698

IEEE TRANSACTIONS ON MOBILE COMPUTING,

VOL. 7,

NO. 6,

JUNE 2008

Intrusion Detection in Homogeneous and Heterogeneous Wireless Sensor Networks Yun Wang, Student Member, IEEE, Xiaodong Wang, Student Member, IEEE, Bin Xie, Senior Member, IEEE, Demin Wang, Student Member, IEEE, and Dharma P. Agrawal, Fellow, IEEE Abstract—Intrusion detection in Wireless Sensor Network (WSN) is of practical interest in many applications such as detecting an intruder in a battlefield. The intrusion detection is defined as a mechanism for a WSN to detect the existence of inappropriate, incorrect, or anomalous moving attackers. For this purpose, it is a fundamental issue to characterize the WSN parameters such as node density and sensing range in terms of a desirable detection probability. In this paper, we consider this issue according to two WSN models: homogeneous and heterogeneous WSN. Furthermore, we derive the detection probability by considering two sensing models: single-sensing detection and multiple-sensing detection. In addition, we discuss the network connectivity and broadcast reachability, which are necessary conditions to ensure the corresponding detection probability in a WSN. Our simulation results validate the analytical values for both homogeneous and heterogeneous WSNs. Index Terms—Intrusion detection, node density, node heterogeneity, sensing range, Wireless Sensor Network (WSN).

Ç 1

INTRODUCTION

A

Wireless Sensor Network (WSN) is a collection of spatially deployed wireless sensors by which to monitor various changes of environmental conditions (e.g., forest fire, air pollutant concentration, and object moving) in a collaborative manner without relying on any underlying infrastructure support [1]. Recently, a number of research efforts have been made to develop sensor hardware and network architectures in order to effectively deploy WSNs for a variety of applications. Due to a wide diversity of WSN application requirements, however, a general-purpose WSN design cannot fulfill the needs of all applications. Many network parameters such as sensing range, transmission range, and node density have to be carefully considered at the network design stage, according to specific applications. To achieve this, it is critical to capture the impacts of network parameters on network performance with respect to application specifications. Intrusion detection (i.e., object tracking) in a WSN can be regarded as a monitoring system for detecting the intruder that is invading the network domain. Fig. 1 gives an example that sensors are deployed in a square area ðA ¼ L LÞ for detecting the presence of a moving intruder. Note that in Fig. 1, as well as in Figs. 3 and 4, the illustration of sensors and an intruder is based on a slide for paper [2]. The intrusion detection application concerns how fast the intruder can be detected by the WSN. If sensors are deployed with a high density so that the union of all sensing ranges covers the entire network area, the

. The authors are with the OBR Center of Distributed and Mobile Computing, Department of Computer Science, University of Cincinnati, Cincinnati, OH 45221-0030. E-mail: {wany6, wangxd, xieb, wangdm, dpa}@email.uc.edu. Manuscript received 15 May, 2007; revised 26 Oct. 2007; accepted 10 Jan. 2008; published online 28 Jan. 2008. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number TMC-2007-05-0136. Digital Object Identifier no. 10.1109/TMC.2008.19. 1536-1233/08/$25.00 ß 2008 IEEE

intruder can be immediately detected once it approaches the network area. However, such a high-density deployment policy increases the network investment and may be even unaffordable for a large area. In fact, it is not necessary to deploy so many sensors to cover the entire WSN area in many applications [3], since a network with small and scattered void areas will also be able to detect a moving intruder within a certain intrusion distance. In this case, the application can specify a required intrusion distance within which the intruder should be detected. As shown in Fig. 1, the intrusion distance is referred as D and defined as the distance between the point the intruder enters the WSN, and the point the intruder is detected by the WSN system. This distance is of central interest to a WSN used for intrusion detection. In this paper, we derive the expected intrusion distance and evaluate the detection probability in different application scenarios. Given a maximal allowable intrusion distance Dmax ¼ , we theoretically capture the impact on the detection probability in terms of different network parameters, including node density, sensing range, and transmission range. For example, given an expected detection distance EðDÞ, we can derive the node density with respect to sensors’ sensing range, thereby knowing the total number of sensors required for WSN deployment. In a WSN, there are two ways to detect an object (i.e., an intruder): single-sensing detection and multiple-sensing detection. In the single-sensing detection, the intruder can be successfully detected by a single sensor. On the contrary, in the multiple-sensing detection, the intruder can only be detected by multiple collaborating sensors [4]. In some applications, the sensed information provided by a single sensor might be inadequate for recognizing the intruder. It is because individual sensors can only sense a portion of the intruder. For example, the location of an intruder can only be determined from at least three sensors’ sensing data [5], [6], [7], [8]. In view of this, we analyze the Published by the IEEE CS, CASS, ComSoc, IES, & SPS

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

699

intrusion detection model. Section 4 analyzes the intrusion detection in a homogeneous WSN, and Section 5 examines the intrusion detection in a heterogeneous WSN. Section 6 studies the network connectivity and broadcast reachability in a heterogeneous WSN. Simulation and verification results are given in Section 7. Finally, the paper is concluded in Section 8.

2

Fig. 1. Intrusion detection in a WSN.

intrusion detection problem under two application scenarios: single-sensing detection and multiple-sensing detection. According to the capability of sensors, we consider two network types: homogeneous and heterogeneous WSNs [9]. We define the sensor capability in terms of the sensing range and the transmission range. In a heterogeneous WSN [10], [11], [12] some sensors have a larger sensing range and more power to achieve a longer transmission range. In this paper, we show that the heterogeneous WSN increases the detection probability for a given intrusion detection distance. On the other hand, a heterogeneous WSN poses the challenge of network connectivity due to asymmetric wireless link. The high-capability sensors have a longer transmission range while low capability sensors have a shorter transmission range. Due to this, the packet sent by a high-capability sensor may reach the low-capability sensor, while the low capability sensor may not be able to send packets to the corresponding high-capability sensor [13]. This motivates us to analyze the network connectivity in this paper. Furthermore, in a heterogeneous WSN, highcapability sensors usually undertake more important tasks (i.e., broadcasting power management information or synchronization information to all the sensors in the network), it is also desirable to define and examine the broadcast reachability from high-capability sensors. The network connectivity and broadcast reachability are important conditions to ensure the detection probability in WSNs. They are formally defined and analyzed in this paper. To the best of our knowledge, our effect is the first to address this issue in a heterogeneous WSN. The main contributions of this paper can be summarized as follows: Developing an analytical model for intrusion detection in WSNs, and mathematically analyzing the detection probability with respect to various network parameters such as node density and sensing range. . Applying the analytical model to single-sensing detection and multiple-sensing detection scenarios for homogeneous and heterogeneous WSNs. . Defining and examining the network connectivity and broadcast reachability in a heterogeneous WSN. The remainder of the paper is organized as follows: Section 2 presents the related work. Section 3 describes the .

RELATED WORK

Intrusion detection is one of the critical applications in WSNs, and recently, several approaches for intrusion detection in homogeneous WSNs have been presented [3], [14], [15], [16], [17]. The focus of these approaches aims at effectively detecting the presence of an intruder. First, the problem is investigated from the aspect of the network architecture. Kung and Vlah [14] take advantage of a hierarchical tree structure to effectively track the movement of an intruder. The hierarchical tree consists of connected sensors and is built upon expected properties of intruder mobility patterns such as its movement frequency over a region. Based on the hierarchical tree, it allows an efficient record of an intruder’s moving information and supports fast querying from the base station. Another tree structure for tracking an intruder, called as a logic object-tracking tree, is developed by Lin et al. [15]. The logic object tracking tree reduces the communication cost for data updating and querying by taking into account the physical network topology. In particular, the logic object tracking tree targets to balance the update cost and the query cost so as to minimize the total communication cost. Second, the intrusion detection problem has been considered from the constraint of saving network resources. For example, Chao et al. [16] have addressed the issue of tracking a moving intruder by power-conserving operations and sensor collaboration. To achieve this, the authors defined a set of novel metrics for detecting a moving intruder and developed two efficient sleep-awake schemes called PECAS and MESH, to minimize the power consumption. Ren et al. [3] further studied the trade-off between the network detection quality (i.e., how fast the intruder can be detected) and the network lifetime. Therefore, the sensor coverage had to be carefully designed according to the detection probability with respect to specific application requirements. The authors then proposed three wave sensing scheduling protocols to achieve the bounded worst case detection probability. Rather than a static WSN architecture as the above approaches, Liu et al. [17] have modeled the intrusion detection problem in a mobile WSN, where each sensor is capable of moving. The authors have given the optimal strategy for fast detection and shown that mobile WSN improves its detection quality due to the mobility of sensors. In this paper, we address the intrusion detection problem from the other angle. Most of the above efforts consider intrusion detection and its efficiency in terms of the single-sensing model in a homogeneous WSN. Instead of the network architecture and detecting protocol design, we provide a comprehensive theoretical analysis on the intrusion detection in both homogeneous and heterogeneous WSNs [18]. The detection probability is theoretically captured by using underlying network parameters, and thus, our work is of paramount importance for a network

700

IEEE TRANSACTIONS ON MOBILE COMPUTING,

VOL. 7,

NO. 6,

JUNE 2008

WSN, where both Type I and Type II sensors follow the 2D Poisson point distribution. In a homogeneous or heterogeneous WSN, a point is said to be covered by a sensor if it is located in the sensing range of any sensor(s). The WSN is thus divided into two regions, the covered region, which is the union of all sensor coverage disks, and the uncovered region, which is the complement of the covered region within the area of interest A. In our network model, the intruder does not know the sensing coverage map of the WSN.

Fig. 2. Heterogeneous WSN deployment.

planner to design WSNs for intrusion detection applications. To the best of our knowledge, this is the first work that considers the intrusion detection problem in a heterogeneous WSN and provides fundamental analytical results on it. The analytical results indicate the improvement on the detection quality in a heterogeneous WSN, as compared to a homogeneous WSN, either for the singlesensing detection or the multiple-sensing detection scenarios. Furthermore, we have modeled the network connectivity and broadcast reachability in a heterogeneous WSN [19], which serve as the necessary conditions for achieving desirable detection probability.

3

INTRUSION DETECTION MODEL

AND

.

DEFINITIONS

Our intrusion detection model includes a network model, a detection model, and an intrusion strategy model. The network model specifies the WSN environment. The detection model defines how the intruder can be detected and the intrusion strategy illustrates the moving policy of the intruder.

3.1 Network Model We consider a WSN in a two-dimensional (2D) plane with N sensors, denoted by a set N ¼ ðn1 ; n2 ; . . . ; nN Þ, where ni is the ith sensor. These sensors are uniformly and independently deployed in a square area A ¼ L L. Such a random deployment results in a 2D Poisson point distribution of sensors. All sensors are static once the WSN has been deployed. In particular, we consider two WSN types: homogeneous and heterogeneous WSNs. In a homogeneous WSN, each sensor has the same sensing radius of rs , and the transmission range of rx . A sensor can only sense the intruder within its sensing coverage area that is a disk with radius rs centered at the sensor. Denote the node density of the homogeneous WSN as . We then focus on a heterogeneous WSN with two types of sensors, as shown in Fig. 2: Type I sensor that has a larger sensing range rs1 , as well as a longer transmission range rx1 , and . Type II sensor that has a smaller sensing range rs2 , as well as a shorter transmission range rx2 . The densities of Type I and Type II sensors are represented as 1 and 2 , respectively. Fig. 2 shows a heterogeneous .

3.2 Detection Model There are two detection models in terms of how many sensors are required to recognize an intruder: singlesensing detection model and multiple-sensing detection model. It is said that the intruder is detected under the single-sensing detection model if the intruder can be identified by using the sensing knowledge from one single sensor. On the contrary, in the multiple-sensing detection model, the intruder can only be identified by using cooperative knowledge from at least k sensors (k is defined by specific application requirements). For simplicity of expression, multiple sensing and k-sensing are interchangeable in the following discussion: In order to evaluate the quality of intrusion detection in WSNs, we define three metrics as follows:

.

.

Intrusion distance. The intrusion distance, denoted by D, is the distance that the intruder travels before it is detected by a WSN for the first time. Specifically, it is the distance between the point where the intruder enters the WSN and the point where the intruder gets detected by any sensor(s). Following the definition of intrusion distance, the Maximal Intrusion Distance (denoted by , > 0) is the maximal distance allowable for the intruder to move before it is detected by the WSN. Detection probability. The detection probability is defined as the probability that an intruder is detected within a certain intrusion distance (e.g., Maximal Intrusion Distance ). Average intrusion distance. The average intrusion distance is defined as the expected distance that the intruder travels before it is detected by the WSN for the first time.

3.3 Intrusion Strategy Model As illustrated in Figs. 3 and 4, we consider two intrusion strategies for the movement of the intruder in a WSN. If the intruder (say, a panzer) already knows its destination before entering the network domain, it follows the shortest path to approach the destination. In this case, the intrusion path is a straight line ðD1 Þ from the entering point to the destination, as illustrated in Fig. 3. The main idea behind this strategy is that the straight movement causes the least risk for the intruder due to the least area that it has to explore by following a straight line toward the destination. The corresponding intrusion detection area S1 is determined by the sensor’s sensing range rs and intrusion distance D1 , as shown in Fig. 3. It is because the intruder can be detected within the intrusion distance D1 by any sensor(s) situated within the area of S1 .

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Fig. 3. Intrusion strategy 1.

On the contrary, if the intruder does not know its destination, it moves in the network domain in a random fashion. We consider that the intruder tends to minimize the overlapping on its path. Thus, the intrusion path of the intruder can be regarded as a nonoverlapping curved line ðD2 Þ, and the intrusion area accordingly is a curved band S2 , as illustrated in Fig. 4. In the above two strategies, if the intruder travels the same distance, i.e., D1 ¼ D2 , the corresponding intrusion detection areas approximately satisfy S1 ¼ S2 . Therefore, we adopt a straight path in the following discussion, and the analytical results can be directly applied to the case of the curved path. Furthermore, the intruder can start its intrusion from the network boundary or a random point inside the network domain. For example, the intruder can be dropped from the air and starts from any point in the network domain.

4

INTRUSION DETECTION IN A HOMOGENEOUS WIRELESS SENSOR NETWORK

In this section, we present the analysis of intrusion detection in a homogeneous WSN. We derive the detection probability for single-sensing detection and k-sensing detection.

Fig. 4. Intrusion strategy 2.

701

Fig. 5. The intruder starts from the boundary of the WSN.

4.1 Single-Sensing Detection In the single-sensing detection model, the intruder can be recognized once it moves into the sensing coverage disk of any sensor(s). According to the intrusion strategy, the intruder may access the network domain from any point of the network boundary or a random point in the network domain. When the intruder starts from a point of the network boundary, as shown in Fig. 5, given an intrusion distance D 0, the corresponding intrusion detection area SD is almost an oblong area. This area includes a rectangular area with length D and width 2rs and a half disk with radius rs attached to it. It has SD ¼ 2 D r s þ

r2s : 2

ð1Þ

According to the definition of single-sensing detection, the intruder is detected if and only if there exists at least one sensor within this area SD . Otherwise, the intruder is not detected. Similarly, when the intruder starts from a random point in the network domain, the corresponding intrusion detection area is SD ¼ 2 D rs þ r2s , as shown in Fig. 6. In the following analysis, we focus on the case that the intruder starts from the boundary of the network

Fig. 6. The intruder starts form a random point in the WSN.

702

IEEE TRANSACTIONS ON MOBILE COMPUTING,

domain. The derived results can be applied to the other case r2 by replacing 2s with r2s . We first consider the detection probability that the intruder can be immediately detected once it enters the network domain. In other words, it has an intrusion distance D ¼ 0. The corresponding intrusion detection area r2 is S0 ¼ 2s . We then have Theorem 1 as follows: Theorem 1. The probability p1 ½D ¼ 0 that an intruder can be immediately detected once it enters a homogeneous WSN with node density and identical sensing range rs can be given by

p1 ½D ¼ 0 ¼ 1 e

r2s 2

ð2Þ

:

ðSÞm S e : P ðm; SÞ ¼ m!

