LB-IDS: Securing Wireless Sensor Network Using Protocol Layer Trust-Based Intrusion Detection System

Wireless sensor network (WSN) faces severe security problems due to wireless communication between the nodes and open deployment of the nodes. The attacker disrupts the security parameters by launching attacks at diﬀerent layers of the WSN. In this paper, a protocol layer trust-based intrusion detection system (LB-IDS) is proposed to secure the WSN by detecting the attackers at diﬀerent layers. The trust value of a sensor node is calculated using the deviation of trust metrics at each layer with respect to the attacks. Mainly, we consider trustworthiness in the three layers such as physical layer trust, media access control (MAC) layer trust


Introduction
WSN is widely used in many applications such as industrial monitoring, environmental monitoring, forest monitoring, health care, and military.e architecture of WSN is categorized into clustered and flat [1].In the flat architecture, the sensor nodes (SNs) communicate with the base station (BS) directly or by relaying the data through other nodes.When a WSN is clustered, the SNs are arranged within a specific area by forming a cluster.One node acts as a cluster head (CH) to control the whole communication between the nodes.e SNs communicate with the BS through the CHs.An SN exchange its information by forwarding the data to its CH, and then the CH sends the data directly to the BS or relaying the data through the CHs.Clustering is an important mechanism in WSN for many advantages such as energy efficiency, reduction in communication overhead, delay minimization, better communication, and topology management.
Security in WSN is a major issue during the past decade due to open deployment of SNs and wireless communications between them [2][3][4].e attacker disrupts the security attributes by launching attacks at different layers.At the physical layer, a malicious node can be attacked by denial of service (DoS) attack by jamming the physical channel [5][6][7][8][9].In this attack, an attacker continuously interferes with the frequencies used for communication by broadcasting unnecessary signals.
ese signals jam the network, and a genuine node denies to give services because it is busy in receiving the signals.
e codes in the SN can also be modified, and the node can be tampered or replaced with an untrusted node [1,7].At the MAC layer [10,11], the attacker disrupts the network availability by obtaining unfair channel priority, collisions, etc. e MAC layer include many types of attack such as back-off manipulation attack, RTS/CTS frame modification, guaranteed time slot attack, and collisions.At the network layer [12][13][14], the attacker attacks by disrupting the routing of data from source to the destination by acquiring control on the data.e attacker attacks using selective forwarding attack, sinkhole attack, wormhole attack, black hole attack, sybil attack, etc. Apart from the single protocol layer attack, there is another type of attack called as cross-layer attack where multiple layers are attacked [15][16][17].IDS plays an essential role in securing the WSN as a second wall, where it detects the misbehavior of the nodes that violates the security mechanisms [18][19][20][21][22][23].In WSN, it is difficult to use complex security mechanisms because it increases the energy consumption of a SN.erefore, WSNs are applying light-weight security mechanisms for protecting the network [24,25], and IDS is providing a platform by recording the misbehavior of the SNs and reporting it to the administrator for taking countermeasures.
IDS is mainly divided into anomaly detection and misuse detection [26,27].In misuse detection, there is prior knowledge about the attacks, and it is easy to detect the attacks.However, it is difficult to detect the unknown attacks.Unknown attacks are detected using anomaly detection.Anomaly detection compares the current operations of a node with the behavior and status of a normal node to check the misbehavior.In this paper, we have mainly focused on the anomaly detection system (IDS).However, many IDS schemes only work on particular type of attacks based on a single layer.It is needed to identify the cross-layer attack where an attacker attacks multiple layers at a time.It is difficult to identify such type of attacks because the attacker has different behavior at a time.To improve the detection of such attacks, the trust metrics are selected at each protocol layer, and the parameters have a high impact on the performance of the IDS.
