDR). DR and MDR can be calculated as below:

$$DR={\displaystyle \frac{C_{MN}}{T_{MN}}}$$

(4)

$$MDR={\displaystyle \frac{U_{MN}+N_{MN}}{T_N}}$$

(5)

where $C_{MN}$ is the number of correctly detected malicious nodes, $T_{MN}$ is the total number of malicious nodes in the network, $U_{MN}$ is the number of undetected malicious nodes, $N_{MN}$ is the number of detected malicious nodes, and $T_N$ represents the total number of nodes in the network.

To evaluate the performance of the Trust-Based Honeypot (TBHP) mechanism, we compared TBHP with the Evolved Trust Updating Mechanism (EVO), which updates TVs in three cases as described in [34]. The second mechanism to compare with is the Multi-agent Trust-based IDS (MULTI), which updates a node’s TV when it exceeds a specific threshold [29]. To ensure a fair comparison, standard parameters have been standardized as in [29,34]. The node characteristics considered in calculating the TV are the same in both TBHP and MULTI. The TBHP mechanism calculates TVs using a simple method, making it faster and consuming less network energy than other mechanisms. This is also true for the updating process, which helps the mechanism perform fast detection.

The three mechanisms are applied to the Byzantine Generals’ problem, where it’s inaccurate to determine the loyal generals if the number of betrayed generals exceeds 33% of total generals. In our case, it means that detecting malicious nodes in the network will be inaccurate if the number of malicious nodes is more than 33% of the total network nodes. We tested different scenarios where the probability of the node being malicious has been chosen between 0.05 and 0.2. The start was in the ability of quick node detection. As we can see in Figure 6, TBHP started to detect at the first round, EVO after 10 rounds, and MULTI started after 70 rounds. This shows the superiority of the TBHP mechanism in the early detection process. The reason behind this superiority is that TBHP updates the TV of nodes simultaneously where the others update it in sequence order. Furthermore, a clear comparative analysis with the recent literature highlights the unique benefits of our DFS-based architecture. While recently proposed machine learning and optimization-based IDSs, such as DCGAN [16], FT-ABC-CNN [18], and SCNN-Bi-LSTM [19], achieve high detection accuracy, their heavy computational footprints and memory requirements often contradict the resource-constrained nature of WSNs. In contrast, the extremely lightweight nature of the TDFS algorithm allows it to identify the first malicious node in the very first round. This provides a highly practical, energy-conserving alternative to these resource-heavy models without compromising detection speed.

Let us take a look at Figure 7 which shows the variation in the DR value for the three mechanisms in three different scenarios. For a probability value of 0.05, TBHP’s score hits 0.8 in the value of DR where EVO and MULTI scores are 0.6 and 0.4, respectively. As the probability of being a malicious node increases, the DR value decreases are clear in the 0.1 and 0.2 probability values. We can clearly see that the newly proposed TBHP mechanisms perform better than both EVO and MULTI. The good performance of TBHP continues in the error rate results where it has the lowest error rate (MDR) among the three mechanisms, as we can see in Figure 8. Error rate increases with the increase in the percentage of attacking nodes.

For the evolution of the system, we studied the effect of the system on the power consumption of the network, and power consumption is the sum of the power used by all nodes in the network, including transmitting, receiving, and slowing down. Assuming that each transmission consumes a unit of power, the total power consumption equals the total number of packets sent in the network:

$$E_c=\sum _{n=0}^N{E}_{spent}$$

(6)

where $E_c$ is the power consumption of network and $E_{spent}$ is energy consumed per node.