ð3Þ

Therefore, the probability of no sensor in the immediate r2 s r2 r2 intrusion detection area S0 ¼ 2s is P ð0; 2s Þ ¼ e 2 . r2s Then, the complement of P ð0; 2 Þ is the probability that r2 there is at least one sensor located in S0 ¼ 2s . In this case, the intruder can be detected once it approaches the network with intrusion distance D ¼ 0. Thus, the probability that the intruder can be detected immediately by the WSN once2 it enters the WSN is p1 ½D ¼ 0 ¼ rs r2 1 P ð0; 2s Þ ¼ 1 e 2 . u t This result shows that the immediate detection probability p1 ½D ¼ 0 is determined by the node density and the sensing range. By increasing the node density or enlarging the sensing range, p1 ½D ¼ 0 can be improved. Immediate detection may need a large sensing range or a high node density, thus increasing the WSN deployment cost. We then consider the detection probability in a relaxed condition when the intruder is allowed to travel some distance in the WSN. Theorem 2. Suppose is the maximal intrusion distance allowable for a given application. The probability p1 ½D that the intruder can be detected within in the given homogeneous WSN can be derived as 2 2rs þ

JUNE 2008

p1 ½D ¼ ¼ 2rs e and pﬃﬃ 2 L Z r2 2rs þ 2s 2rs e dðÞ: E1 ðDÞ ¼

ð5Þ

2rs þ

VOL. 7,

2

rs 2

0

Proof. In Theorem 2, (4) gives the cumulative density function (CDF) of intrusion distance such as p1 ½D . Therefore, p1 ½D ¼ can be obtained from the differential of p1 ½D , and it can r2 s dðp1 ½DÞ ¼ 2rs eð2rs þ 2 Þ . dðÞ

be calculated as p1 ½D ¼ ¼ The average intrusion distance

E1 ðDÞ can be easily derived from the PDF of the intrusion

Proof. In a uniformly distributed WSN with node density , the probability of m sensors located within the area S follows the Poisson distribution [18]:

p1 ½D ¼ 1 e

NO. 6,

rs 2

:

ð4Þ

Proof. According to the definition of single-sensing detection model, the probability that the intruder can be detected within an intrusion distance of is equivalent to the probability that there is at least one sensor located in the r2 corresponding intrusion detection area S ¼ 2rs þ 2s . That is, p1 ½D ¼ 1 P ð0; S Þ while P ð0; S Þ is obtained from (3). The probability p1 ½D can further be r2 s represented as p1 ½D ¼ 1 P ð0; S Þ 2¼ 1 eð2rs þ 2 Þ . rs Then, it yields p1 ½D ¼ 1 eð2rs þ 2 Þ . u t Theorem 3. Let p1 ½D ¼ be the probability that the intruder is detected at an intrusion distance , > 0, and E1 ðDÞ be the average intrusion distance. Then,

distance (i.e., p1 ½D ¼ ). Since the intruder is assumed to move in the network along a straight path, and the network domain is a square area with size A ¼ L L, the pﬃﬃﬃ maximum distance the intruder may travel is 2L. Then, the average intrusionpﬃﬃ distance is given as E1 ðDÞ ¼ R 2L r2 R pﬃﬃ2L s p1 ½D ¼ dðÞ ¼ 0 2rs eð2rs þ 2 Þ dðÞ. u t 0 Theorems 1-3 indicate that the quality of intrusion detection in single-sensing detection scenario for a given WSN improves as the sensing range or the node density increases.

4.2 K-Sensing Detection In the k-sensing detection model, an intruder has to be sensed by at least k sensors for intrusion detection in a WSN. The number of required sensors depends on specific applications. For example, at least three sensors’ sensing information is required to determine the location of the intruder. Theorem 4. Let pk ½D ¼ 0 be the probability that an intruder is detected immediately once it enters a WSN with node density and sensing range rs in k-sensing detection model. It has 2 i k1 X rs r2s e 2 : ð6Þ pk ½D ¼ 0 ¼ 1 2i i! i¼0 Proof. According to (3), P ði;

r2s 2 Þ

is the probability that

there are i sensors located in the immediate detection r2 Pk1 r2s area S0 ¼ 2s . i¼0 P ði; 2 Þ is therefore the probability that there are less than k sensors in the area S0 . Further, P r2s 1 k1 i¼0 P ði; 2 Þ represents the probability that there are at least k sensors located in the area S0 . In this case, the intruder can be sensed by at least k sensors when it accesses the network boundary. Consequently, it P r2s can be said that pk ½D ¼ 0 ¼ 1 k1 i¼0 P ði; 2 Þ ¼ 1 i Pk1 ðr2s Þ r2s 2 is the probability of the intruder to i¼0 2i i! e be detected immediately when it enters the WSN domain under k-sensing detection scenarios.

u t

Theorem 5. Let pk ½D be the probability that the intruder is detected within the maximal intrusion distance in a k-sensing detection model for the given homogeneous WSN. Then, pk ½D can be calculated as

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

i k1 X S S e pk ½D ¼ 1 i! i¼0

Theorems 4-6 show that the quality of intrusion detection ð7Þ

r2 where S ¼ 2rs þ s : 2 Proof. S ¼ 2rs þ

r2s 2

703

in the k-sensing detection scenario for a given WSN improves as the sensing range and node density increase and

is the intrusion detection area with

decreases as k grows. If we relax the multiple-sensing

respect to the maximal intrusion distance . If there are at

detection to single-sensing detection2 by setting k ¼ 1.

least k sensors in the area S , the intruder can be sensed

Equation (8) is reduced to E1 ðDÞ ¼ e2rs 2i! , which shows (5) R pﬃﬃ2L r2s in another way (i.e., E1 ðDÞ ¼ 0 2rs eð2rs þ 2 Þ dðÞ).

by the k sensors, and the k sensors could collaborate with each other to recognize the intruder. From (3), i ðS Þ S P ði; S Þ ¼ i! e denotes the probability that i senP sors are located in the area of S . Then, k1 i¼0 P ði; S Þ ¼ Pk1 ðS Þi S is the probability that less than k sensors i¼0 i! e are located in the area S . Thus, the complement of Pk1 ðS Þi S Pk1 is the probability that i¼0 P ði; S Þ, 1 i¼0 i! e there are at least k sensors located in the area S . If this is the case, the intruder can be sensed by at least k sensors P ðS Þi S from the WSN with probability 1 k1 i¼0 i! e before it travels a distance of . Finally, the probability pk ½D that the intruder is detected within the maximal intrusion distance in k-sensing detection model can be Pk1 ðS Þi S . t u i¼0 i! e

derived as pk ½D ¼ 1

Theorem 6. Let Ek ðDÞ be the average intrusion distance in the k-sensing detection model for the given WSN with node density and sensing range rs , it has P r2s i r2s 2 k k1 i¼0 2 e : ð8Þ Ek ðDÞ ¼ 2rs i! Proof. Ek ðDÞ is the average intrusion distance. Then, Sk ¼ Ek ðDÞ 2rs is the average intrusion detection area, and Ek ðDÞ 2rs is the average number of sensors located in the area of Sk . Based on the definition of k-sensing detection model, k sensors are required to identify the intruder. Thus, the average number of sensors located in the average intrusion detection area should be equal to k, that is, Ek ðDÞ 2rs ¼ k. Considering the case when the intruder is detected immediately once it enters the WSN domain, the average intrusion distance is Ek ðDÞ ¼ 0, while Ek ðDÞ 2rs ¼ 0. In this case, Ek ðDÞ 2rs ¼ k does not hold. Thus, it is necessary to eliminate this boundary effect, and we get Ek ðDÞ 2rs ¼ kð1 pk ½D ¼ 0Þ. By replacing pk ½D ¼ 0 by (7)

r s

Note that there is no closed form solution for the integral in (5), but it matches with (8) when L rs .

5

INTRUSION DETECTION IN A HETEROGENEOUS WIRELESS SENSOR NETWORK

In a heterogeneous WSN, as defined in Section 3.1, we consider two types of sensors: Type I and Type II with the node density of 1 and 2 , respectively. A Type I sensor has the sensing range rs1 , and the sensing coverage is a disk of area S1 ¼ r2s1 . A Type II sensor has the sensing coverage of S2 ¼ r2s2 with the sensing range rs2 . Without loss of generality, we can assume that rs1 > rs2 in our network model. In a heterogeneous WSN, any point in the network domain is said to be covered if the point is under the sensing range of any sensor (Type I, Type II, or both). In this section, we present the analysis of intrusion detection probability of a heterogeneous WSN in singlesensing detection and multiple-sensing detection models.

5.1 Single-Sensing Detection We denote the intrusion distance by Dh in the given heterogeneous WSN. Again, an intruder may be detected by the WSN once it approaches the network boundary, and the corresponding intrusion distance is Dh ¼ 0. This leads to the following theorem. Theorem 7. The probability p1 ½Dh ¼ 0 that an intruder can be immediately detected once it enters the given heterogeneous WSN in a single-sensing detection model can be represented by p1 ½Dh ¼ 0 ¼ 1 e1

r2 s1 2

e2

r2 s2 2

ð9Þ

:

Proof. According to the single-sensing detection model, the intruder is detected if and only if one of the following conditions is satisfied: . .

The intruder enters into the sensing coverage area of any Type I sensor(s). The intruder enters into the sensing coverage area of any Type II sensor(s).

following Theorem 4, we further obtain Ek ðDÞ 2rs ¼ P Pk1 r2s i r2s r2s 2 . Finally, the average k k1 i¼0 P ði; 2 Þ ¼ k i¼0 ð 2 Þ e

In the Cartesian coordinate system, as illustrated in

intrusion distance in the k-sensing detection model for

intruder, and y-axis is the network boundary. If a Type

the given WSN can be calculated as P r2s i r2s 2 k k1 i¼0 2 e : Ek ðDÞ ¼ 2rs i!

Isensor is located inside the half disk S1 ¼

Fig. 7, suppose point (0, 0) is the starting position of the r2s1 2

, which is

centered at the point (0, 0) with radius rs1 , the first condition holds. Similarly, the second condition holds if t u

there is a Type II sensor inside the half disk S2 ¼

r2s2 2

,

which is centered at the point (0, 0) with radius rs2 . Then,

704

IEEE TRANSACTIONS ON MOBILE COMPUTING,

Fig. 7. Intrusion detection at the start point ðDh ¼ 0Þ.

S1 is P1 ð0; S1 Þ ¼ e1 S1 ¼ e

, and the probability of 2

no Type II sensor inside S2 is P2 ð0; S2 Þ ¼ e2 S2 ¼ e2

r

s2 2

.

Considering Type I and Type II, sensors are independently deployed according to our heterogeneous WSN model, the probability of neither Type I sensor nor Type II sensor that senses the intruder is P1 ð0; S1 ÞP2 ð0; S2 Þ ¼ 2 2 e1

r s1 2

e2

r s2 2

. Thus, the probability of at least one sensor

(either Type I or Type II) around the boundary that can 2 sense2 the intruder is 1 P1 ð0; S1 ÞP2 ð0; S2 Þ ¼ 1 e1 e2

r s2 2

r s1 2

. Therefore, the probability that the intruder is

detected immediately once it enters the network domain 2 2 can be represented as p1 ½Dh ¼ 0 ¼ 1 e1

r s1 2

e2

r s2 2

.

u t

Theorem 8. Suppose is the maximal intrusion distance allowable for the intruder to travel within the given heterogeneous WSN in single-sensing detection. The probability p1 ½Dh that the intrusion distance Dh is less than can be calculated as 0

0

Theorem 9. The probability p1 ½Dh ¼ that the intruder is detected at an intrusion distance ð > 0Þ when it travels within the given heterogeneous WSN in single-sensing detection can be derived as 0

where r2si ; ði ¼ 1; 2Þ: 2

ð10Þ

.

At least one Type I sensor is located in the area of S10 . If condition 1 does not hold, at least one Type II sensor is located in the area of S20 .

0

p1 ½Dh ¼ ¼ 2ð1 rs1 þ 2 rs2 Þeð1 S1 þ2 S2 Þ ;

0

Proof. The probability of an intruder to be detected within the maximal intrusion distance is equivalent to the probability of at least one sensor (either Type I or Type II) inside the corresponding intrusion detection area S0 . For Type I sensors, the intrusion detection area S10 is the region that includes a rectangular area with length and width 2rs1 , as well as a half disk with r2 radius rs1 , as shown in Fig. 8. It gives S10 ¼ 2rs1 þ 2s1 . Similarly, the intrusion detection area for Type II sensors r2 is S20 ¼ 2rs2 þ 2s2 . Then, we obtain the maximal intruS sion detection area with respect to as S0 ¼ S10 S20 . The intruder can be detected within the intrusion distance if one of the following conditions is satisfied: .

JUNE 2008

Note that P1 ð0; S10 Þ ¼ e1 S1 is the probability of no Type I 0 sensor in the area of S10 , and P2 ð0; S20 Þ ¼ e2 S2 is the probability of no Type II sensor in the area of S20 . The first condition can be satisfied with the probability of 1 P1 ð0; S10 Þ, and the second condition holds with the probability of P1 ð0; S10 Þð1P2 ð0; S20 ÞÞ. Thus, 1P1 ð0; S10 Þ þ P1 ð0; S10 Þð1 P2 ð0; S20 ÞÞ ¼ 1 P1 ð0; S10 ÞP2 ð0; S20 Þ represents the probability of at least one sensor (either Type I or Type II) that can detect the intruder within the maximal intrusion detection area S0 . Finally, the probability that the intrusion distance Dh is less than can be derived 0 0 2 S2 a s p1 ½Dh ¼ 1 P1 ð0; S10 ÞP2 ð0; S20 Þ ¼2 1 e1 S1 e . r r2 s1 s2 Further, we get p1 ½Dh ¼ 1e1 ð2rs1 þ 2 Þ e2 ð2rs2 þ 2 Þ . t u

p1 ½Dh ¼ 1 e1 S1 e2 S2 ; where Si0 ¼ 2rsi þ

NO. 6,

Fig. 8. Intrusion detection in the heterogeneous WSN ðDh ¼ Þ.

from (3), the probability that no2 Type I sensor lies inside r 1 2s1

VOL. 7,

Si0 ¼ 2rsi þ

r2si ; ði ¼ 1; 2Þ: 2

ð11Þ

Proof. Equation (10) gives the CDF of intrusion distance in a single-sensing detection scheme. Therefore, the probability p1 ½Dh ¼ that the intruder is detected at an intrusion distance can be derived by the differential of p1 ½Dh . ½Dh Þ ¼ 2ð1 rs1 þ 2 rs2 Þeð1 S1 þ2 S2 Þ ¼ It has p1 ½Dh ¼ ¼ dðp1dðÞ 0

1 r2 þ2 r2 s1 s2 Þ ð21 rs1 þ22 rs2 þ 2

2ð1 rs1 þ 2 rs2 Þe

0

. Then, based on

the PDF of an intrusion detection distance such as p1 ½Dh ¼ , it is easy to obtain the expected intrusion distance as

E1 ðDh Þ ¼

pﬃﬃ Z 2L

0

0

2ð1 rs1 þ 2 rs2 Þeð1 S1 þ2 S2 Þ dðÞ:

0

This is because the maximum intrusion distance that the intruder could travel in the square network domain is pﬃﬃﬃ 2L by following a straight path. u t

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Theorems 7-9 indicate that the quality of intrusion detection in single-sensing detection scenario for a given heterogeneous WSN increases with the increasing of sensing range and node density. In addition, the existence of high-capability sensors improves the network detection probability further due to a larger sensing range.

