Sunteți pe pagina 1din 14

Intrusion Detection in Homogeneous and

Heterogeneous Wireless Sensor Networks


Yun Wang, Student Member, IEEE, Xiaodong Wang, Student Member, IEEE,
Bin Xie, Senior Member, IEEE, Demin Wang, Student Member, IEEE, and
Dharma P. Agrawal, Fellow, IEEE
AbstractIntrusion detection in Wireless Sensor Network (WSN) is of practical interest in many applications such as detecting
an intruder in a battlefield. The intrusion detection is defined as a mechanism for a WSN to detect the existence of inappropriate,
incorrect, or anomalous moving attackers. For this purpose, it is a fundamental issue to characterize the WSN parameters such
as node density and sensing range in terms of a desirable detection probability. In this paper, we consider this issue according
to two WSN models: homogeneous and heterogeneous WSN. Furthermore, we derive the detection probability by considering
two sensing models: single-sensing detection and multiple-sensing detection. In addition, we discuss the network connectivity and
broadcast reachability, which are necessary conditions to ensure the corresponding detection probability in a WSN. Our simulation
results validate the analytical values for both homogeneous and heterogeneous WSNs.
Index TermsIntrusion detection, node density, node heterogeneity, sensing range, Wireless Sensor Network (WSN).

1 INTRODUCTION
A
Wireless Sensor Network (WSN) is a collection of
spatially deployed wireless sensors by which to
monitor various changes of environmental conditions
(e.g., forest fire, air pollutant concentration, and object
moving) in a collaborative manner without relying on any
underlying infrastructure support [1]. Recently, a number
of research efforts have been made to develop sensor
hardware and network architectures in order to effectively
deploy WSNs for a variety of applications. Due to a wide
diversity of WSN application requirements, however, a
general-purpose WSN design cannot fulfill the needs of all
applications. Many network parameters such as sensing
range, transmission range, and node density have to be
carefully considered at the network design stage, according
to specific applications. To achieve this, it is critical to
capture the impacts of network parameters on network
performance with respect to application specifications.
Intrusion detection (i.e., object tracking) in a WSN can
be regarded as a monitoring system for detecting the
intruder that is invading the network domain. Fig. 1
gives an example that sensors are deployed in a square
area 1 1 for detecting the presence of a moving
intruder. Note that in Fig. 1, as well as in Figs. 3 and 4, the
illustration of sensors and an intruder is based on a slide for
paper [2]. The intrusion detection application concerns
how fast the intruder can be detected by the WSN. If
sensors are deployed with a high density so that the union
of all sensing ranges covers the entire network area, the
intruder can be immediately detected once it approaches
the network area. However, such a high-density deploy-
ment policy increases the network investment and may be
even unaffordable for a large area. In fact, it is not necessary
to deploy so many sensors to cover the entire WSN area in
many applications [3], since a network with small and
scattered void areas will also be able to detect a moving
intruder within a certain intrusion distance. In this case, the
application can specify a required intrusion distance within
which the intruder should be detected. As shown in Fig. 1,
the intrusion distance is referred as 1 and defined as the
distance between the point the intruder enters the WSN,
and the point the intruder is detected by the WSN system.
This distance is of central interest to a WSN used for
intrusion detection.
In this paper, we derive the expected intrusion distance
and evaluate the detection probability in different applica-
tion scenarios. Given a maximal allowable intrusion
distance 1
ior
, we theoretically capture the impact on
the detection probability in terms of different network
parameters, including node density, sensing range, and
transmission range. For example, given an expected
detection distance 11, we can derive the node density
with respect to sensors sensing range, thereby knowing the
total number of sensors required for WSN deployment.
In a WSN, there are two ways to detect an object
(i.e., an intruder): single-sensing detection and multiple-sensing
detection. In the single-sensing detection, the intruder can be
successfully detected by a single sensor. On the contrary,
in the multiple-sensing detection, the intruder can only be
detected by multiple collaborating sensors [4]. In some
applications, the sensed information provided by a
single sensor might be inadequate for recognizing the
intruder. It is because individual sensors can only sense a
portion of the intruder. For example, the location of an
intruder can only be determined from at least three sensors
sensing data [5], [6], [7], [8]. In view of this, we analyze the
698 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008
. The authors are with the OBR Center of Distributed and Mobile
Computing, Department of Computer Science, University of Cincinnati,
Cincinnati, OH 45221-0030.
E-mail: {wany6, wangxd, xieb, wangdm, dpa}@email.uc.edu.
Manuscript received 15 May, 2007; revised 26 Oct. 2007; accepted 10 Jan.
2008; published online 28 Jan. 2008.
For information on obtaining reprints of this article, please send e-mail to:
tmc@computer.org, and reference IEEECS Log Number TMC-2007-05-0136.
Digital Object Identifier no. 10.1109/TMC.2008.19.
1536-1233/08/$25.00 2008 IEEE Published by the IEEE CS, CASS, ComSoc, IES, & SPS
intrusion detection problem under two application scenar-
ios: single-sensing detection and multiple-sensing detection.
According to the capability of sensors, we consider
two network types: homogeneous and heterogeneous
WSNs [9]. We define the sensor capability in terms of the
sensing range and the transmission range. In a heteroge-
neous WSN[10], [11], [12] some sensors have a larger sensing
range and more power to achieve a longer transmission
range. In this paper, we show that the heterogeneous WSN
increases the detection probability for a given intrusion
detection distance. On the other hand, a heterogeneous WSN
poses the challenge of network connectivity due to asym-
metric wireless link. The high-capability sensors have a
longer transmission range while low capability sensors
have a shorter transmission range. Due to this, the packet
sent by a high-capability sensor may reach the low-capability
sensor, while the low capability sensor may not be able to
send packets to the corresponding high-capability sensor
[13]. This motivates us to analyze the network connectivity
in this paper. Furthermore, in a heterogeneous WSN, high-
capability sensors usually undertake more important tasks
(i.e., broadcasting power management information or syn-
chronization information to all the sensors in the network),
it is also desirable to define and examine the broadcast
reachability from high-capability sensors. The network
connectivity and broadcast reachability are important con-
ditions to ensure the detection probability in WSNs. They
are formally defined and analyzed in this paper. To the best
of our knowledge, our effect is the first to address this issue
in a heterogeneous WSN.
The main contributions of this paper can be summarized
as follows:
. Developing an analytical model for intrusion
detection in WSNs, and mathematically analyzing
the detection probability with respect to various
network parameters such as node density and
sensing range.
. Applying the analytical model to single-sensing
detection and multiple-sensing detection scenarios
for homogeneous and heterogeneous WSNs.
. Defining and examining the network connectivity
and broadcast reachability in a heterogeneous WSN.
The remainder of the paper is organized as follows:
Section 2 presents the related work. Section 3 describes the
intrusion detection model. Section 4 analyzes the intrusion
detection in a homogeneous WSN, and Section 5 examines
the intrusion detection in a heterogeneous WSN. Section 6
studies the network connectivity and broadcast reachability
in a heterogeneous WSN. Simulation and verification
results are given in Section 7. Finally, the paper is
concluded in Section 8.
2 RELATED WORK
Intrusion detection is one of the critical applications in
WSNs, and recently, several approaches for intrusion
detection in homogeneous WSNs have been presented [3],
[14], [15], [16], [17]. The focus of these approaches aims at
effectively detecting the presence of an intruder. First, the
problem is investigated from the aspect of the network
architecture. Kung and Vlah [14] take advantage of a
hierarchical tree structure to effectively track the movement
of an intruder. The hierarchical tree consists of connected
sensors and is built upon expected properties of intruder
mobility patterns such as its movement frequency over a
region. Based on the hierarchical tree, it allows an efficient
record of an intruders moving information and supports
fast querying from the base station. Another tree structure
for tracking an intruder, called as a logic object-tracking
tree, is developed by Lin et al. [15]. The logic object tracking
tree reduces the communication cost for data updating and
querying by taking into account the physical network
topology. In particular, the logic object tracking tree targets
to balance the update cost and the query cost so as to
minimize the total communication cost.
Second, the intrusion detection problem has been
considered from the constraint of saving network resources.
For example, Chao et al. [16] have addressed the issue of
tracking a moving intruder by power-conserving operations
and sensor collaboration. To achieve this, the authors
defined a set of novel metrics for detecting a moving
intruder and developed two efficient sleep-awake schemes
called PECAS and MESH, to minimize the power con-
