WSN-DS: A Dataset for Intrusion Detection Systems in Wireless Sensor Networks

and


Introduction
Wireless Sensor Networks (WSN) have become increasingly an important field of research due to their wide range of real-time applications like critical military surveillance, battlefields, building security monitoring, forest fire monitoring, and healthcare [1].A WSN consists of large number of autonomous sensor nodes, which are distributed in different areas of interest to gather important data and cooperatively transmit the collected data wirelessly to a more powerful node called sink node or Base Station (BS) [2,3].The data transmitted across the network depend on specialized WSN protocols.Therefore, protecting WSN from different security threats is essential.Unfortunately, achieving this objective becomes a major challenge because of the constrained resources of WSNs including battery energy, memory, and processing capabilities [4].Such limiting characteristics make traditional security measures like cryptography not always sufficient for such networks.
WSNs are highly vulnerable to attacks, due to their open and distributed nature and limited resources of the sensor nodes.Moreover, in WSNs packets broadcasting has to be done frequently, sensor nodes can be deployed randomly in an environment so an attacker adversary can be easily injected to a WSN [5].
An attacker can compromise a sensor node, eavesdrop messages, inject fake messages, alter the integrity of the data, and waste network resources.Denial of Service (DoS) attack is considered one of the most general and dangerous attacks that threaten WSN security.This attack has several forms and its main objective is to interrupt or suspend the services provided by WSNs [6,7].
Because the process of avoiding or preventing security threats cannot be always successful, an Intrusion Detection System (IDS) is needed to detect known and unknown attacks and alert sensor nodes about them [3,4].IDS allows detecting suspicious or abnormal activities and triggers an alarm when an intrusion occurs.The implementation of IDSs for WSNs are more difficult than other systems because sensor nodes are usually designed to be tiny and cheap, and they do not have enough hardware resources.Additionally, there is no specialized dataset that contains normal profiles and attacks in WSN that can be used to detect an attacker signature [3].Considering the above challenges, there are mainly two conditions while designing IDS for WSNs: The IDS must be of high degree of accuracy in detecting an intruder that includes unknown attacks, and it also must be lightweight to ensure minimum overhead on the infrastructure of WSNs [8].
In this paper a specialized WSN dataset is constructed to characterize four types of DoS attacks in addition to the normal behavior when no attacks exist.WSNs' characteristics and challenges were considered when Low Energy Aware Cluster Hierarchy (LEACH) [9] routing protocol was used in this study.This choice was made since LEACH is one of the most popular hierarchical routing protocols in WSNs that consumes limited energy and is characterized by its simplicity.The constructed dataset is called WSN-DS.
The rest of paper is organized as follows.Section 2 provides an overview of LEACH protocol, IDSs, and reviews related work.Section 3 analyzes LEACH protocol mathematically; Section 4 describes the extracted features of the constructed dataset.Section 5 models different attacks.Section 6 presents the experimental results obtained from IDS and discusses the importance of the achieved results.Conclusions and avenues for future work are presented in Section 7.

Background and Related Works
This section presents an overview of LEACH protocol, LEACH-based protocols, DoS, and IDS in WSNs.