5.2 K-Sensing in a Heterogeneous WSN In the k-sensing detection model of a heterogeneous WSN with two types of sensors, at least k sensors are required to detect an intruder. These k sensors can be any combination of Type I and Type II sensors. For instance, if three sensors are required to detect an intruder for a specific application, the intruder can be detected by any of the following sensor combinations: 1. 2. 3. 4.

pk ½Dh ¼ 0 ¼ 1 ¼1

705

m¼0

i P ðj; S ÞP ðm j; S Þ 1 1 2 2 j¼0

m¼0

P ðj; j¼0 1

Xk1

hXm

Xk1 Xm

r2s1 r2 ÞP2 ðm j; s2 Þ : 2 2 u t

Theorem 11. Let pk ðDh Þ be the probability that the intrusion distance is less than ð > 0Þ in the k-sensing detection model, is the maximal intrusion distance allowable for an intruder to move in the given heterogeneous WSN. It has " # k1 X m X 0 0 P1 j; S1 P2 m j; S2 ; pk ½Dh ¼ 1 m¼0 j¼0 ð13Þ 2 r where Si0 ¼ 2rsi þ si ; ði ¼ 1; 2Þ: 2 Proof. From (3), P1 ðj; S10 Þ is the probability that j Type I

three Type I sensors, three Type II sensors, one Type I sensor and two Type II sensors, and two Type I sensors and one Type II sensor.

sensors are located in the intrusion detection area S10 ¼ 2rs1 þ

r2s1 2

. P2 ðm j; S20 Þ is the probability of

ðmjÞ Type II sensors located in the corresponding

Theorem 10. Let pk ðDh ¼ 0Þ be the probability that an intruder can be immediately detected once it enters the given heterogeneous WSN in the k-sensing detection model. It has " # k1 X m X r2s1 r2s2 : P1 j; pk ½Dh ¼ 0 ¼ 1 P2 m j; 2 2 m¼0 j¼0 ð12Þ Proof. According to k-sensing detection model, an intruder is detected immediately once it enters the network if and only if at least k sensors are located within their half sensing disk centered at the intrusion start point (as j

intrusion detection area S20 and S20 ¼ 2rs2 þ P1 ðj; S10 ÞP2 ðm

j; S20 Þ

r2s2 2

. Then,

represents the probability of

m sensors, consisting of j Type I sensors and ðm jÞ Type II sensors can sense the intruder within the intrusion S detection area S10 S20 with respect to . If m ¼ k, P1 ðj; S10 ÞP2 ðm j; S20 Þ stands for the probability that the intruder can be detected by the WSN within intrusion distance . Since these m sensors can be any combination P 0 0 of sensor types, m j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the probability that there are totally m sensors can sense the P Pm 0 0 intruder. Then, k1 m¼0 ½ j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the

illustrated in Fig. 7). Based on (3), P1 ðj; S1 Þ ¼ ðS1j!Þ eS1 is

probability that there are at most ðk 1Þ (i.e., less than k)

the probability of j Type I sensors that can sense the

sensors that can sense the intruder within the intrusion S detection area S10 S20 . Consequently, the probability

intruder within the corresponding intrusion detection r2s1 2

ðmjÞ

2 Þ , and P2 ðm j; S2 Þ ¼ ðSðmjÞ! eS2 is the

pk ðDh Þ that the intruder travels with distance less

probability of ðm jÞ Type II sensors that can sense the

than before being detected by the given heterogeneous

area S1 ¼

intruder within the area of S2 ¼

r2s2 2

. Consequently,

P1 ðj; S1 ÞP2 ðm j; S2 Þ represents the probability of m sensors (j Type I sensors plus m j Type II sensors) that can sense the intruder at the start point. Since these m sensors can be any combination of sensor types, Pm j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the probability that there are totally m sensors that can sense the intruder in S the intrusion detection area of S1 S2 . Therefore, Pk1 Pm m¼0 ½ j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the probability of at most ðk 1Þ (less than k) sensors that can sense the intruder when it approaches the WSN. Finally, the probability that the intruder can be immediately detected once it enters the heterogeneous WSN in the k-sensing detection model is equivalent to the complement of Pk1 Pm m¼0 ½ j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ, yielding

WSN in the k-sensing detection model can be derived hP i P m 0 0 as pk ðDh Þ ¼ 1 k1 P m¼0 j¼0 1 ðj; S1 ÞP2 ðm j; S2 Þ ¼ i Pk1 hPm r2s1 r2s2 1 m¼0 P ðj; 2r þ ÞP ðmj; 2r þ Þ . t u 1 s1 2 s2 j¼0 2 2 Theorem 12. Let Ek ðDh Þ be the average intrusion distance under the k-sensing detection model in the given heterogeneous WSN. Then hP i P r2s1 r2s2 m k k1 m¼0 j¼0 P1 j; 2 P2 m j; 2 : ð14Þ Ek ðDh Þ ¼ 2rs1 1 þ 2rs2 2 Proof. Ek ðDh Þ is the average intrusion distance in the heterogeneous WSN. Then, the corresponding average intrusion detection areas for Type I and Type II sensors are S1 ¼ 2rs1 Ek ðDh Þ and S2 ¼ 2rs2 Ek ðDh Þ, respectively. While the node densities of Type I and Type II sensors are 1 and 2 . The average number of Type I sensors that with the intruder during its invasion is N1 ¼ 1 S1 .

706

IEEE TRANSACTIONS ON MOBILE COMPUTING,

At the same time, the average number of Type II sensors that hit the intruder in its intrusion is N2 ¼ 2 S2 . In the k-sensing detection model, k sensors are required to detect the intruder, it has N1 þ N2 ¼ 1 S1 þ 2 S2 ¼ 2rs1 Ek ðDh Þ1 þ 2rs2 Ek ðDh Þ2 ¼ k. The only exception is 2rs1 Ek ðDh Þ1 þ 2rs2 Ek ðDh Þ2 ¼ 0 while Ek ðDh Þ ¼ 0 in the case of immediate intrusion detection. In view of this, we eliminate this boundary effect (i.e., Ek ðDh Þ ¼ 0) and obtain kð1 pk ½Dh ¼ 0Þ ¼ 2Ek ðDh Þrs1 1 þ 2Ek ðDh Þrs2 2 . Substituting pk ½Dh ¼ 0 with (12), iwe further obtain Pk1 hPm r2s1 r2s2 k m¼0 j ¼ 0 P1 ðj; 2 ÞP2 ðm j; 2 Þ ¼ 2Ek ðDh Þrs1 1 þ 2Ek ðDh Þrs2 2 . Consequently, the average intrusion distance for k-sensing model in the heterogeneous WSN can be derived as hP i P r2s1 r2s2 m k k1 m¼0 j¼0 P1 j; 2 P2 m j; 2 : Ek ðDh Þ ¼ 2rs1 1 þ 2rs2 2 u t Theorems 10-12 indicate that the quality of intrusion detection in the k-sensing detection scenario for a given heterogeneous WSN improves with the increase in the sensing range and the node density and decreases as k grows. In addition, the existence of high-capability sensors further improves the network detection quality due to the enlarged sensing coverage.

5.3 Incorporating Node Availability It should be noted that the above analytical results (Theorems 1-12) can be extended to the scenario that a power management scheme is adopted as follows: A power management scheme in WSNs is greatly desirable due to power constraint on common sensors. Sensor power can be put on/off periodically to save energy in most of the WSN applications [16], [21], [22]. Thus, it is appropriate to take the node availability rate into consideration in our analysis. The most basic prescheduled independent sleeping approach can be implemented by a Random Independent Sleeping (RIS) scheme. In this scheme, time is divided into cycles based on a time synchronization method. At the beginning of a cycle, each sensor independently decides whether to become active with probability p or go to sleep with probability 1 p. Thus, the network lifetime is increased by a factor up to 1=p [23]. Here, we incorporate this RIS scheme in our analysis of intrusion detection in terms of node availability. We assume all sensors have the same availability probability, denoted by pa , which means each sensor has the probability of 1 pa to be off in every sensing period. Note that the Poisson stream has its characteristics. If a Poisson stream with mean rate is split into k substreams such that the probability of a job that is going to be the ith substream is pi , each substream is also Poisson distributed with a mean rate of pi [24]. In our network model, all sensors are randomly deployed and conform to a Poission distribution. Therefore, our above analysis can be extended to incorporate RIS scheme with a node availability rate pa by replacing the previous node densities , 1 , and 2 with pa , pa 1 , and pa 2 , respectively, in the above derivation of Theorems 1-12 for either homogeneous or heterogeneous WSN.

VOL. 7,

NO. 6,

JUNE 2008

For instance, in Theorem 1, the probability p1 ½D ¼ 0 that the intruder can be immediately detected once it enters a homogeneous WSN with node density , sensing range rs , and node availability pa can be given by r2 s

p1 ½D ¼ 0 ¼ 1 epa 2 :

ð15Þ

It is clear that (15) is reduced to (2) for pa ¼ 1.

6

NETWORK CONNECTIVITY AND BROADCAST REACHABILITY IN A HETEROGENEOUS WIRELESS SENSOR NETWORK

Based on our network model, Theorems 1-12 statistically characterize the intrusion detection probability in terms of the intrusion distance, the node density, the sensing range, and the node heterogeneity. Given a maximal allowable intrusion distance, a predefined detection probability, and the sensor capability (i.e., sensing range), the network planner can calculate the required node density by using Theorems 1-12. Hereafter, the network planner knows the number and type of sensors that have to be deployed in the WSN. However, detecting the intruder is the first step in intrusion detection. To operate successfully, a WSN must provide satisfactory connectivity so that sensors can communicate for data collaboration and reporting to the administrative center (i.e., base station). The sensing data may have to be reported to the base station, which may be in any location of the network [25]. If the network connectivity is not assured, it is meaningless even the sensor(s) detect the presence of the intruder. Zhang and Hou [26] have proven that in a homogeneous WSN, if the transmission range is equal to or higher than twice of the sensing range, a given coverage probability guarantees a connectivity probability. In this manner, when the coverage is satisfied in the homogeneous WSN, the network connectivity is also statistically guaranteed so that it allows two sensors to communicate with each other. However, in a heterogeneous WSN, the deployment of sensors with different capability complicates the network operation with the asymmetric links. Specifically, a sensor with longer transmission range (i.e., Type I sensor) might reach some sensors with shorter transmission range (i.e., Type II sensors), while the Type II sensors may not be able to reach the Type I sensor. The network connectivity has to be reconsidered. In a heterogeneous WSN, sensors mainly use a broadcast paradigm for communication [12] and high-capacity sensors usually undertake more important tasks (i.e., for broadcasting power management information or synchronization information to all the sensors). This motivates us to examine two fundamental characteristics of a heterogeneous WSN. The definitions are listed below: .

.

Network connectivity. The probability that a packet broadcasted from any sensor (either Type I or Type II sensor) can reach all the other sensors in the network. Broadcast reachability. The probability that a packet broadcasted from any Type I sensor can reach all the other sensors in the network.

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Fig. 9. Transmission range in heterogeneous case.

Given node densities and the transmission ranges of different sensors deployed in a WSN, we can calculate the network connectivity or the broadcast reachability. On the other hand, if the required network connectivity (or broadcast reachability) is specified, we can compute the required transmission ranges in terms of node density. Thus, the minimal transmission power can be obtained for the purpose of power efficiency. In [27], Bettstetter has proved the following lemma on the network connectivity of WSNs using sensors with different transmission ranges. Lemma 1. Given is a WSN with N uniformly distributed sensors. These N sensors consist of J different sensor types, i.e., there are Nj sensors of type j with transmission range rxj , P such that N ¼ Jj¼1 Nj for j ¼ 1; . . . ; J, and Nj 1 for 8j. Let P ðconÞ be the probability that the WSN is connected, and P ðnoiÞ be the probability that no sensor is isolated in the WSN. It has P ðconÞ ﬃ P ðnoiÞ;

ð16Þ

for P ðnoiÞ close to 1. Based on Lemma 1, we then have Theorem 13 and 14 as follows: Theorem 13. Consider a heterogeneous WSN consisting of independently deployed Type I and Type II sensors with node densities 1 and 2 and transmission range rx1 and rx2 ðrx1 > rx2 Þ, respectively. The upper bound of the network connectivity is

N 2 N Pcon ¼ 1 eð1 þ2 Þrx2 :

ð17Þ

Proof. In a heterogeneous WSN, network connectivity requires that a packet broadcasted from any sensor (either Type I or Type II) can reach all the other sensors of the network. Note an arbitrary sensor A, as illustrated in Fig. 9. If there is one Type I sensor (e.g., B) located in the area of Sx1 ¼ r2x1 while outside of the area Sx2 ¼ r2x2 , a packet generated from sensor A may not be able to reach sensor B. This is because sensor B may be out of sensor A’s transmission range if sensor A is a Type II sensor with transmission range rx2 , and rx2 < rx1 . In view of this, for a packet generated from sensor A to be received by all the other sensors in WSN, at least one sensor (either Type I or Type II) should lie in the area of the smaller transmission range Sx2 . Further, if all the

707

sensors has at least one neighbor in the relatively smaller transmission range Sx2 , the network is connected. Assuming all the other N 1 sensors except A are 2 connected, with probability 1P ð0; Sx2 Þ ¼ 1eð1 þ2 Þrx2 , there is at least one sensor located in the smaller transmission range Sx2 . Then, sensor A can broadcast its packet to at least one of the other N 1 sensors, and the packet can further be broadcasted to all the sensors in the network. Thus, we obtain the conditional probability 2 A Pcon ¼ 1 eð1 þ2 Þrx2 . Due to the fact that sensor A is chosen arbitrarily and the statistical independence for all the sensors, the probability that the other N 1 sensors are connected can be calculated as h i 2

N1 ¼ 1 eð1 þ2 Þrx2 Pcon

ðN1Þ

. Finally, the upper bound

of the network connectivity can h iN be derived as 2 N A N1 Pcon ¼ Pcon Pcon ¼ 1 eð1 þ2 Þrx2 . u t Theorem 14. Consider a heterogeneous WSN consisting of independently deployed Type I and Type II sensors, with node densities 1 and 2 and transmission range rx1 and rx2 ðrx1 > rx2 Þ, respectively. The upper bound of the network broadcast reachability is

N 2 2 PbrN ¼ 1 e1 rx1 e2 rx2 :

ð18Þ

Proof. Different from the network connectivity, broadcast reachability is the probability that a packet broadcasted from any Type I sensor can reach all the other sensors in the WSN. As illustrated in Fig. 9, A 2 N is an arbitrary sensor in the WSN. It has the responsibility to receive the packet broadcasting from any Type I sensor(s). In order for A to receive the packet, it has to be in the transmission range of at least one of the other N 1 sensors. In other words, sensor A should not be isolated from the rest of the network, and at least one sensor can reach A in its transmission range. The probability of no Type I sensor in its transmission range 2 from A is P1 ð0; r2x1 Þ ¼ e1 rx1 . The probability that no type II sensor lies in its transmission range from A 2 is P2 ð0; r2x2 Þ ¼ e2 rx2 . Then, P1 ð0; r2x1 ÞP2 ð0; r2x2 Þ ¼ 2 2 e1 rx1 e2 rx2 is the probability that neither Type I sensors nor Type II sensors can reach sensor A. Therefore, the probability that at least one sensor can 2 2 reach A is 1 e1 rx1 e2 rx2 . Due to statistical independence among all sensors, the probability that the other ðN 1Þ sensors are reachable from the broadcast h iðN1Þ 2 2 can be calculated as PbrN1 ¼ 1e1 rx1 e2 rx2 . Consequently, we obtain the upper bound of broadcast h iN 2 2 u t reachability as PbrN ¼ 1 e1 rx1 e2 rx2 . The results in this section indicate that for a given heterogeneous WSN, the network connectivity and broadcast reachability is enhanced with the increase of node density and transmission range. Furthermore, the broadcast

708

IEEE TRANSACTIONS ON MOBILE COMPUTING,

VOL. 7,

NO. 6,

JUNE 2008

Fig. 10. Intrusion detection probability (single and three-sensing) in the homogeneous WSN.

Fig. 11. Average intrusion distance (single and three-sensing in the homogeneous WSN.

reachability is always higher than the network connectivity under the same network parameters.

approaches 1 when the sensing range increases to a certain threshold. For example, in the single-sensing detection, the intruder can be detected with probability 1 if the sensing range exceeds 50, whereas in three-sensing detection, the intruder can be almost surely detected if the sensing range exceeds 90. In addition, we can see that the detection probability grows fast when the sensing range is far from the threshold and grows slowly when it approaches the threshold. Fig. 10 shows that the sensing range significantly impacts the detection probability of a homogeneous WSN. To investigate the influence of a sensor’s sensing range on an average intrusion distance of a WSN, we fix the number of sensors as N ¼ 500 and vary the sensing range from 0 to 30 meters. Fig. 11 presents the average intrusion distance in single-sensing and three-sensing detection scenarios. It can be observed that the average intrusion distance drops dramatically with an increase of the sensing range. This is because the increase of sensing range significantly enhances the network coverage. Fig. 11 also shows that under the same network parameters, the average intrusion distance in single-sensing detection decreases more quickly than in three-sensing detection. This is because with the increase in a sensor’s sensing range, more area can be monitored by one sensor than by three sensors. In the simulation, we also show how to improve the detection efficiency by assuring the network connectivity so that the sensor can adjust its sleep period. In the normal state, each sensor keeps awake for 80 percent of a cycle ðpa ¼ 0:8Þ. If an intruder is detected by a sensor, an alarming message is broadcasted by the sensor over the entire network. Then, all the sensors receiving the massage keep awake for 100 percent of a cycle ðpa ¼ 1:0Þ. The results in Figs. 10 and 11 show a similar trend that for a given sensing range, the average intrusion distance drops if the waking time of the sensor is longer ð1:0 > 0:8Þ.

7

SIMULATION

AND

VERIFICATION

We have performed a simulation-based verification of our analytical results in both homogeneous and heterogeneous WSNs. The simulation is carried out for single-sensing and k-sensing detection models. The analytical and simulation results are compared by varying the sensing range, transmission range, node density, and node availability. In the simulation, sensors are deployed in accordance with a uniform distribution in a squared network domain. The intruder moves into the network domain from a randomly selected point on the network boundary. Monte-Carlo simulation is performed, and each data point shown in the following figures is the average of 500 simulation results. The analytical results are calculated by using Theorems 1-14. For successive simulation runs, the sensors are uniformly redistributed in the network domain.