sumption. Ren et al. [3] further studied the trade-off
between the network detection quality (i.e., how fast the
intruder can be detected) and the network lifetime. There-
fore, the sensor coverage had to be carefully designed
according to the detection probability with respect to
specific application requirements. The authors then pro-
posed three wave sensing scheduling protocols to achieve
the bounded worst case detection probability.
Rather than a static WSN architecture as the above
approaches, Liu et al. [17] have modeled the intrusion
detection problem in a mobile WSN, where each sensor is
capable of moving. The authors have given the optimal
strategy for fast detection and shown that mobile WSN
improves its detection quality due to the mobility of sensors.
In this paper, we address the intrusion detection
problem from the other angle. Most of the above efforts
consider intrusion detection and its efficiency in terms of
the single-sensing model in a homogeneous WSN. Instead
of the network architecture and detecting protocol design,
we provide a comprehensive theoretical analysis on the
intrusion detection in both homogeneous and heteroge-
neous WSNs [18]. The detection probability is theoretically
captured by using underlying network parameters, and
thus, our work is of paramount importance for a network
WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 699
Fig. 1. Intrusion detection in a WSN.
planner to design WSNs for intrusion detection applica-
tions. To the best of our knowledge, this is the first work
that considers the intrusion detection problem in a
heterogeneous WSN and provides fundamental analytical
results on it. The analytical results indicate the improve-
ment on the detection quality in a heterogeneous WSN, as
compared to a homogeneous WSN, either for the single-
sensing detection or the multiple-sensing detection scenar-
ios. Furthermore, we have modeled the network connectiv-
ity and broadcast reachability in a heterogeneous WSN [19],
which serve as the necessary conditions for achieving
desirable detection probability.
3 INTRUSION DETECTION MODEL AND DEFINITIONS
Our intrusion detection model includes a network model,
a detection model, and an intrusion strategy model. The
network model specifies the WSN environment. The
detection model defines how the intruder can be detected
and the intrusion strategy illustrates the moving policy of
the intruder.
3.1 Network Model
We consider a WSN in a two-dimensional (2D) plane with
` sensors, denoted by a set N i
1
. i
2
. . . . . i
`
, where i
i
is the ith sensor. These sensors are uniformly and indepen-
dently deployed in a square area 1 1. Such a random
deployment results in a 2D Poisson point distribution of
sensors. All sensors are static once the WSN has been
deployed. In particular, we consider two WSN types:
homogeneous and heterogeneous WSNs. In a homogeneous
WSN, each sensor has the same sensing radius of i
:
, and the
transmissionrange of i
r
. Asensor canonly sense the intruder
within its sensing coverage area that is a disk with radius i
:
centered at the sensor. Denote the node density of the
homogeneous WSN as `. We then focus on a heterogeneous
WSN with two types of sensors, as shown in Fig. 2:
. Type I sensor that has a larger sensing range i
:1
,
as well as a longer transmission range i
r1
, and
. Type II sensor that has a smaller sensing range i
:2
,
as well as a shorter transmission range i
r2
.
The densities of Type I and Type II sensors are represented
as `
1
and `
2
, respectively. Fig. 2 shows a heterogeneous
WSN, where both Type I and Type II sensors follow the
2D Poisson point distribution. In a homogeneous or
heterogeneous WSN, a point is said to be covered by a
sensor if it is located in the sensing range of any sensor(s).
The WSN is thus divided into two regions, the covered
region, which is the union of all sensor coverage disks, and
the uncovered region, which is the complement of the
covered region within the area of interest . In our network
model, the intruder does not know the sensing coverage
map of the WSN.
3.2 Detection Model
There are two detection models in terms of how many
sensors are required to recognize an intruder: single-
sensing detection model and multiple-sensing detection
model. It is said that the intruder is detected under the
single-sensing detection model if the intruder can be identified
by using the sensing knowledge from one single sensor.
On the contrary, in the multiple-sensing detection model, the
intruder can only be identified by using cooperative
knowledge from at least / sensors (/ is defined by specific
application requirements). For simplicity of expression,
multiple sensing and /-sensing are interchangeable in the
following discussion:
In order to evaluate the quality of intrusion detection in
WSNs, we define three metrics as follows:
. Intrusion distance. The intrusion distance, denoted
by 1, is the distance that the intruder travels
before it is detected by a WSN for the first time.
Specifically, it is the distance between the point
where the intruder enters the WSN and the point
where the intruder gets detected by any sensor(s).
Following the definition of intrusion distance, the
Maximal Intrusion Distance (denoted by , 0)
is the maximal distance allowable for the intruder
to move before it is detected by the WSN.
. Detection probability. The detection probability is
defined as the probability that an intruder is
detected within a certain intrusion distance (e.g.,
Maximal Intrusion Distance ).
. Average intrusion distance. The average intrusion
distance is defined as the expected distance that
the intruder travels before it is detected by the WSN
for the first time.
3.3 Intrusion Strategy Model
As illustrated in Figs. 3 and 4, we consider two intrusion
strategies for the movement of the intruder in a WSN. If the
intruder (say, a panzer) already knows its destination
before entering the network domain, it follows the
shortest path to approach the destination. In this case, the
intrusion path is a straight line 1
1
from the entering point
to the destination, as illustrated in Fig. 3. The main idea
behind this strategy is that the straight movement causes
the least risk for the intruder due to the least area that it has
to explore by following a straight line toward the destina-
tion. The corresponding intrusion detection area o
1
is
determined by the sensors sensing range i
:
and intrusion
distance 1
1
, as shown in Fig. 3. It is because the intruder
can be detected within the intrusion distance 1
1
by any
sensor(s) situated within the area of o
1
.
700 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008
Fig. 2. Heterogeneous WSN deployment.
On the contrary, if the intruder does not know its
destination, it moves in the network domain in a
random fashion. We consider that the intruder tends to
minimize the overlapping on its path. Thus, the intrusion
path of the intruder can be regarded as a nonoverlapping
curved line 1
2
, and the intrusion area accordingly is a
curved band o
2
, as illustrated in Fig. 4.
In the above two strategies, if the intruder travels the
same distance, i.e., 1
1
1
2
, the corresponding intrusion
detection areas approximately satisfy o
1
o
2
. Therefore,
we adopt a straight path in the following discussion, and
the analytical results can be directly applied to the case of
the curved path. Furthermore, the intruder can start its
intrusion from the network boundary or a random point
inside the network domain. For example, the intruder can
be dropped from the air and starts from any point in the
network domain.
4 INTRUSION DETECTION IN A HOMOGENEOUS
WIRELESS SENSOR NETWORK
In this section, we present the analysis of intrusion
detection in a homogeneous WSN. We derive the detection
probability for single-sensing detection and /-sensing
detection.
4.1 Single-Sensing Detection
In the single-sensing detection model, the intruder can be
recognized once it moves into the sensing coverage disk
of any sensor(s). According to the intrusion strategy, the
intruder may access the network domain from any point
of the network boundary or a random point in the
network domain. When the intruder starts from a point of
the network boundary, as shown in Fig. 5, given an
intrusion distance 1 ! 0, the corresponding intrusion
detection area o
1
is almost an oblong area. This area
includes a rectangular area with length 1 and width 2i
:
and a half disk with radius i
:
attached to it. It has
o
1
2 1 i
:

i
2
:
2
. 1
According to the definition of single-sensing detection,
the intruder is detected if and only if there exists at least
one sensor within this area o
1
. Otherwise, the intruder is
not detected. Similarly, when the intruder starts from a
random point in the network domain, the corresponding
intrusion detection area is o
1
2 1 i
:
i
2
:
, as shown
in Fig. 6. In the following analysis, we focus on the case that
the intruder starts from the boundary of the network
WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 701
Fig. 3. Intrusion strategy 1.
Fig. 4. Intrusion strategy 2.
Fig. 5. The intruder starts from the boundary of the WSN.
Fig. 6. The intruder starts form a random point in the WSN.
domain. The derived results can be applied to the other case
by replacing
i
2
:
2
with i
2
:
.
We first consider the detection probability that the
intruder can be immediately detected once it enters the
network domain. In other words, it has an intrusion
distance 1 0. The corresponding intrusion detection area
is o
0

i
2
:
2
. We then have Theorem 1 as follows:
Theorem 1. The probability j
1
1 0 that an intruder can be
immediately detected once it enters a homogeneous WSN with
node density ` and identical sensing range i
:
can be given by
j
1
1 0 1 c
`
i
2
:
2
. 2
Proof. In a uniformly distributed WSN with node density `,
the probability of i sensors located within the area o
follows the Poisson distribution [18]:
1i. o
o`
i
i!
c
o`
. 3
Therefore, the probability of no sensor in the immediate
intrusion detection area o
0