We are mainly motivated from the method proposed by Wang et al. [1].e authors proposed an IDS for WSN using trust-based system.In this model, a trust is separately calculated for each SN at the physical layer, MAC layer, and network layer using trust metrics.Finally, each layer trust is combined to form a single overall trust value.is trust value is called as the direct trust value of node A on node B, where node A is the evaluator node or monitoring node.In this model, the monitoring node calculates the trust value of the monitored node by using the direct experience with the monitored node (according to the trust metrics).is may reduce the performance of the system by reducing the detection accuracy (DA) and increasing the false-positive rate (FPR) and false-negative rate (FNR).However, in our model, we have calculated the trust value of the monitored node by taking direct experience and the experiences of other nodes (neighbor nodes) with the monitored node. is increases the DA and reduces FPR.If the trust value of a monitored node is higher than a threshold, then the node is treated as a reliable or genuine node.e main motivation is also elaborated with respect to the three layers as follows.In [1], at the physical layer, energy consumption is considered as the trust metric for the trust value calculation.As jamming attack is considered, a node that jams the network has high energy consumption due to continuous signal generation.However, if a genuine node in the communication range has performed communication for a longer time, then it has a low energy, and this node is considered as a malicious node [1].erefore, we have calculated the trust using the direct experience and experiences (signal reception) of other neighbor nodes with the monitored node.At the MAC layer, back-off time is considered as the trust metric for the trust value calculation.As back-off manipulation attack is considered, a node that has less back-off time will get higher access to the channel for communication.However, if a genuine node in the communication range sends more messages for communication, then this node is considered as a malicious node [1], because it is getting more channel priority.erefore, we have calculated the trust using the direct experience and experiences (channel priority) of other neighbor nodes with the monitored node.At the network layer, the number of hops advertised is considered as the trust metric for the trust value calculation.As sinkhole attack is considered, a node that broadcasts less number of hops is considered as a malicious node.However, if a genuine node in the communication range has less number of hops, then this node is considered as a malicious node [1].erefore, we have calculated the trust by using the direct experience and experiences (hop count advertisement) of neighbor nodes with the monitored node. is increases the DA and reduces the FPR. is scheme is applicable for clustered and flat networks.e main contributions of this paper are stated as follows: (1) LB-IDS is proposed to detect the malicious nodes in the clustered WSN.In this method, a trust value of an SN is individually calculated at the physical layer, MAC layer, and network layer using the deviation of trust metrics.e deviation is calculated from the direct experience and experiences of the neighbor nodes with the monitored node.(2) e monitoring node or evaluator node estimates the trust value of the monitored node using the deviation factor.en, the individual trust values of each layer are combined to calculate the overall trust value of an SN.en, the trust value is transferred to the CH.en, the CH decides whether the SN is genuine or malicious using a threshold value.is trust value is updated at regular intervals.
(3) e analysis of LB-IDS is performed in terms of message complexity, memory overhead, energy consumption, and trust evaluation.(4) Simulation results show that LB-IDS performs better than the model by Wang et al. [1] in terms of DA, FPR, and FAR. e performance is analyzed by considering the jamming attack in the physical layer, back-off manipulation attack in the MAC layer, and sinkhole attack in the network layer, and finally cross-layer attack is also implemented at the network layer and MAC layer.e remaining portion of the paper is organized as follows.Section 2 presents the work done in the field of trustbased security in WSN.Section 3 describes the proposed LB-IDS model.Section 4 presents the trust estimation at each layer.Section 5 presents the analysis of the LB-IDS.Section 6 presents the results and discussion.At last, the conclusion and future work is presented in Section 7.