7.1 Verification for Homogeneous WSNs We simulate the intrusion detection in a homogeneous WSN. There are 500 sensors uniformly deployed in a 1,000 1,000 square meters, and the node density is ¼ 0:0005 per square meter. The sensing range changes from 0 to 100 meters and the maximal allowable intrusion distance is set as 50 meters. Fig. 10 illustrates the detection probability of the analytical and simulation results. It can be seen in Fig. 10 that the analytical results match the simulation results pretty well, which indicates the correctness of our analytical model. The detection probability increases with the increase of the sensors’ sensing range. It is because the increase of sensing range improves the network coverage. At the same time, the single-sensing detection probability is higher than that of three-sensing detection. This is because the k-sensing detection imposes a more strict requirement on detecting the intruder (e.g., at least k ¼ 3 sensors are required). Fig. 10 also demonstrates that the detection probability in single-sensing detection or three-sensing detection

7.2 Verification for Heterogeneous WSNs The purpose of the simulation in this part is to verify the analytical results on intrusion detection in heterogeneous WSNs. To examine the effect of introducing high-capability sensors (e.g., Type I sensors) on the network intrusion

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Fig. 12. Intrusion detection probability under heterogeneous case.

detection probability, we fix the number of Type II nodes at 200, and the number of Type I nodes varies from 10 to 150. The sensing range rs1 and rs2 are set as 120 meters and 40 meters, respectively. Again, the maximal allowable intrusion distance is set as ¼ 50 meters. Fig. 12 demonstrates the analytical and simulation results on the intrusion detection probability and clearly shows the verification of our analytical expressions with simulation results. Note that we also plot the results in homogeneous WSN (marked as “homo”) by reducing the more powerful Type I nodes to normal Type II nodes, in contrast to the performance of heterogeneous case (marked as “heter”). As expected, Fig. 12 shows that the intrusion detection probability in the heterogeneous WSN increases at a much faster rate than in the homogeneous WSN, as the number of Type I sensors is increased. Especially in the more demanding multiple-sensing (i.e., three-sensing) detection case, the intrusion detection probability increases even more quickly in heterogeneous WSN than in homogeneous case. This substantiates our intuition that the introduction of high-capability sensors can dramatically improve the intrusion detection quality of WSNs. It is also shown in Fig. 12 that the intrusion detection probability increases as the node density grows (e.g., by increasing the number of Type I sensors) under all simulation scenarios. This is because the node density plays a critical role in the intrusion detection quality of WSNs. In addition, for a given parameter k and sensor capabilities, the figure indicates how to choose the number and the type of sensors to achieve a certain intrusion detection probability.

Verification for Network Connectivity and Broadcast Reachability In this part, we verify our analysis on the network connectivity and broadcast reachability. The analytical results shown in Figs. 13 and 14 are calculated by using Theorems 13 and 14. In the simulation, an adjacency matrix is constructed to represent the digraph of the network topology. The depth-first-search algorithm is employed to check the network connectivity by selecting a random sensor as the starting node and the broadcast reachability by choosing a

709

Fig. 13. Effects of transmission range on the broadcast reachability in heterogeneous WSN.

random Type I sensor as the broadcast initiator. The simulation considers 200 Type I sensors and 300 Type II sensors. In the homogeneous WSN, the transmission range of Type I sensors is set equally to that of Type II sensor (i.e., rx1 ¼ rx2 ). While in the heterogeneous WSN, the transmission range of Type I sensors is set twice as much as that of Type II sensors (i.e., rx1 ¼ 2rx2 ). The transmission range of Type II sensor rx2 is varied from 40 meters to 100 meters in both homogeneous and heterogeneous cases. Fig. 13 shows that the network connectivity and broadcast reachability increase rapidly with the increase of sensors’ transmission range and approach 1 after certain threshold. In addition, it can be observed that the broadcast reachability increases much faster than the network connectivity as the transmission range of sensors grows. This is because the network broadcast reachability considers the broadcast from Type I sensors, while the network connectivity takes broadcast from both Type I and Type II sensors into account. Note that in homogeneous WSN, the

7.3

Fig. 14. Effects of Type I sensors on the broadcast reachability in heterogeneous WSN.

710

IEEE TRANSACTIONS ON MOBILE COMPUTING,

broadcast reachability is equivalent to the network connectivity since there are no asymmetric links. Next, the simulation is carried out to see the effect of Type I sensors on the network connectivity and broadcast reachability. We fix the number of Type II sensors as n2 ¼ 300 and vary the number of Type I sensors from 10 to 300. The transmission ranges are set as rx1 ¼ 140 meters and rx2 ¼ 70 meters for Type I and Type II sensors, respectively. Similar to the results shown in Fig. 12, we compare the results in homogeneous WSN with that in heterogeneous WSN by reducing Type I sensors to Type II sensors. Fig. 14 shows the analytical and simulation results, and they match with each other closely. From the figure, network connectivity and broadcast reachability are improved while increasing Type I sensors. This is because some sensors that are originally isolated or unreachable from the rest of the network are now connected or reachable in the network after the introduction of Type I sensors. In addition, the results indicate that even a small increase of Type I sensor significantly improves the broadcast reachability, while network connectivity only improves gradually. This also implies that the node heterogeneity does affect the broadcast reachability much more dramatically than it does to the network connectivity.

[6]

[7] [8]

[9]

[10]

[11]

[12] [13]

[14] [15]

8

CONCLUSION

This paper analyzes the intrusion detection problem in both homogeneous and heterogeneous WSNs by characterizing intrusion detection probability with respect to the intrusion distance and the network parameters (i.e., node density, sensing range, and transmission range). Two detection models are considered: single-sensing detection and multiple-sensing detection models. The analytical model for intrusion detection allows us to analytically formulate intrusion detection probability within a certain intrusion distance under various application scenarios. Moreover, we consider the network connectivity and the broadcast reachability in a heterogeneous WSN. Our simulation results verify the correctness of the proposed analytical model. This work provides insights in designing homogeneous and heterogeneous WSNs and helps in selecting critical network parameters so as to meet the application requirements.

[16]

[17]

[18]

[19]

[20]

[21] [22]

REFERENCES [1] [2] [3]

[4]

[5]

D.P. Agrawal and Q.-A. Zeng, Introduction to Wireless and Mobile Systems. Brooks/Cole Publishing, Aug. 2003. B. Liu and D. Towsley, “Coverage of Sensor Networks: Fundamental Limits,” Proc. Third IEEE Int’l Conf. Mobile Ad Hoc and Sensor Systems (MASS), Oct. 2004. S. Ren, Q. Li, H. Wang, X. Chen, and X. Zhang, “Design and Analysis of Sensing Scheduling Algorithms under Partial Coverage for Object Detection in Sensor Networks,” IEEE Trans. Parallel and Distributed Systems, vol. 18, no. 3, pp. 334-350, Mar. 2007. S. Banerjee, C. Grosan, A. Abraham, and P. Mahanti, “Intrusion Detection on Sensor Networks Using Emotional Ants,” Int’l J. Applied Science and Computations, vol. 12, no. 3, pp. 152-173, 2005. S. Capkun, M. Hamdi, and J. Hubaux, “GPS-Free Positioning in Mobile Ad-Hoc Networks,” Proc. 34th Ann. Hawaii Int’l Conf. System Sciences, Jan. 2001.

[23] [24] [25]

[26]

[27]

VOL. 7,

NO. 6,

JUNE 2008

N. Bulusu, J. Heidemann, and D. Estrin, “Gps-Less Low Cost Outdoor Localization for Very Small Devices,” IEEE Personal Comm. Magazine, special issue on smart spaces and environments, 2000. D. Niculescu, “Positioning in Ad Hoc Sensor Networks,” IEEE Network, vol. 18, no. 4, pp. 24-29, July-Aug. 2004. Y. Wang, X. Wang, D. Wang, and D.P. Agrawal, “Localization Algorithm Using Expected Hop Progress in Wireless Sensor Networks,” Proc. Third IEEE Int’l Conf. Mobile Ad hoc and Sensor Systems (MASS ’06), Oct. 2006. P. Traynor, R. Kumar, H. Choi, G. Cao, S. Zhu, and T.L. Porta, “Efficient Hybrid Security Mechanisms for Heterogeneous Sensor Networks,” IEEE Trans. Mobile Computing, vol. 6, no. 6, June 2007. J.-J. Lee, B. Krishnamachari, and C.J. Kuo, “Impact of Heterogeneous Deployment on Lifetime Sensing Coverage in Sensor Networks,” Proc. First Ann. IEEE Comm. Soc. Conf. Sensor and Ad Hoc Comm. and Networks, pp. 367-376, Oct. 2004. V.P. Mhatre, C. Rosenberg, D. Kofman, R. Mazumdar, and N. Shroff, “A Minimum Cost Heterogeneous Sensor Network with a Lifetime Constraint,” IEEE Trans. Mobile Computing, vol. 4, no. 1, pp. 4-15, 2005. M. Yarvis, N. Kushalnagar, H. Singh, A. Rangarajan, Y. Liu, and S. Singh, “Exploiting Heterogeneity in Sensor Networks,” Proc. IEEE INFOCOM, 2005. I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A Survey on Sensor Networks,” IEEE Comm. Magazine, vol. 40, no. 8, pp. 102-114, Aug. 2002. H. Kung and D. Vlah, “Efficient Location Tracking Using Sensor Networks,” Proc. IEEE Wireless Comm. and Networking Conf., vol. 3, pp. 1954-1961, Mar. 2003. C.-Y. Lin, W.-C. Peng, and Y.-C. Tseng, “Efficient in-Network Moving Object Tracking in Wireless Sensor Networks,” IEEE Trans. Mobile Computing, vol. 5, no. 8, pp. 1044-1056, 2006. C. Gui and P. Mohapatra, “Power Conservation and Quality of Surveillance in Target Tracking Sensor Networks,” Proc. 10th Ann. Int’l Conf. Mobile Computing and Networking (MobiCom ’04), pp. 129-143, 2004. B. Liu, P. Brass, O. Dousse, P. Nain, and D. Towsley, “Mobility Improves Coverage of Sensor Networks,” Proc. Sixth ACM Int’l Symp. Mobile Ad Hoc Networking and Computing (MobiHoc ’05), pp. 300-308, 2005. X. Wang, Y. Yoo, Y. Wang, and D.P. Agrawal, “Impact of Node Density and Sensing Range on Intrusion Detection in Wireless Sensor Networks,” Proc. 15th Int’l Conf. Computer Comm. and Networks (ICCCN ’06), Oct. 2006. Y. Wang, X. Wang, D.P. Agrawal, and A.A. Minai, “Impact of Heterogeneity on Coverage and Broadcast Reachability in Wireless Sensor Networks,” Proc. 15th Int’l Conf. Computer Comm. and Networks (ICCCN ’06), Oct. 2006. C. Bettstetter, “On the Minimum Node Degree and Connectivity of a Wireless Multihop Network,” Proc. Third ACM Int’l symposium on Mobile ad hoc Networking and Computing (MobiHoc ’02), pp. 80-91, 2002. A. Ephremides, “Energy Concerns in Wireless Networks,” IEEE Wireless Comm., vol. 9, no. 4, pp. 48-59, Aug. 2002. L. Wang and Y. Xiao, “A Survey of Energy-Efficient Scheduling Mechanisms in Sensor Networks,” Mobile Network Applications, vol. 11, no. 5, pp. 723-740, 2006. S. Kumar, T.H. Lai, and J. Balogh, “On K-Coverage in a Mostly Sleeping Sensor Network,” Proc. 10th Ann. Int’l Conf. Mobile Computing and Networking (MobiCom ’04), pp. 144-158, 2004. R. Jain, The Art of Computer Systems Performance Analysis: Techniques for Experimental Design, Measurement, Simulation and Modeling. Wiley-Interscience, 1991. A. Durresi, P.V.K. , S. Iyengar, and R. Kannan, “Optimized Broadcast Protocol for Sensor Networks,” IEEE Trans. Computers, vol. 54, no. 8, pp. 1013-1024, Aug. 2005. H. Zhang and J. Hou, “On Deriving the Upper Bound of -lifetime for Large Sensor Networks,” Proc. Fifth ACM Int’l Symp. Mobile Ad Hoc Networking and Computing (MobiHoc ’04), pp. 121-132, 2004. C. Bettstetter, “On the Connectivity of Wireless Multihop Networks with Homogeneous and Inhomogeneous Range Assignment,” Proc. IEEE Vehicular Technology Conf. (VTC ’02), vol. 3, pp. 1706-1710, Sept. 2002.

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Yun Wang received the BS degree in computer science and engineering in 2001 at Wuhan University, Hubei, China, and then entered the PhD program in computer science and engineering at Wuhan University, where she specialized in multimedia communication. She joined the Center for Distributed and Mobile Computing, Department of Electrical and Computer Engineering and Computer Science, University of Cincinnati, Ohio, in 2004, as a PhD student. Her research activities include fundamental design issues in wireless sensor networks such as sensor deployment, energy efficiency, positioning, and network security. She also performs research on wireless MAC protocol design in wireless ad hoc networks and audio and video processing in multimedia communication. She is a student member of the IEEE. Xiaodong Wang received the BS degree in communication engineering in 1995, the MS degree in electric engineering in 1998, and the PhD degree in computer engineering from the University of Cincinnati, Cincinnati, Ohio, in 2005. He joined China Telecom in 1998, where he worked on communication protocols for telecommunication. From June 2000 to July 2002, he worked on GSM base station software development at Bell-labs China, Beijing. His research activities included wireless MAC protocols and energy saving for wireless sensor networks. He joined Motorola in 2005. He is currently with the OBR Center of Distributed and Mobile Computing, Department of Computer Science, University of Cincinnati. He is a student member of the IEEE. Bin Xie received the BSc degree from Central South University, Changsha, China, the MSc and PhD degrees (with honors) in computer science and computer engineering from the University of Louisville, Kentucky. As a research associate, he is currently with the Department of Computer Science, University of Cincinnati. He is the author of the book entitled Heterogeneous Wireless Networks—Networking Protocol to Security and published more than 30 papers in international conference proceedings and journals. His research interests are focused on ad hoc networks, sensor networks, wireless mesh networks, integrated WLAN/MANET/cellular with Internet, in particular the fundamental aspects of mobility management, performance evaluation, Internet/wireless infrastructure security, and wireless network capacity. In addition to his academic experience, he has six years of industry experience, including ISDN, 3G, and Lucent Excel programmable switching systems. He is an IEEE senior member.

711

Demin Wang received the BS degree in computer science and the MS degree in safety technology and engineering from the University of Science and Technology of China, Hefei, China, in 2000 and 2003, respectively. He is currently working toward the PhD degree in computer science and engineering at the University of Cincinnati, Cincinnati, Ohio. His research interests include coverage and energy problems in wireless sensor networks, implementation of wireless sensor networks, and wireless mesh networks. He is an IEEE student member. Dharma P. Agrawal is the Ohio board of regents distinguished professor of computer science and the founding director for the Center for Distributed and Mobile Computing, Department of ECECS, University of Cincinnati, Ohio. He was a visiting professor of ECE at the Carnegie Mellon University, where he was on sabbatical leave during the Autumn 2006 and Winter 2007 Quarters. He has been a faculty member at the North Carolina State University, Raleigh, North Carolina, from 1982 to 1998) and the Wayne State University, Detroit, from 1977 to 1982). His recent research interests include resource allocation and security in mesh networks, efficient query processing and security in sensor networks, and heterogeneous wireless networks. He is a coauthor of an introductory textbook on wireless and mobile computing that has been widely accepted throughout the world, and a second edition was published in 2006. The book has been has been reprinted both in China and India and translated to Korean and Chinese languages. He is also a coauthor of a book on ad hoc and sensor networks published in the spring of 2006 and has been named as a best seller by the publisher. He has given tutorials and extensive training courses in various conferences in the USA and numerous institutions in Taiwan, Korea, Jordan, Malaysia, and India on ad hoc and sensor networks and mesh networks. He is an editor for the Journal on Parallel and Distributed Systems, International Journal on Distributed Sensor Networks, International Journal of Ad Hoc and Ubiquitous Computing, and International Journal of Ad Hoc and Sensor Wireless Networks. He served as an editor of the IEEE Computer magazine, the IEEE Transactions on Computers, and the International Journal of High Speed Computing. He has been the program chair and general chair for many international conferences and meetings. He has received numerous certificates and awards from the IEEE Computer Society. He was awarded a “Third Millennium Medal” by the IEEE for his outstanding contributions. He has also delivered the keynote speech for five international conferences. He also has five patents in wireless networking area. He has also been named as an ISI Highly Cited Researcher in Computer Science. He is a fellow of the IEEE, the ACM, the AAAS, and the WIF. . For more information on this or any other computing topic, please visit our Digital Library at www.computer.org/publications/dlib.