i
2
:
2
is 10.
i
2
:
2
c
`
i
2
:
2
.
Then, the complement of 10.
i
2
:
2
is the probability that
there is at least one sensor located in o
0

i
2
:
2
. In this
case, the intruder can be detected once it approaches the
network with intrusion distance 1 0. Thus, the
probability that the intruder can be detected immedi-
ately by the WSN once it enters the WSN is j
1
1 0
1 10.
i
2
:
2
1 c
`
i
2
:
2
. tu
This result shows that the immediate detection prob-
ability j
1
1 0 is determined by the node density and the
sensing range. By increasing the node density or enlarging
the sensing range, j
1
1 0 can be improved.
Immediate detection may need a large sensing range or a
high node density, thus increasing the WSN deployment
cost. We then consider the detection probability in a relaxed
condition when the intruder is allowed to travel some
distance in the WSN.
Theorem 2. Suppose is the maximal intrusion distance
allowable for a given application. The probability j
1
1
that the intruder can be detected within in the given
homogeneous WSN can be derived as
j
1
1 1 c
` 2i
:

i
2
:
2
_ _
. 4
Proof. According to the definitionof single-sensing detection
model, the probability that the intruder can be detected
within an intrusion distance of is equivalent to the
probability that there is at least one sensor located in the
corresponding intrusion detection area o

2i
:

i
2
:
2
.
That is, j
1
1 1 10. o

while 10. o

is obtained
from (3). The probability j
1
1 can further be
represented as j
1
1 1 10. o

1 c
`2i
:

i
2
:
2

.
Then, it yields j
1
1 1 c
`2i:
i
2
:
2

. tu
Theorem 3. Let j
1
1 be the probability that the intruder is
detected at an intrusion distance , 0, and 1
1
1 be the
average intrusion distance. Then,
j
1
1 2`i
:
c
` 2i:
i
2
:
2
_ _
and
1
1
1
_

2
p
1
0
2`i
:
c
` 2i
:

i
2
:
2
_ _
d.
5
Proof. In Theorem 2, (4) gives the cumulative density
function (CDF) of intrusion distance such as j
1
1 .
Therefore, j
1
1 can be obtained from the differential
of j
1
1 , and it can be calculated as j
1
1
d j11
d
2`i
:
c
`2i:
i
2
:
2

. The average intrusion distance
1
1
1 can be easily derived from the PDF of the intrusion
distance (i.e., j
1
1 ). Since the intruder is assumed to
move in the network along a straight path, and the
network domain is a square area with size 1 1, the
maximum distance the intruder may travel is

2
p
1. Then,
the average intrusion distance is given as 1
1
1
_

2
p
1
0
j
1
1 d
_

2
p
1
0
2`i
:
c
`2i
:

i
2
:
2

d. tu
Theorems 1-3 indicate that the quality of intrusion detection
in single-sensing detection scenario for a given WSN
improves as the sensing range or the node density
increases.
4.2 K-Sensing Detection
In the /-sensing detection model, an intruder has to be sensed
by at least / sensors for intrusion detection in a WSN. The
number of requiredsensors depends onspecific applications.
For example, at least three sensors sensing information is
required to determine the location of the intruder.
Theorem 4. Let j
/
1 0 be the probability that an intruder is
detected immediately once it enters a WSN with node density
` and sensing range i
:
in /-:ci:iiq detection model. It has
j
/
1 0 1

/1
i0
i
2
:
`
_ _
i
2
i
i!
c

i
2
:
2
`
. 6
Proof. According to (3), 1i.
i
2
:
2
is the probability that
there are i sensors located in the immediate detection
area o
0

i
2
:
2
.

/1
i0
1i.
i
2
:
2
is therefore the probability
that there are less than / sensors in the area o
0
. Further,
1

/1
i0
1i.
i
2
:
2
represents the probability that there
are at least / sensors located in the area o
0
. In this case,
the intruder can be sensed by at least / sensors when
it accesses the network boundary. Consequently, it
can be said that j
/
1 0 1

/1
i0
1i.
i
2
:
2
1

/1
i0
i
2
:
`
i
2
i
i!
c

i
2
:
2
`
is the probability of the intruder to
be detected immediately when it enters the WSN
domain under /-sensing detection scenarios. tu
Theorem 5. Let j
/
1 be the probability that the intruder is
detected within the maximal intrusion distance in a
/-:ci:iiq detection model for the given homogeneous WSN.
Then, j
/
1 can be calculated as
702 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008
j
/
1 1

/1
i0
o

`
_ _
i
i!
c
o

`
where o

2i
:

i
2
:
2
.
7
Proof. o

2i
:

i
2
:
2
is the intrusion detection area with
respect to the maximal intrusion distance . If there are at
least / sensors in the area o

, the intruder can be sensed


by the / sensors, and the / sensors could collaborate
with each other to recognize the intruder. From (3),
1i. o

`
i
i!
c
o

`
denotes the probability that i sen-
sors are located in the area of o

. Then,

/1
i0
1i. o

/1
i0
o`
i
i!
c
o`
is the probability that less than / sensors
are located in the area o

. Thus, the complement of

/1
i0
1i. o

, 1

/1
i0
o

`
i
i!
c
o

`
is the probability that
there are at least / sensors located in the area o

. If this is
the case, the intruder can be sensed by at least / sensors
from the WSN with probability 1

/1
i0
o `
i
i!
c
o`
before it travels a distance of . Finally, the probability
j
/
1 that the intruder is detected within the maximal
intrusion distance in /-sensing detection model can be
derived as j
/
1 1

/1
i0
o`
i
i!
c
o`
. tu
Theorem 6. Let 1
/
1 be the average intrusion distance in the
/-:ci:iiq detection model for the given WSN with node
density ` and sensing range i
:
, it has
1
/
1
/

/1
i0
i
2
:
2
`
_ _
i
c

i
2
:
2
`
2i
:
`i!
. 8
Proof. 1
/
1 is the average intrusion distance. Then,
o
/
1
/
1 2i
:
is the average intrusion detection area,
and ` 1
/
1 2i
:
is the average number of sensors
located in the area of o
/
. Based on the definition of
/-sensing detection model, / sensors are required to
identify the intruder. Thus, the average number of sensors
located in the average intrusion detection area should be
equal to /, that is, ` 1
/
1 2i
:
/. Considering the
case when the intruder is detected immediately once it
enters the WSN domain, the average intrusion distance is
1
/
1 0, while ` 1
/
1 2i
:
0. In this case, `
1
/
1 2i
:
/ does not hold. Thus, it is necessary to
eliminate this boundary effect, and we get ` 1
/
1
2i
:
/1 j
/
1 0. By replacing j
/
1 0 by (7)
following Theorem 4, we further obtain ` 1
/
1 2i
:

/

/1
i0
1i.
i
2
:
2
/

/1
i0

i
2
:
2
`
i
c

i
2
:
2
`
. Finally, the average
intrusion distance in the /-sensing detection model for
the given WSN can be calculated as
1
/
1
/