Related Works
Securing wireless sensor network using trust-based schemes are very effective methods for supporting WSN against the security threats and vulnerabilities.Many research works are performed to secure the network using the trust-based models [28][29][30][31][32][33]. e trust-based models mainly use fuzzy models, probability models, statistical methods, weighting methods, etc. LB-IDS mainly focuses on the statistical method where it uses the average and deviation of trust metrics to detect an attack in a layer.
In [25,34,35], to determine the trust degree, the authors have used the fuzzy theory concept in the network.Feng et al. [34] proposed a trust evaluation algorithm (NBBTE) based on banding belief theory.In this scheme, a node finds the trust value of its neighboring node using the direct and indirect trust based on many trust factors.en, fuzzy model is used to know the level of trustworthiness of each neighbor node.en, DS evidence theory is used to aggregate the trust values to find a final trust level of a node.Wu et al. [35] proposed a trust model for securing WSN using fuzzy model and evidence model.Fuzzy set theory is used for finding trust level of the sensors, and evidence theory is used for aggregating the trust value.Shao et al. [25] proposed a trust model for WSN where the trust recommendations provided by the sensors are evaluated using fuzzy model.In [36,37], the authors calculated the trust value of a sensor node using probability distribution method.Ganeriwal et al. [36] proposed a method that is based on distributed reputation framework.It uses watchdog technique to observe behaviors of nodes.Luo et al. [37] used identity labels for the sensor nodes to design a dynamic trust management scheme.In [24,[38][39][40][41][42], the authors used the weighting method for trust calculation and evaluation.Atakli et al. [38] used weighting method to detect malicious activity in the network by maintaining the hierarchy and continuous monitoring.Shaikh et al. [41] detected the malicious nodes in a clustered network by finding group trust for a node.Yao et al. [42] proposed a parameter and localized based trust management scheme to provide security to WSN.Li et al. [24] proposed a simple and dependable trust model for clustered environment of WSN.Jiang et al. [40] used direct as well as indirect trust for trust calculation of a sensor node in WSN.Direct trust calculation includes energy, data, and communication trusts.Indirect trust calculation includes the recommendations from the neighbor nodes for the monitored node.Ishmanov et al. [43] measured the weightage of misbehavior of a node for the detection of malicious nodes in the network.Bao et al. [44,45] proposed a trust model for WSN using weighting parameters and reduced the false-positive rate using statistical methods.Zhang et al. [46] proposed a trust model based on cloud model for clustered WSN.Rajeshkumar et al. [47] proposed an adaptive trust-based acknowledgment IDS using active successful deliveries.In this method, Kalman filter is used to estimate the trust factor of a node.In [48], we have proposed a physical layer IDS to provide security at the physical layer.
is method only detects the denial of service attack due to jamming attack.It lacks security at MAC layer and network layer.
From the literature discussed above, it is observed that selecting proper trust metrics to calculate the trust of an SN is very essential.erefore, to design an IDS, the behavior of the nodes should be monitored.In this work, we have selected the proper trust metrics at each layer for trust calculation and detected the behavior of a node according to the attack.To the best of our knowledge, very less work has been done in this area to design a protocol layer trust-based IDS.In this paper, the trust is calculated at each layer by considering the deviation of trust metrics.
en, the overall trustworthiness of a sensor node is estimated by combining the individual trust values.

System Model
e system model describes about the topology and communication, and also about the attack models used in this work.