Power consumption is a key factor of the communication quality in a WSN, so the calculation is important for a real WSN system. A method for calculating the power consumption of the end nodes, the router, and the whole network is given, and the calculation of the network lifetime is also given [53]. In order to evaluate the performance of the TBHP mechanism, we compared the average power consumption while the network was under attack, the use of the proposed TBHP system, and the network performance before it was attacked. We have analyzed the power consumption of each node in a network of 150 × 400 nodes, as shown in the Figure 9. It is found that the power consumption per node when using TBHP is close to the network performance when working in a normal scenario without attack. Thus, the proposed system has achieved its goal to conserve the energy of the nodes in the network. From a principled perspective, this significant reduction in energy consumption at the individual node level is driven by three architectural foundations. First, based on the energy model presented in Equation (3), continuously processing oversized malicious packets drastically depletes a node’s energy. Our TDFS algorithm instantly mitigates this by identifying the attacker at the very first round, saving the network from prolonged periods of heavy data transmission. Second, instead of periodically broadcasting trust update requests to all nodes, TDFS strictly traces the anomalous routing path, eliminating unnecessary network-wide communication overhead. Third, and most importantly, redirecting the malicious traffic to an externally powered local CH-Honeypot fundamentally cuts off the multi-hop transmission chain. Consequently, intermediate routing nodes located between the CH and the BS are completely relieved of the electronic ($E_{mes}$) and amplification ($E_{fs}/E_{mp}$) energy burdens associated with forwarding heavy malicious data. This directly minimizes their overall $E_{spent}$, as modeled in Equation (6).

Another important term in wireless sensor networks is the network’s lifetime. A network’s lifetime depends mainly on the power consumption of network nodes. As we applied an energy-draining DoS attack in our simulation, the attack will try to reduce the maximum lifetime of the network by sending oversized messages which will consume both the sender and the receiver node’s energy. Security mechanisms aim to isolate malicious nodes from the network as soon as they are detected. Figure 10 shows two graphs of the network’s lifetime. It shows that applying the TBHP mechanism extends the network’s maximum lifetime compared to the mechanism in [54], where the messages from detected malicious nodes are redirected directly to the BS. This comparison highlights a significant security enhancement of our proposed method: while existing techniques like TBBS inadvertently assist DoS attacks consuming energy from intermediate nodes to route malicious traffic all the way to the BS, our TBHP locally isolates the threat at the CH-Honeypot level. As a result, the structural integrity and energy reserves of the intermediate routing nodes are successfully protected.

5. Conclusions and Future Works

In this study, we have developed and proposed a new security mechanism that can detect harmful and malicious nodes in a WSN. Our goal was to find an effective and economically inexpensive mechanism that can be implemented easily in wireless sensor networks. The newly proposed mechanism takes into consideration the limitations of the wireless sensor networks like energy power which is a very important factor in such networks. After performing the necessary experiments and simulations, the proposed mechanism performed well and proved its effectiveness in securing the network. The honeypot isolation system helped the network to extend its lifetime and performance. Despite its robust detection capabilities, the proposed method has certain limitations. First, the high-interaction CH-Honeypot relies on an external power source to continuously absorb malicious traffic. In highly remote or unattended environments, deploying and maintaining externally powered nodes may pose practical deployment challenges, although co-locating them with the BS partially mitigates this. Furthermore, while the current high-interaction honeypot successfully deceives standard DoS attackers, highly sophisticated adversaries utilizing adaptive evasion techniques might eventually recognize the simulated environment and alter their attack vectors. Second, the TDFS-based path-tracking relies heavily on a hierarchical, tree-based routing topology (like LEACH). Its tracking efficiency may decrease in unstructured or multi-path mesh networks where tracing a single malicious trajectory is highly complex. Finally, the trust calculation currently depends on static, predefined thresholds, which may lack flexibility in highly fluctuating network conditions.

In future studies, we are aiming to implement this mechanism in a real network, explore dynamic threshold adjustment algorithms powered by machine learning, and adapt the TDFS path-tracking to suit unstructured multi-path wireless networks. As a result the TDFS path-tracking will be adapted to suit unstructured multi-path wireless networks and investigate advanced honeypot evasion countermeasures. Furthermore, while the current empirical evaluation extensively validates the system’s efficiency against volumetric energy-draining DoS attacks under the LEACH protocol, extending our testbed to evaluate the architecture’s generalizability against heterogeneous threat models—specifically selective forwarding, sinkholes, Hello flood attacks, colluding adversaries, and false trust manipulation—remains a primary objective for our upcoming research.