/1
i0
i
2
:
2
`
_ _
i
c

i
2
:
2
`
2i
:
`i!
.
ut
Theorems 4-6 show that the quality of intrusion detection
in the /-sensing detection scenario for a given WSNimproves
as the sensing range and node density increase and
decreases as / grows. If we relax the multiple-sensing
detection to single-sensing detection by setting / 1.
Equation (8) is reduced to 1
1
1
c

i
2
:
2
`
2i
:
`i!
, which shows (5)
in another way (i.e., 1
1
1
_

2
p
1
0
2`i
:
c
`2i
:

i
2
:
2

d).
Note that there is no closed form solution for the integral
in (5), but it matches with (8) when 1 ) i
:
.
5 INTRUSION DETECTION IN A HETEROGENEOUS
WIRELESS SENSOR NETWORK
In a heterogeneous WSN, as defined in Section 3.1, we
consider two types of sensors: Type I and Type II with the
node density of `
1
and `
2
, respectively. A Type I sensor
has the sensing range i
:1
, and the sensing coverage is a
disk of area o
1
i
2
:1
. A Type II sensor has the sensing
coverage of o
2
i
2
:2
with the sensing range i
:2
. Without
loss of generality, we can assume that i
:1
i
:2
in our
network model. In a heterogeneous WSN, any point in the
network domain is said to be covered if the point is under
the sensing range of any sensor (Type I, Type II, or both).
In this section, we present the analysis of intrusion
detection probability of a heterogeneous WSN in single-
sensing detection and multiple-sensing detection models.
5.1 Single-Sensing Detection
We denote the intrusion distance by 1
/
in the given
heterogeneous WSN. Again, an intruder may be detected
by the WSN once it approaches the network boundary,
and the corresponding intrusion distance is 1
/
0. This
leads to the following theorem.
Theorem 7. The probability j
1
1
/
0 that an intruder can be
immediately detected once it enters the given heterogeneous
WSN in a single-sensing detection model can be represented by
j
1
1
/
0 1 c
`
1
i
2
:1
2
c
`
2
i
2
:2
2
. 9
Proof. According to the single-sensing detection model,
the intruder is detected if and only if one of the following
conditions is satisfied:
. The intruder enters into the sensing coverage area
of any Type I sensor(s).
. The intruder enters into the sensing coverage area
of any Type II sensor(s).
In the Cartesian coordinate system, as illustrated in
Fig. 7, suppose point (0, 0) is the starting position of the
intruder, and y-axis is the network boundary. If a Type
Isensor is located inside the half disk o
1

i
2
:1
2
, which is
centered at the point (0, 0) with radius i
:1
, the first
condition holds. Similarly, the second condition holds if
there is a Type II sensor inside the half disk o
2

i
2
:2
2
,
which is centered at the point (0, 0) with radius i
:2
. Then,
WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 703
from (3), the probability that no Type I sensor lies inside
o
1
is 1
1
0. o
1
c
`1o1
c
`1
i
2
:1
2
, and the probability of
no Type II sensor inside o
2
is 1
2
0. o
2
c
`2o2
c
`2
i
2
:2
2
.
Considering Type I and Type II, sensors are indepen-
dently deployed according to our heterogeneous WSN
model, the probability of neither Type I sensor nor Type
II sensor that senses the intruder is 1
1
0. o
1
1
2
0. o
2

c
`1
i
2
:1
2
c
`2
i
2
:2
2
. Thus, the probability of at least one sensor
(either Type I or Type II) around the boundary that can
sense the intruder is 1 1
1
0. o
1
1
2
0. o
2
1 c
`
1
i
2
:1
2
c
`
2
i
2
:2
2
. Therefore, the probability that the intruder is
detected immediately once it enters the network domain
can be represented as j
1
1
/
0 1 c
`1
i
2
:1
2
c
`2
i
2
:2
2
. tu
Theorem 8. Suppose is the maximal intrusion distance
allowable for the intruder to travel within the given
heterogeneous WSN in single-sensing detection. The prob-
ability j
1
1
/
that the intrusion distance 1
/
is less than
can be calculated as
j
1
1
/
1 c
`
1
o
0
1
c
`
2
o
0
2
.
where o
0
i
2i
:i

i
2
:i
2
. i 1. 2.
10
Proof. The probability of an intruder to be detected within
the maximal intrusion distance is equivalent to the
probability of at least one sensor (either Type I or
Type II) inside the corresponding intrusion detection
area o
0

. For Type I sensors, the intrusion detection


area o
0
1
is the region that includes a rectangular area
with length and width 2i
:1
, as well as a half disk with
radius i
:1
, as shown in Fig. 8. It gives o
0
1
2i
:1

i
2
:1
2
.
Similarly, the intrusion detection area for Type II sensors
is o
0
2
2i
:2

i
2
:2
2
. Then, we obtain the maximal intru-
sion detection area with respect to as o
0

o
0
1

o
0
2
. The
intruder can be detected within the intrusion distance if
one of the following conditions is satisfied:
. At least one Type I sensor is located in the area
of o
0
1
.
. If condition 1 does not hold, at least one Type II
sensor is located in the area of o
0
2
.
Note that 1
1
0. o
0
1
c
`
1
o
0
1
is the probability of no Type I
sensor in the area of o
0
1
, and 1
2
0. o
0
2
c
`2o
0
2
is the
probability of no Type II sensor in the area of o
0
2
. The
first condition can be satisfied with the probability of
1 1
1
0. o
0
1
, and the second condition holds with the
probability of 1
1
0. o
0
1
11
2
0. o
0
2
. Thus, 11
1
0. o
0
1

1
1
0. o
0
1
1 1
2
0. o
0
2
1 1
1
0. o
0
1
1
2
0. o
0
2
represents
the probability of at least one sensor (either Type I or
Type II) that can detect the intruder within the maximal
intrusion detection area o
0

. Finally, the probability


that the intrusion distance 1
/
is less than can be derived
a s j
1
1
/
1 1
1
0. o
0
1
1
2
0. o
0
2
1 c
`1o
0
1
c
`2o
0
2
.
Further, we get j
1
1
/
1c
`12i:1
i
2
:1
2

c
`22i:2
i
2
:2
2

. tu
Theorem 9. The probability j
1
1
/
that the intruder is
detected at an intrusion distance 0 when it travels
within the given heterogeneous WSN in single-sensing
detection can be derived as
j
1
1
/
2`
1
i
:1
`
2
i
:2
c
`1o
0
1
`2o
0
2

.
where o
0
i
2i
:i

i
2
:i
2
. i 1. 2.
11
Proof. Equation (10) gives the CDF of intrusion distance in a
single-sensing detection scheme. Therefore, the probabil-
ity j
1
1
/
that the intruder is detected at an intrusion
distance can be derived by the differential of j
1
1
/
.
It has j
1
1
/

dj
1
1
/

d
2`
1
i
:1
`
2
i
:2
c
`1o
0
1
`2o
0
2

2`
1
i
:1
`
2
i
:2
c
2`1i:12`2i:2
`
1
i
2
:1
`
2
i
2
:2
2

. Then, based on
the PDF of an intrusion detection distance such as
j
1
1
/
, it is easy to obtain the expected intrusion
distance as
1
1
1
/

_

2
p
1
0
2`
1
i
:1
`
2
i
:2
c
`
1
o
0
1
`
2
o
0
2

d.
This is because the maximum intrusion distance that the
intruder could travel in the square network domain is

2
p
1 by following a straight path. tu
704 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008
Fig. 7. Intrusion detection at the start point 1
/
0. Fig. 8. Intrusion detection in the heterogeneous WSN 1
/
.
Theorems 7-9 indicate that the quality of intrusion
detection in single-sensing detection scenario for a given
heterogeneous WSN increases with the increasing of
sensing range and node density. In addition, the existence
of high-capability sensors improves the network detection
probability further due to a larger sensing range.
5.2 K-Sensing in a Heterogeneous WSN
In the /-sensing detection model of a heterogeneous WSN
with two types of sensors, at least / sensors are required to
detect an intruder. These / sensors can be any combination
of Type I and Type II sensors. For instance, if three sensors
are required to detect an intruder for a specific application,
the intruder can be detected by any of the following sensor
combinations:
1. three Type I sensors,
2. three Type II sensors,
3. one Type I sensor and two Type II sensors, and
4. two Type I sensors and one Type II sensor.
Theorem 10. Let j
/
1
/
0 be the probability that an intruder
can be immediately detected once it enters the given
heterogeneous WSN in the /-:ci:iiq detection model. It has
j
/
1
/
0 1

/1
i0

i
,0
1
1
,.
i
2
:1
2
_ _
1
2
i,.
i
2
:2
2
_ _
_ _
.
12
Proof. According to /-sensing detection model, an intruder
is detected immediately once it enters the network if and
only if at least / sensors are located within their half
sensing disk centered at the intrusion start point (as
illustrated in Fig. 7). Based on (3), 1
1
,. o
1

o
1
`
,
,!
c
o1`
is
the probability of , Type I sensors that can sense the
intruder within the corresponding intrusion detection
area o
1

i
2
:1
2
, and 1
2
i,. o
2

o
2
`
i,
i,!
c
o2`
is the
probability of i, Type II sensors that can sense the
intruder within the area of o
2

i
2
:2
2
. Consequently,
1
1
,. o
1
1
2
i,. o
2
represents the probability of
i sensors (, Type I sensors plus i, Type II sensors)
that can sense the intruder at the start point. Since these
i sensors can be any combination of sensor types,

i
,0
1
1
,. o
1
1
2
i,. o
2
is the probability that there
are totally i sensors that can sense the intruder in
the intrusion detection area of o
1

o
2
. Therefore,

/1
i0

i
,0
1
1
,. o
1
1
2
i,. o
2
is the probability of
at most / 1 (less than /) sensors that can sense the
intruder when it approaches the WSN. Finally, the
probability that the intruder can be immediately detected
once it enters the heterogeneous WSN in the /-sensing
detection model is equivalent to the complement of