IEEE TRANSACTIONS ON MOBILE COMPUTING,

VOL. 7,

NO. 6,

JUNE 2008

Intrusion Detection in Homogeneous and Heterogeneous Wireless Sensor Networks Yun Wang, Student Member, IEEE, Xiaodong Wang, Student Member, IEEE, Bin Xie, Senior Member, IEEE, Demin Wang, Student Member, IEEE, and Dharma P. Agrawal, Fellow, IEEE Abstract—Intrusion detection in Wireless Sensor Network (WSN) is of practical interest in many applications such as detecting an intruder in a battlefield. The intrusion detection is defined as a mechanism for a WSN to detect the existence of inappropriate, incorrect, or anomalous moving attackers. For this purpose, it is a fundamental issue to characterize the WSN parameters such as node density and sensing range in terms of a desirable detection probability. In this paper, we consider this issue according to two WSN models: homogeneous and heterogeneous WSN. Furthermore, we derive the detection probability by considering two sensing models: single-sensing detection and multiple-sensing detection. In addition, we discuss the network connectivity and broadcast reachability, which are necessary conditions to ensure the corresponding detection probability in a WSN. Our simulation results validate the analytical values for both homogeneous and heterogeneous WSNs. Index Terms—Intrusion detection, node density, node heterogeneity, sensing range, Wireless Sensor Network (WSN).

Ç 1

INTRODUCTION

A

Wireless Sensor Network (WSN) is a collection of spatially deployed wireless sensors by which to monitor various changes of environmental conditions (e.g., forest fire, air pollutant concentration, and object moving) in a collaborative manner without relying on any underlying infrastructure support [1]. Recently, a number of research efforts have been made to develop sensor hardware and network architectures in order to effectively deploy WSNs for a variety of applications. Due to a wide diversity of WSN application requirements, however, a general-purpose WSN design cannot fulfill the needs of all applications. Many network parameters such as sensing range, transmission range, and node density have to be carefully considered at the network design stage, according to specific applications. To achieve this, it is critical to capture the impacts of network parameters on network performance with respect to application specifications. Intrusion detection (i.e., object tracking) in a WSN can be regarded as a monitoring system for detecting the intruder that is invading the network domain. Fig. 1 gives an example that sensors are deployed in a square area ðA ¼ L LÞ for detecting the presence of a moving intruder. Note that in Fig. 1, as well as in Figs. 3 and 4, the illustration of sensors and an intruder is based on a slide for paper [2]. The intrusion detection application concerns how fast the intruder can be detected by the WSN. If sensors are deployed with a high density so that the union of all sensing ranges covers the entire network area, the

. The authors are with the OBR Center of Distributed and Mobile Computing, Department of Computer Science, University of Cincinnati, Cincinnati, OH 45221-0030. E-mail: {wany6, wangxd, xieb, wangdm, dpa}@email.uc.edu. Manuscript received 15 May, 2007; revised 26 Oct. 2007; accepted 10 Jan. 2008; published online 28 Jan. 2008. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference IEEECS Log Number TMC-2007-05-0136. Digital Object Identifier no. 10.1109/TMC.2008.19. 1536-1233/08/$25.00 ß 2008 IEEE

intruder can be immediately detected once it approaches the network area. However, such a high-density deployment policy increases the network investment and may be even unaffordable for a large area. In fact, it is not necessary to deploy so many sensors to cover the entire WSN area in many applications [3], since a network with small and scattered void areas will also be able to detect a moving intruder within a certain intrusion distance. In this case, the application can specify a required intrusion distance within which the intruder should be detected. As shown in Fig. 1, the intrusion distance is referred as D and defined as the distance between the point the intruder enters the WSN, and the point the intruder is detected by the WSN system. This distance is of central interest to a WSN used for intrusion detection. In this paper, we derive the expected intrusion distance and evaluate the detection probability in different application scenarios. Given a maximal allowable intrusion distance Dmax ¼ , we theoretically capture the impact on the detection probability in terms of different network parameters, including node density, sensing range, and transmission range. For example, given an expected detection distance EðDÞ, we can derive the node density with respect to sensors’ sensing range, thereby knowing the total number of sensors required for WSN deployment. In a WSN, there are two ways to detect an object (i.e., an intruder): single-sensing detection and multiple-sensing detection. In the single-sensing detection, the intruder can be successfully detected by a single sensor. On the contrary, in the multiple-sensing detection, the intruder can only be detected by multiple collaborating sensors [4]. In some applications, the sensed information provided by a single sensor might be inadequate for recognizing the intruder. It is because individual sensors can only sense a portion of the intruder. For example, the location of an intruder can only be determined from at least three sensors’ sensing data [5], [6], [7], [8]. In view of this, we analyze the Published by the IEEE CS, CASS, ComSoc, IES, & SPS

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

699

intrusion detection model. Section 4 analyzes the intrusion detection in a homogeneous WSN, and Section 5 examines the intrusion detection in a heterogeneous WSN. Section 6 studies the network connectivity and broadcast reachability in a heterogeneous WSN. Simulation and verification results are given in Section 7. Finally, the paper is concluded in Section 8.

2

Fig. 1. Intrusion detection in a WSN.

intrusion detection problem under two application scenarios: single-sensing detection and multiple-sensing detection. According to the capability of sensors, we consider two network types: homogeneous and heterogeneous WSNs [9]. We define the sensor capability in terms of the sensing range and the transmission range. In a heterogeneous WSN [10], [11], [12] some sensors have a larger sensing range and more power to achieve a longer transmission range. In this paper, we show that the heterogeneous WSN increases the detection probability for a given intrusion detection distance. On the other hand, a heterogeneous WSN poses the challenge of network connectivity due to asymmetric wireless link. The high-capability sensors have a longer transmission range while low capability sensors have a shorter transmission range. Due to this, the packet sent by a high-capability sensor may reach the low-capability sensor, while the low capability sensor may not be able to send packets to the corresponding high-capability sensor [13]. This motivates us to analyze the network connectivity in this paper. Furthermore, in a heterogeneous WSN, highcapability sensors usually undertake more important tasks (i.e., broadcasting power management information or synchronization information to all the sensors in the network), it is also desirable to define and examine the broadcast reachability from high-capability sensors. The network connectivity and broadcast reachability are important conditions to ensure the detection probability in WSNs. They are formally defined and analyzed in this paper. To the best of our knowledge, our effect is the first to address this issue in a heterogeneous WSN. The main contributions of this paper can be summarized as follows: Developing an analytical model for intrusion detection in WSNs, and mathematically analyzing the detection probability with respect to various network parameters such as node density and sensing range. . Applying the analytical model to single-sensing detection and multiple-sensing detection scenarios for homogeneous and heterogeneous WSNs. . Defining and examining the network connectivity and broadcast reachability in a heterogeneous WSN. The remainder of the paper is organized as follows: Section 2 presents the related work. Section 3 describes the .

RELATED WORK

Intrusion detection is one of the critical applications in WSNs, and recently, several approaches for intrusion detection in homogeneous WSNs have been presented [3], [14], [15], [16], [17]. The focus of these approaches aims at effectively detecting the presence of an intruder. First, the problem is investigated from the aspect of the network architecture. Kung and Vlah [14] take advantage of a hierarchical tree structure to effectively track the movement of an intruder. The hierarchical tree consists of connected sensors and is built upon expected properties of intruder mobility patterns such as its movement frequency over a region. Based on the hierarchical tree, it allows an efficient record of an intruder’s moving information and supports fast querying from the base station. Another tree structure for tracking an intruder, called as a logic object-tracking tree, is developed by Lin et al. [15]. The logic object tracking tree reduces the communication cost for data updating and querying by taking into account the physical network topology. In particular, the logic object tracking tree targets to balance the update cost and the query cost so as to minimize the total communication cost. Second, the intrusion detection problem has been considered from the constraint of saving network resources. For example, Chao et al. [16] have addressed the issue of tracking a moving intruder by power-conserving operations and sensor collaboration. To achieve this, the authors defined a set of novel metrics for detecting a moving intruder and developed two efficient sleep-awake schemes called PECAS and MESH, to minimize the power consumption. Ren et al. [3] further studied the trade-off between the network detection quality (i.e., how fast the intruder can be detected) and the network lifetime. Therefore, the sensor coverage had to be carefully designed according to the detection probability with respect to specific application requirements. The authors then proposed three wave sensing scheduling protocols to achieve the bounded worst case detection probability. Rather than a static WSN architecture as the above approaches, Liu et al. [17] have modeled the intrusion detection problem in a mobile WSN, where each sensor is capable of moving. The authors have given the optimal strategy for fast detection and shown that mobile WSN improves its detection quality due to the mobility of sensors. In this paper, we address the intrusion detection problem from the other angle. Most of the above efforts consider intrusion detection and its efficiency in terms of the single-sensing model in a homogeneous WSN. Instead of the network architecture and detecting protocol design, we provide a comprehensive theoretical analysis on the intrusion detection in both homogeneous and heterogeneous WSNs [18]. The detection probability is theoretically captured by using underlying network parameters, and thus, our work is of paramount importance for a network

700

IEEE TRANSACTIONS ON MOBILE COMPUTING,

VOL. 7,

NO. 6,

JUNE 2008

WSN, where both Type I and Type II sensors follow the 2D Poisson point distribution. In a homogeneous or heterogeneous WSN, a point is said to be covered by a sensor if it is located in the sensing range of any sensor(s). The WSN is thus divided into two regions, the covered region, which is the union of all sensor coverage disks, and the uncovered region, which is the complement of the covered region within the area of interest A. In our network model, the intruder does not know the sensing coverage map of the WSN.

Fig. 2. Heterogeneous WSN deployment.

planner to design WSNs for intrusion detection applications. To the best of our knowledge, this is the first work that considers the intrusion detection problem in a heterogeneous WSN and provides fundamental analytical results on it. The analytical results indicate the improvement on the detection quality in a heterogeneous WSN, as compared to a homogeneous WSN, either for the singlesensing detection or the multiple-sensing detection scenarios. Furthermore, we have modeled the network connectivity and broadcast reachability in a heterogeneous WSN [19], which serve as the necessary conditions for achieving desirable detection probability.

3

INTRUSION DETECTION MODEL

AND

.

DEFINITIONS

Our intrusion detection model includes a network model, a detection model, and an intrusion strategy model. The network model specifies the WSN environment. The detection model defines how the intruder can be detected and the intrusion strategy illustrates the moving policy of the intruder.

3.1 Network Model We consider a WSN in a two-dimensional (2D) plane with N sensors, denoted by a set N ¼ ðn1 ; n2 ; . . . ; nN Þ, where ni is the ith sensor. These sensors are uniformly and independently deployed in a square area A ¼ L L. Such a random deployment results in a 2D Poisson point distribution of sensors. All sensors are static once the WSN has been deployed. In particular, we consider two WSN types: homogeneous and heterogeneous WSNs. In a homogeneous WSN, each sensor has the same sensing radius of rs , and the transmission range of rx . A sensor can only sense the intruder within its sensing coverage area that is a disk with radius rs centered at the sensor. Denote the node density of the homogeneous WSN as . We then focus on a heterogeneous WSN with two types of sensors, as shown in Fig. 2: Type I sensor that has a larger sensing range rs1 , as well as a longer transmission range rx1 , and . Type II sensor that has a smaller sensing range rs2 , as well as a shorter transmission range rx2 . The densities of Type I and Type II sensors are represented as 1 and 2 , respectively. Fig. 2 shows a heterogeneous .

3.2 Detection Model There are two detection models in terms of how many sensors are required to recognize an intruder: singlesensing detection model and multiple-sensing detection model. It is said that the intruder is detected under the single-sensing detection model if the intruder can be identified by using the sensing knowledge from one single sensor. On the contrary, in the multiple-sensing detection model, the intruder can only be identified by using cooperative knowledge from at least k sensors (k is defined by specific application requirements). For simplicity of expression, multiple sensing and k-sensing are interchangeable in the following discussion: In order to evaluate the quality of intrusion detection in WSNs, we define three metrics as follows:

.

.

Intrusion distance. The intrusion distance, denoted by D, is the distance that the intruder travels before it is detected by a WSN for the first time. Specifically, it is the distance between the point where the intruder enters the WSN and the point where the intruder gets detected by any sensor(s). Following the definition of intrusion distance, the Maximal Intrusion Distance (denoted by , > 0) is the maximal distance allowable for the intruder to move before it is detected by the WSN. Detection probability. The detection probability is defined as the probability that an intruder is detected within a certain intrusion distance (e.g., Maximal Intrusion Distance ). Average intrusion distance. The average intrusion distance is defined as the expected distance that the intruder travels before it is detected by the WSN for the first time.

3.3 Intrusion Strategy Model As illustrated in Figs. 3 and 4, we consider two intrusion strategies for the movement of the intruder in a WSN. If the intruder (say, a panzer) already knows its destination before entering the network domain, it follows the shortest path to approach the destination. In this case, the intrusion path is a straight line ðD1 Þ from the entering point to the destination, as illustrated in Fig. 3. The main idea behind this strategy is that the straight movement causes the least risk for the intruder due to the least area that it has to explore by following a straight line toward the destination. The corresponding intrusion detection area S1 is determined by the sensor’s sensing range rs and intrusion distance D1 , as shown in Fig. 3. It is because the intruder can be detected within the intrusion distance D1 by any sensor(s) situated within the area of S1 .

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Fig. 3. Intrusion strategy 1.

On the contrary, if the intruder does not know its destination, it moves in the network domain in a random fashion. We consider that the intruder tends to minimize the overlapping on its path. Thus, the intrusion path of the intruder can be regarded as a nonoverlapping curved line ðD2 Þ, and the intrusion area accordingly is a curved band S2 , as illustrated in Fig. 4. In the above two strategies, if the intruder travels the same distance, i.e., D1 ¼ D2 , the corresponding intrusion detection areas approximately satisfy S1 ¼ S2 . Therefore, we adopt a straight path in the following discussion, and the analytical results can be directly applied to the case of the curved path. Furthermore, the intruder can start its intrusion from the network boundary or a random point inside the network domain. For example, the intruder can be dropped from the air and starts from any point in the network domain.

4

INTRUSION DETECTION IN A HOMOGENEOUS WIRELESS SENSOR NETWORK

In this section, we present the analysis of intrusion detection in a homogeneous WSN. We derive the detection probability for single-sensing detection and k-sensing detection.

Fig. 4. Intrusion strategy 2.

701

Fig. 5. The intruder starts from the boundary of the WSN.

4.1 Single-Sensing Detection In the single-sensing detection model, the intruder can be recognized once it moves into the sensing coverage disk of any sensor(s). According to the intrusion strategy, the intruder may access the network domain from any point of the network boundary or a random point in the network domain. When the intruder starts from a point of the network boundary, as shown in Fig. 5, given an intrusion distance D 0, the corresponding intrusion detection area SD is almost an oblong area. This area includes a rectangular area with length D and width 2rs and a half disk with radius rs attached to it. It has SD ¼ 2 D r s þ

r2s : 2

ð1Þ

According to the definition of single-sensing detection, the intruder is detected if and only if there exists at least one sensor within this area SD . Otherwise, the intruder is not detected. Similarly, when the intruder starts from a random point in the network domain, the corresponding intrusion detection area is SD ¼ 2 D rs þ r2s , as shown in Fig. 6. In the following analysis, we focus on the case that the intruder starts from the boundary of the network

Fig. 6. The intruder starts form a random point in the WSN.

702

IEEE TRANSACTIONS ON MOBILE COMPUTING,

domain. The derived results can be applied to the other case r2 by replacing 2s with r2s . We first consider the detection probability that the intruder can be immediately detected once it enters the network domain. In other words, it has an intrusion distance D ¼ 0. The corresponding intrusion detection area r2 is S0 ¼ 2s . We then have Theorem 1 as follows: Theorem 1. The probability p1 ½D ¼ 0 that an intruder can be immediately detected once it enters a homogeneous WSN with node density and identical sensing range rs can be given by

p1 ½D ¼ 0 ¼ 1 e

r2s 2

ð2Þ

:

ðSÞm S e : P ðm; SÞ ¼ m!

