A systematic review of routing attacks detection in wireless sensor networks

Wireless sensor networks (WSNs) consist of hundreds, or thousands of sensor nodes distributed over a wide area and used as the Internet of Things (IoT) devices to benefit many home users and autonomous systems industries. With many users adopting WSN-based IoT technology, ensuring that the sensor’s information is protected from attacks is essential. Many attacks interrupt WSNs, such as Quality of Service (QoS) attacks, malicious nodes, and routing attacks. To combat these attacks, especially on the routing attacks, we need to detect the attacker nodes and prevent them from any access to WSN. Although some survey studies on routing attacks have been published, a lack of systematic studies on detecting WSN routing attacks can be seen in the literature. This study enhances the topic with a taxonomy of current and emerging detection techniques for routing attacks in wireless sensor networks to improve QoS. This article uses a PRISMA flow diagram for a systematic review of 87 articles from 2016 to 2022 based on eight routing attacks: wormhole, sybil, Grayhole/selective forwarding, blackhole, sinkhole, replay, spoofing, and hello flood attacks. The review also includes an evaluation of the metrics and criteria used to evaluate performance. Researchers can use this article to fill in any information gaps within the WSN routing attack detection domain.


INTRODUCTION
Wireless sensor networks (WSNs) use various emerging IoT technologies, have limited infrastructure, and must maintain security while being connected to an unreliable internet (Alansari et al., 2018). WSNs are susceptible to a variety of routing attacks, which are classified according to their characteristics and behaviors. Internal vs external attacks compensate the first category. An outsider node disrupts the network during an external attack, whereas an insider node with a valid identity does the same during an internal attack (Fang et al., 2020). The second category is physical attack vs remote attack. In a In some applications, WSN security issues cause financial and privacy problems. Consequently, the security of WSNs has recently become a topic of high-level research. WSN's weak nodes located in an environment can be targeted and attacked easily. The ability to measure and store nodes efficiently tends to result in packet loss or low productivity due to energy constraints. To overcome the above issues, a robust routing attack detection must be designed that considers different performance metrics and uses the best method. Compared with current research, to the best of our knowledge, this study is the first to address advanced SLR frameworks in routing attack detection. Current similar review articles do not cover all twenty-four performance evaluation metrics or different methods that are used to develop routing attack detections for WSN. Moreover, current studies do not cover the relationship between diverse types of attacks, performance evaluation metrics and methods. Therefore, there is an urgent need for a comprehensive SLR on different routing attack detection systems. The intended audiences of this SLR are wireless sensor network administrators, service providers, end-users, and researchers who are willing to propose a method of attack detection or undertake additional research in the future to improve WSN security.
The objective of this SLR is to serve as a foundation for future research. The evaluation's aim is to analyze and comprehend routing attack detection techniques in WSNs. This is essential if more viable methods to improve current techniques or benefit from previous studies are to be developed. The next tentative brief section of the review is a formal statement that expands through the sections. Section 2 discusses the background of network layer attacks and suggest a possible solution for each attack. Section 3 establishes the methodology used in this article, while Section 4 describes the results, evaluates the hypotheses, discusses the various articles published by classifying the current detection based on different criteria, and finally brings forward the research trends and open issues in the field of WSN, while Section 5 summarizes the SLR and provides recommendations for further research.

BACKGROUND
The routing protocols are frequently vulnerable to attack because they are typically straightforward. Eight of the most significant routing attacks are wormhole, Sybil, Grayhole/Selective Forwarding, Blackhole, Sinkhole, Replay, Spoofing, and Hello Flood attacks. Below is a detailed explanation of each attack, including its strength and motivation. Additionally, each attack's severity and implications are discussed. Figure 1 shows various routing attack detections in WSN that were examined in this study.