LEACH Protocol Overview.
LEACH is a hierarchical routing protocol used in WSNs to increase the network's lifetime [9][10][11].LEACH is a clustering, adaptive, and selforganizing protocol.LEACH assumes that BS is fixed and located far from sensor nodes.Additionally, all sensor nodes are homogeneous and have limited energy and memory.Sensors can communicate among each other and they can communicate directly with the BS.The main idea of LEACH protocol is to organize nodes into clusters to distribute the energy among all nodes in the network.Also, in each cluster there is a node called Cluster Head (CH) which aggregates the data received from sensors within its cluster and forward them to the BS. Figure 1 shows the structure of nodes in LEACH routing protocol.Each round in LEACH protocol consists mainly of two phases: setup phase and steady-state phase.In the setup phase, clusters are formed, whereas in the steady-state phase, sensed data will be transferred to the sink node [12].
At the beginning of the setup phase, every node generates a random number between 0 and 1, and it then computes a threshold formula (), as shown in (1).If the selected random number is less than the threshold value, the node becomes a CH: where  is the CH probability (usually in LEACH a node becomes CH with a probability of 0.05), : is the set of nodes that have not been a CH, in the last 1/ rounds, and  is the current round.CH in the first round cannot be CH again in the next 1/ rounds.After 1/ − 1 rounds, the threshold value becomes 1 for any sensor node that has not been CH yet, and after 1/ rounds, all nodes are eligible again to become CHs.Once CHs are assigned for all clusters, each CH will broadcast an advertisement message (ADV CH) to the rest of nodes using Carrier Sense Multiple Access-Media Access Control (CSMA-MAC) protocol [9].After receiving ADV CH message, each node decides to which cluster it belongs by selecting a CH based on the Received Signal Strength Indication (RSSI) of the advertisement message, the node then sends a (JOIN REQ) message to the selected CH with the highest RSSI.Each node uses CSMA-MAC protocol to transmit its selection [9,10].During the setup phase, all CHs keep their receivers ON.After clusters formation, each CH creates a Time Division Multiple Access (TDMA) schedule according to the number of nodes in its cluster called Cluster Members (CM) and broadcasts it to them.
During steady-state phase, each sensor node collects data and transmits them to its CH during its allocated time slot according to the TDMA schedule.CHs receive all the data and aggregate them before sending them to the BS.After a predetermined time, the network starts another round by going back to the setup and steady-state phases again [9].

LEACH-Based Protocols.
LEACH was and still is studied in enormous number of research articles.The authors in [13] provided a review of 27 clustering and routing techniques based on LEACH protocol for WSNs that includes a comprehensive discussion and comparisons among them.The authors in [14,15] highlighted LEACH protocol and presented fifteen LEACH improved versions introduced in the literature.The papers have compared some features of several variants of LEACH protocol not empirically but based on their descriptions.In [16] the author proposed and evaluated two new clustering-based protocols for heterogeneous WSNs that were built based on LEACH protocol by considering three types of nodes with different battery energies, which was the source of heterogeneity in the author's protocols.
LEACH-ICE (LEACH Inner Cluster Election) algorithm based on LEACH algorithm was introduced in [17].The threshold function of the node selected as CH is adjusted.Also, direct communication with the BS occurs when a node is closer to the BS.To improve the clustering mechanism, LEACH-ICE elects a new CH inside the cluster when the resident energy of the current CH is lower than a predefined threshold.
In [18] the authors proposed an energy efficient secondary CH selection algorithm for WSN.By controlling the distances among the CHs, a uniform distribution of CHs is satisfied.Two-level hierarchy mode was applied to transmit data to the BS.LEACH is compared with the improved LEACH-TLCH method.Simulation results show that the improved method can reduce the network consumption of energy and lengthen the network's lifetime.
In [19], a distributive Energy Neutral Clustering (ENC) protocol was proposed to group the network into several clusters, with the goal of providing perpetual network operation.ENC employs a novel Cluster Head Group (CHG) mechanism that allows a cluster to use multiple CHs to share heavy traffic load and to reduce the frequency of cluster reformation.An extension to ENC based on convex optimization techniques of the number of clusters was proposed to group the network into equal-sized clusters to maximize network information gathering.According to the authors' experiments, the proposed protocol can successfully prevent sensors from shutting down due to excessive usage of energy.

