Centralized and Distributed Intrusion Detection for Resource-Constrained Wireless SDN Networks

Centralized and distributed approaches are proposed for intrusion detection in resource-constrained wireless SDN networks. The centralized detector monitors control and data packet metrics from the controller and can detect attacks and identify the attack type with over 96% accuracy even in networks of 100 nodes. The distributed detector allows each node to monitor local metrics and detect attacks in a distributed manner, while also enabling identification of the attacking nodes with over 93% probability. Both approaches are tested on an SDN framework and show high detection rates for new-flow and neighbor table attacks. The centralized approach provides very accurate detection and identification, while the distributed approach provides attack detection and identification of attacking nodes.

IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, MARCH 20XX

Centralized and Distributed Intrusion Detection for Resource Constrained Wireless SDN Networks

Gustavo A. Nunez Segura, Student Member, IEEE, Arsenia Chorti, Senior Member, IEEE, and Cintia Borges Margi, Member, IEEE

Gustavo A. Nunez Segura and Cintia Borges Margi are with Departamento de Engenharia de Computação e Sistemas Digitais, Universidade de São Paulo, São Paulo 05508-010, Brazil. Arsenia Chorti is with ETIS UMR8051, CY Université, ENSEA, CNRS, F-95000, Cergy, France. Manuscript received – 19, 20–; revised – 26, 20–.

arXiv:2103.01262v1 [cs.CR] 1 Mar 2021

Abstract—Software-defined networking (SDN) was devised to simplify network management and automate infrastructure sharing in wired networks. These benefits motivated the application of SDN in wireless sensor networks to leverage solutions for complex applications. However, some of the core SDN traits make the networks prone to denial of service (DoS) attacks. There are proposals in the literature to detect DoS in wireless SDN networks, but not without shortcomings: there is little focus on resource constraints, high detection rates have been reported only for small networks, and the detection is disengaged from the identification of the type of the attack or the attacker. Our work targets these shortcomings by introducing a lightweight, online change point detector to monitor performance metrics that are impacted when the network is under attack. A key novelty is that the proposed detector is able to operate in either centralized or distributed mode. The centralized detector has very high detection rates and can further distinguish the type of the attack (from a list of known attacks). On the other hand, the distributed detector provides information that allows the nodes launching the attack to be identified. Our proposal is tested over IEEE 802.15.4 networks. The results show detection rates exceeding 96% in networks of 36 and 100 nodes and identification of the type of the attack with a probability exceeding 0.89 when using the centralized approach. Additionally, for some types of attack it was possible to pinpoint the attackers with an identification probability over 0.93 when using distributed detectors.

Index Terms—Internet of things, wireless sensor networks, software-defined networking, intrusion detection, change point detection.

I. INTRODUCTION

Wireless sensor networks (WSN) and Internet of things (IoT) consist of wireless sensor equipped devices that collect and relay information from physical and environmental phenomena. IoT and WSN networks are known as resource constrained networks because, typically, sensor devices have processing, memory and energy limitations. Complex applications, with hundreds or thousands of WSN nodes, may require a complex infrastructure, which is a challenge in constrained networks.

Software-defined networking (SDN) was devised to simplify network management and automate infrastructure sharing in wired networks [1]. These benefits motivated the application of SDN in WSN and IoT to leverage solutions for complex applications. The fusion of SDN – WSN and SDN – IoT are referred to as software-defined wireless sensor networks (SDWSN) and software-defined Internet of things (SDIoT), respectively [2], [3].

Network control centralization and data and control planes' separation are fundamental enablers of SDN programmability and network reconfiguration. On the other hand, these traits make the network prone to denial of service (DoS) attacks, a vulnerability that is inadvertently passed on to SDWSNs and SDIoT [4] [5]. There are proposals in the literature to detect and mitigate DoS attacks in SDNs, and in fact, some of them focused on SDWSNs and SDIoT. However, related solutions are not adapted to very restricted networks, and assume, for example, an out-of-band connection for control packets between switches and controllers. Additionally, most works reported high detection rates only for small networks. Other shortcomings we noticed in the literature are a lack of solutions capable of detecting multiple types of DoS attacks, identifying the type of the attack and the attacker itself.

With these challenges in mind, we propose a novel DoS detector for constrained SDN networks based on change point (CP) detection theory. Our main hypothesis is that detecting a change in the monitored network metrics can be used as an alert for an anomaly, i.e., for intrusion detection purposes. A key novelty is that the proposed detector is able to operate in either centralized or distributed detection, which is not common in SDN-based networks. In the centralized detection, a security application monitors the control packets overhead and the data packets delivery rate of the network. If the application detects a change in the statistical properties of one of these metrics, the network is considered under attack. In the distributed detection, every node is in charge of detecting a change in its own local metrics and of informing the security application in case of a change. Notably, the centralized detector that runs on the controller identifies the attack with a very high rate and further can distinguish the type of the attack from a list of known attacks. The distributed detector that runs on individual nodes is also able to detect the DoS attacks with a high rate and further provides information that allows the nodes launching the attack to be identified.

We measured the performance of both approaches on the IT-SDN framework [12], simulating new-flow and neighbor information types of attacks in topologies of 36 and 100 nodes, with all the sensor nodes emulated as Tmote sky. Our contributions are listed below:

1) We developed DoS detectors suitable for restricted networks (IEEE 802.15.4).
2) Our detectors do not need training data (as, for example, machine learning based detectors do); they require only 200 samples of the monitored time series when the network is not under attack to extract its statistics.

3) We studied the parameterization of the centralized detector to optimize the detection speed versus the detection rate and studied the trade-off between the two. The quickest detector achieved an attack identification rate of more than 89%, increased to 99% for less agile detectors.

4) The decentralized detector is so lightweight that it can run on each individual Tmote sky node in the network, which allowed us to identify the region in which the attack is launched, or even the attacker itself, with a probability exceeding 93%.

The remainder of the paper is organized as follows. In Section II the state of the art is summarized while in Section III the intrusion scenario is explained. Section III-A overviews SDWSN security vulnerabilities, while Section IV presents the mathematical background for the change point detector. In Sections V and VI we present the centralized and distributed detectors, respectively, and discuss their results. Section VII presents the overall attacker detection strategy and the discussion of the performance. Lastly, Section VIII concludes the paper.

II. RELATED WORK

In this section, we analyze works that propose solutions for resource constrained SDN-based networks. Our focus is on proposals targeting DoS attack detection and identification. The analysis is based on DoS attack detection and identification accuracy, type of DoS attacks detected, and the consideration of resource constraints.

Table I summarizes the main performance metrics of the related work and our proposal. We chose five metrics for the comparison: i) the ability to achieve high detection rates, i.e., equal to or greater than 90%; ii) multiple types of attack detection; iii) type of attack identification; iv) resource limitations; and v) attacker identification. One general comment is that most of the previous works reviewed here are OpenFlow-based, which limits their use in networks composed of constrained nodes because of limited frame sizes, memory constraints, and lack of a dedicated control channel. Because of this, some papers did not include real device emulation or testbeds.

TABLE I
RELATED WORK

Author                  | High detection rate | Multiple types of attack | Attack type identification | Resource constrained networks | Attacker identification
Bhunia and Gurusamy [6] | X                   |                          |                            |                               |
Jia et al. [7]          | X                   |                          | X                          |                               |
Ravi and Shalinie [8]   | X                   |                          |                            |                               | X
Yin et al. [9]          |                     |                          |                            | X                             | X
Miranda et al. [10]     |                     | X                        |                            | X                             |
Wang et al. [11]        |                     | X                        | X                          | X                             | X
Our proposal            | X                   | X                        | X                          | X                             | X

The proposals of Bhunia and Gurusamy [6], Ravi and Shalinie [8], and Jia et al. [7] have in common that all of them used machine learning techniques to detect DoS attacks, and also all of them obtained high detection rate results, i.e., higher than 90%. On the other hand, none of these three proposals considered resource constraints or were evaluated on restricted networks. The main reason is that they are OpenFlow-based or require a high traffic of packets to monitor the network. Regarding the other metrics, Jia et al. [7] proposed an attack type identification algorithm and Ravi and Shalinie [8] proposed an attacker identification mechanism.

The proposals of Yin et al. [9], Miranda et al. [10], and Wang et al. [11] have in common that all of them considered resource constrained networks, but on the other hand did not attain high detection rates. Concerning the other metrics, Miranda et al. [10] and Wang et al. [11] proposed multiple types of attack detection, and Yin et al. [9] and Wang et al. [11] proposed an attacker identification algorithm.

The main shortcoming in the state of the art is the trade-off between detection rate and the resources needed to execute the DoS attack detector. The proposals that attained high detection rates were not suited for resource constrained networks, and the proposals that considered resource limitations did not attain high detection rates. As shown in Table I, our solution obtained high detection rates while being well suited for resource constrained networks. Additionally, our solution was able to detect different types of DoS attack, identify the type of the attack with high probability, and identify the area where the attacker is located, or even the attacker itself. Our proposal was the only one fulfilling the five metrics.

The present study builds upon our previous works in [13], [14], and [15]. In the first work [13] we analyzed the impact of different types of attacks on various performance metrics and identified the data packet delivery and the control overhead rates as the most impacted. In [14], on the other hand, we proposed a universal CP DoS detector that combined an offline and an online detector. Lastly, in [15] we moved to an entirely online multimetric CP detector, which used two centralized CP detectors independently optimized for different types of attack. This strategy allowed us to obtain high detection rates for different attacks in topologies up to 100 nodes, and, more importantly, to identify the type of the attack we are detecting. It is also important to mention that, unlike machine learning based detectors, we do not need large training data sets; as will be shown, around 200 samples of the monitored metric suffice to extract its statistical characteristics. This makes our
solution more lightweight and general, well suited for resource constrained networks.

In the current work, we further extended our previous works and proposed a distributed DoS attack detection approach based on metrics collected and analyzed on every node, including the transmitting time, processing time, etc., hinting at the possibility of intrusion detection at the PHY and its potential incorporation with physical layer security solutions [16]. From this, we were able to implement our security solution in either centralized or distributed detection according to the network resources. The centralized approach requires more bandwidth while the distributed approach requires more of the nodes' memory.

III. SDWSN VULNERABILITIES OVERVIEW

SDNs have a centralized architecture, where a controller, or multiple controllers and their interfaces, constitute the control plane and are in charge of the network's configuration [17]. Because of this centralization, the controller has a global view of the network topology and also can have access to traffic and performance information.

In terms of security, SDNs have advantages and disadvantages. The access to the network's traffic and performance data, along with the controller's global view, is a combination that has been used to develop new security strategies [18]. Based on a centralized traffic analysis and security policies, the controller has an important role in determining if the network is under attack and in reconfiguring the network to mitigate the impact. On the other hand, SDNs are entirely controller-based. This means that if the controller is compromised, the control plane is compromised, and therefore the whole network is compromised as well. For this reason, the controller is tagged as a single point of failure, which makes SDN-based networks prone to DoS attacks [19] [20].

In SDNs, the attackers can reach the control plane directly through the controller or through network devices. An attacker can flood the network with control packets that will be forwarded to the controller, exhausting its processing and communication resources. In the same way, an attacker can mislead other nodes in the network, inducing them to communicate with the controller at the same time, similar to a flooding attack. For example, an attacker sends several data packets tagged with an unknown flow identifier. The neighbouring nodes receiving the packet will check their routing table to match the packet's flow identifier with a rule, but without success; therefore the nodes will request a flow rule from the controller. This type of attack impacts both the controller's and the network devices' resources, leading to a compromise of the entire network.

In the case of SDWSN and IoT, the previous scenario is critical since network devices are resource constrained. To give a better idea of these constraints, we summarized some IEEE 802.15.4 compliant platforms in Table II and compare them with the specifications of the Raspberry Pi 3, a small single-board computer. Because of these resource constraints, dealing with saturation attacks, resource exhaustion, and complex security mechanisms becomes challenging. As shown in our previous work [13], a new-flow-based attack [21] is able to increase the number of control packets per minute by between 16% and 127% when there is only one attacker in the network, and the impact increases with the number of attackers. Additionally, after several repetitions, this attack can saturate the neighbors' flow tables. In [13], we also investigated the impact of a topology discovery based attack [22] in SDWSN and showed that one attacker in the network was able to reduce the data packets delivery rate by between 5% and 18%. Multiple attackers executing this attack were able to reduce the data packets delivery rate by between 20% and 60%.

A. IT-SDN and DoS attacks

IT-SDN [12] is an SDWSN framework composed of the application layer, the control layer, and three communication protocols: the Southbound protocol, the Neighbor Discovery protocol, and the Controller Discovery protocol. The sensing layer is composed of the wireless sensor devices used to collect data from the environment and relay data to sinks, that is, the wireless sensor network itself. The control plane is composed of the control servers in charge of taking and installing routing decisions in the sensing layer devices. The Southbound protocol defines the message formats for communication between the WSN and the controller. The Neighbor Discovery and the Controller Discovery protocols are often executed as a joint operation. All nodes in the network use the Controller Discovery protocol to find a route to reach the controller and use the Neighbor Discovery protocol to collect neighborhood information and then send it to the controller.

The controller uses the neighborhood information provided to calculate routes according to a set of policies and procedures. Then, the controller installs the routing rules on every node's flow table. IT-SDN's flow table is composed of four columns: matching criteria, action taken, action parameter, and flow usage. The matching criteria is an address or a flow ID. The actions are: forward packet, drop packet, or receive packet. The action parameter is typically the next hop and the flow usage is assessed as the number of updates since the entry was installed.

The Southbound protocol is composed of six packet types: flow request, flow setup, flow ID register, acknowledgement, neighbor report, and data packet. Next we define only the ones involved in our scope. The WSN's nodes use the flow request packet to ask the controller about an unknown route and the controller replies with a flow setup packet that contains the route configuration. Moreover, the controller can change any route configuration using this packet whenever a route calculation changes. The neighbor report packet contains the sender's neighborhood information. The controller uses this information to update the graph and recalculate routes. The nodes send a neighbor report to the controller on one of three conditions: the node detects one or more new neighbors, the node detects that one or more nodes are no longer its neighbors, or there is a significant change in one or more neighbors' routing metric. A significant change is defined as a percentage of change of the current metric that can be defined according to the application.
TABLE II
WSN MOTES SPECIFICATIONS

Platform       | Microprocessor model | Clock speed (MHz) | Flash memory (kB) | RAM (kB)
TelosB         | MSP430               | 8                 | 48                | 10
SensorTag      | ARM Cortex-M3        | 48                | 128               | 20
RE-Mote        | ARM Cortex-M3        | 32                | 512               | 32
Raspberry Pi 3 | 4 x ARM Cortex-A53   | 1200              | SD card           | 1 000 000

Fig. 1. False data flow forwarding attack: the attackers inside the network send data packets to their neighbors using random or unknown identifiers. The sensor nodes request a rule from the controller to treat this packet; the controller calculates the rule and sends it to the sensor node.

Fig. 2. False neighbor information attack: the sensor node sends a neighbor report to the controller and the attacker in the route (in case there is one) modifies the neighborhood information before forwarding the packet to the controller.

In this work we tested our proposal when the network is under two different attacks: a new-flow-based attack and a neighbor information type of attack. The new-flow-based attack [21] is characterized by the flooding of packets with the objective of including new flows in the network, which is why this attack is commonly studied in SDN. The neighbor information attack targets important information sent from all nodes to the controller to calculate routing rules. This attack has not been explored widely in the state of the art, and in our previous work [13] we observed that it significantly disturbs the data and control packets delivery rate. Based on IT-SDN characteristics, we adapted these two attacks to target its security vulnerabilities, dubbed in the rest of this paper the false data flow forwarding (FDFF) and the false neighbor information (FNI) attacks.

1) The false data flow forwarding (FDFF) attack targets the controller via the network's devices. First, the attacker sends data packets with unknown flow identifiers to its neighbors. The neighbors receive the packet and check the flow table to determine the action required, without success, and thus ask the controller for a rule by sending a flow rule request packet. The controller receives this packet, calculates the rule and replies by sending a flow setup packet. Fig. 1 shows the packet exchange during this attack, which aims at increasing the network's packet traffic and the controller's and neighbors' processing overhead.

2) The false neighbor information (FNI) attack modifies the packets that contain neighbor information. The attackers do not intercept the neighbor information packets but modify the ones that use them to reach the controller. When receiving a neighbor information packet, the attacker modifies either the routing metric or the node identification number, then the packet continues its normal route to reach the controller. The packet exchange diagram for this attack is depicted in Fig. 2. This attack leads the controller to treat false information as true, and it will send erroneous routing rules to the nodes.

IV. ONLINE CHANGE POINT DETECTION

In this section we explain the basics of change point (CP) analysis and the algorithm we used for DoS attack detection in SDWSN. Generally, change point problems have been phrased as hypothesis tests. The null hypothesis is established to represent structural stability of the process, while the alternative hypothesis contains one or multiple change points. The test statistics may be viewed as two-sample tests adjusted for the unknown break location, thus leading to max-type procedures. Often asymptotic relationships are derived to obtain critical values for the tests. After the null hypothesis is rejected, the location(s) of the break(s) need(s) to be estimated [23].

It was shown in [13] that FDFF attacks induce substantial changes in mean control packet rates while FNI attacks induce important changes in mean data packets delivery rates. From this analysis, we formulated the attack detection problem as
a hypothesis test, examining whether a change has occurred in the mean value of the time series observed for these two metrics.

Regarding the CP methodologies that incorporate the serial dependence of the observations into the statistical analysis, we can distinguish between parametric and non-parametric approaches. Focusing on non-parametric anomaly detection, i.e., without relying on assumptions regarding the underlying statistical model, we note it has typically been considered for the detection of anomalies in networks' traffic. As an example, Tartakovsky et al. [24] proposed an algorithm for anomaly detection in computer network traffic, Wang et al. [25] proposed a cumulative sum (CUSUM) based proposal for the detection of SYN attacks, and Skaperas et al. [26] [27] used mean change point analysis to detect anomalies in video content popularity.

In this work, we employed a CUSUM based algorithm to detect changes in the mean value of the control overhead and data packets delivery rate time series. This decision allowed us to alleviate the need for any parametric model with respect to the impact of the attack [14]. Then, in [15] we proposed two major novelties in the detector: first, we moved to a purely online detector, unlike [14] in which a hybrid offline-online algorithm was presented; secondly, we monitored multiple metrics in parallel, increasing the detection vector space to different types of attack, and provided a probabilistic identification of the type of the attack.

To outline the online CP algorithm, let $\{X_n : n \in \mathbb{N}\}$ be the time series of the metric monitored. Using Wold's theorem we can assume that, for $X_1, \ldots, X_N$, each sample is expressed as $X_n = \mu_n + Y_n$, where $\{\mu_n, n \in \mathbb{N}\}$ is the mean of the time series and $\{Y_n : n \in \mathbb{N}\}$ is a random zero mean term, so that we can rewrite $X_n$ as:

$$X_n = \begin{cases} \mu + Y_n, & n = 1, \ldots, m + k^* - 1 \\ \mu + Y_n + I, & n = m + k^*, \ldots \end{cases} \quad (1)$$

where $k^* \in \mathbb{N}^*$ represents the unknown time of change and $\mu, I \in \mathbb{R}^r$ represent the mean parameters before and after $k^*$, respectively. In the present work we assume a period of no change in the mean of at least $m$ samples, i.e., during the first $m$ samples of our observation there is no change, so that:

$$\mu_1 = \ldots = \mu_m \quad (2)$$

During this period, our detector "learns" in real time the statistics of the observed time series, and the mean value in particular. Finally, the statistical hypothesis test is articulated as,

$$H_0 : I = 0, \qquad H_1 : I \neq 0. \quad (3)$$

The on-line sequential analysis belongs to the category of stopping time stochastic processes. In general, a chosen on-line test statistic $TS_{on}(m, l)$ and a given threshold $F(m, l)$ define the stopping time $\tau(m)$:

$$\tau(m) = \begin{cases} \min\{l \in \mathbb{N} : TS_{on}(m, l) > F(m, l)\}, \\ \infty, \text{ if } TS_{on}(m, l) < F(m, l)\ \forall l \in \mathbb{N}, \end{cases} \quad (4)$$

implying that $TS_{on}(m, l)$ is calculated on-line for every $l$ in the monitoring period. The procedure stops if the test statistic exceeds the value of the threshold function $F(m, l)$. As soon as this happens, the null hypothesis is rejected and a CP is detected. The following properties should hold for $\tau(m)$,

$$\lim_{m \to \infty} \Pr\{\tau(m) < \infty \mid H_0\} = \alpha, \quad (5)$$

ensuring that the probability of false alarm is asymptotically bounded by $\alpha \in (0, 1)$, and,

$$\lim_{m \to \infty} \Pr\{\tau(m) < \infty \mid H_1\} = 1, \quad (6)$$

ensuring that under $H_1$ the asymptotic power is unity. Under these conditions, $F(m, l)$ is defined as,

$$F(m, l) = cv_{on,\alpha}\, g(m, l), \quad (7)$$

where: (i) $cv_{on,\alpha}$ is the critical value determined from the asymptotic behavior of the stopping time procedure under $H_0$ by letting $m \to \infty$, and (ii) $g(m, l)$ is the weight function defined as:

$$g(m, l) = \sqrt{m} \left(1 + \frac{l}{m}\right) \left(\frac{l}{l + m}\right)^{\gamma} \quad (8)$$

where the sensitivity parameter $\gamma \in [0, 1/2)$.

The online algorithm uses the standard CUSUM detector [28], with test statistic denoted by $TS^{ct}_{on}$. Its corresponding critical value is denoted by $cv^{ct}_{on,\alpha}$ and the stopping rule by $\tau_{ct}(m)$. The sequential CUSUM detector is denoted by $E(m, l)$,

$$E(m, l) = \bar{X}_{m+1, m+l} - \bar{X}_{1, m} \quad (9)$$

The standard CUSUM test is expressed as:

$$TS^{ct}_{on}(m, l) = l\, \hat{\Omega}_m^{-1/2} E(m, l), \quad (10)$$

where $\hat{\Omega}_m$ is the estimated long-run covariance, defined as in (4), that captures the dependence between observations. Then, the stopping rule $\tau_{ct}(m)$ is defined as:

$$\tau_{ct}(m) = \min\{l \in \mathbb{N} : \|TS^{ct}_{on}(m, l)\|_1 \geq cv^{ct}_{on,\alpha}\, g(m, l)\}, \quad (11)$$

where the $\ell_1$ norm is involved to modify $TS^{ct}_{on}$ so that it can be compared to a one dimensional threshold function. The critical value, $cv^{ct}_{on,\alpha}$, is derived from the asymptotic behavior of the stopping rule under $H_0$:

$$\lim_{m \to \infty} \Pr\{\tau(m) < \infty\} = \lim_{m \to \infty} \Pr\left\{ \sup_{1 \leq l \leq \infty} \frac{\|TS^{ct}_{on}(m, l)\|_1}{g(m, l)} > cv^{ct}_{on,\alpha} \right\} \quad (12)$$

$$= \Pr\left\{ \sup_{t \in [0, 1]} \frac{\|W(t)\|_1}{t^{\gamma}} > cv^{ct}_{on,\alpha} \right\} = \alpha \quad (13)$$

where $W(t)$ denotes the Brownian motion with mean 0 and variance $t$. The on-line critical values were computed using Monte Carlo simulations, considering that,

$$cv^{ct}_{on,\alpha} = \sup_{t \in [0, 1]} \frac{W(t)}{t^{\gamma}}, \quad (14)$$
Lastly, the estimated on-line CP, $\hat{k}_{on}$, is derived directly from the value of the stopping time $\tau(m)$, as,

$$\hat{k}_{on} = m + \{\tau(m) \mid \tau(m) < \infty\}. \quad (15)$$

Summarizing, the overall algorithm has 3 main steps:

• Step 1: define the values of the quantities $m$, $\gamma$, the confidence level $\alpha$, and set $l$.
• Step 2: after collecting $m$ samples of the metric, $\Gamma(m, l)$ (10) and the weight function in (8) are calculated for every $l$ in the monitoring period, to then apply (12).
• Step 3: if a CP is detected, the online process stops. Conversely, if the period $l$ ends, a new monitoring period is defined.
V. CENTRALIZED DETECTION

In [13], it has been shown that FDFF and FNI attacks have a significant impact on the data packets delivery rate and the control packets overhead. A centralized intrusion detection, first proposed in [14] and [15], can be used to determine if the network is under attack based on the monitoring of these two metrics; here we propose to use parallel detectors for both and to identify the type of the attack based on which detector triggers an alert first. In detail, an attack is classified as an FDFF or an FNI attack based on the following reasoning:

1) If a CP is detected in the mean value of the data packets delivery rate or the control packets overhead, we determine that the network is under attack;
2) If the CP is first detected in the control packets overhead, the attack is classified as FDFF; conversely, if the CP is detected first in the data packet delivery rate, the attack is classified as FNI.

Our proposal is based on the SDN architecture proposed in the IRTF RFC 7426 [29], depicted in Fig. 3, in which the management plane's purpose is to ensure the network is running optimally. To accomplish this, the management plane establishes communication with the network devices using the Southbound Interface to obtain information about the network operation. Then, this information is shared with the modules in the Application Plane using the Network Services Abstraction Layer.

Fig. 3. SDWSN architecture based on the IRTF RFC 7426 document [29]

We monitor the number of control packets and data packets sent by every node, and the number of data packets received by the data sink. Every node sends a packet to a management sink every two minutes, and then these data are sent to the security module in the Application Plane. The security module calculates the metrics, constructs the time series and runs the CP detector algorithm explained in Section IV. Whenever a CP is detected, the module raises an alarm indicating the metric where the CP was detected. This information could be sent to the controller to implement mitigation strategies, which is outside the scope of this work.

A. Experimental setup

We generated a dataset comprising 480 simulations, divided into 240 simulations of FNI attacks and 240 simulations of FDFF attacks. Then, we split each subgroup into two sets: one set for parameterization, to capture different trade-offs between the detection rate and the speed of detection, and the other for validation. In particular, we used the first set to determine the optimal values of $\{m, \gamma\}$ (both parameters explained in Section IV) for each type of attack and each observed metric. Then, using the values determined for $\{m, \gamma\}$, we executed the CP detector algorithm over the validation sets to evaluate the performance achieved. We performed simulations on square grids with either 36 or 100 nodes and we varied the number of intruders (attackers) in three proportions: 5%, 10% and 20% of the total number of nodes in the network.

First, we executed the algorithm on the first set for $m \in \{100, 150, 200\}$ and $\gamma \in \{0, 0.15, 0.25, 0.35, 0.45, 0.49\}$ to determine the values that provide the best performance for different trade-offs between the detection rate $DR$ and the detection time median $DTM$. The $DR$ is the ratio of successfully detected attacks over the total number of attacks. The $DTM$ is the median of the number of samples required to detect the attack. From that, we introduced a "detection score" metric to capture the relative importance that is given to the $DR$ versus the $DTM$ (which focuses on detecting changes in a signal or a time series as quickly as possible after they occur [30]). The proposed detection score metric, $P_{DS}$, is defined as:

$$P_{DS}(A, B) = A(1 - S) + B(DR), \qquad A + B = 1, \quad (16)$$

where $A$ and $B$ are constants that determine the relative weight of each term, and $S = DTM / l$ with $l$ the number of samples monitored after the attack starts. We used five combinations of $A$ and $B$, where $(A, B) \in \{(1, 0), (0.8, 0.2), (0.5, 0.5), (0.2, 0.8), (0, 1)\}$, to compare the results when prioritizing the speed of detection ($A > B$) versus when prioritizing the detection rate ($A < B$).

During evaluation, two CP detectors were running in parallel: one detector monitoring the control packets overhead and the other one monitoring the data packets delivery rate. The validation set comprised both FDFF and FNI attack simulations, 50% of each, including all chosen topologies and attack intensity levels. In the validation stage we used the optimal pairs $(m, \gamma)$ identified for each pair $(A, B)$ to
IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, MARCH 20XX 7

Fig. 4. Topology example for 36 nodes with 10% of nodes behaving as attackers: there is one SDN controller, two sinks, and three attackers. The green circle represents the radio range of all nodes. Panels: (a) FDFF attack, (b) FNI attack.

Fig. 5. Topology example for 100 nodes with 10% of nodes behaving as attackers: there is one SDN controller, two sinks, and ten attackers. The green circle represents the radio range of all nodes. Panels: (a) FDFF attack, (b) FNI attack.

maximize the metric PDS(A, B). Whenever a CP was detected, we stopped the detectors, declared the network under attack, and determined which metric triggered the detector. If the detector monitoring the control overhead was triggered first, we declared an FDFF attack; alternatively, if the detector monitoring the data packet delivery rate was triggered first, we declared an FNI type of attack.

The SDWSN implementation uses IT-SDN, without changing the default configuration [12], and the simulations were performed using the COOJA simulator [31], emulating Tmote Sky motes. We used fully bidirectional square grid topologies with 36 and 100 nodes, one controller, and two sinks: one sink to receive data packets and the other one to receive management packets. The controller was in the center of the grid and the sinks were in the middle of the grid edge, since this location gave better performance in terms of delay, control overhead, energy consumption, and delivery rate according to [12]. The attackers were distributed into the network semi-randomly under the condition that two or more attackers cannot be neighbors, and this distribution remains equal on every scenario replication. Figs. 4 and 5 show the attackers' distribution for 36 nodes and 100 nodes, respectively, when 10% of nodes are attackers. The green circle around the controller represents the devices' radio range.

The sensor nodes were programmed to transmit one data packet every 30 seconds and one management packet every 2 minutes, both with a payload of 10 bytes. The data packets contained the application information and the management packets contained the information required by the network management plane [32]. The data packets delivery rate and the control packets overhead were observed every two minutes, considering the exchange of messages in the whole network during this window of time. The delivery rate was calculated by dividing the number of data packets successfully received by the number of data packets sent. The control packets overhead was quantified as the number of control packets sent. Since we took samples every two minutes, we decided to run each single simulation for 10 hours. During the first 8 hours the network operated normally (i.e., for 240 samples there was no change), then the attack was triggered. This imposed a bound m < 240. Table III summarizes the simulation's and IT-SDN's most important parameters.

B. Results analysis

As explained in Section V-A, we separated our dataset into two groups, one to determine the values of m and γ that
TABLE III
SIMULATION PARAMETERS

Simulation parameters
  Topology                          Square grid
  Number of nodes                   36 and 100
  Simulation time                   36000 s
  Node boot interval                [0, 1] s
  Number of sinks                   2
  Sinks position                    Middle of the grid edge
  Controller position               Center
  Data traffic rate                 1 packet every 30 seconds
  Management traffic rate           1 packet every two minutes
  Data payload size                 10 bytes
  Management payload size           10 bytes
  Data traffic start time           [2, 3] min
  Radio module power                0 dB
  Distance between neighbors        50 m
  Attacks begin after               28800 s
IT-SDN parameters
  Controller retransmission timeout 60 s
  ND protocol                       Collect-based
  Link metric                       ETX
  Neighbor report max frequency     1 packet per minute
  CD protocol                       none
  Flow setup                        source routed
  Route calculation algorithm       Dijkstra
  Route recalculation threshold     10%
  Flow setup types                  regular or source routed
  Flow table size                   10 entries

TABLE IV
γ THAT MAXIMIZES PDS

  PDS weights                  α = 0.90   α = 0.95   α = 0.99
Best γ for control overhead CP detector
  A = 1 and B = 0              0.45       0.45       0.45
  A = 0.8 and B = 0.2          0.35       0.35       0.45
  A = 0.5 and B = 0.5          0.25       0.35       0.45
  A = 0.2 and B = 0.8          0.25       0.25       0.35
  A = 0 and B = 1              0          0          0
Best γ for delivery rate CP detector
  A = 1 and B = 0              0.45       0.45       0.45
  A = 0.8 and B = 0.2          0          0.15       0.15
  A = 0.5 and B = 0.5          0          0          0.15
  A = 0.2 and B = 0.8          0          0          0
  A = 0 and B = 1              0          0          0

maximizes PDS and the other one to evaluate the performance of our proposal using these values. In Section V-B1 we analyze the results of the training experiments and in Section V-B2 we analyze our proposal's performance.

1) Optimizing m and γ: The main objective of these experiments was to determine the parameters {m, γ} that could provide the best detection performance based on the metric PDS. We calculated the PDS metric for all topologies, attack scenarios and combinations of m and γ. Then we analyzed the results for α ∈ {0.90, 0.95, 0.99}. The first results showed that in 90% of all cases PDS was maximized when m = 200, making this value a universally optimal choice and the m value used for the remainder of the analysis. This means that when running the online detector, no training is required, other than the observation of 200 samples of normal network operation.

For the next part, we separated the results grouping each attack by monitoring metric: for the FDFF attack we analyzed the control overhead CP detection results, and for the FNI attack we analyzed the data packets delivery rate CP detection results, based on the results in [14]. Fig. 6 shows the average value of PDS as a function of γ and α for the case of FDFF attack. In Fig. 6a we observed that in the case of prioritizing faster detection (i.e. A = 1) the higher results of PDS are for γ = {0.35, 0.45} and the lower results of PDS are for γ = {0, 0.15}. Conversely, in Fig. 6c we observed that when prioritizing the detection rate, the higher values of PDS are for γ = {0, 0.15, 0.25}, reaching PDS = 1.

Fig. 7 shows the average value of PDS for the case of FNI attack. In contrast to the results in Fig. 6, in this case they were not as clear-cut as for the FDFF attack, because lower values of γ maximized PDS when A = B = 0.5 and when B = 1, which means the detection rate component has more influence on PDS than the detection speed component.

From these results we inferred that by varying γ we are able to configure our detector to prioritize faster detection or accuracy. On the other hand, the response is different for both attacks. In Table IV we show the values of γ that maximized PDS. In cases where more than one value provided the same or very comparable results, we chose one of them arbitrarily.

2) Centralized detector performance: For this part we set up two detectors running simultaneously using m = 200. The first experiment was devised to identify the type of the attack based on the first detector triggered. Fig. 8 shows the probability of the control overhead CP detector being triggered first in case of FDFF attack. These results showed that in the worst case the detector monitoring the control overhead has a probability between 0.89 and 0.98 of being triggered first in case of FDFF attack. In case of FNI attack, the detector monitoring the data packets delivery rate was triggered first in 100% of the events, as shown in Fig. 9. These results showed that there is evidence to support the conjecture drawn up in our previous works about the relation between metric and attack.

Next we analyze the detection performance using the parameters that maximize PDS. Fig. 10 depicts the detection rate DR and the metric 1 − S when the network is under FDFF attack. Considering both DR and 1 − S, the results for A = 0.8 provided the best trade-off.

Fig. 11 shows the detection rate and the detection speed metrics for the FNI attack using the identified values of γ. In terms of detection speed, A = 0 obtained the fastest detection, as intuitively expected based on the results from Fig. 7. Comparing the results for A = 1 and A = 0, we can maximize DR at the cost of 0.03 in 1 − S, which is equivalent to 1.8 samples. On the other hand, if we are looking for the fastest
Fig. 6. Metric PDS as a function of γ and α for FDFF attack: (a) shows PDS when prioritizing quickest detection (A = 1 and B = 0), (b) shows PDS when giving the same weight to detection speed and detection rate (A = B = 0.5), and (c) shows PDS when prioritizing detection rate (A = 0 and B = 1).

Fig. 7. Metric PDS as a function of γ and α for FNI attack: (a) shows PDS when prioritizing quickest detection (A = 1 and B = 0), (b) shows PDS when giving the same weight to detection speed and detection rate (A = B = 0.5), and (c) shows PDS when prioritizing detection rate (A = 0 and B = 1).

Fig. 8. Probability of control overhead CP detector being triggered first in case of FDFF attack.

Fig. 9. Probability of data packets delivery rate CP detector being triggered first in case of FNI attack.

detection, DR drops to 0.90 or below.

The last scenario we analyzed was the detection performance irrespective of the type of the attack. In this case both detectors were running simultaneously in a network prone to both FDFF and FNI attacks. The results in Fig. 12 showed a detection rate over α when A = 0, 0.2, 0.5, 0.8 for α = 0.90, 0.95. When α = 0.99, DR = α for A = 0, 0.2 only. This means that if we want to maximize the detection rate we need to use the configuration for A = 0, 0.2. In terms of detection speed, as shown in Fig. 12b, maximizing the detection rate means a lag of 3 samples on average with respect to the fastest detection result obtained.

Summarizing Section V, we split our dataset into two sets: one for identifying the optimal values of m, γ and the other one for validation. We chose the pairs (m, γ) that maximized the detection performance metric PDS based on the results from the experiments on the training dataset. Our results showed that in 90% of cases m = 200 maximized the metric PDS. With respect to γ, we observed that using γ = 0.45, 0.49 we reduced the time to detect the attack, but this had an adverse effect on the detection rate. Conversely, when γ = 0, 0.15 we maximized the detection rate at the cost of delaying the detection.
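As an added example (not code from the paper), the following Python computes DR, DTM, S and PDS from Eq. (16) for a set of simulation outcomes, selects the γ that maximizes PDS for a given (A, B), and applies the first-triggered-detector rule from the start of Section V to label an attack FDFF or FNI. The CP detector itself (Section IV) is not on this page, so each simulation is represented only by the sample index at which each detector triggered; l = 60 follows from the page's own numbers (a 10 h run sampled every 2 min with the attack after 8 h, and 1 − S = 0.84 corresponding to 9.6 samples), and the outcome lists are constructed.

```python
"""Detection score P_DS (Eq. 16) and the first-triggered-detector rule.

Added example; not the paper's code. Each simulation is summarised by the
sample index (counted from the attack start, 1-based) at which a CP detector
triggered, or None if it stayed silent for the whole post-attack window.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional, Tuple

# l in Eq. (16): samples observed after the attack starts. Derived from the
# page's setup (10 h runs, 2 min samples, attack after 8 h -> 60 samples).
L_SAMPLES = 60


@dataclass(frozen=True)
class SimOutcome:
    """Trigger sample of the two parallel detectors in one simulation."""
    control_overhead: Optional[int]
    delivery_rate: Optional[int]


def classify_attack(o: SimOutcome) -> Optional[str]:
    """Section V rule: the detector that triggers first names the attack.
    A tie is resolved as FDFF (assumption; the paper does not say)."""
    co, dr = o.control_overhead, o.delivery_rate
    if co is None and dr is None:
        return None                     # no CP detected: no attack declared
    if dr is None or (co is not None and co <= dr):
        return "FDFF"                   # control overhead detector first
    return "FNI"                        # delivery rate detector first


def detection_stats(samples: List[Optional[int]]) -> Tuple[float, float]:
    """(DR, DTM): DR = detected / total; DTM = median samples-to-detect
    over the successful detections (0 when nothing was detected)."""
    detected = [s for s in samples if s is not None]
    dr = len(detected) / len(samples)
    dtm = float(median(detected)) if detected else 0.0
    return dr, dtm


def detection_score(samples: List[Optional[int]], a: float, b: float,
                    l: int = L_SAMPLES) -> float:
    """P_DS(A, B) = A(1 - S) + B * DR with S = DTM / l and A + B = 1."""
    if abs(a + b - 1.0) > 1e-9:
        raise ValueError("A + B must equal 1")
    dr, dtm = detection_stats(samples)
    s = dtm / l
    return a * (1.0 - s) + b * dr


def best_gamma(results_by_gamma: Dict[float, List[Optional[int]]],
               a: float, b: float) -> Tuple[float, float]:
    """Return (gamma, score) for the gamma maximising P_DS(A, B).
    Ties keep the smaller gamma (the paper chose arbitrarily)."""
    scored = [(detection_score(v, a, b), -g) for g, v in results_by_gamma.items()]
    score, neg_g = max(scored)
    return -neg_g, score


# Constructed outcomes of the control-overhead detector under FDFF attack,
# one list per gamma: a higher gamma reacts faster but misses more attacks.
FDFF_CONTROL_OVERHEAD: Dict[float, List[Optional[int]]] = {
    0.0:  [9, 10, 8, 11, 10, 9, 12, 10],       # all detected, slow
    0.25: [6, 7, None, 6, 8, 7, 6, 7],         # one miss, faster
    0.45: [3, 4, None, 3, None, 4, 3, 5],      # two misses, fastest
}

if __name__ == "__main__":
    for a, b in ((1.0, 0.0), (0.8, 0.2), (0.5, 0.5), (0.2, 0.8), (0.0, 1.0)):
        g, score = best_gamma(FDFF_CONTROL_OVERHEAD, a, b)
        print(f"A={a:.1f} B={b:.1f}: best gamma={g:.2f}, P_DS={score:.3f}")
    print(classify_attack(SimOutcome(control_overhead=4, delivery_rate=9)))
```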
Fig. 10. Detection performance of FDFF attack using γ and m values that optimize PDS for five different cases: {A, B} = {{1, 0}, {0.8, 0.2}, {0.5, 0.5}, {0.2, 0.8}, {0, 1}}. (a) Detection rate; (b) Detection speed.

Fig. 11. Detection performance of FNI attack using γ and m values that optimize PDS for five different cases: {A, B} = {{1, 0}, {0.8, 0.2}, {0.5, 0.5}, {0.2, 0.8}, {0, 1}}. (a) Detection rate; (b) Detection speed.

Fig. 12. Detection performance of FDFF and FNI attacks using γ and m values that optimize PDS for five different cases: {A, B} = {{1, 0}, {0.8, 0.2}, {0.5, 0.5}, {0.2, 0.8}, {0, 1}}. (a) Detection rate; (b) Detection speed.

Then, we tested the CP detectors on the validation dataset using the parameter values chosen before. Results showed that we were able to detect the attack with DR ≥ α when B > A. On the other hand, if we prioritize the fastest detection, the detection rate drops to 0.93 or below. In conclusion, we provided concrete evidence to support the relation between the monitored metric and the type of attack.

VI. DISTRIBUTED DETECTION

In this section we explain our distributed detection proposal for DoS attacks in SDWSN. The central idea is to implement one CP detector on individual nodes (potentially on every node). To the best of our knowledge, intrusion detection at the individual sensor level breaks new ground. In case of a CP detected, the sensor warns the controller about it (which in turn sends this information to the security application through the Network Services Abstraction Layer, and the security application decides whether the network is under attack or not).

Our goal is to investigate whether the detection of FDFF and FNI attacks is feasible on individual nodes. Our hypothesis is that it could be possible if metrics related to the number of control packets exchanged and the active state time (i.e., the time the node is not in sleeping mode) are monitored. To
test our hypothesis, we ran the CP detector on every node and monitored the following metrics: the processing time, the transmitting time, the number of control packets received, and the number of control packets transmitted. The processing time is the time the node remains with the microprocessor in active state and the transmitting time is the time the node remains with the radio module turned on transmitting packets. In the experiments presented below, based on Contiki 3.0, both metrics can be obtained using Energest [33], a tool to monitor the device's hardware usage. Furthermore, the number of control packets received or transmitted can be obtained by programming every node to print every packet sent and received; using the COOJA simulator's serial output, this information can be copied into a text document.

A. Experimental setup and results

We used a dataset of 120 simulations divided into two groups: half for the FDFF attack and the other half for the FNI attack. For both attacks we simulated grid topologies of 36 and 100 nodes where 10% of nodes were attackers. For these experiments we prioritized detection accuracy over detection speed, thus we configured the detector using γ = 0 and set the target α = 0.99. For the monitoring period of no change, we set m = 200 according to the results obtained in Section V to maximize the detection performance.

We evaluated the detection performance on every node monitoring each metric separately, i.e., running only one detector at a time due to memory constraints on the nodes. For this evaluation we calculated the detection probability of every node on each scenario. We maintained the same simulation parameters and attackers' positions used for the centralized detection experiments. The parameters are summarized in Table III and the attackers' positions are represented in Figs. 4 and 5. Our detection performance analysis is based on three perspectives under the condition that the network is under attack: (i) probability of CP detection on each node; (ii) percentage of nodes reporting with high detection rates; and (iii) location of nodes reporting high detection rates.

1) Results for FDFF attack: Fig. 13 shows the detection probability distribution when the network is under FDFF attack for 36 and 100 nodes, i.e., the percentage of the total number of nodes with very low (0 ≤ PDR ≤ 0.25), low (0.25 < PDR ≤ 0.50), high (0.50 < PDR ≤ 0.75), or very high (0.75 < PDR ≤ 1.00) detection rates. In the case of 36 nodes, as shown in Fig. 13a, we noticed there is a large percentage of nodes that have a very high detection rate for FDFF attacks when monitoring the processing time or the transmitting time. The results in the case of 100 nodes (Fig. 13b) showed as well that for time-based metrics a large portion of the network will identify the attacks with very high detection rates.

Next, we further zoomed in on detection probabilities greater than 0.90, shown in Fig. 14, when the network is under FDFF attack for topologies with 36 (Fig. 14a) and 100 (Fig. 14b) nodes. For the case of 36 nodes, when monitoring the control packets transmitted around 12% of nodes reported an alarm in at least 90% of the times the network was under an FDFF attack. On the other hand, the percentage of nodes reporting an alarm increased to over 33% when monitoring either the processing time, the transmitting time, or the control packets received. The percentage of nodes reporting an alarm increases in general with the network size, obtaining the highest result when monitoring the transmitting time and the lowest result when monitoring the control packets transmitted. In brief, for 36 nodes the percentage of nodes reporting alarms with PDR ≥ 0.90 was similar when monitoring either the processing time, transmitting time, or control packets received. However, for 100 nodes the results when monitoring the transmitting time were clearly above the results when monitoring any of the other metrics. In the hypothetical case where the nodes have resources to monitor only one metric, the transmitting time is the one that provides the best trade-off in terms of percentage of nodes reporting an alarm.

Subsequently, we analyzed the position of nodes in the network and their detection probabilities. For this analysis we chose the time-based metric and the control-packets-based metric with better detection. Fig. 15 shows the heat maps for 36 nodes when monitoring the transmitting time and the control packets received. From these results we make two observations: i) in the case of monitoring the transmitting time, the neighbors of the attackers had higher detection probability than nodes farther away; and ii) in the case of monitoring the control packets received, excluding the controller and the node on the lower left corner, all nodes reporting an alarm were in the attacker's neighborhood and had a PDR = 1. For 100 nodes we observed a similar behavior when monitoring the control packets received (Fig. 16b), but when monitoring the transmitting time (Fig. 16a) we observed that high detection probability is not exclusive to attackers' neighbors and is spread all over the topology. This happened because when the network was under attack, the number of control packets increased and this impacted the radio usage of all nodes forwarding those packets. On the other hand, the control packets received is a metric that impacts only the node that receives the packet. In Section VII we explore how to use a node's location and address to identify the attackers.

2) FNI: Fig. 17 shows the detection probability density distribution results when the network was under an FNI attack. For 36 nodes (Fig. 17a) we observed a similar behavior for all four metrics: high density in probabilities around 0 and 0.20 that decreased as the detection probability grew, the result for control packets received being the one with the highest density in probabilities over 0.6. In the case of 100 nodes, the results for control packets transmitted maintained the behavior observed for 36 nodes, with high density in probabilities between 0 and 0.20 that decreased for higher probabilities. The results for processing time, transmitting time, and control packets received showed high detection probability density around 0.20 and 0.50. Then, for detection probabilities over 0.90, the highest density was for the transmitting time. The reason why we observed more impact on the transmitting time and the control packets received is that this attack leads to a network reconfiguration using wrong neighborhood information. First, the network reconfiguration means several control packets from the controller to the nodes, which increases this
Fig. 13. Detection probability distribution of FDFF attack: Comparison of detection probability when monitoring the processing time, transmitting time, control packets received, and control packets transmitted. The "x" axis represents the detection probability divided into four groups: [0, 0.25), [0.25, 0.50), [0.50, 0.75], and [0.75, 1]. The "y" axis represents the percentage of the total nodes that obtained this detection probability. (a) shows the results for 36 nodes and (b) shows the results for 100 nodes.

Fig. 14. Percentage of nodes with detection probability larger than 90% for the FDFF attack: Comparison of detection probability when monitoring the processing time, transmitting time, control packets received, and control packets transmitted. The "y" axis represents the percentage of the total nodes with high detection probability. (a) shows the results for 36 nodes and (b) shows the results for 100 nodes.

metric on these nodes. Then, since the reconfiguration is based on wrong information, the number of packet retransmissions increases, increasing the transmitting time metric as well.

To confirm the previous results, we calculated the percentage of nodes reporting an alarm with probabilities PDR ≥ 0.90. Fig. 18 shows these results for 36 and 100 nodes. For 36 nodes, 2.7% of nodes obtained a PDR ≥ 0.90 when monitoring either the control packets received or the control packets transmitted. Since 2.7% represents less than one node, we consider that our distributed proposal is not able to detect an FNI attack in a small topology with a probability above 0.90. For 100 nodes, the highest result was for the case monitoring the transmitting time, where 11% of nodes obtained a PDR ≥ 0.90. The percentage of nodes reporting an alarm when monitoring the transmitting time with PDR ≥ 0.90 is higher for 100 nodes than for 36 nodes for two reasons: there were more nodes using an attacker to reach the controller, which increased the percentage of nodes affected; and the distance between the attackers and the controller was larger for 100 nodes, which means more nodes participated in the forwarding when doing the network's reconfiguration. For this case, we consider our proposal is able to detect when the network is under an FNI attack with high probability, but only when monitoring the transmitting time metric.
Fig. 15. Detection probability heat maps for 36 nodes when the network is under FDFF attack. Each square represents a node in the network and the number inside it is the detection probability result. The red squares with an "A" inside are the attackers. (a) shows the results when monitoring the transmitting time and (b) shows the results when monitoring the control packets received.

Fig. 16. Detection probability heat maps for 100 nodes when the network is under FDFF attack. Each square represents a node in the network and the number inside it is the detection probability result. The red squares with an "A" inside are the attackers. (a) shows the results when monitoring the transmitting time and (b) shows the results when monitoring the control packets received.

Notwithstanding the detection performance of the FNI attack, in Fig. 13 we observed a high density of nodes reporting alarms with probabilities over 0.50 when monitoring the control packets received and the transmitting time, thus we decided to investigate the location of those nodes in the topology. We observed that in the cases monitoring the control packets received, as shown in Fig. 19, some nodes around the attackers concentrated the higher detection probability values, but others also close to the attacker had detection probabilities around zero. The question arises as to why this is observed; the reason being that neighboring nodes with higher detection probabilities used the attacker to route their packets toward the controller, thus the network misconfiguration reached them first. From these results, a second strategy based on data aggregation was motivated, analyzing CP detection per region (area). To this end, we divided the 36 nodes into four groups and the 100 nodes into nine groups and created one time series per group. Each sample of this time series represented the sum of the time series of all nodes in the group, thus we executed one CP detector per group. Fig. 20 shows PDR results for 36 and 100 nodes when monitoring the control packets received. Excluding the groups that contained the controller, in all cases the detection probability achieved is better than the one obtained by any of the nodes individually. This indicates that with data aggregation we lose granularity but we gain in detection rates.

Summarizing Section VI, we evaluated our CP detection proposal on networks under FDFF and FNI attack, monitoring four metrics obtained from each node: processing time, transmitting time, control packets received, and control packets transmitted. Our results showed that in case of FDFF attack, at least 33% of the total of nodes obtained a detection probability equal to or over 90% when monitoring the processing time, the transmitting time, or the control packets received. In the
Fig. 17. Detection probability distribution of FNI attack: Comparison of detection probability when monitoring the processing time, transmitting time, control packets received, and control packets transmitted. The "x" axis represents the detection probability divided into four groups: [0, 0.25), [0.25, 0.50), [0.50, 0.75], and [0.75, 1]. The "y" axis represents the percentage of the total nodes that obtained this detection probability. (a) shows the results for 36 nodes and (b) shows the results for 100 nodes.

Fig. 18. Percentage of nodes with detection probability of FNI attack larger than 90%: Comparison of detection probability when monitoring the processing time, transmitting time, control packets received, and control packets transmitted. The "y" axis represents the percentage of the total nodes with high detection probability. (a) shows the results for 36 nodes and (b) shows the results for 100 nodes.

cases when the network was under an FNI attack the results were not satisfactory, and thus we introduced a second strategy based on data aggregation. Our results showed that using this strategy we increased the detection probability but lost in granularity.

VII. ATTACKER DETECTION

The results discussed in Sections VI-A and V showed that the CP detectors for DoS attacks worked for both centralized and distributed detection, but we also observed that the distributed detection provides information from which the attackers' location can be inferred. In this direction, our proposal exploits the SDN's characteristics by using the controller's global view of the network to identify the attacker's address or location based on the alarms reported by the nodes.

In this section we present and evaluate an algorithm to locate attackers when the network is under an FDFF or FNI attack. We separate our analysis by the type of attack; in subsection VII-A we explain and present the results for the FDFF attack and in subsection VII-B we do the same for the FNI attack.

A. Attacker detection in FDFF attack

Our results in Figs. 15 and 16 showed that when monitoring the control packets the attackers' neighbors had a PDR = 1, and when monitoring the transmitting time the attackers'
Fig. 19. Detection probability heat maps when the network is under FNI attack. Each square represents a node in the network and the number inside it is the detection probability result. The red squares with an "A" inside are the attackers. (a) shows the results for 36 nodes and (b) shows the results for 100 nodes.

Fig. 20. Detection probability heat maps when the network is under FNI attack. Each square represents a group of nodes and the number inside it is the detection probability result aggregating the control packets received information of all nodes in the group. (a) shows the results for 36 nodes and (b) shows the results for 100 nodes.

neighbors had a PDR ≥ 0.90. Based on these findings, our proposal is to identify the attackers' IDs based on the alarms reported by their neighbors. To accomplish this, the Security module in the application plane requests neighborhood information from the controller and executes Algorithm 1, presented in the following.

Algorithm 1 FDFF attackers identification
  Wait alarms{nodes}
  request graph information{nodes}
  for n in alarms do
    suspects = Extract neighbors(n)
    for s in suspects do
      s counter++
      if s counter == total neighbors then
        s = attacker
      end if
    end for
  end for

As explained in Algorithm 1, the Security module waits for an alarm(s) and then requests from the controller the neighborhood information of the reporting nodes. The alarms received are represented by the vector alarms{nodes}. Then, the Security module extracts the neighbors of each node in the vector alarms{nodes} and stores them in the vector suspects. Each suspect has a counter which represents the number of times a node is declared a suspect. Lastly, the controller checks if the counter of the suspect is equal to the number of its neighbors. In that case, the suspect is declared an attacker.

Fig. 21 depicts the attacker identification results for 36 nodes when monitoring the transmitting time and the control packets received. The heat map shows the probability that each node has of being identified as an attacker. We observed that for the case monitoring transmitting time (Fig. 21a), in addition to the three attackers, seven benign nodes were identified as attackers as well. The probabilities of those nodes being
IEEE INTERNET OF THINGS JOURNAL, VOL. XX, NO. XX, MARCH 20XX 16

misidentified as attackers ranged from 0.10 to 1.00, which means that some nodes were misidentified in all cases. In the case monitoring the control packets received (Fig. 21b), all the attackers were correctly identified in all cases. On the other hand, 3 more nodes were misidentified in all the cases as well.

We observed that the main problem of our identification algorithm was on the corners of the grid.1 To solve this problem, we modified the suspect declaration in Algorithm 1 so that the node reporting also chooses one of its neighbors as suspect by inspecting the address of the node with the highest frequency of exchanges during the last ten samples. We chose ten samples because the slowest detection when γ = 0 is 1 − S = 0.84 = 9.6 samples on average (Fig. 10b). Algorithm 2 shows the FDFF attacker identification algorithm after the modification. The results showed that the modification solved the misidentification problem.

Algorithm 2 FDFF attackers identification
  Wait alarms{nodes}
  request graph information{nodes}
  for n in alarms do
    s = suspect(n)
    s counter++
    if s counter == total neighbors then
      s = attacker
    end if
  end for

1 The reason is that the corners have only two neighbors, and those neighbors are also in the attackers' neighborhood. This means that every time our algorithm identified the attacker, the corners were automatically misidentified as attackers as well.

In Fig. 22 we observed that, monitoring either the transmitting time or the control packets received, there were no misidentifications. When monitoring the control packets received the identification probability was 1.00 for all the attackers, while when monitoring the transmitting time the identification probability was between 0.85 and 1.00. When evaluating the identification algorithm for 100 nodes (Fig. 23) we obtained excellent results as well: no misidentifications and identification probabilities over 0.93. In fact, when monitoring the control packets received the identification probability was 1.00 for all the attackers.

B. Attacker detection in FNI attack

The results in subsection VI-A2 showed that for the case of FNI attacks, the percentage of nodes with high detection probability was low and also not all attackers' neighbors detected the attack, opposite to what was observed for the FDFF attack. Because of this, we evaluated the attacker detection based on data aggregation. Our objective was to, at least, identify the area where the attacker was located.

From Fig. 20 we noticed that our FNI detection strategy based on data aggregation increased the detection probability compared with our initial approach, running the detector on every node. On the other hand, the data aggregation strategy results show detection probabilities over 37% in areas without attackers. The first impression is that, in the case we track the attackers based on the alarm received from one group, this could lead to false positives because of the detection probability in areas without attackers. Thus, we analyzed the detection speed on every group.

Fig. 24 shows the 1 − S metric (normalized DMT) for 36 and 100 nodes when monitoring the control packets received. For 36 nodes (Fig. 24a), our results showed that group 1 (the group without an attacker) has the lowest 1 − S, which means this is the last group reporting an alarm. However, in the case of 100 nodes (Fig. 24b) the results did not show a similar trend.

In conclusion, with respect to attacker identification, for the FDFF attack we proposed Algorithm 2, which was shown to identify attackers with a probability over 0.93 when monitoring the transmitting time, and with an identification probability equal to 1 when monitoring the control packets received. Conversely, for the FNI attack we did not observe a reliable relation between any metric and the presence of attackers in the groups.

VIII. CONCLUSION

In this work we proposed a centralized and a decentralized intrusion detection algorithm for WS-SDN constrained networks based on CP detection. The main strengths of our proposal are the high detection rates, the identification of the type of the attack and the localization or even identification of the attacker in some cases. The centralized approach provides a global view of the attack and allows us to identify the type of the attack; on the other hand, the distributed detection provides information to identify the nodes launching the attack.

We evaluated our proposals through simulations using IT-SDN, Contiki-3.0 and the COOJA simulator, emulating Tmote Sky motes. We simulated topologies of 36 and 100 nodes, varying the number of attackers among 5%, 10%, and 20% of the total number of nodes in the topology. We parameterized the centralized detector to either maximize the detection rate or the detection speed. Our results showed detection rates over 96% in networks of 36 and 100 nodes when using the centralized approach, and we were able to identify the type of the attack with a probability over 0.89. Furthermore, we observed an FDFF attacker identification probability over 0.93 when using the distributed detection.

As future work, we envisage developing a full implementation of both approaches and comparing their impact on the network performance and resource usage, and integrating both implementations to obtain the benefits of both approaches. Furthermore, we intend to explore the use of machine learning based fusion to tackle the identification of the attacker in the case of the FNI attack.

ACKNOWLEDGMENT

This study was financed in part by the Coordenação de Aperfeiçoamento de Pessoal de Nível Superior - Brasil (CAPES) - Finance Code 001 and by the ELIOT project (ANR-18-CE40-0030 / FAPESP 2018/12579-7). Gustavo A. Nunez Segura is supported by Universidad de Costa Rica.
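The FDFF attacker identification of Algorithms 1 and 2 above, as an added Python example that is not the paper's code: it reproduces the corner misidentification of Algorithm 1 on a constructed 4x4 grid and shows that the modified suspect declaration of Algorithm 2 names only the attacker. The grid size, node ids, alarm set and exchange samples are constructed assumptions.

```python
from collections import Counter, defaultdict

WINDOW = 10  # samples the modified suspect declaration (Algorithm 2) inspects

def grid_neighbors(side):
    """4-neighbour adjacency of a side x side grid; node id = row * side + col.
    Corners get only two neighbours, the weak spot of Algorithm 1."""
    nbrs = defaultdict(set)
    for r in range(side):
        for c in range(side):
            for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
                rr, cc = r + dr, c + dc
                if 0 <= rr < side and 0 <= cc < side:
                    nbrs[r * side + c].add(rr * side + cc)
    return nbrs

def declare_attackers(suspect_counter, nbrs):
    """A suspect is declared attacker once all of its neighbours have named it."""
    return {s for s, cnt in suspect_counter.items() if cnt == len(nbrs[s])}

def identify_alg1(alarms, nbrs):
    """Algorithm 1: every neighbour of an alarming node becomes a suspect."""
    counter = Counter()
    for n in alarms:
        for s in nbrs[n]:
            counter[s] += 1
    return declare_attackers(counter, nbrs)

def identify_alg2(alarms, nbrs, exchanges):
    """Algorithm 2: an alarming node names only the neighbour it exchanged the most
    packets with over its last WINDOW samples (exchanges[n] = list of peer ids)."""
    counter = Counter()
    for n in alarms:
        recent = Counter(p for p in exchanges[n][-WINDOW:] if p in nbrs[n])
        counter[recent.most_common(1)[0][0]] += 1
    return declare_attackers(counter, nbrs)

# Constructed scenario (not from the paper): 4x4 grid, FDFF attacker at node 5
# (row 1, col 1). Its neighbours 1, 4, 6 and 9 raise alarms; corner 0 has only
# neighbours 1 and 4, both of which alarm, so Algorithm 1 also names node 0.
NBRS = grid_neighbors(4)
ATTACKER = 5
ALARMS = sorted(NBRS[ATTACKER])
# Constructed per-node exchange samples: the flooding attacker dominates traffic.
EXCHANGES = {
    1: [0, 5, 5, 2, 5, 5, 0, 5, 2, 5, 5, 5],
    4: [5, 8, 5, 5, 0, 5, 5, 8, 5, 5, 5],
    6: [5, 2, 5, 5, 7, 5, 10, 5, 5, 5],
    9: [8, 5, 5, 13, 5, 5, 10, 5, 5, 5],
}

if __name__ == "__main__":
    print("Algorithm 1 declares:", identify_alg1(ALARMS, NBRS))
    print("Algorithm 2 declares:", identify_alg2(ALARMS, NBRS, EXCHANGES))
```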
[Figure: heat maps, panels (a) Transmitting time and (b) Control packets received]

Fig. 21. Attacker identification probability using Algorithm 1 when the network is under an FDFF attack: case of 36 nodes. Each square in the map represents a node in the network. The number in each square represents the probability of this node being classified as attacker. (a) shows the results when monitoring the transmitting time and (b) shows the results when monitoring the control packets received.

[Figure: heat maps, panels (a) Transmitting time and (b) Control packets received]

Fig. 22. Attacker identification probability using Algorithm 2 when the network is under an FDFF attack: case of 36 nodes. Each square in the map represents a node in the network. The number in each square represents the probability of this node being classified as attacker. (a) shows the results when monitoring the transmitting time and (b) shows the results when monitoring the control packets received.

[Figure: heat maps, panels (a) Transmitting time and (b) Control packets received]

Fig. 23. Attacker identification probability using Algorithm 2 when the network is under an FDFF attack: case of 100 nodes. Each square in the map represents a node in the network. The number in each square represents the probability of this node being classified as attacker. (a) shows the results when monitoring the transmitting time and (b) shows the results when monitoring the control packets received.

[Figure: plots, panels (a) 36 nodes and (b) 100 nodes]

Fig. 24. Detection speed (1 − S metric) for FNI detection by data aggregation when monitoring the control packets received. (a) shows the results for 36 nodes and (b) shows the results for the case of 100 nodes.


Gustavo A. Nunez Segura is a PhD candidate at Universidade de São Paulo. He received the M.Sc. degree (2018) in Electrical Engineering from Universidade de São Paulo and the B.Sc. in Electrical Engineering from Universidad de Costa Rica. His main research interests include energy consumption and security in wireless sensor networks and software-defined networking.

Arsenia Chorti is an Associate Professor in Communications and Networks at ETIS UMR8051, CY University, ENSEA, CNRS in France since 2017 and has served as a Lecturer at the University of Essex, UK from 2013 to 2017. She has been a chartered engineer of the Technical Chamber of Greece since 2007, a Senior IEEE member since 2020, and a member of the IEEE P1951.1 Working Group on Smart Cities Standardization and of the IEEE INGR Working Group on Security. Between 2017 and 2020 she served as a member of the IEEE Teaching Awards Committee. Her research interests include physical layer security and wireless communications, context awareness, root cause analysis and anomaly detection.

Cintia Borges Margi obtained her Ph.D. in Computer Engineering at the University of California Santa Cruz (2006), and her Habilitation (Livre Docencia) (2015) in Computer Networks from the University of Sao Paulo. She has been Associate Professor in the Computer and Digital Systems Engineering department at Escola Politecnica – Universidade de São Paulo (EPUSP) since 2015, where she started as Assistant Professor in 2010. During 2007-2010 she was Assistant Professor at Escola de Artes, Ciencias e Humanidades da Universidade de São Paulo (EACH-USP). Her research interests include wireless sensor networks and software-defined networking.