Wormhole attacks
In a wormhole attack, the attacker connects two network nodes physically separated from one another using a quick communication path called a wormhole tunnel as can be seen in Fig. 2. This communication platform can be an Ethernet cable, high-speed wireless communication, or fiber optic communication. When the wormhole tunnel is implemented, the attacker captures the packets directed by the nodes on one side of the network and spreads them through the wormhole tunnel on the other side. The wormhole nodes behave completely transparently, making them invisible to the network; therefore, it is operational even without network IDs or cryptographic keys (Ma et al., 2017). Table 1 displays the comparative analysis of currently available wormhole attack detections in literature.

Sybil attacks
The 1973 book "Sybil" is about Shirley Mason, a mental health patient with multiple false identities (Schreiber, 1973). Sybil was named after the WSN nodes with false identities for this rationale. The most vulnerable peer-to-peer networks to Sybil attacks are distributed networks. In its most basic form, Fig. 3 shows how a malicious node uses the Sybil attack to place itself in a position of multiple other nodes. Sybil's attack can stop redundancy in   (Mukherjee et al., 2016) distributed networks by falsifying other nodes' identities and preventing accurate distribution. Each identity should be linked to a physical node to defend against Sybil attacks. There are two ways to achieve the stated objective. The first method is direct acknowledgment, in which the node checks the accuracy of its interacting node directly. A second method is a form of indirect acknowledgment in which the verified node accepts or rejects the other node. The following are three ways to detect a Sybil attack: Evaluating the radio source Determining the critical correctness for pre-distributed keys Node Registration and Location discovery.

Grayhole/Selective forwarding (SF) attacks
Multi-step routing networks forward packets safely and unchanged to the parent node. Attacker nodes employing grayhole/selective forwarding may decide not to forward or drop specific packets or alter them before forwarding. A standard grayhole/selective forwarding attack is that the attacker node avoids sending any packet to the next node and deletes them. As shown in Fig. 4, if an attacker node feels threatened by its neighbors, it explores a different path and decides to leave the current path (La, Fuentes & Cavalli, 2016).
Since the attack is conducted through authenticated nodes, the authentication mechanisms must be improved to detect and prevent grayhole/selective forwarding attacks. So far, several solutions have been proposed to deal with these types of attacks, such as: Attack identification through the concept of node authentication.   The concept of a multithreaded data stream.
Detection using the heterogeneous network theory.

Blackhole attack
In a blackhole attack, the attacker pulls traffic to the network by broadcasting fake routing information to find the shortest path. This malicious node pretends to have the shortest path while sending fake messages. As a result, the source node ignores the routing table and utilizes this node to send packets. The blackhole node then begins to drop the sent packets, as shown in Fig. 5, causing a network service interruption or provision.
The network may suffer severe damage because of a blackhole attack; however, neighboring nodes can quickly identify the malicious nodes by keeping an eye on their activity. A risky fake route will be proposed that will not deliver the packets to their intended location if the malicious node responds to the request message before the valid node does. The malicious node will disrupt the network and drop the packets, disrupting packet movement in the network. Table 4 displays the comparative analysis of currently available blackhole attack detections in literature.

Sinkhole attacks
Sinkhole attacks are one of the most appealing but dangerous attacks in WSNs. This attack is notable for its ability to launch another attack in the middle of the attack. The sinkhole attack uses a node with false information and specifications to fool neighboring nodes into sending their data to the attacker node. At this time, the attacker can apply any changes to the information, including changing the packet, rejecting packets, or utilizing other attacks. Figure 6 illustrates a simulation of a sinkhole attack.   In WSNs, communication is hop-to-hop, meaning the packet is conveyed from one node to another to reach the destination. In this case, the nodes usually choose a path that has a lower hop and selects a node as its parent, which is in a less hop count path, known as an optimal path. The attack starts when a sensor node decides to show itself as desirable to other nodes (Isidro & Ashour, 2021). Because of optimal path selection in WSNs, nodes try to select the best path, which also has the least cost to transmit their packets. The cost may include several factors such as processing, energy consumed, distance and load. Therefore, a malicious node in the sink attack somehow shows itself to its neighbors that they think it has the lowest cost and the shortest path to the sink. In this case, the attack enters its primary phase, as neighboring nodes select the malicious node as their parent and send information to it by lack of knowledge that the node will announce fake and false information about its distance to the base station entirely unrealistic. At this time, a penetration range is created in the network, massive network traffic comes to this node, and much information gets changed or forged. The malicious node can be a laptop-class type with several process power and energy and can continue to sabotage for a long time (Reji et al., 2017). Table 5 displays the comparative analysis of currently available sinkhole attack detections in literature.