Network Model.
e network model consists of a WSN that is clustered.A cluster in the network has a CH and SNs.
e SNs communicate with each other using wireless communication.e SNs can directly communicate with the base station (BS) using wireless communication or indirectly through other SNs.e CHs can communicate with each other using wireless communication.
e CH has high processing and high computing capability.It is assumed that the CH has high battery power.In this model, an SN evaluates its neighbor using the LB-IDS model.en, the trust value is periodically transferred to the CH. e trust is periodically updated at the CH in Δt time.Here, each node applies the watchdog technique, where a node monitors its neighbor nodes continuously by updating the trust value.Figure 1 shows the clustered WSN framework.e individual trust is calculated at each layer, and it is finally aggregated to generate the overall trust of an SN. e trust metrics are considered as the behavior of the nodes at each layer.ese parameters are used for trust calculation at each layer.
e model for LB-IDS is shown in Figure 2, and the notations used in this paper are presented in Table 1.In this model, an SN monitors its neighbor node by estimating the trust value at each layer such as physical layer, MAC layer, and network layer.Most of the attacks are mainly on the network layer because this layer is mainly used for routing the data in the network [1].
erefore, we have only considered these three layers to estimate final trustworthiness of an SN [1,48].Firstly, the trust metrics are chosen to calculate trust at each layer.e trust metrics at the physical layer are energy consumption of an SN and the number of messages received from the SN. e trust metrics at the MAC layer are back-off time and the number of successful transmission.e trust metrics at the network layer is the number of hops advertised.In the later sections, we have justified why these parameters are considered for individual trust calculation at each layer.e overall trust of an SN is calculated by aggregating all individual trusts of each layer.en, the overall trust value of the SN is forwarded to the CH. e CH finds whether the SN is malicious or genuine using the thresholding scheme.
Let T jk (t) is the overall trust value of node k at time t, calculated by node j. is is represented as follows: where T PHY jk (t) is the trust calculated at the physical layer (PHY) by considering the deviation, T MAC jk (t) is the trust calculated at the MAC layer (MAC) by considering the deviation, and T NET jk (t) is the trust calculated at the network layer (NET) by considering the deviation.e sum of the weight parameters λ 1 , λ 2 , and λ 3 are 1 (λ 1 + λ 2 + λ 3 � 1).e value of individual weight λ ϵ [0, 1]. e values of the weights are decided according to the IDS, i.e., whenever there is attack at the physical layer, the λ 1 will be considered by the IDS as 1 and the rest of λ 2 and λ 3 are considered as 0. However, at the time of cross-layer attack between the MAC layer and network layer, λ 2 and λ 3 values are given equal weights and λ 1 is considered as 0. To reduce the complexity of the network, we have chosen parameters according to the requirement.We have considered the minimum number of parameters that are mostly suitable to detect the attacks at each layer.e trustworthiness of a node is updated periodically after a Δt time: where T jk (t − Δt) represents the past trust value of node j on node k. e weight value μ ϵ varies between 0 and 1. e value of μ depends on the IDS. is weight factor describes the priority of previous trust value and current trust value to generate the new trust value for a node.From equation (2), it is observed that the past experience is also considered because the overall trust should take the previous and current trust values.In the next section, we have computed the trust values at each layer.
where i is the information that may be correct or incorrect depending on the IDS, e denotes the information expected, and m denotes the information which has malicious content.In this layer, energy consumption (Ecm) and the number of messages received (Nmr) are considered as the i to detect the malicious nodes in the network.Figure 3 shows the jamming attack where the malicious node k sends continuous signal to the genuine node j.In this model, we assume that the number of messages (nm) generated for a genuine node in a particular time interval is smaller than the number of messages generated by a malicious node (nm′), where nm ′ > nm.In this model, the number of messages generated follows the pseudorandom number uniform distribution pattern.

Attack at the MAC Layer.
At the MAC layer, getting a channel priority is a major factor.erefore, we have considered back-off manipulation attack where the malicious node attacks the system by modifying the backoff time.Here, back-off time is random in nature.It is manipulated by lowering the back-off time, so that the priority of getting the channel access increases.is increases the number of successful transmissions (Nst).In this layer, back-off time (Bt) parameter and the number of successful message transmission (Nst) parameter are considered as i to detect the malicious nodes in the network.Figure 4 shows the back-off time manipulation attack where the malicious node k sends continuous signal to the genuine node j by getting the channel priority in less time.

Attack at the Network Layer.
At the network layer, routing information is mainly affected by the attackers by advertising incorrect information in the network like the minimum hop count.In this work, we have considered the sinkhole attack.In this attack, the malicious node send regular updates by advertising bogus routing information like low hop count.From Figure 5, it is observed that the malicious node 2 advertises minimum hop count to the destination (to the source node 1).
e node 1 then forwards the data in the direction of node 2. e data may Journal of Computer Networks and Communications be selectively forwarded to the next node or all packets are dropped.We assume that the node advertises the low hop count information in the route reply packet (RREP) during route discovery in Ad hoc On Demand Distance Vector routing protocol (AODV) [1].erefore, the sinkhole attack needs to be detected.In this layer, hop count (hp) parameter is considered as i to detect the malicious nodes in the network.

