Lightweight models for detection of denial-of-service attack in wireless sensor networks

Wireless sensor networks (WSNs) are becoming more popular in recent times due to the low cost and short transmission range of sensor nodes and their easy deployment in different application areas; however, security is crucial for WSNs due to the nature of the data they transmit in most cases in their locations. Sensor nodes transmit through an open medium and, due to the short communication range of each sensor node, a node may need to transmit through many hops to a final destination. Denial-of-service (DoS) is one of the attacks that can be launched against WSNs to prevent legitimate nodes from transmitting/receiving data packets. Developing an attack detection and countermeasure system to mitigate the effect of DoS is not an easy task. This work proposes lightweight models for DoS attack detection in WSNs. We developed different lightweight models and algorithms for the detection and elimination of DoS in WSNs and evaluated them experimentally. Performance was evaluated in terms of data delivery ratio, delay, detection rate, energy consumption, and false-positive rate. The experimental results show that the proposed scheme achieved a high true-positive detection rate, a low false-positive detection rate, energy efficiency, and high data reliability. Numerical examples are presented to further validate the effectiveness of the proposed scheme.


| INTRODUCTION
Wireless sensor networks (WSNs) have emerged as one of the recent technologies in the 21st century. WSNs consist of a set of interconnected independent devices called 'sensor motes' that can jointly measure changes such as temperature, pressure, noise level, humidity in the target area, and report to a data centre (base station) for further processing. The technology enables sensor nodes in WSNs to communicate with each other using wireless transceivers without pre-existing infrastructure. They provide distinctive opportunities for interaction between smart objects and their environment. They have been successfully used in many areas including smart parking, logistical and industrial applications, environmental ecological applications [1]. A typical sensor node is a small size, equipped with a smart sensor, a small processor, a short-range transceiver, with small batteries. The nodes exchange data packets among themselves to build a wide view of the target area [2].
Data routing plays a major role in WSNs. It is the process of transmitting sensed data from source nodes to a data centre through different routes in a network. Due to the unique characteristics of WSNs, routing security is an important research area. For the WSNs to remain functional for a longer period, resilience to sensor node failure is necessary. Thus, the method by which WSNs could fail is an attack on sensor nodes [3]. Many routing protocols have been proposed in the literature, but only a few considered security as a main challenge for WSNs [4][5][6]. Thus, security in WSNs should be considered an important issue due to the sensitive information they transmit over a wireless medium. Similar to wired network architecture, WSNs are organised in layers based on the Open Systems Interconnection (OSI) model [7,8]. Figure 1 shows a conceptual framework used to describe network connectivity in seven distinctive layers. These include the Physical layer, Data link layer, Network layer, Transport layer, and Application layer.
In this article, we are considering only attacks at the network layer because the major function of this layer is routing [9]. Wide application areas of WSNs, mode of deployment, communication medium, the lack of pre-existing infrastructure, all these make them vulnerable to different kinds of attacks in which

| Motivation
Applications of WSNs have increased exponentially over the past decades. Similarly, there has been an increase in network attacks. DoS attacks are one of the WSN attacks; their main aim is to overwhelm the target sensor nodes with bogus data, drain their limited energy, and create energy holes within the network. Thus, operations of the WSNs will be affected and experience service disruption. There is a need to prevent/remove these attacks in the network. This work proposes a secure lightweight scheme applied to sensor nodes in the network.

| Problem statement
Next-generation sensor networks are predicted to be deployed in the Internet of Things (IoT) using heterogeneous sensor fabrics and following a service architecture where the sensor nodes/motes are equipped with different sensing, identification, and communication capabilities [15,16]. They are tasked to deliver different services to different users anytime, anywhere, and using anything to reach some of the areas of our lives that we could not fathom without the advances made in the sensor technology. Attackers exploit vulnerabilities of sensor nodes to launch attacks and compromise legitimate sensor nodes in WSNs. All compromised sensor nodes actively participate in the attack process, generate a large amount of useless data, and forward them towards the nodes [17]. As a result, it is important to prevent the attacks by having a secure deployable protection scheme applied to sensor nodes in WSNs. This work presents a lightweight, efficient, and scalable scheme for the detection of DoS attacks in WSNs. The objective of this article is to develop an effective algorithm and models to allow sensor nodes to communicate over the networks and detect DoS attacks as soon as possible and remove the attacks and also to minimise the impact of the false-positive attacks in WSNs.

| Contributions
Considering the limited power source and resource-constrained sensor nodes, we propose lightweight security models for the detection of DoS attacks (LSDoS) in cluster-based WSNs. The scheme provides trust network management techniques. The main aim of using 'trust' is to ascertain that the WSNs work efficiently by detecting and removing compromised sensor nodes in the networks. The scheme assesses the current trust values of all the cluster heads in the data centre to monitor a cluster head's behaviours in the network.
In addition, we develop a model that correctly classifies sensed data in the network into three categories to minimise false-positive rates and false-negative rates.
Finally, we develop models for quality of service (QoS) to increase the security of applications in WSNs. The following factors are considered: availability, reliability, and serviceability (ARS) to ensure that the integrity of data transmitted during network operation is maintained.
To the best of our knowledge, all these approaches used in this article have not been used together to detect and prevent DoS attacks in WSNs in the previous research works.
The rest of this paper is organised as follows. Section 2 discusses related work. Section 4 presents performance evaluation and discussion of results. Finally, conclusion and future work are discussed in Section 5.

| RELATED WORK
DoS attacks are now one of the major threats in WSNs. The main aim of DoS attacks is to deplete the limited energy of sensor nodes and waste communication bandwidth. Thus, the attacks slowly reduce the general performance as well as the functionality of the WSNs. In recent years, many approaches have been developed in the literature to prevent DoS attacks in WSNs. Table 1 presents the comparison for DoS attacks.
Mansouri et al. [18] proposed the detection of DoS attacks in WSNs based on clustering. The method is divided into two phases: control sensor nodes election and detection and prevention of compromised sensor nodes. The authors recursively applied Low Energy Algorithm Adaptive Clustering Hierarchy (LEACH) algorithm [19] for selecting cluster heads which are considered as control sensor nodes. The numerical results obtained show that the approach gives significant results in terms of detection rate and time detection.
However, this approach may not be able to detect the attackers if their number is in a range of two digits (i.e. 10 upward).
Fouchal et al. [20] proposed a recursive-clustering-based approach for DoS attacks in WSNs. The approach recursively clusters sensor nodes until a required granularity is achieved. The authors developed a Fast and Flexible Unsupervised Clustering Algorithm (FFUCA) based on ultrametric properties. The main principle of FFUCA is deducing the behaviour (i.e. cluster seeds and thresholds) of the sensor nodes according to a given proximity criterion and aggregating member sensor nodes in clusters. Performance evaluation shows that the proposed scheme can detect more false alerts than compared protocols. However, this approach is not mathematically proved.
Securing WSNs from DoS attacks using artificial intelligence and the CLIPS expert system tool is proposed in [21]. The authors developed a system that would protect a WSN from DoS attacks after one or more sensor nodes on the network have been compromised and reprogrammed by an attacker. This scheme eliminates the need to rely on tamperproof packaging to protect sensitive data and cryptographic keys which are stored on sensor nodes. With the proposed method, if an attacker can obtain the keys and use them to send false routing information, the network would be able to detect such compromised sensor nodes by using artificial intelligence and the expert system developed. However, the implementation of this approach was not carried out. It is difficult to ascertain the efficiency of this approach compared to previous approaches.
Zhang et al. [22] proposed testing and defending methods against DoS attack in state estimation (MADoS). The approach focussed on how wireless sensor and actuator networks (WSAN) can discover if it is below. They formulated the detection problem as a hypothesis testing problem if and only if the statistics of the communication channel are known a priori. In addition, they proposed two defence countermeasures. The first uses a secured packet coding approach to partly compensate for the previous packet loss, and the second uses the sensor's transmission power to resist the jamming effect brought by the DoS attack. However, this is not compared with previous related work and only three test results were obtained, indicating that the proposed scheme may not be efficient.
Osanaiye et al. [23] present DoS for resource availability in WSNs, deployment location, and possible countermeasures. The authors described a taxonomy of DoS attacks at different layers of the WSNs. They further categorised the network structure of DoS in WSNs into three, namely hierarchical defence, standalone defence, and distributed defence. However, the results of the research work are not enough to support the proposed approach.
Dhuria and Sachdeva [3] proposed the detection and prevention of DoS attacks in WSNs. The authors introduced two methods-a lightweight two-way authentication method to prevent the majority of DoS attacks and traffic analysis methods for data filtering to detect and prevent DoS attacks in WSNs. Simulation results show that the proposed scheme can detect and prevent DoS attacks in WSNs. However, the authors did not compare the proposed scheme with other related work to prove the effectiveness of the proposed methods.
AI Al-issa et al. [24] proposed machine learning techniques to detect DoS attacks in WSNs. The authors used LEACH technique to collect large data sets representing WSN features in different attacking scenarios. The data sets used contain regular profiles and several DoS attack scenarios in WSNs. The results of the experiment show that techniques achieved a higher true-positive rate of 99.86% and a lower false-positive rate of 0.05%. This approach is not scalable.

| PROPOSED SYSTEM ARCHITECTURE
Network architecture for our proposed scheme consists of sensor nodes SNs ($n_i$s) and a base station (BS). Considering the limited power source of each sensor node in WSNs, the network is divided into finite $K$ clusters (i.e. $C_k$ such that $k = 1, 2, \ldots, K$) in order to minimise energy consumption during data transmission. Each cluster consists of a cluster head (CH) and member nodes. Member nodes with communication radius $d$ less than or equal to the distance threshold value $d_0$ [25] belong to the same cluster. Thus, every sensor node in the network could meet the free space model which can efficiently minimise energy consumption. The CHs are selected from sensor nodes of each cluster in order to ensure a better energy balance while maintaining the best detection coverage. The average number of sensor nodes per cluster and a finite number of CHs (i.e. $CH_k$ such that $k = 1, 2, \ldots, K$) in the network is obtained using Equation (1). Assuming that a CH belongs to a cluster in a network. A method in [26] is used to partition the network into different clusters and for uniform distribution of CHs within the network as shown in Figure 2. The group leaders, CHs, are responsible for managing the communication in clusters while SNs are the members of clusters. Their major responsibility is to detect and respond to some type of input from the physical environment.
Data transmission between the $n_i$s and base station is divided into the intra-cluster transmission and inter-cluster data transmissions.
Intra-cluster transmission: During intra-cluster transmission, $n_i$s only transmit to their corresponding CHs. Energy dissipation by the CH is linearly dependent on the number of $n_i$s in each cluster.
Inter-cluster transmission: During inter-cluster transmission, CHs transmit the aggregated data received from member nodes to the base station for further analysis and processing.
Thus, due to the broadcast nature of the transmission medium of $n_i$s, they are often placed in a hostile or dangerous environment that makes them vulnerable to various attacks. We are more interested in DoS attacks because of wide application areas of WSNs and their limited power source. The aims of DoS attacks are:
• to drain limited energy of sensor nodes;
• to prevent legitimate sensor nodes from receiving sensor data from sender nodes;
• to disrupt the communication of two sensor nodes by using all the bandwidth that their connection has to offer.

| Adversary nodes
The adversary nodes are a set of malicious nodes in a network that cause loss of data either directly or through other means with the aim of launching a DoS attack [27]. These sets of nodes can be classified into the following:
(a) Legitimate nodes: These are normal sensor nodes whose main responsibilities have not been compromised by malicious nodes or other entities. The main functions of the normal node are to sense environmental data and data transmission. The legitimate nodes of the network include relay nodes, cluster heads, and base station.
(b) Compromised nodes: These are legitimate sensor nodes but their main responsibilities have been taken over by the attackers to prevent them from the normal transmission. Some nodes that have been compromised in the network are shown in Figure 2.
(c) Injected sensor nodes: These types of nodes may be either legitimate nodes with normal sensing capabilities or more powerful nodes with high processing power.
(d) A laptop-class adversary: This type of adversary can broadcast with high transmission power and a battery capacity that can sustain the node for a longer period as compared to normal nodes [28].
Sensor nodes transmit through a wireless medium; this makes legitimate nodes vulnerable to DoS attacks launched by the adversarial nodes in the networks. The adversary node launches the attack by initiating the malicious node in the network to transmit useless data packets from several ends of the network towards the target nodes to disrupt data transmission of normal nodes within the network. Abbreviations and meanings of some of the terms used in this work are contained in Table 2.

| Assumptions
The following are assumed for this work:
• All communication links between the $n_i$s and their corresponding CHs are bi-directional
• $n_i$s are randomly distributed within the network area
• If an $n_i$ is compromised, its data is also compromised
• Each cluster $C_k$ maintains a CH, $CH_k$, and member nodes $n_i$s
• SNs communicate with a CH within fixed radio range
• Adversaries aim to disorder the communication of the entire network with DoS attacks
• The base station is located outside the network and has unlimited memory and power. Therefore, base station security issue is ignored
• Our security scheme is assumed to be a hierarchical structure.

Abbreviations Meanings
Average number of sensed data received by a $CH_k$ at time $t$
$\mu$: Factor ranges between 0 and 1 (i.e. $0 < \mu < 1$). It shows the vulnerability of the long-term average behaviour to the current traffic variation.

| Analytical model of a sensor network experiencing a DoS attack
The analytical model of a WSN experiencing a DoS attack involves two types of network operation, namely normal operation and attack operation.
Normal operation: The traffic flow in normal network operation is transmitted from the nodes to the data centre for processing and storage. During the transmission, a node may receive sensed data from member nodes within its transmission range. A CH node receives higher traffic flow both from normal nodes and malicious nodes in a network. We assume that every malicious node transmits data packet towards a target node $u$. Thus, in the presence of the DoS attack, the total data packet received by $u$ in a given period needs to be observed by the detection scheme which is expressed as follows.
where $\beta^{i}_{u,i}$ denotes the normal traffic flow from legitimate node $i$, and $\beta^{j}_{u,j}$ denotes the attack traffic from a malicious node $j$ in $Y$ to the legitimate node. If the average time for data packet transmission and processing at node $i$ is denoted by $a_i$ then the rate at which the data packet arrives at $u$ is expressed as follows.
$\tau^{i}_{u,i}$ denotes traffic rate for a legitimate node, $\tau^{j}_{u,j}$ denotes traffic rate for the attack node.
Attack operation: This type of operation considers the entire data packets transmitted from malicious nodes towards a set of target sensor nodes in the network. The total data packets received at node u is a collection of the individual data packet of both the normal node and the malicious node. Thus, a joint effort is required to detect malicious data packets that are transmitted towards the legitimate nodes in the network.

| Network model
In a WSN, sensor nodes are deployed in a sensing region to measure changes in the area of interest and periodically transmit to the base station through the CHs. It is more preferable for sensor nodes to transmit through the CHs because it can not only significantly minimise the energy consumption of sensor nodes but can also effectively minimise the signal propagation and channel fading effects associated with long-distance transmission [29][30][31].
We model the WSNs with a base station BS as a graph $G(N \cup BS, E)$, where $N$ corresponds to the set of sensor nodes randomly deployed in the network. $BS = n_{N+1} = z$ denotes the base station (destination node) and $E$ denotes the directional links between the nodes. Moreover, the first set deployment of sensor nodes is assumed to be normal (legitimate) nodes. The set of sensor nodes is represented as $N = \{S_A, n_1, n_2, \ldots, n_N, n_{N+1}\}$, where $S_A$ and $n_{N+1}$ are source and destination nodes respectively and the $n_i$'s (= $i$'s) are sensor nodes of the network with added functionalities (relay sensory data, cluster heads for data aggregation and retransmission).
Victim nodes are expressed as a set of nodes $C = \{C_0, C_1, C_2, \ldots, C_{u-1}\}$, where $C \in N$, such that every target node $u$ of set $C$ is a legitimate node of the network, and
Thus, as new sensor nodes are added into the network due to the death or physical damage, some of these nodes may be compromised and become malicious nodes. Adversary nodes, $Y$, are set of malicious nodes in the network and expressed as follows.
After deployment of sensor nodes, the BS generates unique IDs and sends them to all the nodes in the network. Each sensor node stores its ID and routing information of the nearest neighbouring node in its tabu (memory). The tabu contains node's ID, location of the neighbouring node, and hop count. Sensor nodes in each cluster transmit their readings to the CH; the CHs in the network aggregate the readings, perform pre-processing on the received data and transmit the aggregated data to the base station for further processing. Based on this mode of data transmission, end-to-end sensed data transmission is susceptible to DoS attacks.
The following attributes exist for each path between sensor nodes $n_i$ and $n_j$.
Transmission rate factor $TR_{i,j}(t)$ denotes the rate at which sensed data is transmitted from node $n_i$ to node $n_j$ over a period of time $t$.
Data transmission $DT_{i,j}(t)$ denotes the amount of sensed data transmitted from node $n_i$ to node $n_j$ at time $t$. It is assumed to be the same for all legitimate sensor nodes.
Estimated value $XV_{i,j}(t)$ denotes the estimated value of the amount of sensed data transmitted to a neighbouring node at time $t$.
Transmission threshold $T_\theta$: Every hop delay consists of the transmission delay over the wireless path and the queuing delay in the buffer of a receiver node. $T_\theta$ represents the amount of data queued at node $n_i$ [32].
Probability of a transmission failure $Pr_i$: $Pr_i$ represents the probability of a transmission failure over the path $n_i \rightarrow n_j$ due to energy depletion, data hijacking, bad channel quality or collisions when sensor node $n_i$ transmits to sensor node $n_j$.

| Data transmission
A source node that has data to transmit to the CH through the neighbouring nodes establishes a three-way handshake connection protocol to avoid data collision during transmission [33,34]. First, it checks its tabu if paths to a CH do exist or not. If the paths exist, the source node transmits to a neighbouring node n i through an efficient path using Equation (4).

where $S_A$ denotes source node, $E_c(n_i)$ is the current energy level of a neighbouring node, $d_{A,i}$ is the distance between the $S_A$ and $n_i$. However, if the path does not exist, it broadcasts path request routing information (PREQ) to the neighbouring nodes to create paths to the CH. PREQ format is shown in Table 3.
where $S_A\_ID$ denotes source node identification, SN_ID denotes sensor node identification, hop count $h(i)$ refers to the number of intermediate sensor nodes through which sensed data must pass between the $S_A$ and CH node. A neighbouring node that receives path request routing information (PREQ) updates its tabu with this routing information and subsequently forwards it to the next node; this process continues until it gets to the CH. Thus, each node in a cluster in which its path does exist sends path reply (PREP) back to the $S_A$ in the reverse way through which the PREQ was sent as shown in Table 4. $t_{2i}$ is time taken for PREP to get to the $S_A$. This process enables the $S_A$ to construct multiple paths between the sensor nodes and transmits sensed data through an efficient path to the CH node using Equation (4). Step-by-step data transmission from source nodes to the CHs is presented in Algorithm 1.

Algorithm 1 Data Transmission from source nodes to CHs
Begin
1. Input $S_A$, $n_i$'s, and $CH_k$
2. If a path exists between $S_A$ and $CH_k$ then
3.     Transmit sensed data to $n_i$ using Equation (2)
4.     If data has not reached the $CH_k$ then
5.         $n_i = n_{i+1}$;
6.     end if
7. else
8.     Broadcast path request to all nodes in cluster $k$ using PREQ and PREP formats
9.     Go to step 2
10. end if
11. End

| Detection of malicious sensor nodes in WSNs
WSNs in most cases are deployed in the area of interest and left unattended for a long period. Sensor nodes communicate with each other through a wireless medium. These attributes make networks vulnerable to different attacks-the DoS attack in particular. In this work, the following methods are used to detect malicious nodes.
The proposed detection scheme spots a malicious node by comparing the energy dissipation of the nodes with the estimated energy. Normal nodes dissipate energy slowly during network operation. Conversely, malicious nodes use additional energy to launch DoS attacks in the network. A node can be identified as a malicious node if there is a significant difference between the energy consumption rate ($E_F$) and the threshold energy value $E_\theta$ of sensor nodes. Let $E_R$ denote real energy consumption and $E_X$ denote estimated energy values of sensor nodes. $E_F$ is expressed as follows.
where $E_\theta$ is expressed as
where $m$ denotes the malicious node, $E_X$ denotes the average estimated energy value, and $E_R$ denotes the average real energy consumption. We believe that energy dissipation, $E_F$, for all legitimate sensor nodes will approximately have the same values during a round time. However, if the value of $E_F$ is greater than $E_\theta$ in a given period, then there is a high probability that some nodes have been compromised and a DoS attack is suspected in the network. In addition, to confirm that a network is under attack, the data packets' transmission rate is further used to establish the presence of a DoS attack in the network and it is presented as follows.

| Traffic intensity
The rate of the attack on traffic increases as the number of compromised nodes increases in the network, assuming that all such nodes are participating in the attack process. If the value of the traffic intensity of the sensor node is lower than or equal to the traffic threshold value during a round time, the node is considered as a legitimate node such that $TR_{i,j}(t) \le EV_{i,j}(t)$.
However, if the value of traffic intensity is greater than the traffic threshold value such that $TR_{i,j}(t) > EV_{i,j}(t)$, then the nodes may be exhibiting DoS attack behaviour. The traffic intensity between two nodes is expressed as follows:
where $\mu$, ranging between 0 and 1 (i.e. $0 < \mu < 1$), is the weighted factor showing the vulnerability of the long-term average behaviour to the current bandwidth variation. The higher the value of $\mu$, the more dependence on the current variation. Deviation of incoming traffic from the average at time $t$ is expressed as follows:
During network operation, attackers launch DoS by constantly sending useless data to the CHs. The cumulative data transmission deviation would be noticeably higher than the expected data transmission. $TR_{i,j}(t)$ and $D_{k,in}(t)$ are sensitive to the transmission rate and average incoming traffic respectively. The deviation from average $D^{A}$ is the sign of such an attack. $D^{A}$ is the incoming traffic received by $CH_k$ at time $t$ and is expressed as follows:
Thus, if the $D^{A}_{k,in}$ is greater than a CH bandwidth threshold level $\Phi$, this increase in bandwidth is another signal that the network is under DoS attack. However, we expect $D^{A}_{k,in}$ to be much lower than $\Phi$ if there is no DoS attack.

| Lightweight evaluation in clusters
Complex methods may not be feasible for evaluating sensor nodes due to their limited computation capacity and constrained resources. We develop lightweight models to evaluate the trust values of sensor nodes. The $CH_k$ in a cluster $C_k$ counts the successful delivery ratios of its legitimate sensor nodes. The current trust of sensor nodes $n_i$ in the $C_k$ is defined as follows:
where $T(n_i)_{C_k}$ denotes the trust value factor of $n_i$, and $S(n_i)$ and $F(n_i)$ denote the number of successful and unsuccessful data transmissions of $n_i$ per round respectively. The current trust values of cluster head $k$, $T(CH_k)$, are calculated in Equation (10):
Thus, when the number of unsuccessful transmissions in the $CH_k$ increases, the expression $\frac{1}{F(CH_k)}$ decreases the trust value of $C_k$. Thus, Equation (12) soon decreases the trust value of the $CH_k$. A node $n_i$ is a malicious node for a $CH_k$ if it has transmitted to $CH_k$ at least once and $F(n_i) \ge S(n_i)$.
Therefore, a node in which the detection factor values of all its models developed above are more than the threshold values is termed a malicious node. Once the CHs detect that there are malicious nodes in the network and the communication channels are under DoS attacks, they forward the routing information of that node to the base station. The base station receives the information; it generates fresh IDs and sends them to all sensor nodes except all the malicious nodes. It deletes all communication paths of the malicious nodes from neighbouring nodes. If a sensor node does not have an ID, it cannot create any communication path. Therefore, other nodes will not be able to communicate with it. Similarly, the malicious nodes will not be able to communicate with other nodes, they become isolated. Detection of DoS attack flowchart is presented in Figure 3.
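The combined decision described above (energy, traffic and trust signals must all exceed their thresholds before a node is reported and left out of the base station's fresh IDs) is shown below as an added example, not code from the paper. Because the page's equations did not survive, the energy form $E_F = E_R - E_X$, the exponentially weighted traffic estimate, the `HEADROOM` tolerance, the threshold values and every sample observation are assumptions constructed for illustration; only the rule $F(n_i) \ge S(n_i)$ is taken directly from the text.

```python
from dataclasses import dataclass
import secrets

MU = 0.3         # weighting factor mu from the text, 0 < mu < 1
E_THETA = 0.05   # assumed energy threshold E_theta (joules per round)
HEADROOM = 1.5   # assumed tolerance above the running traffic estimate


@dataclass
class Observation:
    """What a cluster head records about one member node in one round."""
    node_id: str
    e_real: float  # E_R: energy the node actually spent
    e_est: float   # E_X: energy the model expected it to spend
    tr: float      # TR: packets sent towards the CH this round
    ok: int        # S(n_i): successful transmissions
    failed: int    # F(n_i): unsuccessful transmissions


def energy_exceeded(obs, e_theta=E_THETA):
    # Assumed form E_F = E_R - E_X; the text flags E_F > E_theta.
    return (obs.e_real - obs.e_est) > e_theta


def traffic_exceeded(obs, baseline, mu=MU, headroom=HEADROOM):
    """Return (flag, new_baseline) for one node in one round.

    The estimate EV is taken as headroom * baseline (assumption). The baseline
    is frozen while the node is over the estimate, so a sustained flood cannot
    raise its own threshold; otherwise it is an EWMA weighted by mu.
    """
    if obs.tr > headroom * baseline:
        return True, baseline
    return False, mu * obs.tr + (1 - mu) * baseline


def trust_failed(obs):
    # Rule stated in the text: transmitted at least once and F(n_i) >= S(n_i).
    return (obs.ok + obs.failed) >= 1 and obs.failed >= obs.ok


def detect(rounds, initial_baseline=10.0):
    """Return (malicious_ids, signals_fired_per_node) over all rounds."""
    baselines, fired, malicious = {}, {}, set()
    for observations in rounds:
        for obs in observations:
            base = baselines.get(obs.node_id, initial_baseline)
            t_flag, baselines[obs.node_id] = traffic_exceeded(obs, base)
            flags = {"energy": energy_exceeded(obs),
                     "traffic": t_flag,
                     "trust": trust_failed(obs)}
            fired.setdefault(obs.node_id, set()).update(
                name for name, hit in flags.items() if hit)
            # A node is reported only when every model exceeds its threshold.
            if all(flags.values()):
                malicious.add(obs.node_id)
    return malicious, fired


def reissue_ids(all_nodes, malicious):
    """Base station response: fresh IDs for every node except flagged ones."""
    return {n: secrets.token_hex(4)
            for n in sorted(all_nodes) if n not in malicious}


# Constructed sample data: n3 starts flooding in round 2, n4 has a benign
# traffic burst, n5 sits behind a lossy link.
ROUNDS = [
    [Observation("n1", 0.20, 0.19, 10, 10, 0),
     Observation("n2", 0.21, 0.19, 11, 10, 1),
     Observation("n3", 0.22, 0.19, 12, 11, 1),
     Observation("n4", 0.20, 0.19, 9, 9, 0),
     Observation("n5", 0.20, 0.19, 10, 4, 6)],
    [Observation("n1", 0.20, 0.19, 11, 11, 0),
     Observation("n2", 0.20, 0.19, 10, 10, 0),
     Observation("n3", 0.45, 0.19, 60, 5, 55),
     Observation("n4", 0.21, 0.19, 30, 29, 1),
     Observation("n5", 0.20, 0.19, 10, 3, 7)],
]


def run_example():
    malicious, fired = detect(ROUNDS)
    nodes = {obs.node_id for rnd in ROUNDS for obs in rnd}
    return malicious, fired, reissue_ids(nodes, malicious)


if __name__ == "__main__":
    bad, signals, new_ids = run_example()
    print("malicious:", sorted(bad))
    print("signals fired:", {k: sorted(v) for k, v in signals.items()})
    print("nodes receiving fresh IDs:", sorted(new_ids))
```

In this constructed run, n4 trips only the traffic signal and n5 only the trust signal, so neither is isolated; requiring all signals to agree is what keeps those two from becoming false positives.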

| Trust computation in the data centre
Cluster head nodes intermittently forward the current trust aggregated data to the data centre. Thereafter, the data centre computes the aggregated trust value of sensor nodes $n_N$ as follows:
It classifies the aggregated trust value into three groups as follows
where
These two cofactors $f_1$ and $f_2$ represent one-fourth and half of the average trust value of all sensor nodes in the network. $f_1$ and $f_2$ are used to vary the size of the three groups.

| Quality of service in wireless sensor networks
Since the existence of ubiquitous computing, sensor nodes are embedded in electronic devices. This wide range of applications has made WSNs an integral part of our lives [35]. Security issues must be resolved in order to fully exploit the potential applications of WSNs [36]. We further address security issues to include QoS in addition to the security models we have developed to increase the security of applications in WSNs. The following factors: availability, reliability, and serviceability (ARS) are used to ensure that the integrity of data transmitted during network operation is maintained. QoS is a measurable level of service requirements to be met during data transmission from source nodes to a data centre. Conventional schemes of using sensor nodes and integrating ARS into WSNs to attain QoS can effectively improve not only the reliability of the overall networks but also the security challenges in WSNs [37]. Reliability of a network is the probability of its survival in a period. Due to the resource constraints and mode of data transmission of sensor nodes, individual nodes can fail or be compromised. Thus, techniques to increase sensed data ARS during network utilization are necessary. We develop models for the three factors in order to maintain QoS under a range of network constraints. Average Time between Failure (ATF) and Average Time to Repair (ATR) are the terms used to express the factors for each sensor node. Average Time between Failure in a network with $N$ sensor nodes is expressed as follows.
It is assumed that the failure rate (λ) of each sensor node is the same.

| Availability
Availability of each sensor node is measured as the probability that a network stays fully operational over a period of time. The availability of a sensor node is expressed as
Considering the availability of individual sensor nodes, the ATF should be maximised while ATR should be minimised during network operation in a given period. Percentage of failed sensor nodes ($n_F$) in a WSN is expressed as
where $f_i$ is the number of failed sensor nodes and $N$ is the number of nodes in the network.

| Reliability
Reliability is the ability of a network to successfully transmit sensed data from source nodes through the CHs to a data centre in a given period of time. It is expressed in terms of probability as follows.
where t denotes time in seconds of the network survivability.
3.9.3 | Serviceability Serviceability of a system is defined as the probability that a failed system will restore to the initial operation. It is closely related to the repair rare. It is expressed as follows.
The service requirements are expressed in some measurable metrics domains: additive, multiplicative and concave. Considering the representation for WSNs in Section 3.
Let $\ell(n_1, n_2)$ denote the weight of each link with respect to metric $\ell$ on route R from $S_A$ to $n_N$. Then, $\ell$ is said to be additive metric.
Concave: $\ell$ is said to be a concave metric if $\ell(R) = \min(\ell(E))$ such that.

| Attack detection rates
The rate of traffic attack increases with the number of malicious nodes in the network, assuming that all such nodes are participating in the attack process. If the malicious nodes are deployed at different locations in the network as shown in Figure 2, more data packets will be generated from the distributed nodes. The network parameters that have a direct effect on the performance of the detection scheme are the initial energy of the sensor node and the number of nodes in the network.
The performance of various proposed schemes can be used to measure its accuracy and efficiency [38]. We further use the following metrics to determine the accuracy of DoS attack detection for the proposed scheme: the false-positive (FP) rates and false-negative (FN) rates [36]. Each of the alarm rates is defined below.

The false-positive (FP) rate is defined as the fraction of the total number of legitimate nodes classified as malicious nodes, over the total number of sensor nodes.

$$\mathrm{FP} = \frac{\text{Data packets wrongly classified as malicious nodes}}{\text{Total number of sensor nodes}}$$

The false-negative (FN) rate: The false-negative rate is defined as the fraction of the total number of malicious nodes classified as legitimate nodes, over the total number of sensor nodes.

$$\mathrm{FN} = \frac{\text{Data packets wrongly classified as legitimate nodes}}{\text{Total number of sensor nodes}} \tag{21}$$

True-positive (TP) rate: The true-positive rate is the fraction of malicious nodes classified as malicious to the total number of nodes.

True-negative (TN) rate: The true-negative rate is the fraction of normal nodes classified as legitimate nodes out of the total number of nodes.

Accuracy: Accuracy is defined as the percentage of malicious and legitimate nodes which are identified correctly with respect to all sensor nodes in the networks. The accuracy of the proposed scheme can be determined by

Detection rate (DR): The detection rate is defined as the percentage of malicious nodes correctly classified as malicious nodes to the total number of malicious and legitimate nodes. It is determined using the expression below.

Detection time: Detection time is the time it takes for a scheme to identify an attack during detection. A good detection method requires a low false alarm rate and a high detection rate. Therefore, the effectiveness of the scheme can be determined by comparing the false alarm rate, detection rate, average data packet delay, and detection time.

| PERFORMANCE EVALUATION
We evaluate the performance of the attack detection scheme based on the total number of attacks successfully detected using the simulation parameters in Table 4 and different false alarms. We have conducted simulations with NS-2 to evaluate the performance of our proposed method and compared the performances with the related work. Simulation is performed over a network area of 100 m × 100 m with 100 randomly distributed sensor nodes. We generated random traffic to the CH k to simulate DoS attacks. Thereafter, we run the algorithm which has been shown in Figure 4. Other simulation parameters are listed in Table 5. The following metrics are used to measure the performance of the proposed methods and presented as follows. Figure 3 shows the percentage of sensed data delivery ratio as the number of malicious nodes varied from one node to five nodes. The data delivery ratio decreases as the number of malicious nodes increases in the network. The reason is that data are dropped before the malicious nodes are identified and removed from the network. In addition, malicious nodes may receive data from legitimate nodes and refuse to transmit them further. Thus, as the number of malicious nodes increases, the total data delivery ratio decreases in the network.

| Delay
Delay is one of the metrics we used for analysing network performance. It is the difference in time when sensed data is transmitted from the sender node and when it is successfully delivered at the destination node. Figure 5 shows the effect of delay between two different networks. We looked at data transmission delay in a normal network (no malicious node) and when there is/are attacker(s) (malicious nodes) in the network. In the absence of a malicious node, there is no delay in the network. Thus, as the number of attackers increases, the delay increases in the network as shown in the figure. This is due to the time the attackers used to intercept the message being transmitted, read the content, modify it, and send it to the destination node. Tables 5 and 6 show simulation results of the detection delay for both linear traffic surge and sudden traffic surge scenarios of the DoS attack. The tables show the relationship of the false alarm rate and detection delay measured in terms of the number of the data packets received, number of the spoofed data packets in the network, and computing time. The traffic pattern changes for both scenarios after the start of the attack. The attacker's traffic rapidly increased during a DoS attack.

| Detection rate
We investigated the detection rate of our approach and compared it with two related works on detecting DoS attacks in the network, as shown in Figure 6. The detection rate is the percentage of the number of DoS attackers detected to the number of attackers in the network. Our scheme detects 100% of the malicious nodes present in the network, while the detection rate in MADoS and FFUCA is 80.4% and 60.1%, respectively. The reason is based on the four stages of DoS attack detection we used for our approach. Thus, LSDoS performed better than the other two related schemes.

| Detection accuracy
We performed many rounds of simulation where a different number of normal nodes are deployed per round. We also varied the number of attackers against the number of nodes for each round of the experiment. We performed simulation on the developed algorithm by assigning two malicious nodes for every 10 normal nodes and continuing progressively up to 100 nodes. Figure 7 shows the simulation result for DoS attack detection by varying the number of attacks from 2 to 20. Initially, the detection accuracy for the three algorithms is almost the same when the number of nodes is between 10 and 20 nodes. Thereafter, we could see that as the number of attackers increases, the performance of FFUCA and MADoS decreases, while LSDoS maintains its consistency. It achieves 36.2% more detection accuracy compared to the two algorithms.

| Average data packet delay
Average end-to-end data packet delay against the number of sensor nodes was investigated and the result is presented in Figure 8. We observe that as the number of sensor nodes increases, the number of sensor nodes vulnerable to DoS attacks likewise increases. This obviously affects data transmission and results in data packet loss in the network. Thus, the average data packet delay in our scheme is the lowest among the three schemes; hence it performs better than the other two related schemes.

| Energy consumption
Energy consumption is an important metric in WSNs which directly influences the network lifetime. The presence of malicious nodes in WSNs increases bandwidth and computational overhead through bogus data injected into the network. This depletes the battery resource of sensor nodes and causes energy drain. Figure 9 shows the energy consumption comparison between a normal network and a network with malicious nodes. Thus, the greater the number of malicious nodes in the network, the more energy is depleted.
In addition, the real energy consumption and the energy estimation of the malicious nodes are compared in Figure 10. Initially, the real energy consumption and the energy estimate result are the same. Thereafter, as the malicious nodes launch DoS attacks, they consume more energy due to the extra energy used to launch the attacks. Thus, the energy estimation result becomes different from the real energy consumption of the malicious nodes. The difference between energy estimation and real energy consumption leads to the detection of malicious nodes in the network.
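The energy-deviation check described above, scored with the FP, FN, TP, TN, accuracy and DR definitions from the attack detection rates section, as an added example that is not the authors' code. It assumes a simple relative-tolerance rule (10%) and constructed per-node energy figures; `NodeReport`, `flag_nodes`, `score` and `constructed_reports` are hypothetical names.

```python
from dataclasses import dataclass

@dataclass
class NodeReport:                 # hypothetical record kept by a cluster head
    node_id: int
    malicious: bool               # ground truth, known only in simulation
    estimated_j: float            # energy the node was expected to use (J)
    real_j: float                 # energy the node actually used (J)

def flag_nodes(reports, tolerance=0.10):
    """Flag nodes whose real consumption exceeds the estimate by more than
    `tolerance` (relative). The 10% value is an assumption, not from the paper."""
    return {r.node_id for r in reports
            if r.real_j > r.estimated_j * (1 + tolerance)}

def score(reports, flagged):
    """Alarm rates normalised by the total number of nodes, as the page defines them."""
    n = len(reports)
    tp = sum(r.malicious and r.node_id in flagged for r in reports)
    fp = sum(not r.malicious and r.node_id in flagged for r in reports)
    fn = sum(r.malicious and r.node_id not in flagged for r in reports)
    tn = n - tp - fp - fn
    return {
        "TP": tp / n, "FP": fp / n, "FN": fn / n, "TN": tn / n,
        "accuracy_pct": 100 * (tp + tn) / n,
        "DR_pct": 100 * tp / n,
        # The detection rate subsection divides by the attackers present instead.
        "attackers_detected_pct": 100 * tp / (tp + fn) if tp + fn else 0.0,
    }

def constructed_reports():
    """Constructed data: 10 legitimate nodes and 2 malicious ones."""
    real = [1.96, 2.03, 1.99, 2.08, 2.01, 1.94, 2.05, 2.00, 2.10, 2.24]
    reports = [NodeReport(i, False, 2.0, j) for i, j in enumerate(real)]
    reports.append(NodeReport(10, True, 2.0, 3.20))   # node sending attack traffic
    reports.append(NodeReport(11, True, 2.0, 2.16))   # low-rate node, under tolerance
    return reports

if __name__ == "__main__":
    nodes = constructed_reports()
    flagged = flag_nodes(nodes)
    print("flagged:", sorted(flagged))
    for name, value in score(nodes, flagged).items():
        print(f"{name}: {value:.4f}")
```

With these constructed figures one noisy legitimate node exceeds the tolerance and one low-rate malicious node stays under it, so DR is 8.3% of all nodes while 50% of the attackers present are detected; the two normalisations should not be compared directly.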

| Throughputs of clusters
Throughput is defined as the total number of sensed data successfully delivered to the destination node over the simulation time. A higher throughput value means better performance of the scheme. A comparison of the throughputs of the clusters for three different conditions is shown in Figure 11. The throughputs of clusters without malicious nodes (our scheme) are much higher than those of clusters with malicious nodes (without security protection). Initially, throughputs of clusters with our scheme and without our scheme are close to each other; however, over time the throughputs in our scheme perform much better than the scheme without protection. In the clusters with malicious nodes, the throughputs considerably decrease by 12.9 kbps. Thus, after the malicious nodes are detected and their information is sent to the base station, the base station generates unique new IDs and sends them to all legitimate nodes. Therefore, malicious nodes cannot interact with other legitimate nodes in the network as discussed in Section 3. Hence, the throughputs of clusters in LSDoS may not be higher than that in the normal network.
The simulation result for the availability and reliability of sensor nodes to reveal QoS during network operation is presented in Figure 12. We observe that sensor nodes have more lifetime and they can reliably transmit their data to the data centre. The reason is that our approach is able to detect and remove all malicious nodes in the network. Thus, it extends the WSN's lifetime utilization.
We investigate network throughput after the implementation of the models and the graph is presented in Figure 13. Sensor node availability is measured by whether the node is able to transmit successfully to its corresponding CH within the allocated time. It takes a value of 0 if the node cannot transmit within the allocated time, or 1 if the node can transmit.

| CONCLUSION AND FUTURE WORK
In this article, we present an approach for detecting and removing DoS attacks in WSNs. The method of detection is based on using cluster heads which monitor the traffic intensity in clusters. A unique method is used for the selection of the cluster heads. We further developed algorithms and implemented them to detect malicious nodes in the network using a network simulator, ns-3. The results show that the proposed scheme can effectively detect and eliminate DoS attacks in WSNs. It gives significant results in terms of energy consumption, time detection, data reliability, throughput, and detection rate. It provides a better load of repartition between node sensors. In the future, we wish to implement our scheme in a real testbed, as this will help us to check whether the scheme meets the resource constraints of WSNs.

Figure 12: Availability and reliability on average time between failure

Figure 13: Transmission rate for sensed data per sec