Replay attack
The furthermost standard direct attack in contrast to a routing protocol is to target the routing data between the nodes. Unprotected routing in WSNs causes such vulnerabilities on routing because each node in the WSNs can perform as a router, and thus can promptly affect routing data (Chaki & Ashour, 2021). By replay attack, intruders can cause routing loops, wrong error packets, network division, increase end-to-end latency, and increase or shorten the path. Figure 7 displays a simulation of replay attack.
The Code Verification Identity Packet can be used to deal with replay attacks, which are attached to the original packet. The recipient can identify the fake or modified packet by adding a packet confirming the code's identity. Furthermore, counters and timestamps can be used in the packet being sent to counteract the repetition of routing information. In general, a solution to such attacks can be found by validating nodes and encoding data packets (Pathan, 2016). Table 6 displays the comparative analysis of currently available replay attack detections in literature.

Spoofing attacks
Spoofing is a direct and standard attack against the routing protocol. This attack aims to obtain the path of information exchange between two nodes. Attackers will be able to create routing loops, attract or decline network traffic, extend, or shorten resource paths, generate false error messages, segment the network, and ultimately increase end-to-end traffic (Huan, Kim & Zhang, 2021). Figure 8 illustrates a simulation of a spoofing attack. The common solution for this type of attack is authentication and validation.

Hello flood attacks
A Hello Flood attack is one of the more recent attacks on WSNs. In a few protocols, nodes must broadcast Hello packets to let other nodes know they exist. A node that receives a Hello packet assumes that it is within the sender's node's radio range. This concept might be untrustworthy, and a laptop-class attacker could convince any network node that the  attacker is one of its neighbors. It can only re-distribute overhead packets to the public, as seen in Fig. 9, with the possibility of each network node retrieving them. The most straightforward defense against a Hello Flood attack is to examine a link on both sides before doing an evocative action on a packet established from a link. Hence, this  joint action loses effectiveness when an attacker has a reliable receiver, such as its robust sender. An attacker can effectively create a wormhole in this way. The above method cannot effectively detect and prevent Hello Flood Attacks because the link between these nodes and the attacker is bidirectional. A solution to this problem is that each node authenticates its neighbors with an authentication protocol from a secure base station. If the protocol directs packets in mutual directions of the link, Hello Flood Attacks can be  banned when the attacker has a robust transmitter since the protocol checks both directions of the link. In a multi-step topology, hello flood attacks are typically used to broadcast a packet that every node should receive. The self-organized and decentralized nature of secure, highsensitivity WSNs poses a significant challenge. It is possible to use global knowledge as a security measure. When the topology is well-formed or altered, or when network scope is constrained. For example, in relatively small WSNs with one hundred nodes or less that have no non-virtual nodes at the development stage, each node can send information to its neighbors and transmit its geographic location to the base station after the initial topology is formed (Sayed & Ashour, 2021). The base station can map the entire network's topology using the above information. The reason for changing the topology is due to radio interactions or node errors. The nodes renovate a base station with proper information periodically and cause the base station to map the network topology accurately (Khan et al., 2016). Table 8 displays the comparative analysis of currently available hello Flood attack detections in literature.

SURVEY METHODOLOGY
The methodology for Systematic Literature Review (SLR) is illustrated in this section. The researchers conducted an SLR using the instructions provided by the authors with a focus on WSN routing attack detections. Moreover, the research questions and the motivating factors are mentioned in this section. The articles were chosen from the different data sources listed below. A particular search strategy was also classified to find the articles in the domain. The research articles are then carefully analyzed against the inclusion and exclusion criteria listed below before being chosen for review. Table 9 lists the research questions and their rationales to determine the state of the art in routing attack detection in WSN.