/1
i0

i
,0
1
1
,. o
1
1
2
i,. o
2
, yielding
j
/
1
/
0 1

/1
i0

i
,0
1
1
,. o
1
1
2
i,. o
2

_ _
1

/1
i0

i
,0
1
1
,.
i
2
:1
2
1
2
i,.
i
2
:2
2

_ _
.
tu
Theorem 11. Let j
/
1
/
be the probability that the intrusion
distance is less than 0 in the /-:ci:iiq detection
model, is the maximal intrusion distance allowable for an
intruder to move in the given heterogeneous WSN. It has
j
/
1
/
1

/1
i0

i
,0
1
1
,. o
0
1
_ _
1
2
i,. o
0
2
_ _
_ _
.
where o
0
i
2i
:i

i
2
:i
2
. i 1. 2.
13
Proof. From (3), 1
1
,. o
0
1
is the probability that , Type I
sensors are located in the intrusion detection area
o
0
1
2i
:1

i
2
:1
2
. 1
2
i ,. o
0
2
is the probability of
i, Type II sensors located in the corresponding
intrusion detection area o
0
2
and o
0
2
2i
:2

i
2
:2
2
. Then,
1
1
,. o
0
1
1
2
i,. o
0
2
represents the probability of
i sensors, consisting of , Type I sensors and i,
Type II sensors can sense the intruder within the intrusion
detection area o
0
1

o
0
2
with respect to . If i /,
1
1
,. o
0
1
1
2
i,. o
0
2
stands for the probability that the
intruder can be detected by the WSN within intrusion
distance . Since these i sensors can be any combination
of sensor types,

i
,0
1
1
,. o
0
1
1
2
i,. o
0
2
is the prob-
ability that there are totally i sensors can sense the
intruder. Then,

/1
i0

i
,0
1
1
,. o
0
1
1
2
i,. o
0
2
is the
probability that there are at most / 1 (i.e., less than /)
sensors that can sense the intruder within the intrusion
detection area o
0
1

o
0
2
. Consequently, the probability
j
/
1
/
that the intruder travels with distance less
than before being detected by the given heterogeneous
WSN in the /-sensing detection model can be derived
as j
/
1
/
1

/1
i0

i
,0
1
1
,. o
0
1
1
2
i,. o
0
2

_ _

/1
i0

i
,0
1
1
,. 2i
:1

i
2
:1
2
1
2
i,. 2i
:2

i
2
:2
2

_ _
. tu
Theorem 12. Let 1
/
1
/
be the average intrusion distance under
the /-:ci:iiq detection model in the given heterogeneous
WSN. Then
1
/
1
/

/

/1
i0

i
,0
1
1
,.
i
2
:1
2
_ _
1
2
i,.
i
2
:2
2
_ _ _ _
2i
:1
`
1
2i
:2
`
2
. 14
Proof. 1
/
1
/
is the average intrusion distance in the
heterogeneous WSN. Then, the corresponding average
intrusion detection areas for Type I and Type II sensors
are o
1
2i
:1
1
/
1
/
and o
2
2i
:2
1
/
1
/
, respectively.
While the node densities of Type I and Type II sensors
are `
1
and `
2
. The average number of Type I sensors
that with the intruder during its invasion is `
1
`
1
o
1
.
WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 705
At the same time, the average number of Type II sensors
that hit the intruder in its intrusion is `
2
`
2
o
2
. In the
/-sensing detection model, / sensors are required to
detect the intruder, it has `
1
`
2
`
1
o
1
`
2
o
2

2i
:1
1
/
1
/
`
1
2i
:2
1
/
1
/
`
2
/. The only exception is
2i
:1
1
/
1
/
`
1
2i
:2
1
/
1
/
`
2
0 while 1
/
1
/
0 in the
case of immediate intrusion detection. In view of this, we
eliminate this boundary effect (i.e., 1
/
1
/
0) and
obtain /1 j
/
1
/
0 21
/
1
/
i
:1
`
1
21
/
1
/
i
:2
`
2
.
Substituting j
/
1
/
0 with (12), we further obtain
/

/1
i0

i
, 0
1
1
,.
i
2
:1
2
1
2
i,.
i
2
:2
2

_ _
21
/
1
/
i
:1
`
1

21
/
1
/
i
:2
`
2
. Consequently, the average intrusion dis-
tance for /-sensing model in the heterogeneous WSN can
be derived as
1
/
1
/

/

/1
i0

i
,0
1
1
,.
i
2
:1
2
_ _
1
2
i,.
i
2
:2
2
_ _ _ _
2i
:1
`
1
2i
:2
`
2
.
tu
Theorems 10-12 indicate that the quality of intrusion
detection in the /-sensing detection scenario for a given
heterogeneous WSN improves with the increase in the
sensing range andthe node density anddecreases as / grows.
In addition, the existence of high-capability sensors further
improves the network detection quality due to the enlarged
sensing coverage.
5.3 Incorporating Node Availability
It should be noted that the above analytical results
(Theorems 1-12) can be extended to the scenario that a
power management scheme is adopted as follows: A power
management scheme in WSNs is greatly desirable due to
power constraint on common sensors. Sensor power can be
put on/off periodically to save energy in most of the
WSN applications [16], [21], [22]. Thus, it is appropriate to
take the node availability rate into consideration in our
analysis.
The most basic prescheduled independent sleeping
approach can be implemented by a Random Independent
Sleeping (RIS) scheme. In this scheme, time is divided into
cycles based on a time synchronization method. At the
beginning of a cycle, each sensor independently decides
whether to become active with probability j or go to sleep
with probability 1 j. Thus, the network lifetime is
increased by a factor up to 1,j [23]. Here, we incorporate
this RIS scheme in our analysis of intrusion detection in
terms of node availability. We assume all sensors have the
same availability probability, denoted by j
o
, which means
each sensor has the probability of 1 j
o
to be off in every
sensing period. Note that the Poisson stream has its
characteristics. If a Poisson stream with mean rate t is split
into / substreams such that the probability of a job that is
going to be the ith substream is j
i
, each substream is also
Poisson distributed with a mean rate of j
i
t [24]. In our
network model, all sensors are randomly deployed and
conform to a Poission distribution. Therefore, our above
analysis can be extended to incorporate RIS scheme with a
node availability rate j
o
by replacing the previous node
densities `, `
1
, and `
2
with j
o
`, j
o
`
1
, and j
o
`
2
, respectively,
in the above derivation of Theorems 1-12 for either
homogeneous or heterogeneous WSN.
For instance, in Theorem 1, the probability j
1
1 0 that
the intruder can be immediately detected once it enters a
homogeneous WSN with node density `, sensing range i
:
,
and node availability j
o
can be given by
j
1
1 0 1 c
jo`
i
2
:
2
. 15
It is clear that (15) is reduced to (2) for j
o
1.
6 NETWORK CONNECTIVITY AND BROADCAST
REACHABILITY IN A HETEROGENEOUS
WIRELESS SENSOR NETWORK
Based on our network model, Theorems 1-12 statistically
characterizetheintrusiondetectionprobabilityinterms of the
intrusion distance, the node density, the sensing range, and
the node heterogeneity. Given a maximal allowable intrusion
distance, a predefined detection probability, and the sensor
capability (i.e., sensing range), the network planner can
calculate the required node density by using Theorems 1-12.
Hereafter, the network planner knows the number and type
of sensors that have to be deployed in the WSN.
However, detecting the intruder is the first step in
intrusion detection. To operate successfully, a WSN must
provide satisfactory connectivity so that sensors can com-
municate for data collaboration and reporting to the
administrative center (i.e., base station). The sensing data
may have to be reported to the base station, which may be in
any location of the network [25]. If the network connectivity
is not assured, it is meaningless even the sensor(s) detect the
presence of the intruder. Zhang and Hou [26] have proven
that in a homogeneous WSN, if the transmission range is
equal to or higher than twice of the sensing range, a given
coverage probability guarantees a connectivity probability.
In this manner, when the coverage is satisfied in the
homogeneous WSN, the network connectivity is also
statistically guaranteed so that it allows two sensors to
communicate with each other. However, in a heterogeneous
WSN, the deployment of sensors with different capability
complicates the network operation with the asymmetric
links. Specifically, a sensor with longer transmission range
(i.e., Type I sensor) might reach some sensors with shorter
transmission range (i.e., Type II sensors), while the Type II
sensors may not be able to reach the Type I sensor. The
network connectivity has to be reconsidered.
In a heterogeneous WSN, sensors mainly use a broadcast
paradigm for communication [12] and high-capacity sensors
usually undertake more important tasks (i.e., for broad-
casting power management information or synchronization
information to all the sensors). This motivates us to examine
two fundamental characteristics of a heterogeneous WSN.
The definitions are listed below:
. Network connectivity. The probability that a packet
broadcasted from any sensor (either Type I or
Type II sensor) can reach all the other sensors in
the network.
. Broadcast reachability. The probability that a packet
broadcasted from any Type I sensor can reach all the
other sensors in the network.
706 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008
Given node densities and the transmission ranges of
different sensors deployed in a WSN, we can calculate the
network connectivity or the broadcast reachability. On the
other hand, if the required network connectivity (or broad-
cast reachability) is specified, we can compute the required
transmission ranges in terms of node density. Thus, the
minimal transmission power can be obtained for the
purpose of power efficiency.
In [27], Bettstetter has proved the following lemma on
the network connectivity of WSNs using sensors with
different transmission ranges.
Lemma 1. Given is a WSN with ` uniformly distributed
sensors. These ` sensors consist of J different sensor types,
i.e., there are `
,
sensors of type , with transmission range i
r,
,
such that `

