Securing Wireless Sensor Networks Using Machine Learning and Blockchain: A Review

As an Internet of Things (IoT) technological key enabler, Wireless Sensor Networks (WSNs) are prone to different kinds of cyberattacks. WSNs have unique characteristics, and have several limitations which complicate the design of effective attack prevention and detection techniques. This paper aims to provide a comprehensive understanding of the fundamental principles underlying cybersecurity in WSNs. In addition to current and envisioned solutions that have been studied in detail, this review primarily focuses on state-of-the-art Machine Learning (ML) and Blockchain (BC) security techniques by studying and analyzing 164 up-to-date publications highlighting security aspects in WSNs. Then, the paper discusses integrating BC and ML towards developing a lightweight security framework that consists of two lines of defence, i.e., cyberattack detection and cyberattack prevention in WSNs, emphasizing the relevant design insights and challenges. The paper concludes by presenting a proposed integrated BC and ML solution highlighting potential BC and ML algorithms underpinning a less computationally demanding solution.


Introduction
Wireless Sensor Networks are the backbone that enables Internet of Things (IoT) at low cost and low power [1]. These networks have been considered for a wide range of applications, such as military, environmental, healthcare, and civilian, despite being vulnerable to attacks [2]. Indeed, Wireless Sensor Networks (WSNs) result in major concerns in terms of security. Concerns include the use of devices which have resource constraints in terms of energy, the adopted wireless broadcasting channels, the involvement of multi-hop relays, the dynamic network topology, variable medium-to-large network scales, heterogeneous sensor node fabrication, and most importantly, the different routing protocols employed. Securing WSNs is relevant to securing IoT [3], as the latter comprises one or more WSNs, which implies that developing prevention, detection, and mitigation security solutions for WSNs is essential for establishing secure and reliable IoT systems.
Classical WSN security techniques, such as spread spectrum, cryptography, and key management [4,5], may not efficiently detect attacks, and can demand sophisticated software and hardware changes, rendering these solutions insufficient to address WSN security concerns, as WSN devices constrain the network's power, storage, computational, and communication capabilities [6]. There has been growing interest in novel security paradigms, with cybersecurity companies investing as much as USD 119 billion to solve these problems [7]. This has led to newly evolved means aimed at strengthening WSN security against possible cyberattacks via Machine Learning (ML) and Blockchain (BC) [8].
Compared to classical techniques, ML techniques are particularly useful in WSNs and IoT applications, as computational complexity and communication overhead can be significantly decreased, no human intervention is required, and they perform better in dynamic environments. On the other hand, BC allows highly secure data transactions within any network similar to WSNs [9]. The fact that ML and BC can potentially provide promising solutions and effective mechanisms to protect and secure WSNs against cyberattacks has motivated several recent research works focused on evaluating the performance of BC and ML to secure WSNs. The performance of ML and BC is affected by the challenging characteristics of WSNs, such as their large generated data volume, which is extremely hard to manage, especially when considering highly dense networks. To this end, this paper attempts to answer the following overarching research questions. How is ML used to detect WSN cyberattacks? How is BC used to prevent WSN cyberattacks? How can the integration of ML and BC provide an effective framework to protect and secure WSNs against cyberattacks? Finally, what are the key technical challenges related to this integration? Thus, the main contributions of this survey are: (a) classification of WSN cyberattacks and the unique characteristics that complicate the design of effective detection and prevention mechanisms against cyberattacks; (b) a literature review of the existing Intrusion Detection System (IDS) architectures in the context of WSNs; (c) a comprehensive taxonomy of ML and BC along with an evaluation of relevant existing security techniques and challenges; (d) discussion of an integrated solution incorporating both technologies towards development of a WSN that is significantly immune against attacks; and (e) an ultimate overview of our approach to providing a lightweight and integrated ML and BC framework towards enhanced protection against cyberattacks in WSN contexts.
The rest of this paper is organized as follows: Section 2 reviews existing surveys on ML and BC solutions in the context of securing WSNs; Section 3 outlines the unique WSN characteristics that present network security challenges when developing such techniques; Section 4 illustrates the security requirements for designing a secure WSN; Section 5 classifies and defines cyberattacks that target WSNs; Section 6 discusses the underlying IDS architectures considered in conjunction with different WSN architectures; Section 7 extends the discussion to include different types of IDSs used for intrusion detection; Sections 8 and 9 focus on the respective taxonomies of ML and BC techniques used to detect cyberattacks, along with related aspects; Section 10 explores the integration of BC and ML towards developing a lightweight security framework for WSNs and presents our approach to developing such a framework for cyberattack prevention and detection in WSN contexts; finally, Section 11 concludes this review.

Existing Surveys on ML and BC in WSN
This paper discusses ML and BC protection mechanisms in a comprehensive manner [10][11][12][13][14][15]; however, the emphasis is on securing WSNs. In this regard, a few previous surveys have focused on presenting state-of-the-art ML and BC techniques for WSN cybersecurity. Key surveys tackling WSN security are tabulated in Table 1, which highlights the different subtopics covered, including ML, BC, attack taxonomy, and ML-BC integration, among others. The surveyed sources were collected from popular academic databases, such as IEEE Xplore, Elsevier, and Scopus, as per the most recent citation provided by Google Scholar, and are detailed in Figure 1. Table 1 reveals that research work on ML techniques is the primary subject of existing survey papers in the literature. A number of surveys that were published between 2012 and 2017, such as [16], did not examine WSN-related ML techniques, instead jointly discussing methods adopted in both IoT and WSN. On the other hand, surveys similar to [16][17][18][19] focused primarily on WSN. The authors of [19] considered only Denial of Service (DoS) attacks over the five TCP/IP layers. The authors of [17] provided a generalized and comprehensive review of ML techniques adopted to support WSNs against their inherent limitations, including security. The paper specifically focused on ML methods used to detect outlying and misleading measurements. The authors of [14] discussed the different types of attacks targeting WSNs and associated proposed ML solutions. Protecting WSNs using several ML methods was discussed in [16]. The authors of [20] explored using ML techniques with WSNs, including anomaly detection, with a focus on Deep learning (DL) techniques. A different research direction was analyzed in [20,21], where the authors focused on a specific type of WSN. The authors of [20] presented ML learning techniques targeting advanced WSN systems, and [21] reviewed ML techniques to secure industrial WSN systems. 
The authors of [22] reviewed ML algorithms and considered using software-defined networking (SDN) as a solution that can help enhance the node efficiency, creating a new foundation for using ML schemes to secure WSNs.
Considering BC techniques, several reviews have been conducted on securing IoT through the use of BC, such as [7,23-30]; however, Ref. [31] is the only article addressing BC for mitigating cyberattacks in WSNs. The study concluded that integrating BC techniques within WSNs has limitations, as BC is demanding in terms of both energy and computational complexity and is not expandable. Thus, to the best of our knowledge, our paper is the first work to review the integration of both technologies to improve WSN security, which is confirmed by Table 1.
Table 1. Key surveys tackling WSN security: [32], [21], [16], [17], [18], [20], [22], [31], and our work.

WSN Security Requirements
The most important WSN security requirements include integrity, availability, scalability, non-repudiation, mutual authentication, confidentiality, and data freshness, defined in turn as follows:
1. Integrity: transmitted messages cannot be tampered with due to illegal actions when moving from one node to the other.
2. Availability: legitimate (and authenticated) nodes can effectively access the network/provided services.
3. Scalability: the network should be able to cope with increases in size and to adapt to the dynamic addition and removal of various nodes, and node functionalities must be incorporated with sensor nodes for every service without affecting the network's security level.
4. Mutual Authentication: the identities of any pair of nodes engaged in communication must be recognized before they interact.
5. Non-repudiation: the nodes cannot deny the implemented operations or alter the messages they send.
6. Confidentiality: the privacy of sensitive data transmitted over the network medium must be preserved by ensuring that any intruder or other neighboring network intercepting the communication channels cannot obtain any confidential information.
7. Data Freshness: the data must be recent in order to ensure that no old messages have been replayed and that attackers cannot confuse the network by replaying captured messages [33,34].
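The integrity and data freshness requirements above can be checked together at the receiving node. The following is an added example, not code from the reviewed papers: the frame layout, the 8-byte truncated tag, the 32-frame anti-replay window and the use of HMAC-SHA-256 as the authentication primitive are all assumptions chosen for illustration, and the keys and payloads are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8     # assumed: truncated tag to limit per-frame radio overhead
WINDOW = 32     # assumed: how many recent counters are tracked per sender
HEADER = ">HI"  # assumed frame header: 16-bit sender id, 32-bit counter
HEADER_LEN = struct.calcsize(HEADER)


def _tag(key: bytes, header: bytes, payload: bytes) -> bytes:
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]


def seal(key: bytes, sender_id: int, counter: int, payload: bytes) -> bytes:
    """Sender side: header || payload || tag over header and payload."""
    header = struct.pack(HEADER, sender_id, counter)
    return header + payload + _tag(key, header, payload)


class Receiver:
    """Verifies integrity first, then freshness with a sliding window."""

    def __init__(self, keys):
        self.keys = keys      # sender_id -> pre-shared key
        self.highest = {}     # sender_id -> highest counter accepted so far
        self.seen = {}        # sender_id -> bitmap of recently seen counters

    def accept(self, frame: bytes) -> str:
        if len(frame) < HEADER_LEN + TAG_LEN:
            return "malformed"
        header = frame[:HEADER_LEN]
        payload = frame[HEADER_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        sender_id, counter = struct.unpack(HEADER, header)
        key = self.keys.get(sender_id)
        if key is None:
            return "unknown-sender"
        # Integrity: reject before touching any replay state, so forged
        # frames cannot advance the window.
        if not hmac.compare_digest(tag, _tag(key, header, payload)):
            return "bad-tag"
        # Freshness: counters must be new, or inside the window and unseen.
        highest = self.highest.get(sender_id, -1)
        bitmap = self.seen.get(sender_id, 0)
        if counter > highest:
            shift = counter - highest
            bitmap = ((bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest[sender_id] = counter
        else:
            offset = highest - counter
            if offset >= WINDOW:
                return "stale"
            if (bitmap >> offset) & 1:
                return "replayed"
            bitmap |= 1 << offset
        self.seen[sender_id] = bitmap
        return "ok"


if __name__ == "__main__":
    key = b"constructed-key!"                 # constructed sample key
    rx = Receiver({7: key})
    frame = seal(key, 7, 0, b"temp=21.5")     # constructed sample reading
    print(rx.accept(frame), rx.accept(frame))  # second copy is a replay
```

The window tolerates the out-of-order delivery that multi-hop relaying produces while still rejecting a captured frame sent a second time.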

WSN Design Challenges and Unique Characteristics
WSN security solution design is highly affected by the unique features of these networks that make them more susceptible to cyberattacks than other technologies. This is primarily due to their challenging underlying infrastructure, which consists of a collection of sensor nodes utilizing scarce resources. The basic building blocks of a sensor node consist of four main units, namely, processing, sensing, communication, and power [31], as shown in Figure 2. The processing unit is the central unit, containing a processor or microcontroller that controls the sensor's activities and executes the communication protocols; however, it has limited storage memory. The processing unit is connected to the sensing unit by an Analog to Digital Converter (ADC). The sensing device captures surrounding data, which are then converted into an electrical signal by the ADC. The communication unit typically supports data exchange between the sensor and the other network elements using a transceiver. Finally, the power unit provides the electrical energy required by the other units using limited-lifespan batteries. Optional sensor hardware additions include power generation and mobilization units [35]. Certain nodes may include a location-finding unit for positional localization in reference to the node's neighbors. These special characteristics must be identified before they can be used in the design and development of more secure networks. The following points describe the dominant design considerations in WSNs in detail, which are further highlighted in Figure 3.
• WSNs can be used in a wide range of applications with different security requirements; however, they must be able to ensure privacy, confidentiality, integrity, freshness, and authentication.
• Sensor nodes must be heterogeneous in terms of fabrication and energy-saving strategies, such as sleep, idle, and wake-up modes, which dictates the need to provide different underlying network architectures for the different heterogeneous applications.
• WSNs have many appealing applications, creating a need for different levels of secure functionalities and service requirements, such as secure node selection, data aggregation [36], localization, and routing.
• Resource-constrained devices have limited memory, power, and transmitting bandwidth. For example, TelosB [37] is an ultra-low-power sensor with a 16-bit processor and 8 MHz RISC microcontroller with only 10 Kb RAM, 48 Kb program memory, and 1024 Kb flash storage. The required total space for a typical code, such as TinyOS, which is the de facto standard operating system for wireless sensors, is approximately 4 Kb [38]. Therefore, any implemented security algorithm within the network must not be computationally demanding beyond these limitations.
• Security algorithms must be able to manage unsupervised sensors, which could be exposed to physical attack by demolishing the hardware or to attackers equipping sensors with extra hardware to perform hidden or malicious functions prior to their being deployed in the network area.
• Determining the adopted broadcast dynamic channel used as a wireless communication medium is challenging, as it is unattended and might be affected by collision and interference issues.
• The lack of fixed physical infrastructure is a significant design challenge due to the rapidly changing connectivity between nodes.
• A dynamic underlying network topology results from node failure, deployment of new nodes, possible variations in node position (which is especially the case under harsh environmental conditions), and node mobility. The resulting flexibility in terms of link connectivity presents a design challenge for security algorithms, which must be able to adapt to network node variations in order to obtain the extra measure of protection provided by monitoring of corrupted nodes.
• WSN routing protocols have weaknesses, including malicious routing information injection, alteration, or spoofing, which might lead to network disruptions such as creation of routing loops, broadcasting of fake error messages to partition the network, attracting or repelling network traffic from particular nodes, extending or shortening route paths, and increasing end-to-end latency. These issues are likely to complicate the design of security routing techniques [39].
• Medium- to large-scale networks of hundreds or thousands of nodes deployed randomly or uniformly throughout the network field present a challenge when designing security algorithms that are sufficiently flexible to support different security-level requirements.
• The scalability of WSNs implies handling large amounts of data that may have inconsistent, noisy, erroneous, redundant, and missing values, which requires designing intelligent security approaches that can correctly interpret data to drive intelligent decision-making.
• Data transmission over multi-hop relaying creates a significant threat, as relays could be eavesdroppers [40], and communicated data may be breached, tampered with, or forged.
• Time synchronization is an issue, as nodes are independently controlled in the field. Local clocks should be coordinated to avoid synchronization uncertainties, which could cause sensed data to become ambiguous and unreliable.
• Unexpected and unusual sensor behavior patterns may arise during WSN deployment in unpredictable and hazardous environments, potentially changing the entire historical pattern of the sensed data.
These characteristics render a completely secure WSN system almost impossible to establish, unlike its counterpart networks. The characteristics of WSN systems limit the available security options, including those similar to heavyweight classical security approaches such as spread spectrum, cryptography, and key management at either the device level or the overall network level. These options are demanding in terms of the resources required to protect the network. As existing security solutions for WSNs are insufficient due to these networks' unique characteristics, it is difficult to create lightweight and effective security mechanisms that can enable optimization of node resource usage while supporting network scalability and without compromising security, allow for a dynamic network topology with different possible configurations and node localization, and integrate heterogeneous hardware and software platforms for sensors to allow them to detect malfunctioning or faulty nodes.

Cyberattacks in WSN Contexts
Cyberattacks are the greatest challenge facing communication networks worldwide. The threat of cyberattacks affects any network's connectivity, availability, reliability, and confidentiality, limiting its efficient use. Mitigating this challenge is essential, especially because the frequency and the nature of attacks have increased tremendously over time [41]. For this reason, cyberattacks targeting WSNs have been the focus of several recent studies in the literature [4,42-46]. Cyberattacks occur when good nodes are communicating over a communication link and intruder or eavesdropper nodes interfere with or disturb that link. This malicious activity usually aims to obtain, alter, or prevent the flow of data within the network using different means; therefore, this activity should be prevented, detected, and mitigated in order to maintain a reliable communication channel [47]. Malicious acts targeting WSNs have been classified in the literature in different ways: the first classification divides attacks into active or passive attacks; the second classification is based on the physical location of the attack relative to the network's physical position, using this distinction to divide attacks into inside or outside attacks; and the third classification is based on the disrupted Open Systems Interconnection (OSI) stack layer, dividing attacks into physical layer, data link layer, and network layer attacks [42,48]. Table 2 classifies a selection of classical attacks targeting WSNs and provides their definitions.

A malicious node intercepts a message passing between two sensor nodes with the aim of modifying, injecting, or deleting content before relaying the message again.

Denial-of-Service
An attacker performs malicious activities to prevent original users from accessing system resources.

Distributed Denial-of-Service
A more powerful version of DoS attack that overwhelms the targeted nodes with excessive messages to exhaust their resources, leading to a system overload that prevents it from answering some or all legitimate messages.

Deluge (application layer)
An attacker tries to remotely reprogram a sensor node.

Misdirection
An attacker forwards packets to the wrong destinations or paths by misdirecting packets or altering routes towards a malicious node.

An attacker sends a large number of useless packets to a legitimate node, preventing it from communicating normally and consuming its resources.

Session Hijacking
An attacker exploits a valid session, pretends to be a victim node, and obtains fake access to the session.

Desynchronization
An attacker intercepts sequence numbers or controls flag packets that it attempts to forge; if the attacker can desynchronize two communicating nodes, the receiver node must request retransmission from the sender for the lost packet. Frequent retransmission consumes network resources and increases traffic over the network.

Replay
An attacker records the messages sent between nodes and re-transmits them later to waste the target node's resources.

Forwarding or Grayhole
A malicious node selectively, constantly, or randomly drops packets while forwarding the remaining packets to a particular destination, which happens when relay nodes do not forward messages they receive.

Neglect and Greed
A special case of selective forwarding attack in which the attacker arbitrarily drops some of the received packets while acknowledging the source node (neglect attack) or sends its own packets with higher priority to other nodes (greed attack) [49].

Homing
An attacker analyzes traffic using a traffic pattern analysis algorithm to recognize the nodes with special responsibilities, such as cluster heads (CHs) or base station (BS), which are the attack targets. Afterwards, additional DoS attacks may be launched toward these nodes to jam or destroy them.

Spoofing
An attacker forges its identity by impersonating another node and falsifying the identity field in routing messages to launch DoS attacks by injecting fraudulent data packets, such as falsely advertising services to other nodes or providing incorrect routing and control information to compromise network operation [50].

Blackhole
A malicious node, usually located in the center, does not forward traffic and drops the packets completely.

Wormhole
A collusion-based attack in which two or more malicious nodes create a low-latency data delivery tunnel between two or more malicious nodes to perform other attacks, such as a blackhole attack. For instance, the nodes may establish a low-latency tunnel by which one malicious node misroutes the packets to be forwarded and sends them to its partner using a faked routing path to disrupt routing operations in the network.

Sybil
A single attacker node assumes several identities or steals them from other authorized nodes to create several sybil nodes that can be virtually present in different neighborhoods, then attack the network to cause problems with multipath routing, network topology, storage access, and detection [50].

Sinkhole
A malicious node identifies itself as a blackhole to attract network traffic. The attacker observes path requests and falsely offers the shortest or most power-efficient paths to the BS. As the attacker is in the relay path between the communicating nodes, it is able to change or alter the packets passing between them [44].

An attacker broadcasts advertisement 'Hello' messages with high power, asking network nodes to join an existing WSN and tricking the nodes into believing that it is located in their neighborhood. The nodes choose to route their packets through the attacker, which has a longer transmission range than normal nodes, leading to additional delays and energy waste.

Collision
An attacker sends signals while another node is transmitting a message, causing interference that alters data packets or causes them to be considered invalid. Collision usually occurs when multiple nodes transmit data at the same frequency and data rate.

Denial of Sleep (Sleep Deprivation)
A malicious node prevents legitimate nodes from entering low-power sleep mode, causing them to keep wasting their energy [51].

Power Exhaustion
In order to drain the victim node's power, an attacker sends packets over the channel continually by requesting calculations or the receipt or transmission of unnecessary data, which leads to starvation. The source of the attack can be a PC or laptop.

Unfairness
A malicious node continuously sends packets without waiting a reasonable time to let other nodes use the channel. This is a kind of exhaustion-based attack which disrupts equal load sharing in the WSN.

Jamming
An attacker sends a radio signal that interferes with the sensor network's use of certain radio frequencies.

Physical or Node Tampering
An attacker physically accesses a compromised node and takes over the control, for example, to obtain sensitive information such as transmission keys [52,53].

Node Replication or Clone
An attacker captures a compromised node, obtains access to the stored credentials, purposefully duplicates the node's identity, and then deploys clones in key positions of the WSN [54] to initiate different internal attacks.

A camouflaged node deceives the other nodes and attracts packets from them in order to either misroute the packets or eventually drop the packets.

Eavesdropping and Traffic Analysis
The most common attack on privacy, also called sniffing or snooping, where an attacker simply discovers the content of communications.

Passive Information Gathering
If the content of messages from network communication media, such as message identification numbers (IDs), nodes locations, and timestamps, is not encrypted then an attacker with the appropriate receiver can collect and observe the information.

Replay or Duplication
An attacker copies a stream of messages between communicating nodes, then replays the stream to one or more of the nodes [55].

Active attacks threaten network integrity and reduce availability by continuously attempting to modify the content of the network packets or flooding the victim nodes with surplus packets. The different types of active attacks are based on the underlying stack layer disrupted by the attack, as shown in Figure 4 [42,48]. Attacks such as link jamming, physical tampering, or node replication are hardware-oriented attacks that affect the node's physical layer. These attacks are more likely to occur when the sensor is exposed to a harsh environment or open to an adversary; therefore, they are unlikely to occur when the sensor node is placed in a secure indoor location. Other attacks, such as collision, exhaustion, and unfairness, are executed against the Media Access Control (MAC) protocol at the data link layer. These attacks cause collisions that result in packet re-transmission; therefore, copies of the same packets must traverse the network, overwhelming the communication channel and wasting the sensors' limited energy. The most common attacks, such as sinkhole, wormhole, blackhole, selective forwarding (grayhole), 'Hello' flooding, sybil, spoofing, and altered or replayed routing information attacks, all interrupt the network layer. These attacks prevent proper packet delivery to the destination through methods such as taking advantage of the multi-hop routing protocol, in which any routes passing through malicious nodes are unable to deliver packets or are intentionally redirected to incorrect nodes. Examples of attacks impacting the functionality of the transport layer include session hijacking, flooding, and de-synchronization attacks. For example, flooding results in node failure, as the attacker consumes node resources by sending multiple connection requests. Attacks that target the application layer include selective forwarding, deluge, and clock skewing. The most difficult to detect among these attacks is selective forwarding, as the attacker does not block packet forwarding entirely, and only drops or alters some of the received packets from selected nodes. Deluge allows the sensor nodes to be reprogrammed remotely, and clock skewing disrupts those sensors that require synchronization for successful communication.
Unlike active attacks, passive attacks do not affect network integrity, instead compromising network confidentiality. These attacks sniff and read unauthorized messages through the communication channels between nodes without disrupting their communication or interrupting network processes. Passive attacks may make the network more vulnerable to other kinds of attacks, such as camouflaged adversaries, physical tampering, eavesdropping, and traffic analysis.
Internal attacks are initiated from within the network's physical boundaries. These attacks control and utilize other network nodes to execute malicious acts. An inside attack can obtain the network transmission key or other network information from the transmitted packets within the network, then use this information to attack the entire network. A typical example of an internal attack is when an attacker takes advantage of a dumb security implementation at an unsecured sensor node or a non-updated device's firmware, which allows the attacker to turn sensing devices into malicious nodes. The attacker then utilizes the node's network connectivity with other nodes to extract network data using eavesdropping, interfering, or misrouting.
External attacks are initiated from beyond the network boundaries; therefore, they cannot obtain network information, such as node identification numbers or transmission keys, making attack recognition easier [48]. In addition, external attackers require powerful wireless transceivers to listen to data packets inside the network in order to accomplish malicious activities such as eavesdropping, replay, injection, and interference. Figure 5 depicts scenarios for external and internal attacks targeting a WSN.
In terms of OSI layers, the physical and network layers experience the most threatening attacks. The physical layer possesses a broadcasting channel and a dynamic topology, which allows attackers to easily listen to or sniff the communication channel and establish attacks, while the network layer has a weak routing protocol that attackers can exploit to execute malicious acts. Another form of attack can be initiated over several WSN stack layers; such attacks across multiple layers include DoS and Man-in-the-middle (MITM) attacks [38]. DoS attacks are numerous, and include jamming and node tampering at the physical layer; collision, exhaustion, denial of sleep, and unfairness at the data link layer; homing, blackhole, grayhole, wormhole, sinkhole, spoofing, 'Hello' flooding, TDMA scheduling, sybil, and replay attacks at the network layer; and flooding and desynchronization at the transport layer [56]. MITM attacks work as a relay between two victims [6]; this type of attack can be passive, where the attacker eavesdrops or intercepts the data traveling on the network between two legitimate nodes without altering the data, such as eavesdropping at the physical layer, or it can be active, where the attacker can delay, drop, or modify the content of a packet, such as a replay attack at the network layer [57].

Architecture of WSN vs. Architecture of IDS
Intrusions are similar to attacks in that they aim to disturb the network's normal operation or obtain access to the network's information. The IDS is the network's line of defense, designed to detect violations and tell the controller, or BS, to react appropriately.

Naive or Flat-Based WSN Architecture for Centralized IDS
In a centralized architecture, better known as a Naive WSN architecture, a central BS collects all the information sensed by all network nodes and forwards the collected information to the cloud IoT server. Similarly, in a centralized IDS, the BS acts as a global reference that performs computationally demanding tasks to monitor and filter data traffic to facilitate attack detection. Several studies have considered executing the IDS at both the BS level and at the remote server level connected to the IoT cloud, which is called a multi-layer IDS scenario. This approach has multiple limitations, including attack detection latency, considerable communication overhead, and high energy consumption. Latency occurs when data traffic analysis is delayed until the information reaches the BS. Communication overhead is caused by the need to transmit all sensed information to the central BS over the communication link, increasing energy consumption as the node's distance relative to the central unit increases [58]. Due to these limitations, centralized IDS architectures are typically used only in very small networks.

Naive or Flat-Based WSN Architecture for Stand-Alone IDS
The opposite philosophy to centralized IDS is stand-alone IDS, which is a node-centric architecture. Each node individually uses an IDS detection model to detect any possible attack locally without needing to exchange any information with the adjacent nodes or a central BS unit. This approach does not exhibit latency when detecting node attacks or introduce communication overhead; however, energy consumption at the node level is higher than in a centralized IDS, and the nodes have lower battery life.

Naive or Flat-Based WSN Architecture for Distributed or Cooperative IDS
This approach assumes that each node has its own local IDS model to monitor the data traffic, then involves all network nodes in deciding whether an intrusion is present in the network based on the detected indicators. If a locally measured indicator is weak or inconclusive, the involved node can initiate a cooperative global intrusion detection procedure in which all network nodes cooperatively participate in reaching a global decision. Otherwise, if an intrusion is locally detected with sufficient evidence, the involved node can independently alert the rest of the nodes to the presence of a violation in the network. This approach reduces false attack stimulus events, which relate to scenarios in which a violation alarm is triggered even though no real threat is in progress within the network. In this approach, node power consumption is higher and node battery life is lower than in the stand-alone IDS due to the additional optional cooperative procedure.

Naive or Flat WSN Architecture for Agent-Based IDS
Agent-based IDS involves installing the detection model in a selected subset of sensor nodes, which are called Monitor Nodes (MNs), to reduce the detection overhead faced by the stand-alone and distributed approaches. In this approach, selected nodes perform detection in addition to their normal sensing, communication, and routing activities in the case of flat WSN architecture. Agents' tasks are relocated to another predefined subset of nodes after a certain period of time or when performing a specific mission, which improves IDS detection efficiency and increases network lifetime. Agent-based IDS is especially suitable for WSNs, as nodes near the BS can be excluded from communicating all of their samples when developing the reference ML model at the BS because they do not contribute much to the determination of the hypersphere of the developed ML model. Agent-based IDS is typically preferred over centralized IDS architecture, especially for networks with geographically dispersed nodes, as in a centralized approach the nodes consume more power when transmitting their data to the central location.

Hierarchical WSN Architecture for Distributed or Cooperative IDS
A WSN's hierarchical architecture is a variation of centralized architecture, which can be implemented as cluster-based or tree-based. In a cluster-based architecture all sensor nodes are partitioned into clusters, whereas in a tree-based architecture the nodes are partitioned into trees according to their topographical area. The nodes in a tree-based architecture are organized into a routing tree rooted at the BS. Cluster-based architectures can be static or dynamic. In static clustering the sensors are divided proactively into several clusters at the time of network deployment, while in dynamic clustering the formation of clusters is triggered reactively by detecting the event of interest. In a distributed IDS, the detection model is placed in every sensor network node, allowing nodes to collaborate in order to detect possible intrusions. The clear advantage of implementing a combined hierarchical and distributed architecture is that the communication overhead is significantly lower than in other approaches, as both hierarchical and distributed architectures involve less communication exchange between nodes [58]. A disadvantage of this approach is the need for each network node to have sufficient energy, processing, and storage capacity. Studies have considered using multi-layer instead of distributed IDS, with heterogeneous detection models placed only at the BS and CHs.

Types of IDS
IDS-based mechanisms are effective and lightweight solutions for detecting abnormal behavior in WSN sensor nodes. An IDS requires an IDS agent or detector node that analyses the network traffic to detect abnormal behavior. Intrusion detection at the IDS agent level involves three phases: collection, processing, and action. Network data traffic is collected during a specific time period, then this collected information is processed according to a particular detection mechanism. Detection approaches can be classified as misuse-based, anomaly-based, and specification-based detection. In misuse-based or signature-based detection, the system searches for specific patterns or signatures to identify and detect an intrusion. This approach easily detects known attacks, but cannot detect new or unknown attacks. In specification-based detection, a set of rules or specifications is set as a reference for normal system operation; any deviation from these specifications triggers an abnormal behavior alert, allowing the system to take proper preventive actions accordingly. This approach has a low false positive rate; however, developing the required specifications is very time-consuming. Anomaly-based detection systems learn the normal behavior profile from normal network traffic and create a reference model accordingly. This model is then used to detect any deviation from the learned pattern or behavior exceeding a certain estimated threshold for use in identifying intrusions [32].
Anomaly-based detection is adaptive, and can detect new and unknown attacks efficiently; however, it has a higher false positive rate compared to previous approaches, as any deviation from the normal behavior profile is considered an attack even though it might be due to normal activity of an unlearned profile or a faulty node producing abnormal activities [15]. Especially in critical infrastructure applications, these types of anomalies are just as harmful as those caused by intruders, and should be identified by the developed reference model [32]. Anomaly-based detection is practical, flexible, computationally feasible, and efficient in terms of bandwidth (BW), spectrum, and memory [21]; therefore, it is widely used to secure WSNs. For this reason, the focus of this survey is on anomaly-based detection.
Anomaly-based detection techniques are classified into statistical and ML approaches. In statistical approaches, the stochastic network behavior in normal conditions is measured during a specific time window and is used to establish a baseline for future detection of patterns that are different from normal traffic [58]. However, the approach continuously generates other reference profiles with a given score for comparison to the reference profile during traffic monitoring. In this approach, the IDS is able to detect an anomalous occurrence if the score is above a certain threshold. On the other hand, ML approaches use classification algorithms to detect intrusions and malicious activities. ML classification algorithms build models capable of classifying packets to distinguish between normal and abnormal packets through training. The model is installed at the sensor level, and can classify upcoming packets after training. The advantage of ML is the ability of models to learn from experience without being explicitly reprogrammed, allowing them to be improved automatically [15,59].
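The statistical baseline-and-threshold scheme described above, combined with the weak-indicator and strong-indicator rule of the distributed or cooperative IDS architecture described earlier, is sketched below as an added example that is not taken from the paper or the works it reviews. The z-score test, the two thresholds, the strict-majority vote, and all traffic figures are assumptions constructed for illustration.

```python
"""Statistical anomaly detection with a cooperative fallback (illustrative sketch)."""
import statistics

WEAK_Z = 3.0   # assumed threshold: deviation that is suspicious but inconclusive
ALERT_Z = 6.0  # assumed threshold: deviation treated as sufficient local evidence


class LocalDetector:
    """Per-node IDS agent: learns a normal profile, then scores new observations."""

    def __init__(self, training_window):
        if len(training_window) < 2:
            raise ValueError("need at least two normal samples to build a baseline")
        self.mean = statistics.fmean(training_window)
        # Floor the spread so a perfectly constant window cannot divide by zero.
        self.std = max(statistics.pstdev(training_window), 1e-6)

    def score(self, observed):
        """Deviation from the learned baseline, in standard deviations."""
        return abs(observed - self.mean) / self.std


def decide(node_id, detectors, observations):
    """Return (verdict, mode) for node_id's view of the monitored neighbour.

    Strong local evidence raises an alert immediately. A weak indicator starts
    a cooperative round in which every monitoring node votes with its own
    detector, and a strict majority is required to declare an intrusion.
    """
    local = detectors[node_id].score(observations[node_id])
    if local >= ALERT_Z:
        return "intrusion", "local"
    if local < WEAK_Z:
        return "normal", "local"
    votes = [detectors[n].score(observations[n]) >= WEAK_Z for n in detectors]
    verdict = "intrusion" if 2 * sum(votes) > len(votes) else "normal"
    return verdict, "cooperative"


# Constructed data: packets per 10 s interval received from one monitored
# neighbour, as overheard by three monitoring nodes during normal operation.
TRAINING = {
    "A": [20, 22, 19, 21, 20, 18, 21, 19],
    "B": [20, 21, 19, 20, 22, 20, 19, 21],
    "C": [21, 20, 20, 19, 22, 21, 20, 19],
}
DETECTORS = {node: LocalDetector(window) for node, window in TRAINING.items()}

# Constructed detection-time observations for four situations.
SCENARIOS = {
    "quiet interval": {"A": 21, "B": 20, "C": 21},
    "flood-like burst": {"A": 95, "B": 90, "C": 97},
    "glitch seen only by A": {"A": 25, "B": 21, "C": 20},
    "moderate rise seen by A and B": {"A": 25, "B": 24, "C": 23},
}


def run_scenarios():
    """Evaluate every scenario from node A's point of view."""
    return {name: decide("A", DETECTORS, obs) for name, obs in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (verdict, mode) in run_scenarios().items():
        print(f"{name:32s} -> {verdict} ({mode} decision)")
```

The third scenario is the false-alarm case the cooperative procedure is meant to suppress: node A alone would have flagged the deviation, but the other two monitors see normal traffic and the vote returns "normal".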

ML and Cyberattack Detection
ML algorithms are used to build self-learning classifiers consisting of behaviors, which are able to act without human intervention by using mathematical techniques based on specialized datasets. These algorithms enhance the network nodes' ability to learn without being explicitly programmed. Such models are used to make future predictions based on new input data. ML algorithms are currently used in various applications, such as smart cities, energy, agriculture, intelligent transportation systems, industry and manufacturing, search engines, social media, cyberattack detection, spam email filtering, and recommendation systems. Different ML techniques are used to improve the functionalities of WSNs, such as data sensing, CH selection, routing and optimal path determination, data aggregation, minimizing packet delivery latency, duty cycle management, quality of service (QoS) provisioning, resource management, and to increase network lifetime. ML algorithms have been used to design lightweight detection and mitigation systems to secure WSNs against cyberattacks. They allow sensor nodes to detect possible attacks and immediately take appropriate actions to mitigate the impact of an attack by triggering an alarm, determining the degree of the risk, and isolating the attacker node from the next round of network progress [60]. The ML pipeline spans data collection and pre-processing, feature selection, model training using proper ML algorithms, hyperparameter tuning, model testing, validation, and deployment.

ML Methodology
Several studies have developed and investigated effective ML techniques for cyberattack detection and mitigation. Figure 6 illustrates the generalized methodology of an ML algorithm applied to ML-based IDS. The workflow includes several phases corresponding to dataset collection, data preprocessing, feature selection and extraction, ML model training, hyperparameter tuning, and model testing and validation. The first step is the availability of a dataset, which can be balanced (using an equal number of samples for each attack type in addition to normal class samples) or imbalanced (consisting of an unequal distribution of the classes in the dataset). The next step is data preprocessing, which involves several stages: class rebalancing and sample size reduction, missing value imputations, cleaning or feature removal, data normalization, and transformation (i.e., encoding labeled data). The advantage of balancing the dataset before using it in training is to avoid bias towards the majority class. This is followed by feature selection, which involves determining an optimal set of features to help reduce dataset dimensionality, especially when considering a large dataset that may have irrelevant, redundant, erroneous, and correlated features. A lower number of dataset dimensions leads to less computational and training time being required. The reduced dataset is then utilized to train the ML model. Optimal hyperparameter values can be obtained by applying efficient tuning techniques. The final step is testing and validation, which entails using several evaluation metrics to assess ML model performance, such as the probability of detection $P_d$, probability of false alarm $P_{fa}$, probability of misdetection $P_{md}$, positive prediction value PPV, accuracy (ACC), F1-score, root mean square error RMSE, and receiver operating characteristics (ROC).
Unsupervised learning ML algorithms only use the inputs while learning, as the associated outputs are not provided; the learning process is performed by classifying the provided input data into groups called clusters, and any new input is classified within its corresponding group. Clustering and dimensionality reduction are the two main categories of unsupervised learning. Semi-supervised learning works by combining a small amount of labeled data with a large amount of unlabeled data. In reinforcement learning, neither the inputs nor their corresponding outputs are provided, and the relationship between the input and the output is learned by interaction with the surrounding environment and a reward scheme. The reward scheme depends on the learning algorithm's performance when achieving a certain task such that a reward is provided if it achieves high performance. A popular example of reinforcement learning is Q-learning.

Deep Learning
DL requires a larger amount of data samples; therefore, more processing time and power are required than with classical ML techniques, which is not favorable in resource-constrained WSN contexts. DL models are more suitable for classification and prediction tasks in IoT applications that generate unstructured data, such as images, audio, and video.
DL techniques such as recurrent neural networks (RNN), deep belief networks, and Convolutional Neural Network (CNN) are largely used for security preservation and attack detection, due to their fundamental constraints when applied to WSNs. The computational complexity associated with their training, inference, and adaptation makes their use in sensor devices impractical. Several studies have been conducted on using DL techniques, such as [72], where the authors used autoencoder neural networks with a single hidden layer of neurons for lower complexity, which suits resource-constrained WSN contexts. The authors of [75] proposed a hybrid DL model using CNN and long short-term memory (LSTM) for blackhole and grayhole attack detection. The same techniques, CNN and LSTM, were used by the authors of [76] to detect DoS attacks. The authors of [77] investigated the performance of different DL techniques, including Deep Neural Network (DNN), CNN, RNN, and CNN, in combination with RNN for a single detection layer against DoS attacks. The authors of [78] proposed a DL model using a restricted Boltzmann machine with different numbers of hidden layers. The authors of [79] proposed a DL model using CNN for the detection of DoS, U2R, R2L, and probe attacks. They proposed a hybrid algorithm consisting of the whale optimization technique and artificial bee colony optimization technique. Overall, both ML and DL techniques are promising for efficient IDSs in WSNs and IoT thanks to their ability to process high-dimensional data, extract useful features from network traffic payloads, and determine complex nonlinear relationships between inputs and outputs to enable informed and intelligent decisions on the part of networks.

Deep Reinforcement Learning
Adapting to new or constantly evolving attacks is a major drawback in classical ML and DL algorithms due to their dependence on the fixed features of existing attacks provided by the dataset for the learning process, which limits the implementation of algorithms in applications that are vulnerable to dynamic intrusions [80]. Research activities have searched for a more efficient solution by integrating DL methods with RL, which has proved effective in various IDS applications for detecting sophisticated types of cyberattacks, especially in real-time and adversarial environments [80]. For instance, attacks that affect both the physical and MAC layers were effectively detected using a proposed deep reinforcement learning (DRL) model that relied only on partial observations. In [81], a new DRL-based IDS for WSNs was designed considering link invulnerability and node importance.

Federated Learning
Federated Learning (FL) supports a distributed approach to perform model training at the sensor node, unlike ML or DL. WSN nodes sense and collect the data readings, then use the locally collected data for model training [82]. Afterwards, the full locally obtained model parameters in the network are shared with a powerful node, referred to as an aggregator, usually the IoT cloud server. The aggregator then merges the received trained model parameters and generates a global model that is deployed to all WSN nodes. A system based on FL structures is more robust and privacy-preserving than a traditional ML- or DL-based IDS, because the sensor nodes collaboratively build a global learning model while safely preserving all training data locally at the sensor storage location. In a traditional ML- or DL-based IDS, large volumes of raw data are continuously transmitted from sensors to the BS, which involves significant channel interference and energy consumption, keeping in mind that only a small fraction of the data readings are anomalous.
Recent studies have addressed the challenges of applying FL in the context of WSNs, as FL requires additional overhead and complexity, which may affect detection accuracy and convergence speed. Anomalous samples represent a very small fraction of the local data, meaning the accuracy of the training process is reduced because only the node's locally collected data is used for training, and the local dataset may lack enough training data for certain types of attacks. The node's resource heterogeneity and dynamic physical topology could lead to unexpected inconsistencies during the training process. Different nodes collect different numbers of data samples for training, meaning that attacks might only appear in very few nodes, and the same type of attack may have diverse distribution patterns at different nodes. This imbalanced distribution of data can slow down the training process at the aggregator and reduce performance due to diverging weights; thus, reducing the number of rounds required for the learning process to reach convergence is necessary in the context of a WSN in order to reduce power consumption.
Fast iteration convergence is a challenge when considering that training data samples at the local nodes are not independent and identically distributed (iid) in FL, as is the case with other ML techniques. This challenge is caused by issues such as non-uniform placement of sensors in space, faulty sensors, and high packet loss rates. Despite this, several studies support the assumption that the data samples collected at the sensor nodes are iid, as training on iid data is likely to converge faster than training on non-iid data. However, this assumption is not applicable in FL.
A promising clustering FL approach has recently been examined in the literature to solve these challenges. WSN nodes in a clustering architecture, known as MNs, send their observations to their current CHs, which perform the learning process on the aggregated data at the local cluster level. Each CH then uploads its model parameters to the FL cloud server through the BS, where they are combined into a global model with the minimum possible frequency to reach convergence [83]. This clustering approach can help to reduce overall network energy consumption, as one aggregated transmission is much more energy-efficient than multiple separate transmissions, especially when the data size is large [15]. In addition, it can help reduce communication overhead, as data compression is possible in this approach [82]. A clear challenge with the clustering FL approach is the need to optimize the number of the CHs and the number of cluster members (CMs) per cluster, in addition to the possibility that a CH may fail to train or send its local model to the server.
The different approaches mentioned above share a common challenge related to the high number of transmissions required for the BS or the aggregator to broadcast the parameters of the developed model to the rest of the nodes in the WSN, which introduces a different communication overhead that requires high energy consumption [84,85].

ML Challenges in WSN
This section discusses challenges introduced by network resources, application and routing algorithms, the classical ML framework, and cross-layer attack detection when implementing ML techniques for the detection of cyberattacks targeting WSNs.

Challenges Related to Constrained Resources
ML algorithm selection should include consideration of the computational complexity, memory usage, and balance between the quality of learning and the associated energy budget, as the developed models are intended for deployment on resource-scarce devices. Continuous or periodic collection of network traffic results in big data issues, leading to a prominent challenge for the ML framework [86]. Moreover, the frequency of uploading data samples is different from one network scenario to another. For instance, certain networks are configured to put sensor nodes into deep sleep mode in order to conserve network energy; however, important readings may be missed in these scenarios, and a body of knowledge may be lost. Another example involves the possibility that network resource consumption may not be relative to the frequency of global aggregation and model training accuracy [87].

Challenges Related to Applications and Routing Algorithms
Developing a suitable ML security model to detect attacks for diverse WSN applications is challenging, especially for mission-critical, highly sensitive, real-time, and adversarial environment applications. It is preferable that anomaly detection be performed locally at the local sensor nodes to avoid any communication with other nodes, the BS, or the IoT cloud due to high security requirements, which are not feasible for resource-scarce nodes. Another cyberattack detection challenge is the attacker's ability to exploit the routing algorithm and compromise its individual forwarding steps to attack the network. The purpose of these actions is to disrupt the routing and communication process by misdirecting or altering the routing information or broadcasting fake information. The IDSs, on the other hand, can take advantage of the known behavior associated with the routing algorithm to build models of legitimate operation and compare them to the real exchange of routing messages between the nodes. Routing attacks belong to the network layer, and include sybil, 'Hello' flooding, sinkhole, blackhole, grayhole, and wormhole attacks [88,89]. Using secure routing protocols as a prevention technique and deploying proper ML-based IDS should be considered when securing these networks.

Challenges Related to the ML Framework
Pre-processing, feature selection and extraction, and hyperparameter tuning are essential for the success of any ML model learning process; however, collecting labeled data is not always possible in WSNs, as certain attacks may only appear in very few nodes and with low frequency. Thus, selecting an algorithm that can use minimally labeled data in a way that is sufficient for the learning process is crucial. Data reduction is required to reduce the processing time of the learning process on large datasets, especially for large-scale WSNs. ML preprocessing includes the process of adjusting the raw data to a format that can be used to train an ML model, such as removing features, sample size reduction, class rebalancing, missing data imputation, data normalization, encoding labeled data, and changing the data type of certain features. The process of reducing redundancy and correlation by selecting the most informative features during feature extraction while dropping irrelevant or partially relevant features from the dataset can be classified as follows: filter-based, wrapper-based, or embedded-based. Filter-based methods filter out irrelevant features independently of the learning algorithm, making them much faster and computationally effective than other methods and more suitable for WSNs [90]. Stacked-based feature extraction has been used as well; it combines several feature selection algorithms ordered as a stack and executed one after another, then applied to the dataset [91].
Hyperparameters are the set of parameters or arguments that are set manually before training and optimizing the ML model structure for better classification. These parameter value ranges are different for each ML algorithm. Hyperparameter selection significantly affects prediction results. Default parameters are the initial values that are pre-established when no values are explicitly provided. Optimized hyperparameters can be determined manually or automatically. Manual hyperparameter tuning is time-consuming, especially with a high number of possible combinations. Optimization algorithms can automate the process of finding the hyperparameters; this is called hyperparameter optimization. Different approaches include Bayesian optimization, grid search, random search, genetic algorithms, and particle swarm optimization. Several parameter combinations can be identified via search to determine the set of parameters that provide better detection results. Hyperparameter tuning is time-consuming when additional hyperparameters are added, as the number of parameter search combinations increases.

Challenges Related to Cross-Layer Attack Detection
Most of the existing techniques only mitigate specific types of attacks belonging to a single stack layer, excluding attacks on other layers. For instance, the network layer IDS can only detect routing attacks, and cannot recognize attacks belonging to the MAC, physical, or transport layers. It is essential to develop a cross-layer IDS that can detect different possible attacks that may occur at different WSN layers. Attacks can be identified by exploiting the information across the different layers to correlate the cross-layer features among them, such as between the MAC and network layers [86,88,89].

Datasets
Datasets are needed during the learning process to train and test ML models; therefore, dataset reliability and size are crucial to obtaining accurate results [92]. For instance, datasets that are large enough to have samples of normal traffic allow ML algorithms to learn normal network behavior, enabling the detection of unknown attacks by considering any deviation beyond the known usual behavior as unusual. It is challenging for the system to differentiate between the characteristics or signatures of a specific intrusion and a malfunction, which may cause false positives. Overall, any dataset collection for a specific network scenario should be performed over a sufficient time period to collect a sufficient volume of samples for each data class. Dataset parameters such as whether the dataset is balanced or imbalanced, the number of samples per class, dataset size, and dataset dimensionality can influence the selection of a proper ML classification technique and affect the behavior of the ML classifier.
Dataset quality affects the performance of ML models. First, ML algorithms used with a certain dataset may not be applicable for other datasets, as they may have differences in the number of classes to be distinguished, number of instances or samples for each class, and number of attributes that differentiate each class. Second, dataset characteristics such as being labeled or not (i.e., balanced or imbalanced), the number of features (i.e., dataset dimensionality), and feature importance can affect model quality. Feature extraction methods are usually used to filter out potential and relevant features. Third, the criticality and real-time nature of the WSN application at the time of data collection may result in noisy samples and irrelevant features, which can affect the final classification results and the ability of the trained model to differentiate between normal and abnormal behavior. For instance, increasing attack timespan traces and capture size can be used to control the imbalance within the dataset, thereby enhancing the learning process and allowing the algorithm to learn more differences between normal and attack samples. In addition, retraining ML models is possible, and can take place periodically during network progress as new or unknown attacks occur, allowing an ML model to modify its behavior and improve its detection accuracy.
Specialized datasets that consider the long list of cyberattacks targeting WSNs, whether collected using real-time experiments or computer-simulated, are limited. WSN-DS [92], NSL-KDD and its predecessor KDD Cup 1999 [93], CICIDS2017 [94], and UNSW-NB15 [95] are the most commonly used datasets utilized for training and testing ML-based detection models in the context of securing WSNs. It is worth mentioning that none of these datasets except for WSN-DS are tailored to the need of developing ML models for WSNs, which motivates a need to generate new datasets or collect actual logs of real normal network data and simulated attacks.

Evaluation Metrics
Two types of cyberattack classifications are present in the literature, based on the number of classes (i.e., attacks): binary classification, in which there are only two classes, attack or normal; and multi-class classification, in which the number of considered classes is greater than two if more than one attack has been detected and sampled in the dataset. In both cases, the testing phase in the process of developing a ML model involves different evaluation metrics, which can include $P_d$, $P_{fa}$, $P_{md}$, positive prediction value (PPV), ACC, Error rate (ERR), geometric Mean (GM), root mean square error (RMSE), normalized RMSE (NRMSE), receiver operating characteristics (ROC), and F1-score, which can be expressed as follows: where $T_P$, $T_N$, $F_P$, and $F_N$ are the number of true positives, true negatives, false positives, and false negatives, respectively, as per the confusion matrix illustrated in Figure 7. These attributes are estimated after dataset testing and are calculated from the generated confusion matrix. $P_d$, called the sensitivity, recall, detection rate, or true positive rate, corresponds to the number of correctly detected attacks vs. the total number of attacks. $P_{fa}$, or the false alarm rate, corresponds to the number of incorrectly detected attacks vs. the total number of normal traffic instances. $P_{md}$, or the false negative rate, is the number of undetected attacks vs. the total number of normal traffic instances. ACC is the measure of correctly detected traffic instances, whether normal or attack, vs. the total number of detected samples. ERR is the complement of ACC; it is the misclassification rate, which provides a measure of incorrectly detected traffic instances vs. the total number of detected samples. PPV represents the total number of correctly detected attacks vs. the total number of correctly and incorrectly detected attacks [96].
The F1-score or F-measure represents the harmonic mean of precision and recall; it uses $F_N$ and $F_P$ to efficiently classify noisy or imbalanced data [97]. High ACC, $P_d$, PPV, F1-score, and GM and low $P_{fa}$ and $P_{md}$ values generally indicate that an ML model has the potential to accurately detect attacks while ensuring that a low number of attacks go undetected. In addition, RMSE and NRMSE are used to evaluate different cyberattack detection methods numerically, and can be expressed mathematically as where $i$ is the index of the evaluated sample, $A_i$ is the actual value, $\hat{A}_i$ is the estimated or predicted value, and $N$ is the total number of tested samples. NRMSE is defined as a measure of a model's predictive power against simple prediction using the mean of the observed data, and facilitates comparison between models with different scales; it is calculated as follows: $\mathrm{NRMSE} = \mathrm{RMSE}/\bar{A}$, where $\bar{A}$ represents the mean of the observed data values, which can be replaced with a range defined as the difference between the maximum and the minimum values of the observed samples. The ROC curve plot indicates the tradeoff between $P_d$ (the Y-axis) and $P_{md}$ (the X-axis). Preferably, the area under the ROC curve should be close to unity; low values are an indication of weak model performance in terms of detection [98]. NRMSE can be interpreted as a fraction of the overall range that is typically resolved by the model. A lower RMSE is preferable. This value is minimized when the predicted value matches the true observed value from the environment.
Evaluation metrics such as PPV, ACC, ERR, and F1-score are computed using values from the confusion matrix in both columns, and as such are sensitive to any change, especially with an imbalanced dataset. These metrics change as the distribution of data changes, even if the classifier's performance does not [96]. However, GM can be used with both balanced and imbalanced data, even if its calculation involves values from both columns of the confusion matrix, because the changes in the class distribution cancel each other out.
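The distribution sensitivity described above can be checked numerically. The following is an added example, not code from the paper: it computes the confusion-matrix metrics with their standard definitions (assumed here, including GM as the geometric mean of sensitivity and specificity), plus RMSE and NRMSE, and compares one classifier on a balanced and an imbalanced test set. All counts and sample values are constructed.

```python
"""Confusion-matrix metrics for a binary IDS and their sensitivity to class balance."""
import math


def ratio(num, den):
    """Safe division: an empty denominator (e.g. no alarms were raised) gives NaN."""
    return num / den if den else float("nan")


def detection_metrics(tp, tn, fp, fn):
    """Standard definitions (assumption) of the metrics named in the text."""
    p_d = ratio(tp, tp + fn)    # detection rate / recall / sensitivity
    p_fa = ratio(fp, fp + tn)   # false alarm rate
    acc = ratio(tp + tn, tp + tn + fp + fn)
    return {
        "P_d": p_d,
        "P_fa": p_fa,
        "PPV": ratio(tp, tp + fp),               # positive prediction value
        "ACC": acc,
        "ERR": 1 - acc,                          # complement of ACC
        "F1": ratio(2 * tp, 2 * tp + fp + fn),   # harmonic mean of PPV and P_d
        "GM": math.sqrt(p_d * (1 - p_fa)),       # sqrt(sensitivity * specificity)
    }


def rescale_normal_class(cm, factor):
    """Same classifier and per-class rates, but `factor` times more normal traffic."""
    return {"tp": cm["tp"], "fn": cm["fn"],
            "tn": cm["tn"] * factor, "fp": cm["fp"] * factor}


def rmse(actual, predicted):
    """Root mean square error between actual and predicted values."""
    if not actual or len(actual) != len(predicted):
        raise ValueError("need two non-empty sequences of equal length")
    squared = sum((a - p) ** 2 for a, p in zip(actual, predicted))
    return math.sqrt(squared / len(actual))


def nrmse(actual, predicted, normalizer="mean"):
    """RMSE divided by the mean of the observations, or by their range."""
    if normalizer == "mean":
        scale = sum(actual) / len(actual)
    else:
        scale = max(actual) - min(actual)
    return ratio(rmse(actual, predicted), scale)


# Constructed test results: 100 attack and 100 normal samples.
BALANCED = {"tp": 90, "fn": 10, "tn": 95, "fp": 5}
# Same detector behaviour on 100 attack and 10,000 normal samples.
IMBALANCED = rescale_normal_class(BALANCED, 100)

# Constructed labels (1 = attack) and classifier scores for the RMSE example.
ACTUAL = [1, 0, 1, 1, 0]
PREDICTED = [0.9, 0.2, 0.7, 1.0, 0.1]

if __name__ == "__main__":
    balanced = detection_metrics(**BALANCED)
    imbalanced = detection_metrics(**IMBALANCED)
    for name in balanced:
        print(f"{name:5s} balanced={balanced[name]:.4f} imbalanced={imbalanced[name]:.4f}")
    print(f"RMSE={rmse(ACTUAL, PREDICTED):.4f} NRMSE={nrmse(ACTUAL, PREDICTED):.4f}")
```

On these counts the detection rate, false alarm rate, and GM are identical for both test sets, while PPV and F1 collapse and ACC rises on the imbalanced set even though the classifier has not changed.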
Other evaluation metrics commonly used to assess the ability of ML models to detect cyberattacks targeting WSNs relate to the required memory usage, buffer size, computational complexity, processing time, and prediction time. On-chip memory usage considers the random access memory (RAM) and Flash memory in the microcontroller unit, usually measured in kilobytes (KB). The amount of RAM directly affects processing speed. A larger amount can handle more data; however, WSN nodes have relatively low on-chip memory, which means that ML models must require low amounts of on-chip memory and be optimized for efficiency. Buffer size affects the rate of false alarms, as the node buffer usually stores certain fields of monitored traffic data that can be used as input for the detection model running within the nodes. In certain scenarios, a specific MN is responsible for monitoring its neighbors, listening to messages within radio range, and continuously examining traffic to look for intruders.

BC and Cyberattack Prevention
One of the earliest data security techniques of major significance is digital timestamping, which was proposed by the authors of [99] in 1991 and has drawn the attention of industry and academia ever since. The work in [99] proposed using a family of cryptographically secure collision-free hash functions, digital signatures, and linking schemes to preserve the sequential occurrence of the client's requests in the network. Digital timestamping is the precursor of the well-known BC technique [100], which is discussed in the following subsections.

BC Background
A BC is a set of blocks, with each block being a combination of an individual set of transactions. The number of transactions in each block depends on the block size and the transaction size. The blocks are linked using cryptographical sequential digital signatures [101,102]. These signatures are chained utilizing a hash value that involves data from the previous and current blocks to preserve the authenticity of the block's content against any data tampering [100,103]. The chain starts with a genesis block, which is the first block in the chain [104], and each subsequent block is added based on a distributed consensus with a hash value and timestamp. The shared ledger in each node connected to the BC network is updated through a consensus algorithm with each added block. The consensus mechanism ensures a common ledger database that is difficult to tamper with and has unified content on all nodes. Figure 8 depicts the general structure of the block. Each block consists of a block header and block body. The block header contains that block's metadata, including its version number, previous block hash, nonce, Merkle root, timestamp, and nBits, while the block body consists of the transactions embedded in the block [105]. An explanation of each component is provided below.  [106]. The Merkle tree is used to verify the validity of the transactions instead of downloading the entire chain. Figure 8 illustrates the Merkle tree's structure, which is represented through the individual hashes of the transactions or leaf nodes; each set of child hashes is combined and hashed again up the tree until the root is reached [102]. BC eliminates the need for a third-party central authority, as it is distributed or decentralized and comprises all committed transactions in the network; this makes it useful for securing cryptocurrency systems. 
In addition, BC has an ideal architecture for many applications that require ensuring distributed transactions between nodes and decentralizing computation and management in a trustless environment [107]. Using BC in IoT systems can reduce security risks by safely storing data, routing, accessing resources, and authenticating identities [108]. As discussed in [109], BC is a promising approach for securing data and authenticating identities in IoT because of its peer-to-peer (P2P) distributed ledger, which supports scalability and faster settlement for coordinating and securing joining nodes. However, the challenge of applying BC in WSN is its high demand in terms of storage and computational complexity, which causes additional delays and reduces network throughput. BC is often costly in terms of communication, memory usage, and power consumption, while sensor devices are typically designed to be low-cost with restricted resources; however, the cost of setting up and maintaining a centralized database can be reduced with BC. A node's idle state can be fully utilized in terms of the device's computational, storage, and bandwidth capabilities, thereby lowering overall network calculation and storage costs.
Overall, using BC to secure a WSN has many advantages; however, it is difficult to develop lightweight BC security mechanisms that carefully consider the tradeoffs between BC security and WSN design factors in terms of power and latency [110]. This work aims to investigate how BC can effectively protect sensor nodes from possible cyberattacks and determine its appropriateness for WSN applications.
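The block structure and Merkle tree described in this subsection can be made concrete with a short sketch. This is an added example, not code from the paper or from any BC platform: it builds hash-linked blocks with the header fields listed above, produces a Merkle inclusion proof of the kind a node can check without downloading the block body, and locates the first block that fails verification after tampering. The JSON header encoding, the leaf/inner-node prefixes, the promotion of odd nodes and the sample sensor readings are assumptions of this example, and consensus (nonce, nBits) is left out.

```python
import hashlib
import hmac
import json

GENESIS_PREV = "00" * 32  # "previous hash" used by the genesis block


def leaf_hash(tx: bytes) -> bytes:
    # Leaves and inner nodes get different prefixes so that a transaction
    # cannot be passed off as an inner node (design choice of this example).
    return hashlib.sha256(b"\x00" + tx).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def merkle_tree(txs, index=0):
    """Return (root, proof); proof authenticates txs[index] against root."""
    if not txs:
        raise ValueError("a block body needs at least one transaction")
    level = [leaf_hash(tx) for tx in txs]
    proof = []
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 == len(level):
                nxt.append(level[i])  # odd node is promoted unchanged
                continue
            nxt.append(node_hash(level[i], level[i + 1]))
            if index == i:
                proof.append(("R", level[i + 1]))
            elif index == i + 1:
                proof.append(("L", level[i]))
        index //= 2
        level = nxt
    return level[0], proof


def verify_inclusion(tx: bytes, proof, root: bytes) -> bool:
    """Recompute the path from one transaction up to the root."""
    h = leaf_hash(tx)
    for side, sibling in proof:
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return hmac.compare_digest(h, root)


def header_hash(header: dict) -> str:
    return hashlib.sha256(json.dumps(header, sort_keys=True).encode()).hexdigest()


def make_block(prev_hash: str, txs, timestamp: int) -> dict:
    root, _ = merkle_tree(txs)
    header = {"version": 1, "prev_hash": prev_hash, "merkle_root": root.hex(),
              "timestamp": timestamp, "nbits": 0, "nonce": 0}
    return {"header": header, "body": list(txs)}


def first_invalid_block(chain) -> int:
    """Height of the first block that breaks the chain, or -1 if none does."""
    prev = GENESIS_PREV
    for height, block in enumerate(chain):
        header = block["header"]
        root, _ = merkle_tree(block["body"])
        if header["prev_hash"] != prev or header["merkle_root"] != root.hex():
            return height
        prev = header_hash(header)
    return -1


def build_sample_chain():
    """Three blocks of constructed sensor readings."""
    bodies = [
        [b"node1:temp=21.4", b"node2:temp=21.9"],
        [b"node1:temp=21.5", b"node2:temp=22.0", b"node3:temp=20.8",
         b"node4:temp=21.1", b"node5:temp=21.7"],
        [b"node1:temp=21.6", b"node3:temp=20.9", b"node5:temp=21.8"],
    ]
    chain, prev = [], GENESIS_PREV
    for height, txs in enumerate(bodies):
        block = make_block(prev, txs, 1700000000 + 60 * height)
        chain.append(block)
        prev = header_hash(block["header"])
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    root, proof = merkle_tree(chain[1]["body"], index=2)
    print("chain valid:", first_invalid_block(chain) == -1)
    print("proof length for 5 transactions:", len(proof))
    print("inclusion verified:", verify_inclusion(chain[1]["body"][2], proof, root))
```

Rewriting a transaction is caught at its own block through the Merkle root; if the Merkle root in that header is recomputed to match, the failure moves to the next block, whose stored previous-block hash no longer matches.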

BC Features
The main keywords or features that describe BC are illustrated below.

• Data immutability: data are protected using cryptographic hashes unique to each block, disallowing manipulation or alteration after registration in the BC network.
• Decentralization: the absence of a trusted supervised centralized authority; decentralization ensures a lower failure rate, makes the network less prone to malicious attacks, and reduces reliance on a third party.
• Transparency: every involved node in the network is aware of the updated stored data.
• Security and Resilience: any data manipulation requires the approval of more than half of the miner nodes, which is extremely difficult to obtain practically.
• Data Encryption: the provision of public and private keys for data encryption and decryption, respectively, via the use of an asymmetric encryption algorithm for every two communicating nodes; the public key is shared between all nodes in the network to encrypt the data, and the targeted receiver can decrypt the data using its own private key.
• Smart contract: a piece of code that adds customizability to a BC. It represents an arrangement and executes itself automatically under a predetermined set of rules and conditions without a third party. Smart contracts can be used for node verification and authentication. The input of the smart contract is the transaction, which is executed with a corresponding code that consists of the value, address, functions, and state to generate the output events (see Figure 9) [112].

Types of BC
There are four primary types of BC platforms: public (or permissionless), private (or permissioned), consortium (or federated), and hybrid (Figure 10). A BC is a fully or partially decentralized architecture that authenticates sensor devices joining the network and accepts or rejects transactions. A public BC is completely distributed; it allows any node to join the BC with similar access rights, generate new blocks, and validate data blocks. Public access to the BC provides data availability, transparency, and confidentiality. Examples of public BC platforms include Ethereum and Kadena [113]. A private BC has a central authority (or network manager) that determines which nodes may join, and does not provide each node with equal rights to perform tasks [114]. It differs from a public BC in that it restricts node participation and access to the BC depending on the authorization provided by the network [115]. Examples of private BC platforms include Hyperledger Fabric, Hyperledger Burrow, IOTA, Quorum, Corda, Tendermint, Symbiont, HydraChain, Exonum, and Multichain. Both types, private and public, have disadvantages; for instance, public BCs tend to have a longer validation period for new data than private BCs, while private BCs are more exposed to certain types of cyberattacks. Compared to public BCs, several research works have considered private BCs to be advantageous when used in IoT systems, particularly in terms of network latency, due to the additional time required by public BCs to obtain consensus between all peers. A private BC is fully controlled by one organization, and trust comes from preselecting which nodes are authorized to use the shared ledger and to verify transactions; as there are fewer trust difficulties, fewer security measures are necessary between nodes, creating a more responsive network, which is needed in IoT deployments in terms of scalability.
Another advantage of private BC implementation is higher data privacy, as network data are limited to the private network and are entirely controlled by the network manager. Changes can only be made by certain nodes within the network, though all network nodes can read the data within the private BC. The role of network miners, called voters, validators, or peers, is to approve transactions and maintain copies of the BC ledger, which helps to secure and stabilize the private BC network. Because only a few nodes are delegated to publish blocks within the network in a private BC, private BCs are more vulnerable to certain attack types, as the authority may modify or tamper with rules or even data, and the organization may choose to revert their BC to a previous time instant [116]. When using a private BC for an IoT application, all nodes are identified before deployment using a Certificate Authority (CA) or Membership Services Provider, which releases identities, or key pairs, for IoT nodes. Each IoT node's registration is performed on the BC using its cryptographic hardware identity hash. Node registration is performed by mapping an IoT device's public keys and their identities, which must be stored on the BC [24]. This stops the BC from receiving information from unauthorized IoT nodes, securing it against potential attacks. A consortium BC is a type of permissionless BC; it is partially decentralized, as it is governed by a group of preselected nodes that directly participate in the consensus mechanism, instead of a single central entity as in a private BC. A consortium BC is more decentralized than a private BC, and provides better security; however, establishing a consortium requires cooperation between a number of key nodes (sometimes called organizations), which presents logistical challenges and increases potential risk in cases where a majority of the consortium wants to tamper with the BC.
A hybrid BC refers to a customizable BC architecture that combines features of both private and public BCs. Hybrid BCs are best suited for systems that cannot be fully private or public and involve a lack of trust, such as IoT, supply chains, finance, and banking.

Performance Evaluation Metrics
The performance of a BC security system used in a WSN depends on the effectiveness of its peer trust, node authentication, access control, smart contracts, consensus mechanisms, resources management, and big data processing and storage. There are multiple performance criteria of interest, including transaction throughput, response time, latency, storage overhead, and energy consumption, which are the most commonly used metrics for security analysis of BC-based WSNs, and can be defined as follows [117]:
• Storage Overhead: the storage capacity required for BC operations, which may exceed the node's storage capabilities due to the large amount of data accumulated by security tasks [118].
• Residual energy: the remaining energy in the sensor nodes; this metric is important to consider for energy-related attacks which shorten the network lifetime by wasting nodes' energy by launching malicious activities [119].
Other metrics include processing frequency, percentage of central processing unit (CPU) usage, computational complexity of encryption [120], and processing time of trust evaluation. In addition, the authors of [121] used the probability of attack success and strength of attack detection to evaluate secure mechanisms using BC. The probability of attack detection identifies how efficiently a secured mechanism can distinguish between legitimate and malicious entities targeting an IoT network, while attack strength is determined by an attacker's ability to compromise a certain node and force the network to behave maliciously.

Securing WSNs Using BC
A typical BC procedure in a P2P WSN begins when a transaction is launched between two sensor nodes. This transaction is hashed and broadcast to the P2P network. The nodes involved in the interaction sign the transaction using their public keys, as several nodes are involved in the forwarding path in a multi-path forwarding scenario. The transactions are verified and validated based on the consensus mechanism in terms of data and identity by miners or voters, then disseminated, stored, and grouped into a block. The new block is sent to the BC P2P network to be added to the chain when complete. The chain is shared, immutable, and tamper-proof across the participant nodes (Figure 11).
Two architectures are most commonly used to build BC-based security systems in WSN contexts, namely, centralized (Figure 12) and cluster-based (Figure 13) [122]. In addition, there are two types of nodes, full and lightweight [123]. Full or Aggregator nodes store the complete ledger locally; therefore, they have access to the complete transaction history in the chain. In a WSN, a full node is usually a BS or CH. Lightweight nodes do not store a complete ledger; they only store the BC transactions with high importance and what is relevant to their operation, placing their "trust" in their associated full nodes. These nodes are usually the terminal nodes or CM. In this way, the download and storage requirements of these nodes are reduced. These architectures align with private BCs; however, it is not recommended to have a single central node similar to a BC or a CH as a master authority in charge of authentication and trust management in order to avoid any critical points of vulnerability in the network.

BC Challenges in WSNs
• Scalability and Storage: the amount of generated data grows exponentially with an increase in the number of devices deployed in different IoT applications, which leads to an increase in the rate of transaction execution and in the storage capacity needed to keep the ledger up to date [124]. Scalability becomes a severe bottleneck with an increasing number of transactions, and limits the practical development of BC in WSN contexts. With BC technology, blocks are not stored in a central server; however, a subset of the nodes need to keep a copy of the entire ledger in their own limited storage, which means that maintaining enough storage space for the ledger may not be feasible. Moreover, the size of the ledger increases over time, while most nodes have low storage capacity of 10 KB to 100 KB memory at the most. The ledger storage requirement remains an open research issue. According to [125], certain IoT devices are limited to up to 8 MB of memory, most of which is used for storing the software that manages the device; therefore, lightweight mechanisms that limit the ledger size and allow it to be stored by each node are highly recommended. The authors of [118] defined three strategies for data storage by IoT sensors: full storage, in which all nodes store the full current data; partial storage, in which each node stores only part of the data, allowing it to be restored when combined with data from other nodes; and persistent storage, in which low-priority or old data can be stored in a remote centralized database. Similar criteria can be suggested to reduce storage overhead. Efficient consensus protocols, optimizing block size, sharding, pruning, lighting protocols, and off-chain storage have been proposed in the literature to address scalability issues. For instance, PBFT is considered a suitable protocol for fixed and small-size networks, although it is not scalable for larger numbers of IoT devices [126]. Sharding is one of the newer mechanisms to support scalability; it aims to split the overhead of processing transactions between multiple 'shards', or subgroups, of consensus nodes. These groups work in parallel to maximize performance while significantly avoiding the overhead due to duplication of communication, computation, and storage per full node, allowing the system to scale to larger networks [127]. Scalability can be increased by pruning the size of blocks on the BC, which includes removing older transactions to control memory usage [128]. Lighting protocols aim to lower the verification process period by only allowing full nodes to store the complete ledger, with lightweight nodes only keeping a portion of it. In off-chain storage, only hashes are stored in the ledger, whereas actual data are stored off-chain, i.e., in the cloud, to support the scalability in dense WSNs.
• Consensus mechanisms: common consensus mechanisms such as PoA, PoS, and PoC are primarily designed to work for monetary transactions, and are not suitable for adoption in WSNs and constrained-resource IoT devices [129]. PoW is not common in IoT and WSN applications, as it is demanding in terms of computational power; while PoC is energy efficient, it depends on a node's storage capacity and monetary stake, and monetary stakes do not exist in IoT and WSNs [130]. In addition, the most commonly known consensus mechanisms do not perform as desired in their raw mode because of massive requirements and scalability issues [131].
• Communication Overhead and Synchronization: a significant amount of communication overhead is required to synchronize the BC copies, as there is a need to forward every verified transaction to all peers. Establishing keys and authenticating nodes with cryptography, which is determined by the encryption type (either asymmetric or symmetric), causes high communication overhead and key storage [118]. Time consistency during time synchronization between sensor nodes requires exchanging a number of messages depending on synchronization frequency.
• Computation Overhead: heterogeneous IoT devices have different processing capabilities for running encryption and decryption, which leads to variations in processing time. Integrating a BC into the sensor network enables a logical peer-to-peer network to validate and store transactions locally, which is straightforward for personal computers or workstations; however, it might be difficult for tiny sensors with limited computational resources.
• Complexity and Energy Wastage: most widely employed BCs use PoW as a consensus mechanism, where the network participants must solve a mathematical problem or cryptographic puzzle in order to validate and authenticate transactions. PoW uses a significant amount of computational resources, causing energy losses; therefore, it is not practically suitable for IoT networks [30,111]. In addition, severe latency affects WSN stability in delay-sensitive applications [132].
• Guaranteeing Security: many malicious activities target IoT and WSNs. A single attack can harm a large number of devices or be used to destroy another system, as monitor nodes can be turned into malicious nodes to launch further attacks. The network's ability to manage advanced cyberattacks is degraded due to the constrained resources of IoT devices. However, a BC relies on sophisticated hash functions, which require heavy computation and consensus mechanisms that consume network bandwidth.
• Compatibility and Standardization: standardization for BC security applications is needed to ensure that devices meet a reasonable set of standards and have fundamental security and privacy capabilities and to diminish risks associated with cyberattacks against IoT devices [133].
BC in WSN and IoT may never become a reality unless the storage, battery life, computation power, and bandwidth availability of sensor devices are improved [134]. Securing a network using a BC with resource-constrained devices remains challenging [111], and researchers are currently seeking lightweight mechanisms that can solve the problem of excessive resource consumption by sensor networks when using BC to secure WSN and IoT networks against possible attacks such as data manipulation and tampering.
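The pruning and off-chain storage items in the list above can be combined into a ledger whose on-node footprint stays constant. The following is an added sketch, not a scheme from any of the cited works: the node keeps only the newest blocks plus the hash of the last pruned block as its trust anchor, stores payload hashes on-chain, and checks every payload fetched from the off-chain store against that hash. The class name, the block fields, the dictionary standing in for a remote store and the sample readings are assumptions.

```python
import hashlib
import json
from collections import deque

GENESIS_PREV = "00" * 32


def block_hash(block: dict) -> str:
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()


class BoundedLedger:
    """Hash-chained ledger that retains only the newest `max_blocks` blocks."""

    def __init__(self, max_blocks: int, off_chain: dict):
        if max_blocks < 1:
            raise ValueError("max_blocks must be at least 1")
        self.max_blocks = max_blocks
        self.off_chain = off_chain   # stands in for a remote (cloud) store
        self.blocks = deque()
        self.anchor = GENESIS_PREV   # hash of the most recently pruned block
        self.height = 0

    def append(self, payload: bytes, timestamp: int) -> None:
        digest = hashlib.sha256(payload).hexdigest()
        self.off_chain[digest] = payload          # data goes off-chain
        prev = block_hash(self.blocks[-1]) if self.blocks else self.anchor
        self.blocks.append({"height": self.height, "prev_hash": prev,
                            "data_hash": digest, "timestamp": timestamp})
        self.height += 1
        if len(self.blocks) > self.max_blocks:
            # Prune the oldest block but remember its hash, so the retained
            # window is still tied to the history that was dropped.
            self.anchor = block_hash(self.blocks.popleft())

    def window_is_linked(self) -> bool:
        """Check every retained block against its predecessor (or the anchor)."""
        prev = self.anchor
        for block in self.blocks:
            if block["prev_hash"] != prev:
                return False
            prev = block_hash(block)
        return True

    def fetch(self, height: int):
        """Payload of a retained block, or None if the off-chain copy
        is missing or does not match the on-chain hash."""
        for block in self.blocks:
            if block["height"] == height:
                payload = self.off_chain.get(block["data_hash"])
                if payload is None:
                    return None
                if hashlib.sha256(payload).hexdigest() != block["data_hash"]:
                    return None
                return payload
        raise KeyError("block %d is pruned or does not exist" % height)


def run_demo(total_blocks=50, max_blocks=8):
    """Append constructed readings and return (ledger, off-chain store)."""
    store = {}
    ledger = BoundedLedger(max_blocks, store)
    for seq in range(total_blocks):
        reading = "seq=%d;node=%d;temp=%.1f" % (seq, seq % 5, 20 + (seq % 7) / 2)
        ledger.append(reading.encode(), 1700000000 + 30 * seq)
    return ledger, store


if __name__ == "__main__":
    ledger, store = run_demo()
    print("blocks on node:", len(ledger.blocks), "payloads off-chain:", len(store))
    print("retained window linked:", ledger.window_is_linked())
```

The cost of the bound is visible in `fetch`: a pruned height can no longer be verified by this node, and the last retained block has no successor yet, so a change to it is only detected once the next block is appended or by comparison with a full node.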

BC in the Literature
BC is a dynamic technology that has spurred tremendous technological advances in many fields in the last few years. BC has been recently proposed as a method to secure the system applications associated with IoT, such as smart homes, supply chains, smart agriculture, and smart grids [135]. The recent focus in the literature has shifted to securing WSNs using BC, despite the challenging characteristics and performance limits discussed in Section 9.6. BC characteristics, which drive many WSN design challenges, include ledger size, block size, number of transactions per block, smart contracts, miner selection criteria, number of miners, selected BC type, and hash function specifications. Using BC to secure WSNs includes proposing mechanisms to protect data sharing, establish trust, authenticate identities, secure routing tables, and secure localization against dangerous cyberattacks such as sybil, spoofing, DoS, message substitution, and replay attacks (see Table 3). The rest of this section examines BC techniques presented in the literature while highlighting their advantages and drawbacks.
Malicious node detection is one of the main applications of BC in the context of WSNs [31], and is the focus of [136], where the authors studied the use of BC in conjunction with smart contracts to identify malicious nodes. The authors proposed a trust model using smart contracts based on the processing delay, forwarding rate, and response time as evaluation metrics to distinguish malicious and benign nodes. The result of the detection process was then recorded in the BC. The work in [136] established that the proposed method is effective in terms of detecting malicious nodes and allows detection process traceability; however, the adopted traditional consensus method, PoW, is computationally demanding and is unsuitable for resource-limited WSN nodes.
Another major application is maintaining data authenticity, which is ensured using node authentication and trust management [52,106,109,136–143]. Trust management is tied to authentication mechanisms, which identify end-communicating nodes and ensure data validity and confidentiality. The authors of [138] proposed a BC-based trust model and node authentication using a smart contract at gateway nodes such as CHs and BS to reduce energy consumption, claiming that the model takes 0.000250 s, unlike Ethereum BC, which requires 14 s to achieve the same results. The benefits of this type of model were further discussed in [140] through a test-bed experiment, which was conducted to determine whether a BC-based data-driven trust mechanism could reduce network transaction throughput in the presence of grayhole and blackhole attacks. The authors of [143] examined ways of reducing the communication overhead associated with BC by reducing the size of public and private keys. This reduction was achieved in [139] by employing Hyperelliptic Curve Cryptography (HECC), which can potentially provide a similar security level to other key generators along with a lower key size. Another practical implementation of integrating BC into a WSN to protect data against tampering was discussed and evaluated in [52,106,141,142]. The performance evaluation in [106] indicated that the computational complexity associated with evaluating the hash function increased as the amount of sensed data increased, as the ledger size increased accordingly, resulting in reduced data transfer efficiency in the network. The work of [52] proposed limiting the size of each BC and setting a time window with a circular buffer mechanism to minimize BC length as a solution to this limitation.
The authors of [52] considered a hash and an additional time interval measure to determine nodes' reliability levels, which is equivalent to the dynamic value of the accumulated trust points of a certain node. This reliability level was controlled (increased or decreased) by tracking a ledger-checking message. The experimental results of [52] indicated that the proposed trust mechanism could reduce both communication overhead and memory requirements. A different approach to protecting data integrity was proposed in [120], where the authors focused on using a cryptographic algorithm in conjunction with a private BC to protect data during transmission between nodes. The authors proposed a methodology integrating BC and Advanced Encryption Standard (AES) symmetric encryption in a WSN system, with the hash value used to encrypt data during the transaction and AES used in the data transport layer as an encryption/decryption process carried out between any two communicating nodes. This methodology reduces resource consumption while protecting the network against linking, MITM, and Distributed Denial of Service (DDoS) attacks. The method proposed in [120] is not scalable, however, as it is limited to the use of private BCs. The authors of [129] proposed and simulated a new model for a consensus algorithm that can reduce the time required for mining. The results presented in [129] confirmed that the proposed model can potentially protect the network against spoofing and injecting phantom devices; however, the software associated with the model cannot be updated.
Protecting the network routing process using a BC was the focus of the work in [141,144,145]. The authors of [144] proposed a BC-based routing protocol that uses a BC to store the network's activities and broadcast the status of the nodes. In [144], the aim of the authors was to secure the route determination process by avoiding untrusted nodes and to resolve the load-balancing issues associated with routing. The authors of [141] proposed using a BC-block approach with flow routing tables instead of converting the entire SDN-enabled WSN network to a BC network, thereby preventing tampering with flow entries. This approach reduces the energy consumption associated with traditional BC algorithms; the results obtained in [141] using a simulated Riverbed model indicate that the proposed scheme can provide security against MITM, replay, and blackhole attacks, though with increased energy consumption and end-to-end delay. A different distributed ledger-based technology was considered in [142] as an effective lightweight network to authenticate and protect routing tables against sybil attacks in addition to protecting the network against fake identities more broadly. However, the proposed network in [142] is time-consuming, not scalable, and has a centralized architecture. The authors of [145] proposed a trust model for a decentralized architecture to secure WSN routing through a dual BC model. The first model is public and implements a PoW consensus to authenticate aggregating nodes (ANs), while the second model is private and uses PoA for authenticated sensor nodes. The PoW mechanism enhances the security level of the unauthenticated public BC, which includes the BSs, though at the cost of high computational complexity. On the other hand, PoA is less computationally complex, helping to reduce the overhead of the resource-limited AN, which is included in the authenticated private BC.
Node integrity is evaluated using a trust evaluation metric to determine the legitimate nodes that take part in the routing process; however, the security analysis in [145] indicated that the proposed approach could be vulnerable to smart contract-based attacks resulting from possible bugs in smart contract code, such as integer underflow, overflow, parity multisig, timestamp dependency, transaction ordering dependence, call stack depth attack, and re-entrancy.
The authors of [109,139,146] proposed BC-based identity authentication mechanisms for sensor nodes joining the network. The authors of [109] proposed a secure identity authentication mechanism in a hierarchical architecture for a multi-WSN environment using public and private BC, where the former includes the BS and terminal users as miners, while the latter is composed of all authenticated CHs. This technique minimizes communication overhead, as sensing nodes are not connected directly to the unauthenticated public BC; therefore, frequent node authentication is not required. The focus of [146] was on securing an identity authentication scheme against worm attacks by using the IOTA Tangle BC to store the authentication data safely; however, the network proposed in [146] relies on a single point, namely, sink nodes, to authenticate other nodes, which means that the network has a centralized architecture. Another approach was proposed in [147], where the authors considered a sequential detection scheme that starts by validating the hash value of the node's ID, followed by validation of the node signature by each node, and ends with a voting technique that determines whether the node is malicious or benign. The results from the different stages are then used to decide whether a suspect node is kept or eliminated. The authors of [147] revealed that the security level of the proposed BC method is improved compared to other classical approaches in the literature; however, the latency introduced by the three combined phases could potentially be higher than classical approaches. The authors of [148] proposed another decentralized authentication and trust model, which stores the authentication and trust information in the BC and uses a subjective probability as a reputation level. The technique is limited by the origin block problem, which causes the system to misbehave in cases where malicious values are included in the first block in the chain.
Localizing WSN nodes accurately is another application, and was addressed in [149] by investigating a decentralized BC-based trust management model. Their model relied on a trust value consisting of both behavior and data trust values evaluated by a selected number of trusted nodes, such as the number of successful and unsuccessful interactions between sensor nodes and feedback metrics related to the integrity of each beacon node. Though the simulated results in [149] indicate that the proposed scheme outperforms other current techniques in several aspects, it requires an additional number of transactions associated with the evaluation processes, and lacks a complexity analysis of the proposed technique.

Test-bed experiments using a data-driven trust mechanism to reduce network transaction throughput.
[52] Physical or logical data tampering: Limits the size of the BC and uses a time window with a circular buffer mechanism to reduce the BC's length.
[149] Attacks on the localization process: Uses both behaviour and data trust values to determine the reliability level.

BC-ML Integration
It is evident from Sections 8 and 9 that BC technology has been found in the literature to be a useful framework for securely recording data transactions in a tamper-proof ledger with the help of embedded mechanisms such as consensus and smart contracts, whereas ML provides efficient classification models to identify attacks. Therefore, when considering integrated BC and ML approaches, BC technology can help to securely store data generated by WSN devices. This generates huge amounts of data, which can then be modified and organized to safely train ML classifiers, potentially achieving high detection accuracy. It is notable that the output of the ML detection process can be securely stored on the BC network to preserve the integrity of the detection process results. Figure 14 depicts key features of the integrated BC-ML security approach. Despite the potential benefits and the fact that their integration is possible, inevitable, and beneficial, integrating these two technologies simultaneously poses new challenges when adopted in any WSN application. Most of the existing literature has studied ML and BC separately when considering securing WSNs, unlike other IoT applications such as smart grids and supply chains. However, the gains to be achieved and the challenges faced when seeking to combine these two technologies for securing WSNs have not yet been extensively explored in the literature due to its being a relatively new research direction.
In this regard, our approach is to have two lines of defense utilizing the integration of BC and ML. The first line of defense is attack prevention using BC, while the second line of defense is attack detection using ML. In case the first line of defense fails to prevent an attack, the second should verify and examine the incoming traffic for any sign of vulnerability, alerting the network to the presence of a malicious attack [150].
The emphasis of this section is on those research works that consider BC-ML integration to secure WSNs, as discussed in Section 10.1. Following a discussion of the important open issues and research challenges involved in the interrelationship and integration of both technologies to protect WSNs against cyberattacks, which is detailed in Section 10.2, this section is closed by detailing our proposed approach to an integrated BC-ML solution.

Related Work
Integrating the technologies of ML and BC to secure WSNs has been considered in the literature in several different directions, namely, secure routing, secure authentication, malicious node detection, and trust mechanisms, as outlined in Table 4.
Securing WSN routing protocols using an integrated BC-ML approach has been considered in [151,155-157]. The proposed framework in [155] relies on the BC network to securely record the routing information via the use of a registration contract, token contract, and token transactions, as well as to preserve data integrity by the use of PoA due to its high processing efficiency. The routing protocol of the proposed framework in [155] exploits a reinforcement learning algorithm to dynamically provide trusted routes. The results in [155] confirm that the average packet delay is reduced by 81% compared to state-of-the-art techniques thanks to the trusted queue length information released in the proposed framework [155], while the use of PoA helps to reduce token transaction latency. A PoA-based BC was considered in the proposed framework of [156] as well, which utilized a deep learning selection model through CNN to provide the validators required for the PoA smart contract instead of randomly selecting them. The proposed PoA-DL consensus mechanism was shown to require a steady latency that is less than the average transaction delays of the state-of-the-art techniques, and enhances the transaction processing capacity due to the preselected and limited number of validators. Another deep learning method, referred to as Fully Decentralized Generative Adversarial Network (FDGAN), was proposed in [157] in conjunction with GAN, IDS, and BC to design a new routing protocol named Block Chain enabled secured Routing Protocol (GBCRP).
Malicious node detection techniques using integrated ML and BC methods were the focus in [122,152-154]. The isolated forest algorithm anomaly detection model was studied in [153]; this model is not computationally demanding and can deliver good detection performance, especially in the case of high-volume and high-dimensional processed data. The BC helps to ensure safe storage and adequate updating of the isolated forest global detection model by providing the required trusted blocks (isolated trees) to form the model. The results reported by [153] indicate that the proposed anomaly detection model integrating BC and the isolated forest algorithm can achieve a high detection level and accuracy rate for all types of attacks while requiring less communication and storage overhead compared to other similar BC-based anomaly detection models, as it only stores the detection model and not the detection results. A joint identity management and secure routing model was proposed in [154], in which the GA-SVM and GA-DT ML techniques were examined for the detection of malicious nodes. It was shown that GA-SVM is better than GA-DT in terms of detection accuracy; the outcome of the GA-DT process determines whether the node continues to be involved in the routing process or whether its registration in the BC network is revoked, and the safety of the routing transactions is secured using the PoA consensus mechanism. It was shown in [154] that when removing MNs, the packet delivery rate increased to 99.72%. Another consensus mechanism known as Verifiable Byzantine Fault Tolerance (VBFT) was used to validate transactions in [152], while the use of the HGB-ML classifier was proposed for detecting MNs. Furthermore, [152] proposed storing data associated with normal nodes in an Interplanetary File System (IPFS) to generate hashed chunks that can then be stored in the BC.
Extensive comparisons were performed in [152], showing high precision of at least 98% obtained using HGB, which is more than could be achieved by its counterparts, and further demonstrating the lower transaction costs of VBFT compared to PoW. Our prior work in [122] proposed a BC-based identity management and secure authentication mechanism using a Gaussian NB detection module to mitigate possible internal DoS attacks targeting CH nodes.

Research Challenges
Developing a lightweight integrated framework that combines BC and ML while being WSN-compatible is a research area that remains in its infancy, and many open issues and challenges must be carefully addressed. The challenges associated with such systems combine the challenges related to each individual technology. Key technical challenges can be segmented into integration performance, scalability, lightweight architectures and schemes, managing network resources, legal issues, and vulnerabilities.

• Integration performance: BC and ML integration performance depends on each technology's performance; however, having both technologies operating within the same system raises the idea of using each technology to improve the functional performance of the other. For example, ML model detection performance can be degraded by data tampering. In this regard, BC can protect the data transactions used to train the ML models along with the recorded decisions (i.e., output) of attack classification with confidence, disallowing tampering. These records can be reviewed and audited at any time by authorized nodes, and can be used to improve future ML detection decisions. In this way, incremental ML models can improve their future decision-making to detect novel attacks and handle drift in networks that change dynamically over time [65].
• Scalability: a measure of how well systems are used in conjunction with WSNs, scalability is related to network capacity in terms of the number of nodes that can join and the transaction volume that can be generated and processed over the network. The selection of the BC type and consensus mechanism strongly affects scalability. For instance, the PBFT and PoA consensus mechanisms can improve transaction throughput compared to PoW, which usually supports only a few dozen transactions per second. Frequent authentication and peer trust requirements coupled with increased ledger size as the number of nodes and data increase present a challenge when aiming for a scalable ML-BC integrated security framework; however, many solutions have been presented in the literature that support scalability when employing BC technology. Among these solutions is the use of a hybrid BC, which utilizes a public BC connected to multiple private BCs wherein each private BC operates with one WSN. This structure limits the transaction volume and size of the ledger, ensuring better scalability. Among the known consensus mechanisms, voting or multiparty consensus works better with private BCs, and their combination is a candidate for use in cooperative WSNs. Another consensus mechanism is Proof-of-Authentication (PoAh), proposed in [158] for resource-scarce networks, and which could be tested for WSNs. ML algorithms, on the other hand, can be used to code smart contracts for a more scalable approach to effective detection of malicious nodes.
• Lightweight schemes: to reduce overhead, the development and refinement of lightweight BC-ML integrated schemes while maintaining the same desired security level is essential. Deploying BC involves many elements, such as trust, authentication, access control, smart contracts, and consensus mechanisms, and each element can be implemented using a variety of options. The complexity of a BC can be refined by considering lightweight schemes in terms of storage, processing, and communication for each element involved in the deployed BC. For instance, in [152] the authors suggested Interplanetary File System (IPFS) to record the detection process, with the aim of reducing the cost of data storage in WSN; however, they did not consider the communication overhead required to upload and download data between IPFS and BS. In terms of consensus, PBFT and PoA are preferable, as they offer reduced computation and delay compared to PoW.
• Vulnerability: the ultimate goal of combining ML and BC into one system is the potential increase in security level; however, this integration does not completely eliminate threats. The root of these possible threats can be understood by considering that even though data may be safely protected by BC, it could be susceptible to tampering before it is securely recorded in the ledger. Considering the two approaches for BC implementation, namely, public and private, a public BC is open and accessible to all nodes, whereas a private BC is not. Therefore, a private BC is preferable when higher levels of security are desired [159]. However, private BCs limit access to the large amount of data required to develop an efficient ML model, especially with the amount of continuously developed attack types, which makes an ML-BC integrated system vulnerable to newly developed attacks. Other possible threats might be due to malfunctioning or faulty sensors, or even sensors equipped with extra hardware allowing them to be operated maliciously, and which cannot be detected unless physically tested. These challenges add up when considering that nodes can become malicious and threaten the network security after joining the network. In addition, smart contracts can be vulnerable to possible smart contract-based attacks due to bugs in the smart contract code. ML can be used for smart contract verification and vulnerability detection [160].
• Managing network resources: limited-resource sensor nodes represent a key technical challenge when developing an ML-BC integrated solution considering encryption, trust and authentication, and validation of transactions through consensus. The ledger grows exponentially over time, and eventually may not fit within a node's memory. These technical challenges in terms of storage and processing translate into high power consumption, extending across all aspects of system design. The authors of [161] suggested a solution to this problem by switching to symmetric instead of asymmetric BC encryption in order to simplify the system's computational complexity. The computational complexity can be reduced using a simplified method for hash function calculation, such as SHA-256 [161]. Another proposed direction is dedicating specific nodes with high capabilities, such as CHs and BS nodes, for ledger storage, with other nodes only keeping the constant-length hash value of the data in the ledger to be referenced when needed. In addition, old data can be migrated from the CHs and BS toward the IoT cloud or external storage (i.e., IPFS).
• Legal issues: proliferation of different standards or a lack of security regulation can represent a challenge when designing systems involving two different technologies. Setting standards for such integrated solutions can potentially be done at the level of manufacturing and fabrication, that is, at the sensor stage.
Overall, a substantial amount of future research needs to be directed toward designing a robust ML-BC integrated solution to secure WSNs before they can be expected to work smoothly. A lightweight framework must be designed that considers sensor resource constraints and is able to effectively secure WSNs in terms of establishing trust in a trustless environment. Specially-developed consensus mechanisms, application-specific smart contracts, simple transaction verification, an alternative to block mining, and optimized architectures that balance computation and communication consumption between nodes are vital to promoting such integration in WSN applications. In this regard, we propose the BC-ML integrated system depicted in Figure 15. The proposed system includes an ML detection model that detects the malicious behaviour of nodes using neighboring information. The ML model can identify unknown types of attacks by recognizing any deviation from the normal operation of a system as malicious [162], which allows it to use transfer learning to detect new and unknown attacks by transferring its knowledge of known attacks [163]. Concurrently, a BC-based prevention model avoids possible attempts by malicious nodes to modify their data. The BC records the ML detection process securely on the BC ledger in order to maintain its integrity. Furthermore, a smart contract is used for identity management to prevent malicious nodes from becoming authorized to access the BC network (if they are newly deployed) or to revoke their access (should malicious behaviour be detected). In addition, a trust smart contract ensures end-to-end trustworthiness between communicating nodes and limits the negative impact caused by attacks to only the affected part of the network, specifically when a cluster-based architecture is employed [134]. Smart contracts can host ML models to establish trust between nodes, making smart contracts more effective.
It has been proposed to use ML models to detect smart contract-based attacks or vulnerable smart contracts deployed by malicious nodes; however, studies have revealed that smart contracts may not be able to process ML tasks with high computational needs [164]. The proposed overall BC structure is a multi-layer or hybrid one, with private BCs deployed for internal authentication in the network and a public BC deployed between the BS and IoT cloud.
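The following added example (not code from the paper or from any cited work) sketches the two lines of defense proposed above together with the "Managing network resources" idea of sensor nodes keeping only a constant-length hash. All names are hypothetical, a SHA-256 hash chain without consensus stands in for the private BC, and a modified z-score over neighbour-observed forwarding ratios stands in for the ML detector.

```python
import hashlib, json, statistics

def block_hash(prev_hash, payload):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

class ClusterHeadLedger:
    """Hash-chained ledger kept by a capable node (CH/BS); assumed stand-in for a private BC."""
    GENESIS = "0" * 64

    def __init__(self, authorized):
        self.blocks = []                    # list of (payload, hash) pairs
        self.authorized = set(authorized)   # identity-management state

    def head(self):
        return self.blocks[-1][1] if self.blocks else self.GENESIS

    def append(self, payload):
        h = block_hash(self.head(), payload)
        self.blocks.append((payload, h))
        return h

    def record_verdict(self, node_id, score, malicious):
        """Store the detector output on the ledger; revoke a node flagged as malicious."""
        if malicious:
            self.authorized.discard(node_id)
        return self.append({"node": node_id, "score": round(score, 3), "malicious": malicious})

    def verify(self, trusted_head):
        """Recompute the chain and compare it with the head hash a sensor node kept."""
        h = self.GENESIS
        for payload, stored in self.blocks:
            h = block_hash(h, payload)
            if h != stored:
                return False            # a block was edited in place
        return h == trusted_head        # False if the whole chain was rewritten

def detect(forwarding_ratio, threshold=3.5):
    """Modified z-score (median/MAD) per node; a simple stand-in for the ML model."""
    values = list(forwarding_ratio.values())
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values) or 1e-9
    scores = {n: 0.6745 * abs(v - med) / mad for n, v in forwarding_ratio.items()}
    return {n: (s, s > threshold) for n, s in scores.items()}

def run_round(ledger, forwarding_ratio):
    """One detection round: record every verdict, return the new head hash."""
    for node, (score, bad) in sorted(detect(forwarding_ratio).items()):
        ledger.record_verdict(node, score, bad)
    return ledger.head()

# Constructed sample: neighbour-observed packet forwarding ratios for one cluster.
SAMPLE = {"n1": 0.97, "n2": 0.95, "n3": 0.96, "n4": 0.31, "n5": 0.98}
```

A sensor node that stores only the 64-character value returned by `run_round` can later call `verify` against the CH's copy; both an in-place edit of a verdict and a full recomputation of the chain after that edit fail the check.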

Conclusions
Several countermeasures to secure WSNs have been considered in this review, and extensive research efforts have been made to address the related security threats. However, at present these networks cannot manage the computational overhead necessary to implement many of the proposed defensive strategies. ML and BC are two promising technologies that we have focused on in this study for ensuring secure WSNs. In this paper, we have aimed to investigate the integration of both technologies towards a lightweight security framework for WSNs. Our review began by discussing existing surveys on ML and BC in WSN contexts, then provided a taxonomy of ML and BC approaches for WSN-related cyberattack detection and prevention. We next discussed related work and open issues for future research associated with both technologies. We then illustrated the integration of ML and BC to secure WSNs, surveyed related work, and discussed the associated challenges. Finally, we ended our review by proposing the use of an integrated ML and BC system in two lines of defense to enhance the security of WSNs. In our future work, we will consider the implementation of the proposed framework and examine the performance of the integrated system with the goal of enhancing the security of WSNs.