Search strategy
The focus has been on routing attack detection techniques since 2016. The articles under consideration for this review are from the past 6 years. We define the search words as the first step in figuring out the search string based on the theme and the suggested research questions. The search keywords were "attacks" and "wireless sensor network." The significant watchwords were associated using the logical operators "AND" and "OR." After several evaluations, we chose the supplementary search strings that provide an adequate amount of related research. We do this by considering the keywords in Table 11   This article provides the metrics to evaluate the performance of routing attack detection in WSN.
Q3. What are the current research trends and unaddressed issues in WSN?
This article aids researchers in understanding the current state of the art and potential future directions for WSN.

Article selection process
The research questions are first framed as part of the methodology used in the article selection process. The selection and search processes are aided by structuring the search string. The articles that have been published in English are considered. The scoping review process is conducted under the PRISMA (Prevention and Recovery Information System for Monitoring and Analysis) flow diagram (Peters et al., 2015) to comprehend the most recent advancements and research on detecting routing attacks depicted in Fig. 10. The search process is concluded by categorizing the routing attacks to ensure that this survey is comprehensive. Most of the articles were discarded because their abstracts were not found, or their titles did not meet the screening criteria.

Inclusion and exclusion criteria
As shown in Fig. 10, which is a PRISMA flow diagram for article selection, the underlying study generated a total of 1,428 articles from various quality publishers between 2016 and 2022, as mentioned in Table 9. The inclusion and exclusion criteria, listed in Table 12, are implemented to select the significant related research. Therefore, the number of articles was lowered to 783. The number of chosen articles was reduced to 122 based on their titles and abstracts. Following that, 122 articles were examined and thoroughly scrutinized based on the content that matched our classification of routing attack detections in WSN, finally generating 87 articles based on the content. After checking the title, abstract, and comprehensive published research, the essential research articles are selected in accordance with the established criteria to ensure that the findings are relevant to this research article.

Year-wise selection
From the articles which are selected for review, Fig. 11 shows the number of articles published year-wise. To provide a current and relevant literature review, articles from the last 6 years were selected from 2016 to 2022.
Publisher-wise selection Figure 12 shows the number of articles which were selected and published by well-known scholarly publishers between 2016 and 2022. Overall, of 13 different quality publishers are selected for inclusion of their articles in this SLR article. Three articles are selected from Wiley, three articles are selected from Tech Science, 23 articles are selected from Springer,   Table 12 Inclusion and exclusion criteria.

Inclusion criteria Exclusion criteria
The study focuses on routing attack detections in WSNs.
The articles that focus on other layer attacks.
The articles that are only written in English. The articles that are not written in English.
The publications from the scholarly publishers and peer-reviewed journals.
The articles that that are not from a reputable publisher or not peer reviewed.
The articles published in WoS and ISI indexed journals. The articles which are preprint, patents, white articles, keynote speeches, and editorials.
four articles are selected from ScienceDirect, two articles are selected from Sage, 10 articles are selected from MDPI, four articles are selected from InderScience, one article is selected from IGI Global, eight articles are selected from IEEE, six articles are selected from Hindawi, one article is selected from Exeley and seven articles are selected from Elsevier. Moreover, 15 articles are selected from Google Scholar as it ranks individual articles by considering the publication source, the author, the full text of each document, and the quantity and recency of citations.

Selection per performance evaluation metric
Overall, of 24 different performance evaluations metrics were defined in process of developing this article in which True Detection Rate (TDR), Energy Consumption, Packet delivery Ratio (PDR), Detection Accuracy and communication overhead are the most used metrics in 24, 21, 14, 14 and 13 articles. Figure 13 shows the number of articles used the other metrics. neighbor-based detection methods which gained the highest rank. RSS and trust-based gained second place as they are used by six articles each.

Selection per routing attack
This article is the review of 87 different articles from 2016 to 2022 in which some of the articles focused on more than one attack. As per the statistical analysis which is provided in Fig. 15 and the number of articles overviewed the specific attacks, we can sort out the routing attack severity as per the following: wormhole attack (14 articles), Sybil Attack (24 articles), Grayhole/selective forwarding attack (27 articles), blackhole attack (21 articles), sinkhole attack (13 articles), replay attack (six articles), Spoofing attack (five articles) and hello flood attacks (four articles).