DoS and IDS in WSN.
As mentioned earlier, DoS is a common attack that could have a severe impact on WSN's functionalities and services [20].Many different types of DoS attacks have been identified so far, for example, Blackhole attack, Grayhole attack, Flooding attack, and Wormhole.The seriousness of DoS attack stems from the fact that most WSN applications require the deployment of a sensor node in harsh environments where they are far away and difficult to be controlled [20,21].Recently, many researches are going on in an attempt to find solutions for DoS attacks, but mainly they have tackled one or two forms of these attacks but not the majority [2,[22][23][24].Moreover, they offer partial solutions and they cannot be applied concurrently because they will consume high energy, which is not practical in WSNs [2,25].Therefore, a mechanism should be found to identify different behaviors of DoS attacks and classify them to take effective countermeasures.
Cryptography is a security mechanism that is used for protecting WSN against external attacks.It ensures many security services including integrity and authentication by checking the data packet source and its contents using several techniques such as symmetric encryption, public key cryptography, and hash functions [25].These techniques cannot be used to detect internal attacks when security keys are exposed to the attacker which uses them to perform encryption and decryption of messages' contents.Consequently, such techniques serve as first line of defense [5].Attackers always attempt to launch new and unknown attacks in more than one way; therefore, it is necessary to create an efficient IDS, which acts as a second line of defense to detect known and unknown attacks and alert sensor nodes about them.IDS allows detecting suspicious or abnormal activities and triggers alarms when intrusions are detected [26].
The National Institute of Standards and Technology (NIST) [27] categorized intrusion detection into two main approaches: anomaly detection and misuse detection.In anomaly detection the system depends on prior knowledge of normal behavior of the network which will be then compared with its current activities.In misuse detection, the system depends on prior knowledge of attack signatures.It compares the signature with the current activities in the network.
IDS has become an important security component of WSNs; however, the implementation of IDS in WSNs introduces number of challenges that can have negative impact on WSN performance [28].It is inefficient to use IDS in every sensor node due to the resource-constrained nature of such nodes.IDS components should be installed in places where sensor nodes can be followed to be able to defend against certain threats to the network.IDS is also used in WSNs where huge amount of traffic is transmitted; therefore, there is a possibility an intrusion could be missed as sensor nodes generally have restrictions in handling huge data in the network.
There are two main components of IDS, features extraction and modeling algorithm.Features extraction defines measured attributes that are linked to the IDS functionalities.Modeling algorithm is the main component; the accuracy and the efficiency of detecting and responding to intrusions depend on the modeling algorithm.IDS may have components that depend on the network characteristics and possible intrusions [29].Most of IDSs have six common components as shown in Figure 2: (1) Monitoring component: which is used for local activity monitoring or for monitoring neighbor sensor nodes.This component mostly monitors internal activities, traffic patterns, and resource utilization.
(2) Analysis component: which contains all records of normal and abnormal behaviors for all nodes in the network [30].
(3) Detection component: which is the main component that is built based on the modeling algorithm.It works after analyzing network behaviors.Decisions are made to declare such behaviors as malicious or not [31].The other three components of IDS consist of actions that can be taken, either one, two, or all of them [32]: (4) Logging: storing each packet in a log file so that security administrator can use it for later analysis.
(5) Alarming: a responding generating component in case of detection of an intrusion.The response may trigger an alarm to announce the misbehaving node(s).
(6) Prevention: an advanced step that can be added to IDS to enable it to take an action to prevent dealing with an attack once detected.This can be done, for example, by excluding harmful nodes from the network [30].
Designing a specialized dataset for WSN to achieve better detection and classification of DoS attacks is the main aim of this paper.The authors in [30] presented current IDSs and a comparison among them.The authors revised mechanisms, attacks, and evaluation metrics but without mentioning the use of specialized datasets.The comparison depended on the type of IDSs, whether it is anomaly-based, signature-based, hybrid, or cross layer.
Knowledge Discovery and Data Mining Tools Competition (KDD) dataset [33] was constructed for Local Area Network (LAN).KDD is not specialized for wireless in general and WSN in particular, even though many researchers have used it to deal with fraud and intrusion detection [34].
Anomaly, signature, and hybrid-based IDSs have been reviewed in [35].Mainly KDDCup-99 was used in these IDSs.For example, in the eight studied hybrid-based IDSs, four of them have used KDDCup-99 and the rest have used real data samples.
Other researches which also considered KDD in their analysis and classifications can be found in [36][37][38].
It can be concluded that there is no specialized dataset for WSN that has been reported in the literature for detecting and classifying as many DoS as possible.Therefore, there is an urgent need to define a labelled, specialized dataset that successfully characterizes WSN to help in studying normal and anomaly behaviors.The construction and testing of such dataset are proposed in this paper.

LEACH Mathematical Analysis
To ensure the correctness of the constructed dataset called WSN-DS, a mathematical analysis has been conducted to all LEACH phases and then has been compared to the results of simulation in case of normal situation when there is no DoS attack.The terms used in LEACH's mathematical model are listed as follows:  Proof.According to LEACH, once each sensor node has decided to which cluster it will belong, then it informs its CH by sending a (JOIN REQ) message.Therefore, all sensor nodes () except CHs (NC) will send (JOIN REQ) messages ( − NC) and these messages will also be received by CHs.