ð3Þ

Therefore, the probability of no sensor in the immediate r2 s r2 r2 intrusion detection area S0 ¼ 2s is P ð0; 2s Þ ¼ e 2 . r2s Then, the complement of P ð0; 2 Þ is the probability that r2 there is at least one sensor located in S0 ¼ 2s . In this case, the intruder can be detected once it approaches the network with intrusion distance D ¼ 0. Thus, the probability that the intruder can be detected immediately by the WSN once2 it enters the WSN is p1 ½D ¼ 0 ¼ rs r2 1 P ð0; 2s Þ ¼ 1 e 2 . u t This result shows that the immediate detection probability p1 ½D ¼ 0 is determined by the node density and the sensing range. By increasing the node density or enlarging the sensing range, p1 ½D ¼ 0 can be improved. Immediate detection may need a large sensing range or a high node density, thus increasing the WSN deployment cost. We then consider the detection probability in a relaxed condition when the intruder is allowed to travel some distance in the WSN. Theorem 2. Suppose is the maximal intrusion distance allowable for a given application. The probability p1 ½D that the intruder can be detected within in the given homogeneous WSN can be derived as 2 2rs þ

JUNE 2008

p1 ½D ¼ ¼ 2rs e and pﬃﬃ 2 L Z r2 2rs þ 2s 2rs e dðÞ: E1 ðDÞ ¼

ð5Þ

2rs þ

VOL. 7,

2

rs 2

0

Proof. In Theorem 2, (4) gives the cumulative density function (CDF) of intrusion distance such as p1 ½D . Therefore, p1 ½D ¼ can be obtained from the differential of p1 ½D , and it can r2 s dðp1 ½DÞ ¼ 2rs eð2rs þ 2 Þ . dðÞ

be calculated as p1 ½D ¼ ¼ The average intrusion distance

E1 ðDÞ can be easily derived from the PDF of the intrusion

Proof. In a uniformly distributed WSN with node density , the probability of m sensors located within the area S follows the Poisson distribution [18]:

p1 ½D ¼ 1 e

NO. 6,

rs 2

:

ð4Þ

Proof. According to the definition of single-sensing detection model, the probability that the intruder can be detected within an intrusion distance of is equivalent to the probability that there is at least one sensor located in the r2 corresponding intrusion detection area S ¼ 2rs þ 2s . That is, p1 ½D ¼ 1 P ð0; S Þ while P ð0; S Þ is obtained from (3). The probability p1 ½D can further be r2 s represented as p1 ½D ¼ 1 P ð0; S Þ 2¼ 1 eð2rs þ 2 Þ . rs Then, it yields p1 ½D ¼ 1 eð2rs þ 2 Þ . u t Theorem 3. Let p1 ½D ¼ be the probability that the intruder is detected at an intrusion distance , > 0, and E1 ðDÞ be the average intrusion distance. Then,

distance (i.e., p1 ½D ¼ ). Since the intruder is assumed to move in the network along a straight path, and the network domain is a square area with size A ¼ L L, the pﬃﬃﬃ maximum distance the intruder may travel is 2L. Then, the average intrusionpﬃﬃ distance is given as E1 ðDÞ ¼ R 2L r2 R pﬃﬃ2L s p1 ½D ¼ dðÞ ¼ 0 2rs eð2rs þ 2 Þ dðÞ. u t 0 Theorems 1-3 indicate that the quality of intrusion detection in single-sensing detection scenario for a given WSN improves as the sensing range or the node density increases.

4.2 K-Sensing Detection In the k-sensing detection model, an intruder has to be sensed by at least k sensors for intrusion detection in a WSN. The number of required sensors depends on specific applications. For example, at least three sensors’ sensing information is required to determine the location of the intruder. Theorem 4. Let pk ½D ¼ 0 be the probability that an intruder is detected immediately once it enters a WSN with node density and sensing range rs in k-sensing detection model. It has 2 i k1 X rs r2s e 2 : ð6Þ pk ½D ¼ 0 ¼ 1 2i i! i¼0 Proof. According to (3), P ði;

r2s 2 Þ

is the probability that

there are i sensors located in the immediate detection r2 Pk1 r2s area S0 ¼ 2s . i¼0 P ði; 2 Þ is therefore the probability that there are less than k sensors in the area S0 . Further, P r2s 1 k1 i¼0 P ði; 2 Þ represents the probability that there are at least k sensors located in the area S0 . In this case, the intruder can be sensed by at least k sensors when it accesses the network boundary. Consequently, it P r2s can be said that pk ½D ¼ 0 ¼ 1 k1 i¼0 P ði; 2 Þ ¼ 1 i Pk1 ðr2s Þ r2s 2 is the probability of the intruder to i¼0 2i i! e be detected immediately when it enters the WSN domain under k-sensing detection scenarios.

u t

Theorem 5. Let pk ½D be the probability that the intruder is detected within the maximal intrusion distance in a k-sensing detection model for the given homogeneous WSN. Then, pk ½D can be calculated as

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

i k1 X S S e pk ½D ¼ 1 i! i¼0

Theorems 4-6 show that the quality of intrusion detection ð7Þ

r2 where S ¼ 2rs þ s : 2 Proof. S ¼ 2rs þ

r2s 2

703

in the k-sensing detection scenario for a given WSN improves as the sensing range and node density increase and

is the intrusion detection area with

decreases as k grows. If we relax the multiple-sensing

respect to the maximal intrusion distance . If there are at

detection to single-sensing detection2 by setting k ¼ 1.

least k sensors in the area S , the intruder can be sensed

Equation (8) is reduced to E1 ðDÞ ¼ e2rs 2i! , which shows (5) R pﬃﬃ2L r2s in another way (i.e., E1 ðDÞ ¼ 0 2rs eð2rs þ 2 Þ dðÞ).

by the k sensors, and the k sensors could collaborate with each other to recognize the intruder. From (3), i ðS Þ S P ði; S Þ ¼ i! e denotes the probability that i senP sors are located in the area of S . Then, k1 i¼0 P ði; S Þ ¼ Pk1 ðS Þi S is the probability that less than k sensors i¼0 i! e are located in the area S . Thus, the complement of Pk1 ðS Þi S Pk1 is the probability that i¼0 P ði; S Þ, 1 i¼0 i! e there are at least k sensors located in the area S . If this is the case, the intruder can be sensed by at least k sensors P ðS Þi S from the WSN with probability 1 k1 i¼0 i! e before it travels a distance of . Finally, the probability pk ½D that the intruder is detected within the maximal intrusion distance in k-sensing detection model can be Pk1 ðS Þi S . t u i¼0 i! e

derived as pk ½D ¼ 1

Theorem 6. Let Ek ðDÞ be the average intrusion distance in the k-sensing detection model for the given WSN with node density and sensing range rs , it has P r2s i r2s 2 k k1 i¼0 2 e : ð8Þ Ek ðDÞ ¼ 2rs i! Proof. Ek ðDÞ is the average intrusion distance. Then, Sk ¼ Ek ðDÞ 2rs is the average intrusion detection area, and Ek ðDÞ 2rs is the average number of sensors located in the area of Sk . Based on the definition of k-sensing detection model, k sensors are required to identify the intruder. Thus, the average number of sensors located in the average intrusion detection area should be equal to k, that is, Ek ðDÞ 2rs ¼ k. Considering the case when the intruder is detected immediately once it enters the WSN domain, the average intrusion distance is Ek ðDÞ ¼ 0, while Ek ðDÞ 2rs ¼ 0. In this case, Ek ðDÞ 2rs ¼ k does not hold. Thus, it is necessary to eliminate this boundary effect, and we get Ek ðDÞ 2rs ¼ kð1 pk ½D ¼ 0Þ. By replacing pk ½D ¼ 0 by (7)

r s

Note that there is no closed form solution for the integral in (5), but it matches with (8) when L rs .

5

INTRUSION DETECTION IN A HETEROGENEOUS WIRELESS SENSOR NETWORK

In a heterogeneous WSN, as defined in Section 3.1, we consider two types of sensors: Type I and Type II with the node density of 1 and 2 , respectively. A Type I sensor has the sensing range rs1 , and the sensing coverage is a disk of area S1 ¼ r2s1 . A Type II sensor has the sensing coverage of S2 ¼ r2s2 with the sensing range rs2 . Without loss of generality, we can assume that rs1 > rs2 in our network model. In a heterogeneous WSN, any point in the network domain is said to be covered if the point is under the sensing range of any sensor (Type I, Type II, or both). In this section, we present the analysis of intrusion detection probability of a heterogeneous WSN in singlesensing detection and multiple-sensing detection models.

5.1 Single-Sensing Detection We denote the intrusion distance by Dh in the given heterogeneous WSN. Again, an intruder may be detected by the WSN once it approaches the network boundary, and the corresponding intrusion distance is Dh ¼ 0. This leads to the following theorem. Theorem 7. The probability p1 ½Dh ¼ 0 that an intruder can be immediately detected once it enters the given heterogeneous WSN in a single-sensing detection model can be represented by p1 ½Dh ¼ 0 ¼ 1 e1

r2 s1 2

e2

r2 s2 2

ð9Þ

:

Proof. According to the single-sensing detection model, the intruder is detected if and only if one of the following conditions is satisfied: . .

The intruder enters into the sensing coverage area of any Type I sensor(s). The intruder enters into the sensing coverage area of any Type II sensor(s).

following Theorem 4, we further obtain Ek ðDÞ 2rs ¼ P Pk1 r2s i r2s r2s 2 . Finally, the average k k1 i¼0 P ði; 2 Þ ¼ k i¼0 ð 2 Þ e

In the Cartesian coordinate system, as illustrated in

intrusion distance in the k-sensing detection model for

intruder, and y-axis is the network boundary. If a Type

the given WSN can be calculated as P r2s i r2s 2 k k1 i¼0 2 e : Ek ðDÞ ¼ 2rs i!

Isensor is located inside the half disk S1 ¼

Fig. 7, suppose point (0, 0) is the starting position of the r2s1 2

, which is

centered at the point (0, 0) with radius rs1 , the first condition holds. Similarly, the second condition holds if t u

there is a Type II sensor inside the half disk S2 ¼

r2s2 2

,

which is centered at the point (0, 0) with radius rs2 . Then,

704

IEEE TRANSACTIONS ON MOBILE COMPUTING,

Fig. 7. Intrusion detection at the start point ðDh ¼ 0Þ.

S1 is P1 ð0; S1 Þ ¼ e1 S1 ¼ e

, and the probability of 2

no Type II sensor inside S2 is P2 ð0; S2 Þ ¼ e2 S2 ¼ e2

r

s2 2

.

Considering Type I and Type II, sensors are independently deployed according to our heterogeneous WSN model, the probability of neither Type I sensor nor Type II sensor that senses the intruder is P1 ð0; S1 ÞP2 ð0; S2 Þ ¼ 2 2 e1

r s1 2

e2

r s2 2

. Thus, the probability of at least one sensor

(either Type I or Type II) around the boundary that can 2 sense2 the intruder is 1 P1 ð0; S1 ÞP2 ð0; S2 Þ ¼ 1 e1 e2

r s2 2

r s1 2

. Therefore, the probability that the intruder is

detected immediately once it enters the network domain 2 2 can be represented as p1 ½Dh ¼ 0 ¼ 1 e1

r s1 2

e2

r s2 2

.

u t

Theorem 8. Suppose is the maximal intrusion distance allowable for the intruder to travel within the given heterogeneous WSN in single-sensing detection. The probability p1 ½Dh that the intrusion distance Dh is less than can be calculated as 0

0

Theorem 9. The probability p1 ½Dh ¼ that the intruder is detected at an intrusion distance ð > 0Þ when it travels within the given heterogeneous WSN in single-sensing detection can be derived as 0

where r2si ; ði ¼ 1; 2Þ: 2

ð10Þ

.

At least one Type I sensor is located in the area of S10 . If condition 1 does not hold, at least one Type II sensor is located in the area of S20 .

0

p1 ½Dh ¼ ¼ 2ð1 rs1 þ 2 rs2 Þeð1 S1 þ2 S2 Þ ;

0

Proof. The probability of an intruder to be detected within the maximal intrusion distance is equivalent to the probability of at least one sensor (either Type I or Type II) inside the corresponding intrusion detection area S0 . For Type I sensors, the intrusion detection area S10 is the region that includes a rectangular area with length and width 2rs1 , as well as a half disk with r2 radius rs1 , as shown in Fig. 8. It gives S10 ¼ 2rs1 þ 2s1 . Similarly, the intrusion detection area for Type II sensors r2 is S20 ¼ 2rs2 þ 2s2 . Then, we obtain the maximal intruS sion detection area with respect to as S0 ¼ S10 S20 . The intruder can be detected within the intrusion distance if one of the following conditions is satisfied: .

JUNE 2008

Note that P1 ð0; S10 Þ ¼ e1 S1 is the probability of no Type I 0 sensor in the area of S10 , and P2 ð0; S20 Þ ¼ e2 S2 is the probability of no Type II sensor in the area of S20 . The first condition can be satisfied with the probability of 1 P1 ð0; S10 Þ, and the second condition holds with the probability of P1 ð0; S10 Þð1P2 ð0; S20 ÞÞ. Thus, 1P1 ð0; S10 Þ þ P1 ð0; S10 Þð1 P2 ð0; S20 ÞÞ ¼ 1 P1 ð0; S10 ÞP2 ð0; S20 Þ represents the probability of at least one sensor (either Type I or Type II) that can detect the intruder within the maximal intrusion detection area S0 . Finally, the probability that the intrusion distance Dh is less than can be derived 0 0 2 S2 a s p1 ½Dh ¼ 1 P1 ð0; S10 ÞP2 ð0; S20 Þ ¼2 1 e1 S1 e . r r2 s1 s2 Further, we get p1 ½Dh ¼ 1e1 ð2rs1 þ 2 Þ e2 ð2rs2 þ 2 Þ . t u

p1 ½Dh ¼ 1 e1 S1 e2 S2 ; where Si0 ¼ 2rsi þ

NO. 6,

Fig. 8. Intrusion detection in the heterogeneous WSN ðDh ¼ Þ.

from (3), the probability that no2 Type I sensor lies inside r 1 2s1

VOL. 7,

Si0 ¼ 2rsi þ

r2si ; ði ¼ 1; 2Þ: 2

ð11Þ

Proof. Equation (10) gives the CDF of intrusion distance in a single-sensing detection scheme. Therefore, the probability p1 ½Dh ¼ that the intruder is detected at an intrusion distance can be derived by the differential of p1 ½Dh . ½Dh Þ ¼ 2ð1 rs1 þ 2 rs2 Þeð1 S1 þ2 S2 Þ ¼ It has p1 ½Dh ¼ ¼ dðp1dðÞ 0

1 r2 þ2 r2 s1 s2 Þ ð21 rs1 þ22 rs2 þ 2

2ð1 rs1 þ 2 rs2 Þe

0

. Then, based on

the PDF of an intrusion detection distance such as p1 ½Dh ¼ , it is easy to obtain the expected intrusion distance as

E1 ðDh Þ ¼

pﬃﬃ Z 2L

0

0

2ð1 rs1 þ 2 rs2 Þeð1 S1 þ2 S2 Þ dðÞ:

0

This is because the maximum intrusion distance that the intruder could travel in the square network domain is pﬃﬃﬃ 2L by following a straight path. u t

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Theorems 7-9 indicate that the quality of intrusion detection in single-sensing detection scenario for a given heterogeneous WSN increases with the increasing of sensing range and node density. In addition, the existence of high-capability sensors improves the network detection probability further due to a larger sensing range.