Cross-Layer Attack.
In cross-layer attack, a malicious node in the network attacks two or more layers at a time.In this model, we have considered the back-off manipulation attack and sinkhole attack at the MAC layer and network layer, respectively.e attacker gets high priority of accessing the channel and advertises minimum hop count information.is attack should also be detected by the LB-IDS.Figure 6 shows the cross-layer attack by the malicious node k on the MAC layer and network layer.

Estimation of Trust
In this section, we have estimated the trust at the physical layer, MAC layer, and network layer.e physical layer of the protocol layer represents the transmission of bits and receiving of bits [48].
erefore, energy consumption is a trust metric for the transmission of or receiving a message of length l M bits.According to the jamming attack at the physical layer, an attacker continuously transmits signals or packets, due to which energy consumption occurs.erefore, Ecm and Nmr 6 Journal of Computer Networks and Communications are considered as the trust metrics for trust estimation at the physical layer.Here, the monitoring node j collects recommendations from its neighbor nodes after the time period Δt.ese recommendations are the Ecm and Nmr values generated by direct experience of the neighbor nodes with monitored node k. e average of the recommendations (Ecm and Nmr) are calculated as follows: Ecm n , where Rec Ecm and Rec Nmr are the average of the recommendations collected after Δt time, respectively, and n is the number of neighbor nodes.e Ecm provided by the neighbor node to the monitoring node j is computed by the energy consumed in transmission during the Δt time and it is represented as follows [49]: where From equations ( 7) and (8), it is observed that if ΔEcm k (t) and ΔNmr k (t) are greater than the average values, then the trustworthiness of the node reduces.e final trust at the physical layer is calculated as follows: where α 1 and α 2 belong to [0, 1] and the sum is 1 (α 1 + α 2 � 1).e values of α 1 and α 2 depend on the IDS system.

Estimation of MAC Layer Trust.
At the MAC layer, backoff time Bt and the number of successful message transmission Nst are considered as the trust metrics to calculate the deviations.e MAC layer of the protocol layer is mainly used for accessing the channel.erefore, back-off time is a trust metric for the successful transmission of a message.According to the back-off manipulation attack in the MAC layer, a malicious node shortens the back-off time to get quicker channel access.en, it successfully transmits the messages to the neighbor nodes with a high channel priority.erefore, Bt and Nst are considered as the trust metrics for trust estimation at the MAC layer.Here, the monitoring node j collects recommendations from its neighbor nodes after the time period Δt.ese recommendations are the Bt and Nst values generated by direct experience of the neighbor nodes with monitored node k. e average of the recommendations (Bt and Nst) are calculated as follows: Bt n , Nst n , (10) where Rec Bt and Rec Nst are the average of the recommendations collected after Δt time, respectively, and n is the number of neighbor nodes.After calculation of Rec Bt and Rec Nst , the relative deviation of the trust metrics of node k (monitored node) are represented as follows: where Dv Bt and Dv Nst are the deviations of trust metrics, respectively.
From equations ( 12) and ( 13), it is observed that when ΔBt k (t) is lesser than average, the node is less trustworthy, Journal of Computer Networks and Communications and when ΔNst k (t) is greater than average the node has less trustworthiness.e final trust at the MAC layer is calculated as follows: where β 1 and β 2 belong to [0, 1] and the sum is 1 (β 1 + β 2 � 1).e value of β 1 and β 2 depends on the IDS system.e value of β depends on the IDS.ese weight factors β 1 and β 2 describe the priority of back-off time and the number of successful message transmission to generate the trust value of a node at the MAC layer.