Data Transmission
Phase.Theorem 3 calculates the amount of sensed data packets that are delivered to the BS at the end of each round.
Theorem 3. In the data transmission phase of LEACH, at the end of each round, BS receives ∑  =1 (--/   ) packets.
Proof.According to LEACH, when the CH receives the sensed data from the sensors nodes (CMs) according to their time slots assigned by TDMA schedule, it aggregates them into one packet and sends it to the BS.Throughout the round, the number of packets sent to the CH from CMs is (NO-DATA-PKT) but due to the aggregation process only (NO-DATA-PKT/CMs of CH) packets will be sent to the BS.Having NC of CHs, then the overall data packets received by BS are ∑ NC =1 (NO-DATA-PKT/CM of CH).

Comparison between Mathematical Model and Simulation
Results.To confirm the correctness of the simulation which is used to collect data to construct the dataset, a comparison is performed between the mathematical analysis and simulation results.The comparison will be based on sample of the simulation results representing the first 14 rounds as after this round nodes start to die.In the first 14 rounds, the number of alive nodes is 100.Table 1 shows this comparison.The mathematical results were obtained by applying the equations in Theorems 1-3, while the simulation results were obtained from Network Simulator 2 (NS-2) simulator.
For more clarification, Table 2 presents how the mathematical formula of Theorem 3 is applied to a sample round (Round 1) in one of the simulation scenarios to calculate the number of received data packets by BS.
Table 1 shows 100% match between the mathematical model and the simulation results.This is due to the behavior of LEACH protocol which implements dynamic

WSN-DS Dataset Description and Creation
In order to build the dataset and collect the required data from the sent and received packets within WSN, a monitoring service is needed with minimum cost.On the other hand, we need to guarantee that necessary data related to the network which help in detecting, classifying, and then preventing different possible attacks are collected.In this research, to distribute the load among sensor nodes, each sensor will take part in the monitoring process and should be able to monitor set of its neighbors.The challenge was how to find the suitable number of nodes to be watched by a sensor node in order to monitor all network sensors.Many experiments have been conducted to decide on this number and the summary of the results is shown in Table 3.
When each sensor node has watched 3 nodes of its neighbors, it has been noticed that the largest number of sensor nodes which could be monitored by a single node was seven.In other words, the BS has received seven different reports about the same node from seven different watching nodes.To make sure that the received information are correct, these reports could be checked for consistency.In some scenarios, some sensor nodes were not monitored by any sensor.This indicates that monitoring 3 neighboring nodes is not enough to get information about all network sensor nodes.
Additionally, an improvement has occurred when 4 neighbors are being watched.But only when the number is 5, all sensor nodes are being watched in all 5 scenarios.Similar results have been obtained when a sensor node was watching 6 of its neighbors.Consequently, it has been found that monitoring 5 neighbors is enough to get information about all nodes in the network and there is no need to increase the computational complexity by going further.
Choosing 5 neighbors to be monitored is done at the beginning of the simulation.All nodes broadcast a Hello message.Accordingly, each node selects the first 5 nodes it heard from.Then it monitors them over the simulation period, so that each node sends a report to its CH at the end of each round.Then the CH sends the received reports to the BS.For security purposes and in case of suspecting the CH and having one monitor for this node (one report), these reports could be sent directly to the BS at the expense of consuming more energy if this node is further from the BS than the CH.After deep study of LEACH routing protocol, we have succeeded to extract 23 attributes to help in identifying the status of each node in the network, These attributes are listed as follows.

WSN-DS Dataset Attributes
Node ID: a unique ID to distinguish the sensor node in any round and at any stage.For example, node number 25 in the third round and in the first stage is to be symbolized as 001 003 025.Time: the current simulation time of the node.
Is CH?A flag to distinguish whether the node is CH with value 1 or normal node with value 0.
Who CH?The ID of the CH in the current round.RSSI: Received Signal Strength Indication between the node and its CH in the current round.Data sent: the number of data packets sent from a sensor to its CH.
Data received: the number of data packets received from CH.
Data sent to BS: the number of data packets sent to the BS.
Distance CH to BS: the distance between the CH and the BS.
Send Code: the cluster sending code.
Attack Type: type of the node.It is a class of five possible values, namely, Blackhole, Grayhole, Flooding, and Scheduling, in addition to normal, if the node is not an attacker.