Selection per different metrics for wormhole attack
Overall, 14 different performance evaluations metrics are used by the articles on wormhole attack detection. As shown in Fig. 16, Efficiency gained the highest rank as it is used by four articles.

Selection per different metrics for Sybil attack
Overall, 19 different performance evaluations metrics are used by the articles on Sybil attack detection. As shown in Fig. 17, True Detection Rate (TDR) gained the highest rank as it is used by 10 articles.

Selection per different metrics for Grayhole/SF attack
Overall, 21 different performance evaluations metrics are used by the articles on Grayhole/SF attack detection. As shown in Fig. 18, Energy Consumption gained the highest rank as it is used by nine articles. Selection per different metrics for blackhole attack Overall, 19 different performance evaluations metrics are used by the articles on Blackhole attack detection. As shown in Fig. 19, True Detection Rate (TDR) gained the highest rank as it is used by seven articles. Selection per different metrics for sinkhole attack Overall, 14 different performance evaluations metrics are used by the articles on Sinkhole attack detection. As shown in Fig. 20, Energy Consumption gained the highest rank as it is used by six articles.

Selection per different metrics for replay attack
Overall, nine different performance evaluations metrics are used by the articles on Replay attack detection. As shown in Fig. 21, Packet delivery Ratio (PDR) and True Detection Rate (TDR) gained the highest rank as they are used by two articles.

Selection per different metrics for spoofing attack
Overall, 10 different performance evaluations metrics are used by the articles on Spoofing attack detection. As shown in Fig. 22, Resource Consumption gained the highest rank as it is used by two articles.

Selection per different metrics for hello flood attack
Overall, nine different performance evaluations metrics are used by the articles on Hello Flood attack detection. As shown in Fig. 23, Energy Consumption gained the highest rank as it is used by two articles.

DISCUSSION
The systematic literature review has revealed the following facts and findings against each research question. Q1. What are the limitations of WSN routing attack detections? The following are the limitations of WSN routing attack detections which are to be addressed proposing detection techniques for any kind of routing attacks.

Memory and capacity
Each sensor is a tiny device with a slight volume of memory and storage space for storing the codes (Isidro & Ashour, 2021). With the intention of consuming an efficient detection, it is vital to reduce the code size. Energy It is the most significant constraint for WSNs capabilities. It is assumed that nodes cannot easily insert or recharge after the deployment of WSNs. The impact of the added security code on energy should be taken into consideration when a cryptographic function or protocol is implemented inside the nodes. In other words, when designing a detection tool, it is essential to determine its impact on the node's lifespan. The extra energy consumed by the nodes is because of the required processing to execute detection, transfer of securityrelated data, and ultimately safely storing parameters.

Unknown transmission
In general, communications are wireless because of the packet-based routing in WSNs, and this means the data transfer is uncertain. Packets may be broken due to channel errors or because of network congestion. The result is the loss of the packets. The vital security packets do not get to the correct destination or get lost if protocols are not adequately managed.

Collision
Even if the channel is reliable, the connection itself may be uncertain. It is due to the nature of the WSNs transmission. If the packets collide in the middle of their way, the transfer operation will fail. In high-density networks, this can be a severe obstacle, which may lead to packets loss.

Delay
Multi-route routing network congestion (Pulmamidi, Aluvalu & Maheswari, 2021) and processing nodes can lead to increased delays, which may result in a lack of synchronization in WSNs. The synchronization is crucial for WSNs where the detection systems depend on critical event reports or broadcasting cryptographic keys. Node seizure attacks Sensors may be deployed in environments that are accessible to the attacker. So, the probability that a sensor node will be exposed to a physical attack is reasonably more than a server residing in a safer place (Isidro & Ashour, 2021). By taking over the node, it is possible for an attacker to read the valuable information that can include cryptographic keys. Q2. What performance evaluation metrics are considered when WSN detects routing attacks?
Overall, of twenty-four performance evaluation metrics were identified during the development of this SLR article in which Table 13 displays the articles which use the most 12 common metrics according to different type of attack detection. Figure 13 displays the number of articles for each metrics therefore the most used metrics are: TDR, energy consumption, PDR, detection accuracy, communication overhead, FDR, throughput, FPR, computation overhead, efficiency, network lifetime and end-to-end delay.
Q3. What are the current research trends and unaddressed issues in WSN?
In recent years, research on WSNs security has become more prominent. In the design of WSNs, there are several factors and open research issues that need to be considered.