Estimation of Network Layer
Trust.At the network layer, hop count hp is considered as the trust metric to calculate the deviation.e network layer of the protocol layer is mainly used for routing.erefore, hop count is used as the route metric for the successful delivery of the message.According to the sinkhole attack at the network layer, a malicious node advertises bogus route information.It may advertise low hop count in the path for reliable data delivery.erefore, hp is considered as the trust metric for trust estimation at the network layer.Here, the monitoring node j collects recommendations from its neighbor nodes after the time period Δt.ese recommendations are the hp values generated by direct experience of the neighbor nodes with monitored node k.
e average of the recommendations (hp) is calculated as follows: where Rec hp is the average of the recommendations collected after Δt time and n is the number of neighbor nodes.After calculation of Rec hp , the relative deviation of the trust metric of node k (monitored node) is represented as follows: where Dv hp is the deviation of trust metric.
. hp k (t) denotes the hop count at time t and Δhp k (t) is the hop count during Δt time (between node j and node k).Now, we calculate the individual trust using the hp as follows: From equation (17), it is observed that when Δhp k (t) is lesser than the average the node has less trustworthiness.Here, T hp jk (t) is the trust T NET jk (t) at the network layer.

Analysis of LB-IDS
In this section, we have analyzed the message complexity, memory overhead, energy consumption, and trust evaluation of LB-IDS.

Message Complexity.
e message complexity of LB-IDS scheme depends on the individual trust calculation of a layer.Let there exists a clustered WSN, where c denotes the number of clusters existing, and the average number of SNs in a cluster is n.If the average number of neighbors for an SN is p, then n × p communication occurs to calculate the overall trust values of the SNs in a cluster in Δt time.erefore, the message complexity to calculate the overall trust T jk (t) of all SNs in a cluster is O(n × p).For c clusters, the time complexity of the clustered WSN is O(n × p × c).
Figure 7 shows the message overhead in a cluster network with 50 SNs.According to LB-IDS, if node j estimate the trust value of node k then it requires a recommendation message from those n neighbors those have a direct experience with node k. en, the total number of messages N to compute the trust value of k is n.For 50 SNs, the total number of messages is 50 × n avg , where n avg is the number of average neighbors that provides the recommendation message.From Figure 7, it is observed that when the number of average neighbors increases, the number of messages in the network also increases.

Memory Overhead.
From the above scenario, if a single cluster is considered, then n × p communication occurs to calculate the overall trust values in a cluster.If a recommendation message of length l M bits is received from a neighbor node for trust calculation, then the whole cluster requires (n × p × l M ) memory overhead.Hence, the memory overhead to calculate the overall trust values of a clustered WSN is (n × p × c × l M ).

Energy Consumption.
From the above scenario, if a single cluster is considered, then n × p communication occurs to calculate the overall trust values of a cluster.Let a message of length l M bits is transmitted from a neighbor node for trust calculation, and the energy consumed is η joules.For receiving the message, let energy consumed is ρ joules.en, the whole cluster consumes (n × ρ + n × p × η) joules.erefore, the energy consumption of the clustered WSN is (n × ρ + n × p × η) × c joules during Δt time.
Figure 8 shows the energy consumption in a cluster network with 50 SNs.According to LB-IDS scheme, if a node j estimates the trust value of node k, then it requires a recommendation message from those n neighbors those have a direct experience with node k. e message size in this simulation is considered to be 4 bytes, and the energy consumption is taken as 3.12 μJ/bit [49].Hence, for 4 bytes transmission, 99.84 μJ energy is consumed.For receiving a message of size 4 bytes, 74.88 μJ energy is consumed because the energy consumption to receive a bit is taken as 2.34 μJ [49].From Figure 7, it is observed that when the number of average neighbors increases the energy consumption also increases in the network.

Trust Evaluation.
In LB-IDS, we have considered the trust calculation of an SN using the direct experience and experience of the neighbor nodes with node k. erefore, the hybrid of indirect experience and direct experience gives better detection accuracy because in direct trust computation, the monitoring node uses only its experience with other nodes, which may be incorrect.