Attack Models
Four types of DoS attacks in LEACH protocol are implemented in the constructed dataset; Blackhole, Grayhole, Flooding, and Scheduling attacks.This section models each one of these attacks.To ensure proper distribution of the attacker nodes, the network terrain has been divided into 10 regions.Then the attackers' ratios according to the simulation scenario were distributed randomly within these regions.

Blackhole Attack.
Blackhole attack is a type of DoS attack where the attacker affects LEACH protocol by advertising itself as a CH at the beginning of the round.Thus, any node that has joined this CH during this round will send the data packets to it in order to be forwarded to the BS.The Blackhole attacker assumes the role of CH and it will keep dropping these data packets and not forwarding them to the BS [39][40][41].Algorithm 1 shows the algorithm of Blackhole attack.
To implement this attack in the simulation environment, several attackers' intensities (10%, 30%, and 50%) have been injected randomly to perform Blackhole attack.These attackers which act as CHs will drop all the packets relayed through them in their way to the BS.

Grayhole Attack. Grayhole attack is a type of DoS attack
where the attacker affects LEACH protocol by advertising itself as a CH for other nodes.Therefore, when the forged CH receives data packets from other nodes, it drops some packets (randomly or selectively) and prevents them from reaching the BS [40][41][42].Algorithm 2 shows the algorithm of Grayhole attack.
Similar to Blackhole attack, 10%, 30%, and 50% of the sensor nodes are injected randomly to implement the Grayhole attack.The decision whether to forward a specific packet or not is also devised randomly.But the decision can be done selectively based on the sensitivity of the sensed data carried by the packet.this will consume sensors' energy and waste more time to determine which CH to join.Moreover, the attacker attempts to cheat victims to choose it as a CH, especially those nodes that are located on a far distance from it in order to consume their energy [40,43].Algorithm 3 shows the algorithm of Flooding attack.

Flooding
Flooding attack has been implemented in several ways in the simulation environment.In some experiments 10 ADV CH messages were sent by the attacker; other scenarios consider 50 ADV CH messages to be sent or a random number between 10 and 50.The idea is when more ADV CH messages are sent, more messages will be received and more energy will be consumed.We have already studied in [44] the impact of Flooding attack on WSN lifetime.The energy consumption was shown in each round using several attackers' ratios.[44].Scheduling attack occurs during the setup phase of LEACH protocol, when CHs set up TDMA schedules for the data transmission time slots.The attacker which acts as a CH will assign all nodes the same time slot to send data.This is done by changing the behavior from broadcast to unicast TDMA schedule.Such change will cause packets collision which leads to data loss.Algorithm 4 shows the algorithm of Scheduling attack.

Scheduling Attack. Scheduling attack was introduced in a previous study of the authors
The implementation of Scheduling attack is performed by setting the same time for all Cluster Members to send their data packets.Other scenarios assign every two nodes the same time or every five nodes the same time.
In [44] it has been shown that the risk of DoS attackers on LEACH protocol services could be significant.The attackers can influence the network in more than one way, through wasting the nodes' energy or dropping their data packets.This badly affects the services provided by WSN.Therefore, a methodology to detect such attacks and protect different services provided by WSN is urgently required.
Section 6 illustrates the importance of studying normal and anomaly (under attack) behaviors of WSN protocols and presenting them through a specialized dataset (WSN-DS).WSN-DS allows several intelligent and data mining approaches to be applied for the aim of better detection and classification of DoS attacks.As a result, sensor nodes will be more experienced with the normal behaviors and attackers' signatures and will be able to make proper decisions at the right time.In this research ANN is applied to test the constructed dataset and measure its accuracy in detecting and classifying four types of DoS attacks.