J
,1
`
,
for , 1. . . . . J, and `
,
) 1 for 8,.
Let 1coi be the probability that the WSN is connected, and
1ioi be the probability that no sensor is isolated in the
WSN. It has
1coi 1ioi. 16
for 1ioi close to 1.
Based on Lemma 1, we then have Theorem 13 and 14
as follows:
Theorem 13. Consider a heterogeneous WSN consisting of
independently deployed Type I and Type II sensors with
node densities `
1
and `
2
and transmission range i
r1
and
i
r2
i
r1
i
r2
, respectively. The upper bound of the network
connectivity is
1
`
coi

_
1 c
`1`2i
2
r2
_
`
. 17
Proof. In a heterogeneous WSN, network connectivity
requires that a packet broadcasted from any sensor
(either Type I or Type II) can reach all the other sensors
of the network. Note an arbitrary sensor , as illustrated
in Fig. 9. If there is one Type I sensor (e.g., 1) located in
the area of o
r1
i
2
r1
while outside of the area
o
r2
i
2
r2
, a packet generated from sensor may not
be able to reach sensor 1. This is because sensor 1 may
be out of sensor s transmission range if sensor is a
Type II sensor with transmission range i
r2
, and i
r2
< i
r1
.
In view of this, for a packet generated from sensor to
be received by all the other sensors in WSN, at least one
sensor (either Type I or Type II) should lie in the area of
the smaller transmission range o
r2
. Further, if all the
sensors has at least one neighbor in the relatively smaller
transmission range o
r2
, the network is connected.
Assuming all the other ` 1 sensors except are
connected, with probability 110. o
r2
1c
`
1
`
2
i
2
r2
,
there is at least one sensor located in the smaller
transmission range o
r2
. Then, sensor can broadcast its
packet to at least one of the other ` 1 sensors, and the
packet can further be broadcasted to all the sensors in
the network. Thus, we obtain the conditional probability
1

coi
1 c
`
1
`
2
i
2
r2
. Due to the fact that sensor
is chosen arbitrarily and the statistical independence
for all the sensors, the probability that the other
` 1 sensors are connected can be calculated as
1
`1
coi
1 c
`1`2i
2
r2
_ _
`1
. Finally, the upper bound
of the network connectivity can be derived as
1
`
coi
1

coi
1
`1
coi
1 c
`
1
`
2
i
2
r2
_ _
`
. tu
Theorem 14. Consider a heterogeneous WSN consisting of
independently deployed Type I and Type II sensors, with
node densities `
1
and `
2
and transmission range i
r1
and
i
r2
i
r1
i
r2
, respectively. The upper bound of the network
broadcast reachability is
1
`
/i

_
1 c
`1ir1
2
c
`2i
2
r2
_
`
. 18
Proof. Different from the network connectivity, broadcast
reachability is the probability that a packet broadcasted
from any Type I sensor can reach all the other sensors
in the WSN. As illustrated in Fig. 9, 2 N is an
arbitrary sensor in the WSN. It has the responsibility to
receive the packet broadcasting from any Type I
sensor(s). In order for to receive the packet, it has
to be in the transmission range of at least one of the
other ` 1 sensors. In other words, sensor should
not be isolated from the rest of the network, and at least
one sensor can reach in its transmission range. The
probability of no Type I sensor in its transmission range
from is 1
1
0. i
2
r1
c
`1ir1
2
. The probability that no
type II sensor lies in its transmission range from
is 1
2
0. i
2
r2
c
`
2
i
2
r2
. Then, 1
1
0. i
2
r1
1
2
0. i
2
r2