5.2 K-Sensing in a Heterogeneous WSN In the k-sensing detection model of a heterogeneous WSN with two types of sensors, at least k sensors are required to detect an intruder. These k sensors can be any combination of Type I and Type II sensors. For instance, if three sensors are required to detect an intruder for a specific application, the intruder can be detected by any of the following sensor combinations: 1. 2. 3. 4.

pk ½Dh ¼ 0 ¼ 1 ¼1

705

m¼0

i P ðj; S ÞP ðm j; S Þ 1 1 2 2 j¼0

m¼0

P ðj; j¼0 1

Xk1

hXm

Xk1 Xm

r2s1 r2 ÞP2 ðm j; s2 Þ : 2 2 u t

Theorem 11. Let pk ðDh Þ be the probability that the intrusion distance is less than ð > 0Þ in the k-sensing detection model, is the maximal intrusion distance allowable for an intruder to move in the given heterogeneous WSN. It has " # k1 X m X 0 0 P1 j; S1 P2 m j; S2 ; pk ½Dh ¼ 1 m¼0 j¼0 ð13Þ 2 r where Si0 ¼ 2rsi þ si ; ði ¼ 1; 2Þ: 2 Proof. From (3), P1 ðj; S10 Þ is the probability that j Type I

three Type I sensors, three Type II sensors, one Type I sensor and two Type II sensors, and two Type I sensors and one Type II sensor.

sensors are located in the intrusion detection area S10 ¼ 2rs1 þ

r2s1 2

. P2 ðm j; S20 Þ is the probability of

ðmjÞ Type II sensors located in the corresponding

Theorem 10. Let pk ðDh ¼ 0Þ be the probability that an intruder can be immediately detected once it enters the given heterogeneous WSN in the k-sensing detection model. It has " # k1 X m X r2s1 r2s2 : P1 j; pk ½Dh ¼ 0 ¼ 1 P2 m j; 2 2 m¼0 j¼0 ð12Þ Proof. According to k-sensing detection model, an intruder is detected immediately once it enters the network if and only if at least k sensors are located within their half sensing disk centered at the intrusion start point (as j

intrusion detection area S20 and S20 ¼ 2rs2 þ P1 ðj; S10 ÞP2 ðm

j; S20 Þ

r2s2 2

. Then,

represents the probability of

m sensors, consisting of j Type I sensors and ðm jÞ Type II sensors can sense the intruder within the intrusion S detection area S10 S20 with respect to . If m ¼ k, P1 ðj; S10 ÞP2 ðm j; S20 Þ stands for the probability that the intruder can be detected by the WSN within intrusion distance . Since these m sensors can be any combination P 0 0 of sensor types, m j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the probability that there are totally m sensors can sense the P Pm 0 0 intruder. Then, k1 m¼0 ½ j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the

illustrated in Fig. 7). Based on (3), P1 ðj; S1 Þ ¼ ðS1j!Þ eS1 is

probability that there are at most ðk 1Þ (i.e., less than k)

the probability of j Type I sensors that can sense the

sensors that can sense the intruder within the intrusion S detection area S10 S20 . Consequently, the probability

intruder within the corresponding intrusion detection r2s1 2

ðmjÞ

2 Þ , and P2 ðm j; S2 Þ ¼ ðSðmjÞ! eS2 is the

pk ðDh Þ that the intruder travels with distance less

probability of ðm jÞ Type II sensors that can sense the

than before being detected by the given heterogeneous

area S1 ¼

intruder within the area of S2 ¼

r2s2 2

. Consequently,

P1 ðj; S1 ÞP2 ðm j; S2 Þ represents the probability of m sensors (j Type I sensors plus m j Type II sensors) that can sense the intruder at the start point. Since these m sensors can be any combination of sensor types, Pm j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the probability that there are totally m sensors that can sense the intruder in S the intrusion detection area of S1 S2 . Therefore, Pk1 Pm m¼0 ½ j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the probability of at most ðk 1Þ (less than k) sensors that can sense the intruder when it approaches the WSN. Finally, the probability that the intruder can be immediately detected once it enters the heterogeneous WSN in the k-sensing detection model is equivalent to the complement of Pk1 Pm m¼0 ½ j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ, yielding

WSN in the k-sensing detection model can be derived hP i P m 0 0 as pk ðDh Þ ¼ 1 k1 P m¼0 j¼0 1 ðj; S1 ÞP2 ðm j; S2 Þ ¼ i Pk1 hPm r2s1 r2s2 1 m¼0 P ðj; 2r þ ÞP ðmj; 2r þ Þ . t u 1 s1 2 s2 j¼0 2 2 Theorem 12. Let Ek ðDh Þ be the average intrusion distance under the k-sensing detection model in the given heterogeneous WSN. Then hP i P r2s1 r2s2 m k k1 m¼0 j¼0 P1 j; 2 P2 m j; 2 : ð14Þ Ek ðDh Þ ¼ 2rs1 1 þ 2rs2 2 Proof. Ek ðDh Þ is the average intrusion distance in the heterogeneous WSN. Then, the corresponding average intrusion detection areas for Type I and Type II sensors are S1 ¼ 2rs1 Ek ðDh Þ and S2 ¼ 2rs2 Ek ðDh Þ, respectively. While the node densities of Type I and Type II sensors are 1 and 2 . The average number of Type I sensors that with the intruder during its invasion is N1 ¼ 1 S1 .

706

IEEE TRANSACTIONS ON MOBILE COMPUTING,

At the same time, the average number of Type II sensors that hit the intruder in its intrusion is N2 ¼ 2 S2 . In the k-sensing detection model, k sensors are required to detect the intruder, it has N1 þ N2 ¼ 1 S1 þ 2 S2 ¼ 2rs1 Ek ðDh Þ1 þ 2rs2 Ek ðDh Þ2 ¼ k. The only exception is 2rs1 Ek ðDh Þ1 þ 2rs2 Ek ðDh Þ2 ¼ 0 while Ek ðDh Þ ¼ 0 in the case of immediate intrusion detection. In view of this, we eliminate this boundary effect (i.e., Ek ðDh Þ ¼ 0) and obtain kð1 pk ½Dh ¼ 0Þ ¼ 2Ek ðDh Þrs1 1 þ 2Ek ðDh Þrs2 2 . Substituting pk ½Dh ¼ 0 with (12), iwe further obtain Pk1 hPm r2s1 r2s2 k m¼0 j ¼ 0 P1 ðj; 2 ÞP2 ðm j; 2 Þ ¼ 2Ek ðDh Þrs1 1 þ 2Ek ðDh Þrs2 2 . Consequently, the average intrusion distance for k-sensing model in the heterogeneous WSN can be derived as hP i P r2s1 r2s2 m k k1 m¼0 j¼0 P1 j; 2 P2 m j; 2 : Ek ðDh Þ ¼ 2rs1 1 þ 2rs2 2 u t Theorems 10-12 indicate that the quality of intrusion detection in the k-sensing detection scenario for a given heterogeneous WSN improves with the increase in the sensing range and the node density and decreases as k grows. In addition, the existence of high-capability sensors further improves the network detection quality due to the enlarged sensing coverage.

5.3 Incorporating Node Availability It should be noted that the above analytical results (Theorems 1-12) can be extended to the scenario that a power management scheme is adopted as follows: A power management scheme in WSNs is greatly desirable due to power constraint on common sensors. Sensor power can be put on/off periodically to save energy in most of the WSN applications [16], [21], [22]. Thus, it is appropriate to take the node availability rate into consideration in our analysis. The most basic prescheduled independent sleeping approach can be implemented by a Random Independent Sleeping (RIS) scheme. In this scheme, time is divided into cycles based on a time synchronization method. At the beginning of a cycle, each sensor independently decides whether to become active with probability p or go to sleep with probability 1 p. Thus, the network lifetime is increased by a factor up to 1=p [23]. Here, we incorporate this RIS scheme in our analysis of intrusion detection in terms of node availability. We assume all sensors have the same availability probability, denoted by pa , which means each sensor has the probability of 1 pa to be off in every sensing period. Note that the Poisson stream has its characteristics. If a Poisson stream with mean rate is split into k substreams such that the probability of a job that is going to be the ith substream is pi , each substream is also Poisson distributed with a mean rate of pi [24]. In our network model, all sensors are randomly deployed and conform to a Poission distribution. Therefore, our above analysis can be extended to incorporate RIS scheme with a node availability rate pa by replacing the previous node densities , 1 , and 2 with pa , pa 1 , and pa 2 , respectively, in the above derivation of Theorems 1-12 for either homogeneous or heterogeneous WSN.

VOL. 7,

NO. 6,

JUNE 2008

For instance, in Theorem 1, the probability p1 ½D ¼ 0 that the intruder can be immediately detected once it enters a homogeneous WSN with node density , sensing range rs , and node availability pa can be given by r2 s

p1 ½D ¼ 0 ¼ 1 epa 2 :

ð15Þ

It is clear that (15) is reduced to (2) for pa ¼ 1.

6

NETWORK CONNECTIVITY AND BROADCAST REACHABILITY IN A HETEROGENEOUS WIRELESS SENSOR NETWORK

Based on our network model, Theorems 1-12 statistically characterize the intrusion detection probability in terms of the intrusion distance, the node density, the sensing range, and the node heterogeneity. Given a maximal allowable intrusion distance, a predefined detection probability, and the sensor capability (i.e., sensing range), the network planner can calculate the required node density by using Theorems 1-12. Hereafter, the network planner knows the number and type of sensors that have to be deployed in the WSN. However, detecting the intruder is the first step in intrusion detection. To operate successfully, a WSN must provide satisfactory connectivity so that sensors can communicate for data collaboration and reporting to the administrative center (i.e., base station). The sensing data may have to be reported to the base station, which may be in any location of the network [25]. If the network connectivity is not assured, it is meaningless even the sensor(s) detect the presence of the intruder. Zhang and Hou [26] have proven that in a homogeneous WSN, if the transmission range is equal to or higher than twice of the sensing range, a given coverage probability guarantees a connectivity probability. In this manner, when the coverage is satisfied in the homogeneous WSN, the network connectivity is also statistically guaranteed so that it allows two sensors to communicate with each other. However, in a heterogeneous WSN, the deployment of sensors with different capability complicates the network operation with the asymmetric links. Specifically, a sensor with longer transmission range (i.e., Type I sensor) might reach some sensors with shorter transmission range (i.e., Type II sensors), while the Type II sensors may not be able to reach the Type I sensor. The network connectivity has to be reconsidered. In a heterogeneous WSN, sensors mainly use a broadcast paradigm for communication [12] and high-capacity sensors usually undertake more important tasks (i.e., for broadcasting power management information or synchronization information to all the sensors). This motivates us to examine two fundamental characteristics of a heterogeneous WSN. The definitions are listed below: .

.

Network connectivity. The probability that a packet broadcasted from any sensor (either Type I or Type II sensor) can reach all the other sensors in the network. Broadcast reachability. The probability that a packet broadcasted from any Type I sensor can reach all the other sensors in the network.

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Fig. 9. Transmission range in heterogeneous case.

Given node densities and the transmission ranges of different sensors deployed in a WSN, we can calculate the network connectivity or the broadcast reachability. On the other hand, if the required network connectivity (or broadcast reachability) is specified, we can compute the required transmission ranges in terms of node density. Thus, the minimal transmission power can be obtained for the purpose of power efficiency. In [27], Bettstetter has proved the following lemma on the network connectivity of WSNs using sensors with different transmission ranges. Lemma 1. Given is a WSN with N uniformly distributed sensors. These N sensors consist of J different sensor types, i.e., there are Nj sensors of type j with transmission range rxj , P such that N ¼ Jj¼1 Nj for j ¼ 1; . . . ; J, and Nj 1 for 8j. Let P ðconÞ be the probability that the WSN is connected, and P ðnoiÞ be the probability that no sensor is isolated in the WSN. It has P ðconÞ ﬃ P ðnoiÞ;

ð16Þ

for P ðnoiÞ close to 1. Based on Lemma 1, we then have Theorem 13 and 14 as follows: Theorem 13. Consider a heterogeneous WSN consisting of independently deployed Type I and Type II sensors with node densities 1 and 2 and transmission range rx1 and rx2 ðrx1 > rx2 Þ, respectively. The upper bound of the network connectivity is

N 2 N Pcon ¼ 1 eð1 þ2 Þrx2 :

ð17Þ

Proof. In a heterogeneous WSN, network connectivity requires that a packet broadcasted from any sensor (either Type I or Type II) can reach all the other sensors of the network. Note an arbitrary sensor A, as illustrated in Fig. 9. If there is one Type I sensor (e.g., B) located in the area of Sx1 ¼ r2x1 while outside of the area Sx2 ¼ r2x2 , a packet generated from sensor A may not be able to reach sensor B. This is because sensor B may be out of sensor A’s transmission range if sensor A is a Type II sensor with transmission range rx2 , and rx2 < rx1 . In view of this, for a packet generated from sensor A to be received by all the other sensors in WSN, at least one sensor (either Type I or Type II) should lie in the area of the smaller transmission range Sx2 . Further, if all the

707

sensors has at least one neighbor in the relatively smaller transmission range Sx2 , the network is connected. Assuming all the other N 1 sensors except A are 2 connected, with probability 1P ð0; Sx2 Þ ¼ 1eð1 þ2 Þrx2 , there is at least one sensor located in the smaller transmission range Sx2 . Then, sensor A can broadcast its packet to at least one of the other N 1 sensors, and the packet can further be broadcasted to all the sensors in the network. Thus, we obtain the conditional probability 2 A Pcon ¼ 1 eð1 þ2 Þrx2 . Due to the fact that sensor A is chosen arbitrarily and the statistical independence for all the sensors, the probability that the other N 1 sensors are connected can be calculated as h i 2

N1 ¼ 1 eð1 þ2 Þrx2 Pcon

ðN1Þ

. Finally, the upper bound

of the network connectivity can h iN be derived as 2 N A N1 Pcon ¼ Pcon Pcon ¼ 1 eð1 þ2 Þrx2 . u t Theorem 14. Consider a heterogeneous WSN consisting of independently deployed Type I and Type II sensors, with node densities 1 and 2 and transmission range rx1 and rx2 ðrx1 > rx2 Þ, respectively. The upper bound of the network broadcast reachability is

N 2 2 PbrN ¼ 1 e1 rx1 e2 rx2 :

ð18Þ

Proof. Different from the network connectivity, broadcast reachability is the probability that a packet broadcasted from any Type I sensor can reach all the other sensors in the WSN. As illustrated in Fig. 9, A 2 N is an arbitrary sensor in the WSN. It has the responsibility to receive the packet broadcasting from any Type I sensor(s). In order for A to receive the packet, it has to be in the transmission range of at least one of the other N 1 sensors. In other words, sensor A should not be isolated from the rest of the network, and at least one sensor can reach A in its transmission range. The probability of no Type I sensor in its transmission range 2 from A is P1 ð0; r2x1 Þ ¼ e1 rx1 . The probability that no type II sensor lies in its transmission range from A 2 is P2 ð0; r2x2 Þ ¼ e2 rx2 . Then, P1 ð0; r2x1 ÞP2 ð0; r2x2 Þ ¼ 2 2 e1 rx1 e2 rx2 is the probability that neither Type I sensors nor Type II sensors can reach sensor A. Therefore, the probability that at least one sensor can 2 2 reach A is 1 e1 rx1 e2 rx2 . Due to statistical independence among all sensors, the probability that the other ðN 1Þ sensors are reachable from the broadcast h iðN1Þ 2 2 can be calculated as PbrN1 ¼ 1e1 rx1 e2 rx2 . Consequently, we obtain the upper bound of broadcast h iN 2 2 u t reachability as PbrN ¼ 1 e1 rx1 e2 rx2 . The results in this section indicate that for a given heterogeneous WSN, the network connectivity and broadcast reachability is enhanced with the increase of node density and transmission range. Furthermore, the broadcast

708

IEEE TRANSACTIONS ON MOBILE COMPUTING,

VOL. 7,

NO. 6,

JUNE 2008

Fig. 10. Intrusion detection probability (single and three-sensing) in the homogeneous WSN.

Fig. 11. Average intrusion distance (single and three-sensing in the homogeneous WSN.

reachability is always higher than the network connectivity under the same network parameters.

approaches 1 when the sensing range increases to a certain threshold. For example, in the single-sensing detection, the intruder can be detected with probability 1 if the sensing range exceeds 50, whereas in three-sensing detection, the intruder can be almost surely detected if the sensing range exceeds 90. In addition, we can see that the detection probability grows fast when the sensing range is far from the threshold and grows slowly when it approaches the threshold. Fig. 10 shows that the sensing range significantly impacts the detection probability of a homogeneous WSN. To investigate the influence of a sensor’s sensing range on an average intrusion distance of a WSN, we fix the number of sensors as N ¼ 500 and vary the sensing range from 0 to 30 meters. Fig. 11 presents the average intrusion distance in single-sensing and three-sensing detection scenarios. It can be observed that the average intrusion distance drops dramatically with an increase of the sensing range. This is because the increase of sensing range significantly enhances the network coverage. Fig. 11 also shows that under the same network parameters, the average intrusion distance in single-sensing detection decreases more quickly than in three-sensing detection. This is because with the increase in a sensor’s sensing range, more area can be monitored by one sensor than by three sensors. In the simulation, we also show how to improve the detection efficiency by assuring the network connectivity so that the sensor can adjust its sleep period. In the normal state, each sensor keeps awake for 80 percent of a cycle ðpa ¼ 0:8Þ. If an intruder is detected by a sensor, an alarming message is broadcasted by the sensor over the entire network. Then, all the sensors receiving the massage keep awake for 100 percent of a cycle ðpa ¼ 1:0Þ. The results in Figs. 10 and 11 show a similar trend that for a given sensing range, the average intrusion distance drops if the waking time of the sensor is longer ð1:0 > 0:8Þ.

7

SIMULATION

AND

VERIFICATION

We have performed a simulation-based verification of our analytical results in both homogeneous and heterogeneous WSNs. The simulation is carried out for single-sensing and k-sensing detection models. The analytical and simulation results are compared by varying the sensing range, transmission range, node density, and node availability. In the simulation, sensors are deployed in accordance with a uniform distribution in a squared network domain. The intruder moves into the network domain from a randomly selected point on the network boundary. Monte-Carlo simulation is performed, and each data point shown in the following figures is the average of 500 simulation results. The analytical results are calculated by using Theorems 1-14. For successive simulation runs, the sensors are uniformly redistributed in the network domain.