Experiments and Results
In this paper, WSN-DS, a specialized dataset for WSN to detect DoS attacks, was constructed.LEACH protocol was used to collect the dataset because it is one of the most common and widely used routing protocols in WSNs.WSN-DS contains 374661 records that represent four types of DoS attacks: Blackhole, Grayhole, Flooding, and Scheduling attack, in addition to the normal behavior (no-attack) records.In order to gather the required data, NS-2 was used [45].Simulation parameters are summarized in Table 5.
This section shows the results obtained from the dataset collected as described in Section 4. Waikato Environment for Knowledge Analysis (WEKA) Toolbox was used in the simulation experiments to evaluate the proposed dataset.
WEKA is an open source data mining software suite built using Java programming language and developed at the University of Waikato in New Zealand.Data mining algorithms in WEKA could be applied to datasets and be called using either WEKA's interface or user customized Java code.WEKA contains a lot of algorithms for data preprocessing, clustering, classification, association rules, regression, and visualization [46,47].
Because different performance metrics are appropriate in different settings, in this paper seven performance metrics are used: True Positive Rate (TPR), True Negative Rate (TNR), False Positive Rate (FPR), False Negative Rate (FNR), Overall Accuracy (), Precision (), and Root Mean Square Error (RMSE).
TPR represents the rate of attack cases identified correctly, TNR represents the rate of normal (no-attack) cases identified correctly, FPR represents the rate of no-attack cases identified as attacks by the system, and FNR represents the rate of attack cases identified as normal ones. is the total rate of correct decisions whether identifying an attack correctly or deciding there is no attack when really there is no attack. represents the predicted positive cases that were correctly classified; RMSE provides information on the efficiency that indicates the difference between the outputs and the targets.Lower values of RMSE indicates more accurate evaluation.Zero means no error: where TP is the number of attack cases classified correctly as attacks.TN is the number of normal (no-attack) cases classified correctly as normal (no-attack).FP is the number of normal (no-attack) cases classified incorrectly as attacks.
FN is the number of attack cases classified incorrectly as normal (no-attack).  and   are the output and target values, respectively, and  is the total number of data points.
The classification results of this dataset were obtained through a number of test cases applied using Artificial Neural Networks (ANNs), which can be built in several ways.ANN is used as a classifier were the 23 attributes extracted from the simulation experiments are used as inputs and the type of attack, including the normal case, is used as output.ANN training algorithm includes a built-in procedure to help minimizing the error between the neural network output and the desired output.Its iterative training procedure terminates when that error reaches a value below a predetermined threshold.After the training phase, the trained neural network is used on the test dataset to check its generalization accuracy.
We are extracting different results with two ANNs test options.The first one is by using holdout method where the dataset is separated to 60% training data and 40% testing data.Table 6 shows data separation using holdout method.
The second option is by using 10-Fold Cross Validation which separates the training dataset into 10 equal parts.This method trains ANN using nine of the 10 parts and evaluates it with the remaining part.The same process is repeated for all 10 parts using a sliding window to determine the test set and the remaining parts are used for training the ANN.After the completion of the 10 iterations, the results are compiled and averages are computed.The main advantage of the 10-Fold Cross Validation is using all records in the dataset alternately for both training and testing.On the other hand, it is computationally expensive.An important parameter of ANNs is the used transfer function.In this study the most common activation (transfer) function which is the logistic sigmoid function was used.This function is also called log-sigmoid.The function is defined as The logistic sigmoid function accepts any value and returns a value between 0 and 1.Because of the nonlinear characteristics of this function, it allows ANNs to model complex data with possible built-in nonlinearities.
Table 7 shows the parameters and the values used in this paper for WEKA toolbox Multilayer Perceptron (MLP) ANN classifier configuration.MLP is the most popular ANN variation that allows configuration of multilayer ANN which is able to model complex relations between the input and output parameters.
Several ANN architectures were attempted in this paper, an ANN with one hidden layer and 11 neurons is used.Moreover, an ANN with two hidden layers with 11 neurons in the first layer and 5 neurons in the second hidden layer was used.Finally, ANN with three hidden layers with 11 neurons in the first layer, 5 neurons in the second hidden layer, and two neurons in the third hidden layer was also attempted.
By using the holdout method to train the ANN with one hidden layer, an overall classification accuracy of 97.5431% was achieved.This corresponds to correctly classifying 146184 out of 149865 in the testing set as can be noticed from Table 6.
Table 8 shows the Confusion matrix for this method.For example, there are 2656 records in the testing set for Scheduling attack as shown in Table 6.2620 records were classified correctly as Scheduling attack, 23 records were classified as no-attack, 3 records were classified as Grayhole attacks, and 10 records were classified as Blackhole attack.This means that the percentage of positive classification of Scheduling attack is 98.6%.The percentage of samples that were incorrectly classified as positive while they are normal is 0.4%.Table 9 shows the results of the remaining metrics for the holdout method.RMSE as calculated in (8) is 0.073 which is an acceptable value.
From Table 9, it can be concluded that the accuracy of detecting Blackhole attack was (34.3%), which is a low percentage.For that reason, an ANN architecture that has two hidden layers was attempted.In this case, 98% (avg. of TPR) of DoS cases were correctly classified with an error of 0.0817.Table 10 shows summary of the metrics of using this architecture.From Table 10, it can be shown that the accuracy rate decreased for Grayhole attack and significantly increased for Blackhole attacks.
When the ANN was trained on the dataset with three hidden layers, 97.8% of DoS cases were correctly classified with an error of 0.0791.Table 11 shows summary of results of using holdout method with three hidden layers.
More decrease in the accuracy rate of Grayhole attack can be seen in Table 11.
An ANN was trained on the WSN-DS dataset using 10-Fold Cross Validation method with one hidden layer.In this case, 98.52% of DoS attacks were correctly classified with an error of 0.0636.Table 12 shows the summary results of using this method with one hidden layer.
Table 12 shows an improvement in the results for all types of attacks.We have trained the ANN using 10-Fold Cross Validation with two hidden layers.Having two hidden layers, 98.53% of the DoS cases were classified correctly with an error of 0.0643.Table 13 summarizes the results of using this method.
Using 10-Fold Cross Validation to train an ANN architecture that has three hidden layers on WSN-DS dataset, 97.18% of the cases were correctly classified with an error of 0.0914.Table 14 summarizes the results of using this method.
Figures 3, 4, and 5 summarize the previous results.Figure 3 shows the True positive rate.On average the best  was slightly more accurate to use holdout method with one hidden layer (H1).Figure 4 shows FPR.In FPR the smaller the rate, the better the performance.On average H1 was the best method; it is slightly better than CV1; however, CV1 was better than H1 in classifying Flooding, Scheduling, and Grayhole attacks.H1 was better in classifying the normal behavior and the Blackhole attack.
Figure 5 shows the error rate of all methods using Root Mean Squared Error (RMSE).
Figure 5 shows that CV1 was the best in terms of RMSE.From the results of TPR, FPR, and RMSE in Figures 3-5, it is concluded that the use of CV1 architecture outperforms other ANN architectures in classifying DoS attacks in WSN.
From the previous results obtained from applying ANN to WSN-DS dataset, high accuracy was achieved in the task of classifying four DoS attacks to determine whether the protocol is in its normal mode or exposed to any type of attack.