Results and Discussion
e performance of LB-IDS is evaluated by comparing the results of the three performance metrics such as detection accuracy, false-positive rate (FPR), and false-negative rate (FNR) with the results of Wang's scheme.Detection accuracy calculates the accuracy of IDS in detecting the malicious nodes.FPR and FNR calculate at what ratio the detection accuracy is true or false.
e computer simulations are performed using MATLAB R2015a.e machine in which the simulation is performed has 6 Gb RAM, core i7 processor, and Windows 10 platform.e LB-IDS scheme is compared with the most recent Wang et al. [1] scheme, which is also based on protocol layer trust.
e performance metrics for the simulation are de ned as follows: (1) Detection accuracy: the number of malicious SNs detected from the total number of malicious SNs present in the network.(2) False-positive rate (FPR): the number of genuine SNs detected as malicious from the total number of genuine SNs.(3) False-negative rate (FNR): the number of malicious SNs detected as genuine from the total number of malicious SNs.

Simulation Setup.
e simulation is set in an area of size 100 × 100 m 2 .e area is considered as a cluster network with 1 CH and 50 sensor nodes.e nodes are randomly deployed using the coordinates (x, y), which are generated using randi().e communication range of an SN is set to be 20 m.In this simulation, we have considered 4 types of attack such as (1) jamming attack, (2) back-o manipulation attack, (3) sinkhole attack, and (4) cross-layer attack.To evaluate the LB-IDS scheme, we have varied the attackers from 2-25% of the SNs.For example, if 10% nodes are added as malicious, then 5 SNs are malicious in the network.At the physical layer, an SN is created as malicious by transmitting 1-10 messages of size 4 bytes during Δt time.Similarly, in this layer, a node is created as genuine by transmitting 1-3 messages of size 4 bytes.e Nmr is generated using the randi().
e energy consumption for sending a bit is 3.12 μJ/bit [49].At the MAC layer, the malicious SN is created by setting the back-o time between 10 and 25 μs.Similarly, for a genuine node, the back-o time is set between 20 and 30 μs. e Bt is generated using the randi().At the network layer, a node is created as malicious by setting the hp between 1 and 2 and for a genuine node, it is set between 1 and 5. e hp is generated using randi().e values of α 1 , α 2 , β 1 , and β 2 are set to 0.5.We have considered equal weightage to all the parameters used for trust calculation in LB-IDS.When the jamming attack is implemented at the physical layer, then the value of λ 1 is taken as 1 and rest of λ 2 and λ 3 are taken as 0. Similarly, for the back-o manipulation attack at the MAC layer, λ 2 1, and the rest of the λ values are 0.For the sinkhole attack at the MAC layer, λ 3 1, and the rest of the λ values are 0. At the time of cross-layer attack implementation, λ 2 and λ 3 values are given equal weights (0.5) and λ 1 is considered as 0. Table 2 shows the simulation setup.

Results
. Figure 9 shows the calculation of trust value of a malicious node under di erent types of attacks.It is observed that when a malicious node uses jamming attack, the trust value is below 0.8.Similarly, when a malicious node uses back-o manipulation attack, cross-layer attack, and