c
`
1
i
r1
2
c
`
2
i
2
r2
is the probability that neither Type I
sensors nor Type II sensors can reach sensor .
Therefore, the probability that at least one sensor can
reach is 1 c
`
1
i
r1
2
c
`
2
i
2
r2
. Due to statistical inde-
pendence among all sensors, the probability that the
other ` 1 sensors are reachable from the broadcast
can be calculated as 1
`1
/i
1c
`1ir1
2
c
`2i
2
r2
_ _
`1
.
Consequently, we obtain the upper bound of broadcast
reachability as 1
`
/i
1 c
`1ir1
2
c
`2i
2
r2
_ _
`
. tu
The results in this section indicate that for a given
heterogeneous WSN, the network connectivity and broad-
cast reachability is enhanced with the increase of node
density and transmission range. Furthermore, the broadcast
WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 707
Fig. 9. Transmission range in heterogeneous case.
reachability is always higher than the network connectivity
under the same network parameters.
7 SIMULATION AND VERIFICATION
We have performed a simulation-based verification of our
analytical results in both homogeneous and heterogeneous
WSNs. The simulation is carried out for single-sensing and
/-sensing detection models. The analytical and simulation
results are compared by varying the sensing range,
transmission range, node density, and node availability.
In the simulation, sensors are deployed in accordance with
a uniform distribution in a squared network domain. The
intruder moves into the network domain from a randomly
selected point on the network boundary. Monte-Carlo
simulation is performed, and each data point shown in
the following figures is the average of 500 simulation
results. The analytical results are calculated by using
Theorems 1-14. For successive simulation runs, the sensors
are uniformly redistributed in the network domain.
7.1 Verification for Homogeneous WSNs
We simulate the intrusion detection in a homogeneous
WSN. There are 500 sensors uniformly deployed in a
1,000 1,000 square meters, and the node density is `
0.0005 per square meter. The sensing range changes from 0
to 100 meters and the maximal allowable intrusion distance
is set as 50 meters. Fig. 10 illustrates the detection
probability of the analytical and simulation results.
It can be seen in Fig. 10 that the analytical results match
the simulation results pretty well, which indicates the
correctness of our analytical model. The detection prob-
ability increases with the increase of the sensors sensing
range. It is because the increase of sensing range improves
the network coverage. At the same time, the single-sensing
detection probability is higher than that of three-sensing
detection. This is because the /-sensing detection imposes
a more strict requirement on detecting the intruder
(e.g., at least / 3 sensors are required).
Fig. 10 also demonstrates that the detection probability
in single-sensing detection or three-sensing detection
approaches 1 when the sensing range increases to a certain
threshold. For example, in the single-sensing detection, the
intruder can be detected with probability 1 if the sensing
range exceeds 50, whereas in three-sensing detection, the
intruder can be almost surely detected if the sensing range
exceeds 90. In addition, we can see that the detection
probability grows fast when the sensing range is far from
the threshold and grows slowly when it approaches the
threshold. Fig. 10 shows that the sensing range significantly
impacts the detection probability of a homogeneous WSN.
To investigate the influence of a sensors sensing range on
an average intrusion distance of a WSN, we fix the number
of sensors as ` 500 and vary the sensing range from 0 to
30 meters. Fig. 11 presents the average intrusion distance in
single-sensing and three-sensing detection scenarios. It can
be observed that the average intrusion distance drops
dramatically with an increase of the sensing range. This is
because the increase of sensing range significantly enhances
the network coverage. Fig. 11 also shows that under the
same network parameters, the average intrusion distance
in single-sensing detection decreases more quickly than in
three-sensing detection. This is because with the increase in
a sensors sensing range, more area can be monitored by
one sensor than by three sensors.
In the simulation, we also show how to improve the
detection efficiency by assuring the network connectivity so
that the sensor can adjust its sleep period. In the normal
state, each sensor keeps awake for 80 percent of a cycle
j
o
0.8. If an intruder is detected by a sensor, an
alarming message is broadcasted by the sensor over the
entire network. Then, all the sensors receiving the massage
keep awake for 100 percent of a cycle j
o
1.0. The results
in Figs. 10 and 11 show a similar trend that for a given
sensing range, the average intrusion distance drops if the
waking time of the sensor is longer 1.0 0.8.
7.2 Verification for Heterogeneous WSNs
The purpose of the simulation in this part is to verify the
analytical results on intrusion detection in heterogeneous
WSNs. To examine the effect of introducing high-capability
sensors (e.g., Type I sensors) on the network intrusion
708 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008
Fig. 10. Intrusion detection probability (single and three-sensing) in the
homogeneous WSN.
Fig. 11. Average intrusion distance (single and three-sensing in the
homogeneous WSN.
detection probability, we fix the number of Type II nodes at
200, and the number of Type I nodes varies from 10 to 150.
The sensing range i
:1
and i
:2
are set as 120 meters and
40 meters, respectively. Again, the maximal allowable
intrusion distance is set as 50 meters.
Fig. 12 demonstrates the analytical and simulation
results on the intrusion detection probability and clearly
shows the verification of our analytical expressions with
simulation results. Note that we also plot the results in
homogeneous WSN (marked as homo) by reducing the
more powerful Type I nodes to normal Type II nodes,
in contrast to the performance of heterogeneous case
(marked as heter).
As expected, Fig. 12 shows that the intrusion detection
probability in the heterogeneous WSN increases at a much
faster rate than in the homogeneous WSN, as the number of
Type I sensors is increased. Especially in the more
demanding multiple-sensing (i.e., three-sensing) detection
case, the intrusion detection probability increases even
more quickly in heterogeneous WSN than in homogeneous
case. This substantiates our intuition that the introduction
of high-capability sensors can dramatically improve the
intrusion detection quality of WSNs.
It is also shown in Fig. 12 that the intrusion detection
probability increases as the node density grows (e.g., by
increasing the number of Type I sensors) under all simulation
scenarios. This is because the node densityplays a critical role
in the intrusion detection quality of WSNs. In addition,
for a given parameter / and sensor capabilities, the figure
indicates how to choose the number and the type of sensors
to achieve a certain intrusion detection probability.
7.3 Verification for Network Connectivity and
Broadcast Reachability
In this part, we verify our analysis on the network
connectivity and broadcast reachability. The analytical
results shown in Figs. 13 and 14 are calculated by using
Theorems 13 and14. In the simulation, an adjacency matrix is
constructedtorepresent the digraphof the networktopology.
The depth-first-search algorithm is employed to check the
network connectivity by selecting a random sensor as the
starting node and the broadcast reachability by choosing a
random Type I sensor as the broadcast initiator. The
simulation considers 200 Type I sensors and 300 Type II
sensors. In the homogeneous WSN, the transmission range
of Type I sensors is set equally to that of Type II sensor
(i.e., i
r1
i
r2
). While in the heterogeneous WSN, the
transmission range of Type I sensors is set twice as
much as that of Type II sensors (i.e., i
r1
2i
r2
). The
transmission range of Type II sensor i
r2
is varied from
40 meters to 100 meters in both homogeneous and hetero-
geneous cases.
Fig. 13 shows that the network connectivity and broad-
cast reachability increase rapidly with the increase of
sensors transmission range and approach 1 after certain
threshold. In addition, it can be observed that the broadcast
reachability increases much faster than the network con-
nectivity as the transmission range of sensors grows. This is
because the network broadcast reachability considers the
broadcast from Type I sensors, while the network con-
nectivity takes broadcast from both Type I and Type II
sensors into account. Note that in homogeneous WSN, the
WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 709
Fig. 13. Effects of transmission range on the broadcast reachability in
heterogeneous WSN.
Fig. 14. Effects of Type I sensors on the broadcast reachability in
heterogeneous WSN.
Fig. 12. Intrusion detection probability under heterogeneous case.
broadcast reachability is equivalent to the network con-
nectivity since there are no asymmetric links.
Next, the simulationis carriedout to see the effect of Type I
sensors on the network connectivity and broadcast reach-
ability. We fix the number of Type II sensors as i
2
300
and vary the number of Type I sensors from 10 to 300.
The transmission ranges are set as i
r
1
140 meters and
i
r2
70 meters for Type I and Type II sensors, respectively.
Similar to the results shown in Fig. 12, we compare the
results in homogeneous WSN with that in heterogeneous
WSN by reducing Type I sensors to Type II sensors.
Fig. 14 shows the analytical and simulation results, and
they match with each other closely. From the figure,
network connectivity and broadcast reachability are im-
proved while increasing Type I sensors. This is because
some sensors that are originally isolated or unreachable
from the rest of the network are now connected or reachable
in the network after the introduction of Type I sensors. In
addition, the results indicate that even a small increase of
Type I sensor significantly improves the broadcast reach-
ability, while network connectivity only improves gradu-
ally. This also implies that the node heterogeneity does
affect the broadcast reachability much more dramatically
than it does to the network connectivity.
8 CONCLUSION
This paper analyzes the intrusion detection problem in both
homogeneous and heterogeneous WSNs by characterizing