Conclusions and Future Work
The aim of this paper is to design an intelligent intrusion detection and prevention mechanism that could work efficiently to limit DoS attacks with reasonable cost in terms of processing and energy.To achieve this aim, a specialized dataset for WSN was constructed to classify four types of DoS attacks.The considered attacks are Blackhole, Grayhole, Flooding, and Scheduling attacks.The data were collected using NS-2.In addition to including normal behavior, it was also able to collect 374661 records containing the signatures of these four attacks.The dataset containing normal and malicious network traffic was used to obtain the experimental results shown.In this paper, mathematical validation of the created dataset has been provided to ensure its correctness.The constructed dataset is called WSN-DS.ANN-MLP model using WEKA toolbox was built; attacks were classified using two methods, holdout and 10-Fold Cross Validation, with one, two, and three hidden layers used in each case.We have found that, using 10-Fold Cross Validation with one hidden layer, the percentages of classification accuracies of attacks were 92.8%, 99.4%, 92.2%, 75.6%, and 99.8 in Blackhole, Flooding, Scheduling, and Grayhole attacks, in addition to the normal case (without attacks), respectively.From these results, it can be concluded that ANN trained using WSN-DS dataset is very useful in classifying DoS attacks as it was able to achieve high classification accuracy in the presence of more than one attack.This work, which compares a number of distinct DoS attacking models, provides additional insights.Specifically, it would draw conclusions in terms of selecting the best protocol to be employed in a precisely predefined realtime application in WSN.This research reemphasizes the importance of considering security early in the network protocol development process.Without this, inherited vulnerabilities in these network protocols and other software will increasingly become targets for malicious attacks.
In future, this work can be extended to include other types of DoS attacks in data link layer such as Wormhole or Sybil.In addition, attacks on protocols other than LEACH and in different layers of WSN can be considered.It is also possible to attempt the use of other classifiers and data mining approaches.The current and future versions of WSN-DS will be posted to the researchers.