7.1 Verification for Homogeneous WSNs We simulate the intrusion detection in a homogeneous WSN. There are 500 sensors uniformly deployed in a 1,000 1,000 square meters, and the node density is ¼ 0:0005 per square meter. The sensing range changes from 0 to 100 meters and the maximal allowable intrusion distance is set as 50 meters. Fig. 10 illustrates the detection probability of the analytical and simulation results. It can be seen in Fig. 10 that the analytical results match the simulation results pretty well, which indicates the correctness of our analytical model. The detection probability increases with the increase of the sensors’ sensing range. It is because the increase of sensing range improves the network coverage. At the same time, the single-sensing detection probability is higher than that of three-sensing detection. This is because the k-sensing detection imposes a more strict requirement on detecting the intruder (e.g., at least k ¼ 3 sensors are required). Fig. 10 also demonstrates that the detection probability in single-sensing detection or three-sensing detection

7.2 Verification for Heterogeneous WSNs The purpose of the simulation in this part is to verify the analytical results on intrusion detection in heterogeneous WSNs. To examine the effect of introducing high-capability sensors (e.g., Type I sensors) on the network intrusion

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Fig. 12. Intrusion detection probability under heterogeneous case.

detection probability, we fix the number of Type II nodes at 200, and the number of Type I nodes varies from 10 to 150. The sensing range rs1 and rs2 are set as 120 meters and 40 meters, respectively. Again, the maximal allowable intrusion distance is set as ¼ 50 meters. Fig. 12 demonstrates the analytical and simulation results on the intrusion detection probability and clearly shows the verification of our analytical expressions with simulation results. Note that we also plot the results in homogeneous WSN (marked as “homo”) by reducing the more powerful Type I nodes to normal Type II nodes, in contrast to the performance of heterogeneous case (marked as “heter”). As expected, Fig. 12 shows that the intrusion detection probability in the heterogeneous WSN increases at a much faster rate than in the homogeneous WSN, as the number of Type I sensors is increased. Especially in the more demanding multiple-sensing (i.e., three-sensing) detection case, the intrusion detection probability increases even more quickly in heterogeneous WSN than in homogeneous case. This substantiates our intuition that the introduction of high-capability sensors can dramatically improve the intrusion detection quality of WSNs. It is also shown in Fig. 12 that the intrusion detection probability increases as the node density grows (e.g., by increasing the number of Type I sensors) under all simulation scenarios. This is because the node density plays a critical role in the intrusion detection quality of WSNs. In addition, for a given parameter k and sensor capabilities, the figure indicates how to choose the number and the type of sensors to achieve a certain intrusion detection probability.

Verification for Network Connectivity and Broadcast Reachability In this part, we verify our analysis on the network connectivity and broadcast reachability. The analytical results shown in Figs. 13 and 14 are calculated by using Theorems 13 and 14. In the simulation, an adjacency matrix is constructed to represent the digraph of the network topology. The depth-first-search algorithm is employed to check the network connectivity by selecting a random sensor as the starting node and the broadcast reachability by choosing a

709

Fig. 13. Effects of transmission range on the broadcast reachability in heterogeneous WSN.

random Type I sensor as the broadcast initiator. The simulation considers 200 Type I sensors and 300 Type II sensors. In the homogeneous WSN, the transmission range of Type I sensors is set equally to that of Type II sensor (i.e., rx1 ¼ rx2 ). While in the heterogeneous WSN, the transmission range of Type I sensors is set twice as much as that of Type II sensors (i.e., rx1 ¼ 2rx2 ). The transmission range of Type II sensor rx2 is varied from 40 meters to 100 meters in both homogeneous and heterogeneous cases. Fig. 13 shows that the network connectivity and broadcast reachability increase rapidly with the increase of sensors’ transmission range and approach 1 after certain threshold. In addition, it can be observed that the broadcast reachability increases much faster than the network connectivity as the transmission range of sensors grows. This is because the network broadcast reachability considers the broadcast from Type I sensors, while the network connectivity takes broadcast from both Type I and Type II sensors into account. Note that in homogeneous WSN, the

7.3

Fig. 14. Effects of Type I sensors on the broadcast reachability in heterogeneous WSN.

710

IEEE TRANSACTIONS ON MOBILE COMPUTING,

broadcast reachability is equivalent to the network connectivity since there are no asymmetric links. Next, the simulation is carried out to see the effect of Type I sensors on the network connectivity and broadcast reachability. We fix the number of Type II sensors as n2 ¼ 300 and vary the number of Type I sensors from 10 to 300. The transmission ranges are set as rx1 ¼ 140 meters and rx2 ¼ 70 meters for Type I and Type II sensors, respectively. Similar to the results shown in Fig. 12, we compare the results in homogeneous WSN with that in heterogeneous WSN by reducing Type I sensors to Type II sensors. Fig. 14 shows the analytical and simulation results, and they match with each other closely. From the figure, network connectivity and broadcast reachability are improved while increasing Type I sensors. This is because some sensors that are originally isolated or unreachable from the rest of the network are now connected or reachable in the network after the introduction of Type I sensors. In addition, the results indicate that even a small increase of Type I sensor significantly improves the broadcast reachability, while network connectivity only improves gradually. This also implies that the node heterogeneity does affect the broadcast reachability much more dramatically than it does to the network connectivity.

[6]

[7] [8]

[9]

[10]

[11]

[12] [13]

[14] [15]

8

CONCLUSION

This paper analyzes the intrusion detection problem in both homogeneous and heterogeneous WSNs by characterizing intrusion detection probability with respect to the intrusion distance and the network parameters (i.e., node density, sensing range, and transmission range). Two detection models are considered: single-sensing detection and multiple-sensing detection models. The analytical model for intrusion detection allows us to analytically formulate intrusion detection probability within a certain intrusion distance under various application scenarios. Moreover, we consider the network connectivity and the broadcast reachability in a heterogeneous WSN. Our simulation results verify the correctness of the proposed analytical model. This work provides insights in designing homogeneous and heterogeneous WSNs and helps in selecting critical network parameters so as to meet the application requirements.

[16]

[17]

[18]

[19]

[20]

[21] [22]

REFERENCES [1] [2] [3]

[4]

[5]

D.P. Agrawal and Q.-A. Zeng, Introduction to Wireless and Mobile Systems. Brooks/Cole Publishing, Aug. 2003. B. Liu and D. Towsley, “Coverage of Sensor Networks: Fundamental Limits,” Proc. Third IEEE Int’l Conf. Mobile Ad Hoc and Sensor Systems (MASS), Oct. 2004. S. Ren, Q. Li, H. Wang, X. Chen, and X. Zhang, “Design and Analysis of Sensing Scheduling Algorithms under Partial Coverage for Object Detection in Sensor Networks,” IEEE Trans. Parallel and Distributed Systems, vol. 18, no. 3, pp. 334-350, Mar. 2007. S. Banerjee, C. Grosan, A. Abraham, and P. Mahanti, “Intrusion Detection on Sensor Networks Using Emotional Ants,” Int’l J. Applied Science and Computations, vol. 12, no. 3, pp. 152-173, 2005. S. Capkun, M. Hamdi, and J. Hubaux, “GPS-Free Positioning in Mobile Ad-Hoc Networks,” Proc. 34th Ann. Hawaii Int’l Conf. System Sciences, Jan. 2001.

[23] [24] [25]

[26]

[27]

VOL. 7,

NO. 6,

JUNE 2008

N. Bulusu, J. Heidemann, and D. Estrin, “Gps-Less Low Cost Outdoor Localization for Very Small Devices,” IEEE Personal Comm. Magazine, special issue on smart spaces and environments, 2000. D. Niculescu, “Positioning in Ad Hoc Sensor Networks,” IEEE Network, vol. 18, no. 4, pp. 24-29, July-Aug. 2004. Y. Wang, X. Wang, D. Wang, and D.P. Agrawal, “Localization Algorithm Using Expected Hop Progress in Wireless Sensor Networks,” Proc. Third IEEE Int’l Conf. Mobile Ad hoc and Sensor Systems (MASS ’06), Oct. 2006. P. Traynor, R. Kumar, H. Choi, G. Cao, S. Zhu, and T.L. Porta, “Efficient Hybrid Security Mechanisms for Heterogeneous Sensor Networks,” IEEE Trans. Mobile Computing, vol. 6, no. 6, June 2007. J.-J. Lee, B. Krishnamachari, and C.J. Kuo, “Impact of Heterogeneous Deployment on Lifetime Sensing Coverage in Sensor Networks,” Proc. First Ann. IEEE Comm. Soc. Conf. Sensor and Ad Hoc Comm. and Networks, pp. 367-376, Oct. 2004. V.P. Mhatre, C. Rosenberg, D. Kofman, R. Mazumdar, and N. Shroff, “A Minimum Cost Heterogeneous Sensor Network with a Lifetime Constraint,” IEEE Trans. Mobile Computing, vol. 4, no. 1, pp. 4-15, 2005. M. Yarvis, N. Kushalnagar, H. Singh, A. Rangarajan, Y. Liu, and S. Singh, “Exploiting Heterogeneity in Sensor Networks,” Proc. IEEE INFOCOM, 2005. I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A Survey on Sensor Networks,” IEEE Comm. Magazine, vol. 40, no. 8, pp. 102-114, Aug. 2002. H. Kung and D. Vlah, “Efficient Location Tracking Using Sensor Networks,” Proc. IEEE Wireless Comm. and Networking Conf., vol. 3, pp. 1954-1961, Mar. 2003. C.-Y. Lin, W.-C. Peng, and Y.-C. Tseng, “Efficient in-Network Moving Object Tracking in Wireless Sensor Networks,” IEEE Trans. Mobile Computing, vol. 5, no. 8, pp. 1044-1056, 2006. C. Gui and P. Mohapatra, “Power Conservation and Quality of Surveillance in Target Tracking Sensor Networks,” Proc. 10th Ann. Int’l Conf. Mobile Computing and Networking (MobiCom ’04), pp. 129-143, 2004. B. Liu, P. Brass, O. Dousse, P. Nain, and D. Towsley, “Mobility Improves Coverage of Sensor Networks,” Proc. Sixth ACM Int’l Symp. Mobile Ad Hoc Networking and Computing (MobiHoc ’05), pp. 300-308, 2005. X. Wang, Y. Yoo, Y. Wang, and D.P. Agrawal, “Impact of Node Density and Sensing Range on Intrusion Detection in Wireless Sensor Networks,” Proc. 15th Int’l Conf. Computer Comm. and Networks (ICCCN ’06), Oct. 2006. Y. Wang, X. Wang, D.P. Agrawal, and A.A. Minai, “Impact of Heterogeneity on Coverage and Broadcast Reachability in Wireless Sensor Networks,” Proc. 15th Int’l Conf. Computer Comm. and Networks (ICCCN ’06), Oct. 2006. C. Bettstetter, “On the Minimum Node Degree and Connectivity of a Wireless Multihop Network,” Proc. Third ACM Int’l symposium on Mobile ad hoc Networking and Computing (MobiHoc ’02), pp. 80-91, 2002. A. Ephremides, “Energy Concerns in Wireless Networks,” IEEE Wireless Comm., vol. 9, no. 4, pp. 48-59, Aug. 2002. L. Wang and Y. Xiao, “A Survey of Energy-Efficient Scheduling Mechanisms in Sensor Networks,” Mobile Network Applications, vol. 11, no. 5, pp. 723-740, 2006. S. Kumar, T.H. Lai, and J. Balogh, “On K-Coverage in a Mostly Sleeping Sensor Network,” Proc. 10th Ann. Int’l Conf. Mobile Computing and Networking (MobiCom ’04), pp. 144-158, 2004. R. Jain, The Art of Computer Systems Performance Analysis: Techniques for Experimental Design, Measurement, Simulation and Modeling. Wiley-Interscience, 1991. A. Durresi, P.V.K. , S. Iyengar, and R. Kannan, “Optimized Broadcast Protocol for Sensor Networks,” IEEE Trans. Computers, vol. 54, no. 8, pp. 1013-1024, Aug. 2005. H. Zhang and J. Hou, “On Deriving the Upper Bound of -lifetime for Large Sensor Networks,” Proc. Fifth ACM Int’l Symp. Mobile Ad Hoc Networking and Computing (MobiHoc ’04), pp. 121-132, 2004. C. Bettstetter, “On the Connectivity of Wireless Multihop Networks with Homogeneous and Inhomogeneous Range Assignment,” Proc. IEEE Vehicular Technology Conf. (VTC ’02), vol. 3, pp. 1706-1710, Sept. 2002.

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

Yun Wang received the BS degree in computer science and engineering in 2001 at Wuhan University, Hubei, China, and then entered the PhD program in computer science and engineering at Wuhan University, where she specialized in multimedia communication. She joined the Center for Distributed and Mobile Computing, Department of Electrical and Computer Engineering and Computer Science, University of Cincinnati, Ohio, in 2004, as a PhD student. Her research activities include fundamental design issues in wireless sensor networks such as sensor deployment, energy efficiency, positioning, and network security. She also performs research on wireless MAC protocol design in wireless ad hoc networks and audio and video processing in multimedia communication. She is a student member of the IEEE. Xiaodong Wang received the BS degree in communication engineering in 1995, the MS degree in electric engineering in 1998, and the PhD degree in computer engineering from the University of Cincinnati, Cincinnati, Ohio, in 2005. He joined China Telecom in 1998, where he worked on communication protocols for telecommunication. From June 2000 to July 2002, he worked on GSM base station software development at Bell-labs China, Beijing. His research activities included wireless MAC protocols and energy saving for wireless sensor networks. He joined Motorola in 2005. He is currently with the OBR Center of Distributed and Mobile Computing, Department of Computer Science, University of Cincinnati. He is a student member of the IEEE. Bin Xie received the BSc degree from Central South University, Changsha, China, the MSc and PhD degrees (with honors) in computer science and computer engineering from the University of Louisville, Kentucky. As a research associate, he is currently with the Department of Computer Science, University of Cincinnati. He is the author of the book entitled Heterogeneous Wireless Networks—Networking Protocol to Security and published more than 30 papers in international conference proceedings and journals. His research interests are focused on ad hoc networks, sensor networks, wireless mesh networks, integrated WLAN/MANET/cellular with Internet, in particular the fundamental aspects of mobility management, performance evaluation, Internet/wireless infrastructure security, and wireless network capacity. In addition to his academic experience, he has six years of industry experience, including ISDN, 3G, and Lucent Excel programmable switching systems. He is an IEEE senior member.

711

Demin Wang received the BS degree in computer science and the MS degree in safety technology and engineering from the University of Science and Technology of China, Hefei, China, in 2000 and 2003, respectively. He is currently working toward the PhD degree in computer science and engineering at the University of Cincinnati, Cincinnati, Ohio. His research interests include coverage and energy problems in wireless sensor networks, implementation of wireless sensor networks, and wireless mesh networks. He is an IEEE student member. Dharma P. Agrawal is the Ohio board of regents distinguished professor of computer science and the founding director for the Center for Distributed and Mobile Computing, Department of ECECS, University of Cincinnati, Ohio. He was a visiting professor of ECE at the Carnegie Mellon University, where he was on sabbatical leave during the Autumn 2006 and Winter 2007 Quarters. He has been a faculty member at the North Carolina State University, Raleigh, North Carolina, from 1982 to 1998) and the Wayne State University, Detroit, from 1977 to 1982). His recent research interests include resource allocation and security in mesh networks, efficient query processing and security in sensor networks, and heterogeneous wireless networks. He is a coauthor of an introductory textbook on wireless and mobile computing that has been widely accepted throughout the world, and a second edition was published in 2006. The book has been has been reprinted both in China and India and translated to Korean and Chinese languages. He is also a coauthor of a book on ad hoc and sensor networks published in the spring of 2006 and has been named as a best seller by the publisher. He has given tutorials and extensive training courses in various conferences in the USA and numerous institutions in Taiwan, Korea, Jordan, Malaysia, and India on ad hoc and sensor networks and mesh networks. He is an editor for the Journal on Parallel and Distributed Systems, International Journal on Distributed Sensor Networks, International Journal of Ad Hoc and Ubiquitous Computing, and International Journal of Ad Hoc and Sensor Wireless Networks. He served as an editor of the IEEE Computer magazine, the IEEE Transactions on Computers, and the International Journal of High Speed Computing. He has been the program chair and general chair for many international conferences and meetings. He has received numerous certificates and awards from the IEEE Computer Society. He was awarded a “Third Millennium Medal” by the IEEE for his outstanding contributions. He has also delivered the keynote speech for five international conferences. He also has five patents in wireless networking area. He has also been named as an ISI Highly Cited Researcher in Computer Science. He is a fellow of the IEEE, the ACM, the AAAS, and the WIF. . For more information on this or any other computing topic, please visit our Digital Library at www.computer.org/publications/dlib.