Journal of Computer Networks and Communications
sinkhole attack, the trust values are below 0.74, 0.67, and 0.62, respectively.It is also observed that when the number of iterations or observations increases, the trust value gains stability.However, when the number of iteration is between 1 and 4, the trust value fluctuates due to less number of trust value data.From equation (2), we combined the previous experience with the current experience, and this leads to stability of the trust values.ese trust threshold values are used to detect the malicious nodes in the network.
Figure 10 shows combined detection accuracy of Wang et al. [1] and LB-IDS scheme under different types of attacks.It is observed that the detection accuracy of LB-IDS is greater than Wang et al. [1] scheme under different attacks.From Table 3, it is observed that when the number of malicious nodes increases in the network, the average DA reduces.When jamming attack is implemented, the average detection accuracy of Wang et al. [1] and LB-IDS are 87.33% and 89.83%, respectively.When back-off manipulation attack is implemented, the average detection accuracy of Wang et al. [1] and LB-IDS are 89.66% and 92.16%, respectively.When cross-layer attack is implemented, the average detection accuracy of Wang et al. [1] and LB-IDS are 93.66% and 95%, respectively.When sinkhole attack is implemented, the average detection accuracy of Wang et al. [1] and LB-IDS are 95.53% and 96.83%, respectively.
Figure 11 shows the combined result comparison of LB-IDS with Wang et al. [1] scheme.It is observed that the FPR of LB-IDS is lower than that of Wang et al. [1] scheme under different attacks.From Table 4, it is observed that when the number of malicious nodes increases in the network, the average FPR increases.When jamming attack is implemented, the average FPR of Wang et al. [1] and LB-IDS are 18% and 15.66%, respectively.When back-off manipulation attack is implemented, the average FPR of Wang et al. [1] and LB-IDS are 15.16% and 13.16%, respectively.When cross-layer attack is implemented, the average FPR of Wang et al. [1] and LB-IDS are 10% and 8.66%, respectively.When      [1] and LB-IDS are 8.33% and 6.66%, respectively.Figure 12 shows the combined result comparison of LB-IDS with Wang et al. [1] scheme.It is observed that the FNR of LB-IDS is lower than that of Wang et al. [1] scheme under different attacks.From Table 5, it is observed that when the number of malicious nodes increases in the network, the average FNR increases.When jamming attack is implemented, the average FNR of Wang et al. [1] and LB-IDS are 16% and 15%, respectively.When back-off manipulation attack is implemented, the average FNR of Wang et al. [1] and LB-IDS are 13.50% and 11.66%, respectively.When cross-layer attack is implemented, the average FNR of Wang et al. [1] and LB-IDS are 6.8% and 6.66%, respectively.When sinkhole attack is implemented, the average FPR of Wang et al. [1] and LB-IDS are 8.33% and 6.66%, respectively.

Conclusion
e proposed LB-IDS secures the WSN by detecting the jamming attack, back-off manipulation attack, sinkhole attack, and cross-layer attack at the physical layer, MAC layer, and network layer, respectively.e threshold values of the trust at each layer are used for detecting the malicious nodes and genuine nodes in the network.From the results, it is observed that LB-IDS performs better than that of Wang et al. [1] scheme in terms of detection accuracy, false-positive rate, and false-negative rate.e analysis for LB-IDS is also performed in terms of message complexity, memory overhead, energy consumption, and trust evaluation.LB-IDS will be a better security solution for the clustered WSN.In future, we will implement and validate the proposed LB-IDS using wireless transceiver modules deployed in an outdoor environment.

4. 1 .
Estimation of Physical Layer Trust.At the physical layer, Ecm and Nmr are considered as the trust metrics to calculate the deviations.

Figure 9 :
Figure 9: Trust values at different types of attacks.
3.2.Attack Model.In the attack model, we have discussed those attacks that are used for evaluating the performance of LB-IDS.e attacks are described with respect to each layer such as physical layer, MAC layer, and network layer.

Table 1 :
Notation and description.
N t is the number of messages transmitted by node k to the neighbor node.From N t , we can know the number of messages received Nmr at the neighbor node.After calculation of Rec Ecm and Rec Nmr , the relative deviation of the trust metrics of node k (monitored node) are represented as follows: where Dv Ecm and Dv Nmr are the deviations of trust metrics, respectively.ΔEcm k (t) is Ecm k (t − Δt) − Ecm k (t) and ΔNmr k (t) is Nmr k (t − Δt) − Nmr k (t).Ecm k (t) denotes the energy consumed at time t and ΔEcm k (t) is the energy consumed during Δt time (between node j and node k).
denotes the back-off time at time t and ΔBt k (t) is the back-off time during Δt time (between node j and node k).Now, we calculate the individual trust using the Bt and Nst parameters as follows:

Table 3 :
Average of detection accuracy.

Table 5 :
Average of false-negative rate.

Table 4 :
Average of false-positive rate.