Theorem 1 .
: number of sensor nodes in WSN S: senor node  NC: number of CHs CM: number of members within a cluster ADV-CH-SENT: number of advertisement messages sent by CH ADV-CH-RCVD: number of advertisement messages received by sensor nodes JOIN-REQ-SENT: number of join request messages sent by sensor nodes JOIN-REQ-RCVD: number of join request messages received by CHs TDMA-SENT: number of TDMA schedules sent by CHs TDMA-RCVD: number of TDMA schedules received by sensor nodes NO-DATA-PKT: number of data packets received by a CH 3.1.Advertisement Phase.Theorem 1 calculates the number of advertisement messages that are sent by CHs and received by CMs in a specific round as follows.In the advertisement phase of LEACH, maximum ADV-CH-SENT in a specific round is  and the maximum ADV-CH-RCVD is ( − 1) * .
IdTime Is CH Who CH Dist To CH ADV S ADV R JOIN S JOIN R SCH S SCH R Rank DATA S DATA R Data Sent To BS Dist CH To BS Send code Consumed energy Attack type

Table 1 :
Comparison between the mathematical model and simulation results.

Table 2 :
Applying Theorem 3 equation to round 1 of simulation round.
NC =1 (NO-DATA-PKT/CM of CH) Total: 238Proof.According to LEACH, each CH in each round is supposed to broadcast an advertisement message to the rest of nodes.Therefore, in case of having NC cluster heads, then ADV-CH-SENT equals NC.On the other hand, these advertisement messages (NC) will be received by all sensor nodes () except the CH node itself which equals ( − 1) * NC.3.2.Cluster SetupPhase.Theorem 2 calculates the number of join request messages sent by sensor nodes and received by CHs in order to associate with them.Theorem 2. In clusters setup phase of LEACH, the maximum JOIN-REQ-SENT equals JOIN-REQ-RCVD which is  − .

Table 3 :
Observations for five different simulation scenarios (A-E) when determining the number of nodes monitored by each node.
Integer value between 0 and  − 1 ∀ SN  , 0 <  ≤ , compute (SN  ) and random  SN  IF ( SN  < (SN  )) THEN SN Attack.Flooding attack is a type of DoS attack where the attacker affects LEACH protocol in more than one way.This research studies the impact of Flooding attack by sending large number of advertising CH massages (ADV CH) with high transmission power.Consequently, when sensors receive large number of ADV CH messages, SN  , 0 <  ≤ , compute (SN  ) and random  SN  IF ( SN  < (SN  )) THEN SN Table 4 shows sample from WSN-DS dataset to help in detecting and classifying DoS attacks.Integer value between 0 and  − 1 ∀ SN  , 0 <  ≤ , compute (SN  ) and random  SN  IF ( SN  < (SN  )) THEN SN Integer value between 0 and  − 1 ∀ SN  , 0 <  ≤ , compute (SN  ) and random  SN  IF ( SN  < (SN  )) THEN SN Algorithm 4: Model of Scheduling attack.

Table 6 :
Dataset separated 60% training set and 40 testing sets using holdout method.

Table 7 :
Parameters for MLP neural network classifier.

Table 8 :
Confusion matrix of holdout method with one hidden layer.

Table 9 :
Summary results of holdout method with one hidden layer.

Table 10 :
Summary results of holdout method with two hidden layers.

Table 11 :
Summary results of holdout method with three hidden layers.

Table 12 :
Summary results of 10-Fold Cross Validation with one hidden layer.
method for classifying the attacks is Cross Validation with one hidden layer (CV1).It was the best in classifying all attacks except for Scheduling and Grayhole attack where it

Table 13 :
Summary results of 10-Fold Cross Validation with two hidden layers.

Table 14 :
Summary results of 10-Fold Cross Validation with three hidden layers.