Hardware
Each node must be small enough, lightweight, and low volume while having all the necessary components. For example, in some applications, the node should be as small as a matchbox; sometimes, the node's size is limited to one cubic centimeter (Alansari et al., 2021). It should be light enough to hang in the air with the wind in terms of weight. At the same time, each node must have minimal power consumption, low cost, and be compatible with environmental conditions. These are all limitations that challenge the design and construction of sensor nodes.

Connectivity
A sensor network has graph connectivity as its inbuilt connectivity. Each node has connections to several other nodes in its vicinity because of the nodes' wireless connections and public broadcasting. Efficient algorithms for collecting data and applications for tracking network objects, such as spanning trees, are considered (Siddiqui & Ashour, 2021). Hence, the traffic is such that the data travels from some node to another; connectivity management should be done carefully. An essential step in the management of network connectivity is the initial setup. Nodes that have not had any initial communication before should be able to communicate with one another once they are hired and started to work. Connectivity management algorithms should be able to subscribe to new nodes in the initial setup and removes the nodes which do not work for any reason. The connectivity dynamics of the sensor network properties are an issue that challenges security. Providing dynamic connectivity management methods that can cover security issues is one of the great ideas for future studies.

Reliability
Each node can be broken or destroyed entirely by environmental events, such as an accident or explosion, or can fail when the energy source is exhausted (Alansari, Siddique & Ashour, 2022). The purpose of tolerance or reliability is that node failure should not affect the overall network performance and build a reliable network using unreliable components.

Scalability
The network should be scalable concerning the number of nodes and the allocation of nodes. In other words, the sensor network should be able to work with hundreds, thousands, and even millions of nodes and support the density of different nodes' distribution. In several applications, nodes are randomly distributed, and environmental factors displace no possibility of distribution with a specific and uniform density of nodes. As a result, the density should be flexible, ranging from a few to one hundred nodes. The various approaches also have an impact on the scalability problem. For instance, they will not work in a specific density or with a certain number of nodes. Specific techniques, on the other hand, are scalable.

Overall cost
As the number of nodes is high, each node's cost reduction is critical. The number of nodes sometimes reaches millions which, in this case, the cost reduction of the node, even in small quantities, has a significant effect on the total price of the network.

Environmental conditions
A wide range of WSNs applications is related to environments in which humans cannot be present. Like chemical, microbial, or nuclear-contaminated environments or underwater studies, space, or military environments due to the presence of the enemy. In the forest and Inhabitants of animals, the presence of human beings will escape them. In each case, the environmental conditions should be considered in the design of the nodes. For example, in the sea or wet environments, the sensor node must be placed in a chamber that does not transmit moisture.

Communication media
In WSNs, nodes communicate wirelessly through radio media, Infrared Radiation (IR), or other optical media. The infrared connection is cheaper and easier to build, but it only works in a direct line.

Power consumption of nodes
The WSNs nodes must have low power consumption. Sometimes the power supply of a battery is a 1.2 V with a flow of 0.5 amps per hour, which should provide the necessary power for a long time, for example, nine months. In many applications, the battery is not replaceable. Therefore, battery life establishes the life of the node. Moreover, a node acts as a pathfinder, receiving information (by the sensor) or running a command (by the actuator). Faulty operation of a node removes it from the connections and would cause network reorganization and rerouting of the packets (Alansari, Prasanth & Belgaum, 2018). Designing the node's hardware, using low power consumption components, and providing the possibility of a sleep mode for the entire node or each section is essential.

Increasing the network lifetime
WSNs typically have a short lifetime due to the nodes' insufficient power supply. Additionally, a network node's location can occasionally exacerbate the problem. For instance, a node only one hop away from a sink quickly runs out of energy from an excessive workload. On the other hand, if it fails, the sink will be disconnected from the entire network, and WSNs will stop working. Some solutions involve the network structure; for example, an automated structure is a great way to address the problem. The automated structure makes most of its decisions locally (Maheswari, Raju & Reddy, 2019). As a result, the node's and network's lifetime increase even though the transmission traffic through it decreases. Any WSN with an uneven node distribution will experience the issue of early energy depletion on nodes with low-density regions. To ensure that crucial nodes are used as less as possible, it would be appropriate in these circumstances to implement power management within the nodes and provide some power awareness solutions. Since distributed nodes in the sensor/actuator field share resources, effective task management, and power management will lengthen the network lifetime. Providing appropriate structural patterns, management methods, and intelligent power algorithms to grow the network lifetime worth further investigation.

Real-time communication and co-ordination
In some applications, the network response speed is crucial such as the system for detecting and preventing the spread of fire or theft prevention system. The packets must be instantaneously updated in the immediate display of pressure on the monitor. A way to realize the system's real-time connectivity is to set a deadline for packets. In the media access control layer, packets with the shortest deadlines will be sent sooner. The duration of the cut-off depends on its application. Respectively, another critical issue is event report delivery to the sink in order of occurrence. Otherwise, the network may not respond appropriately. One more issue is the coordination of the network with the related reports given to the sink of a specific area in case of an event. For example, assume in a military application that some sensors to detect the occurrence of enemy units and some tools to destroy them are considered. Several sensors inform the sink of the presence of an enemy. The network must start the operation in the entire area immediately; otherwise, with the response of the first sink, the enemy soldiers are dispersed, and the operation is defeated. However, the issue of instant communication and coordination in sensor networks, especially in large-scale and uncertain conditions, is still a topic of research.

Unpredictable factors
WSNs are a function of many uncertainties. Unpredictable natural factors such as floods, earthquakes, problems caused by wireless communication and radio disturbance, node failure, sensor failure, dynamics structure, network routing, the addition of new nodes and the removal of old nodes, automated nodes replacement, or by natural factors. The issue is how to develop, from a network layer perspective, an outlook in such a situation that is a solid, large-scale entity with a reliable operational capability which will be addressed in this SLR.

Limitations of this SLR
This review only took a limited set of databases and journals into account.
Additionally, only a few keywords and string combinations have been used to search the literature. This review has not considered any articles that were published prior to 2016.
This review primarily focuses on routing attack detections rather than application, transport, datalink, or physical layer attacks on WSNs.

CONCLUSIONS
This article provides a systematic literature review of routing attack detection methods and metrics used by 87 articles from 2016 to 2022 using a PRISMA flow diagram. The selected articles are based on eight routing attacks: wormhole, Sybil, Grayhole/selective forwarding, blackhole, sinkhole, replay, spoofing, and hello flood attacks. Although the impact of routing attacks over WSNs manifested over recent years, inconsiderable attention was given to implementing decent routing attack detection. The outcomes of this study designated that different routing attack detection techniques and algorithms can be successfully employed on WSNs. Consequently, the study has endowed new tendencies and potentials for future researchers. This study allows wireless sensor network administrators, service providers, and end-users to undertake additional research in the future to improve the security of WSNs. Having a clear goal and foresight in any field can significantly contribute to advancing technology in that field. In the future, we aim to introduce some techniques that can be used by researchers interested in WSNs and the security dimension of these networks. Introducing new and combined methods can get better results and enhance the security of WSNs, such as: The use of node clustering or distributing techniques in the network and the use of hedge mechanisms to provide new methods in the critical management area. The use of elliptical bending encryption math for efficiently swapping keys between network nodes.

ADDITIONAL INFORMATION AND DECLARATIONS Funding
The authors received no funding for this work.