intrusion detection probability with respect to the
intrusion distance and the network parameters (i.e.,
node density, sensing range, and transmission range).
Two detection models are considered: single-sensing
detection and multiple-sensing detection models. The
analytical model for intrusion detection allows us to
analytically formulate intrusion detection probability with-
in a certain intrusion distance under various application
scenarios. Moreover, we consider the network connectivity
and the broadcast reachability in a heterogeneous WSN.
Our simulation results verify the correctness of the
proposed analytical model. This work provides insights in
designing homogeneous and heterogeneous WSNs and
helps in selecting critical network parameters so as to meet
the application requirements.
REFERENCES
[1] D.P. Agrawal and Q.-A. Zeng, Introduction to Wireless and Mobile
Systems. Brooks/Cole Publishing, Aug. 2003.
[2] B. Liu and D. Towsley, Coverage of Sensor Networks: Funda-
mental Limits, Proc. Third IEEE Intl Conf. Mobile Ad Hoc and
Sensor Systems (MASS), Oct. 2004.
[3] S. Ren, Q. Li, H. Wang, X. Chen, and X. Zhang, Design
and Analysis of Sensing Scheduling Algorithms under Partial
Coverage for Object Detection in Sensor Networks, IEEE
Trans. Parallel and Distributed Systems, vol. 18, no. 3, pp. 334-350,
Mar. 2007.
[4] S. Banerjee, C. Grosan, A. Abraham, and P. Mahanti,
Intrusion Detection on Sensor Networks Using Emotional
Ants, Intl J. Applied Science and Computations, vol. 12, no. 3,
pp. 152-173, 2005.
[5] S. Capkun, M. Hamdi, and J. Hubaux, GPS-Free Positioning in
Mobile Ad-Hoc Networks, Proc. 34th Ann. Hawaii Intl Conf.
System Sciences, Jan. 2001.
[6] N. Bulusu, J. Heidemann, and D. Estrin, Gps-Less Low Cost
Outdoor Localization for Very Small Devices, IEEE Personal
Comm. Magazine, special issue on smart spaces and environments,
2000.
[7] D. Niculescu, Positioning in Ad Hoc Sensor Networks, IEEE
Network, vol. 18, no. 4, pp. 24-29, July-Aug. 2004.
[8] Y. Wang, X. Wang, D. Wang, and D.P. Agrawal, Localization
Algorithm Using Expected Hop Progress in Wireless Sensor
Networks, Proc. Third IEEE Intl Conf. Mobile Ad hoc and Sensor
Systems (MASS 06), Oct. 2006.
[9] P. Traynor, R. Kumar, H. Choi, G. Cao, S. Zhu, and T.L. Porta,
Efficient Hybrid Security Mechanisms for Heterogeneous
Sensor Networks, IEEE Trans. Mobile Computing, vol. 6, no. 6,
June 2007.
[10] J.-J. Lee, B. Krishnamachari, and C.J. Kuo, Impact of Hetero-
geneous Deployment on Lifetime Sensing Coverage in Sensor
Networks, Proc. First Ann. IEEE Comm. Soc. Conf. Sensor and
Ad Hoc Comm. and Networks, pp. 367-376, Oct. 2004.
[11] V.P. Mhatre, C. Rosenberg, D. Kofman, R. Mazumdar, and
N. Shroff, A Minimum Cost Heterogeneous Sensor Network
with a Lifetime Constraint, IEEE Trans. Mobile Computing,
vol. 4, no. 1, pp. 4-15, 2005.
[12] M. Yarvis, N. Kushalnagar, H. Singh, A. Rangarajan, Y. Liu, and
S. Singh, Exploiting Heterogeneity in Sensor Networks, Proc.
IEEE INFOCOM, 2005.
[13] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci,
A Survey on Sensor Networks, IEEE Comm. Magazine, vol. 40,
no. 8, pp. 102-114, Aug. 2002.
[14] H. Kung and D. Vlah, Efficient Location Tracking Using Sensor
Networks, Proc. IEEE Wireless Comm. and Networking Conf., vol. 3,
pp. 1954-1961, Mar. 2003.
[15] C.-Y. Lin, W.-C. Peng, and Y.-C. Tseng, Efficient in-Network
Moving Object Tracking in Wireless Sensor Networks,
IEEE Trans. Mobile Computing, vol. 5, no. 8, pp. 1044-1056,
2006.
[16] C. Gui and P. Mohapatra, Power Conservation and Quality of
Surveillance in Target Tracking Sensor Networks, Proc. 10th
Ann. Intl Conf. Mobile Computing and Networking (MobiCom 04),
pp. 129-143, 2004.
[17] B. Liu, P. Brass, O. Dousse, P. Nain, and D. Towsley, Mobility
Improves Coverage of Sensor Networks, Proc. Sixth ACM Intl
Symp. Mobile Ad Hoc Networking and Computing (MobiHoc 05),
pp. 300-308, 2005.
[18] X. Wang, Y. Yoo, Y. Wang, and D.P. Agrawal, Impact of
Node Density and Sensing Range on Intrusion Detection in
Wireless Sensor Networks, Proc. 15th Intl Conf. Computer Comm.
and Networks (ICCCN 06), Oct. 2006.
[19] Y. Wang, X. Wang, D.P. Agrawal, and A.A. Minai, Impact
of Heterogeneity on Coverage and Broadcast Reachability in
Wireless Sensor Networks, Proc. 15th Intl Conf. Computer Comm.
and Networks (ICCCN 06), Oct. 2006.
[20] C. Bettstetter, On the MinimumNode Degree and Connectivity of
a Wireless Multihop Network, Proc. Third ACM Intl symposium on
Mobile ad hoc Networking and Computing (MobiHoc 02), pp. 80-91,
2002.
[21] A. Ephremides, Energy Concerns in Wireless Networks, IEEE
Wireless Comm., vol. 9, no. 4, pp. 48-59, Aug. 2002.
[22] L. Wang and Y. Xiao, A Survey of Energy-Efficient Scheduling
Mechanisms in Sensor Networks, Mobile Network Applications,
vol. 11, no. 5, pp. 723-740, 2006.
[23] S. Kumar, T.H. Lai, and J. Balogh, On K-Coverage in a Mostly
Sleeping Sensor Network, Proc. 10th Ann. Intl Conf. Mobile
Computing and Networking (MobiCom 04), pp. 144-158, 2004.
[24] R. Jain, The Art of Computer Systems Performance Analysis:
Techniques for Experimental Design, Measurement, Simulation and
Modeling. Wiley-Interscience, 1991.
[25] A. Durresi, P.V.K. , S. Iyengar, and R. Kannan, Optimized
Broadcast Protocol for Sensor Networks, IEEE Trans. Computers,
vol. 54, no. 8, pp. 1013-1024, Aug. 2005.
[26] H. Zhang and J. Hou, On Deriving the Upper Bound of
c-lifetime for Large Sensor Networks, Proc. Fifth ACM Intl
Symp. Mobile Ad Hoc Networking and Computing (MobiHoc 04),
pp. 121-132, 2004.
[27] C. Bettstetter, On the Connectivity of Wireless Multihop
Networks with Homogeneous and Inhomogeneous Range As-
signment, Proc. IEEE Vehicular Technology Conf. (VTC 02), vol. 3,
pp. 1706-1710, Sept. 2002.
710 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008
Yun Wang received the BS degree in computer
science and engineering in 2001 at Wuhan
University, Hubei, China, and then entered the
PhD program in computer science and engineer-
ing at Wuhan University, where she specialized
in multimedia communication. She joined the
Center for Distributed and Mobile Computing,
Department of Electrical and Computer Engi-
neering and Computer Science, University of
Cincinnati, Ohio, in 2004, as a PhD student. Her
research activities include fundamental design issues in wireless sensor
networks such as sensor deployment, energy efficiency, positioning,
and network security. She also performs research on wireless MAC
protocol design in wireless ad hoc networks and audio and video
processing in multimedia communication. She is a student member of
the IEEE.
Xiaodong Wang received the BS degree in
communication engineering in 1995, the MS
degree in electric engineering in 1998, and the
PhD degree in computer engineering from the
University of Cincinnati, Cincinnati, Ohio, in
2005. He joined China Telecom in 1998, where
he worked on communication protocols for
telecommunication. From June 2000 to July
2002, he worked on GSM base station software
development at Bell-labs China, Beijing. His
research activities included wireless MAC protocols and energy saving
for wireless sensor networks. He joined Motorola in 2005. He is currently
with the OBR Center of Distributed and Mobile Computing, Department
of Computer Science, University of Cincinnati. He is a student member
of the IEEE.
Bin Xie received the BSc degree from Central
South University, Changsha, China, the MSc
and PhD degrees (with honors) in computer
science and computer engineering from the
University of Louisville, Kentucky. As a research
associate, he is currently with the Department of
Computer Science, University of Cincinnati. He
is the author of the book entitled Heterogeneous
Wireless NetworksNetworking Protocol to
Security and published more than 30 papers in
international conference proceedings and journals. His research
interests are focused on ad hoc networks, sensor networks, wireless
mesh networks, integrated WLAN/MANET/cellular with Internet, in
particular the fundamental aspects of mobility management, perfor-
mance evaluation, Internet/wireless infrastructure security, and wireless
network capacity. In addition to his academic experience, he has
six years of industry experience, including ISDN, 3G, and Lucent Excel
programmable switching systems. He is an IEEE senior member.
Demin Wang received the BS degree in
computer science and the MS degree in safety
technology and engineering from the University
of Science and Technology of China, Hefei,
China, in 2000 and 2003, respectively. He is
currently working toward the PhD degree in
computer science and engineering at the
University of Cincinnati, Cincinnati, Ohio. His
research interests include coverage and energy
problems in wireless sensor networks, imple-
mentation of wireless sensor networks, and wireless mesh networks. He
is an IEEE student member.
Dharma P. Agrawal is the Ohio board of
regents distinguished professor of computer
science and the founding director for the Center
for Distributed and Mobile Computing, Depart-
ment of ECECS, University of Cincinnati, Ohio.
He was a visiting professor of ECE at the
Carnegie Mellon University, where he was on
sabbatical leave during the Autumn 2006 and
Winter 2007 Quarters. He has been a faculty
member at the North Carolina State University,
Raleigh, North Carolina, from 1982 to 1998) and the Wayne State
University, Detroit, from 1977 to 1982). His recent research interests
include resource allocation and security in mesh networks, efficient
query processing and security in sensor networks, and heterogeneous
wireless networks. He is a coauthor of an introductory textbook on
wireless and mobile computing that has been widely accepted
throughout the world, and a second edition was published in 2006.
The book has been has been reprinted both in China and India and
translated to Korean and Chinese languages. He is also a coauthor of a
book on ad hoc and sensor networks published in the spring of 2006 and
has been named as a best seller by the publisher. He has given tutorials
and extensive training courses in various conferences in the USA and
numerous institutions in Taiwan, Korea, Jordan, Malaysia, and India on
ad hoc and sensor networks and mesh networks. He is an editor for the
Journal on Parallel and Distributed Systems, International Journal on
Distributed Sensor Networks, International Journal of Ad Hoc and
Ubiquitous Computing, and International Journal of Ad Hoc and Sensor
Wireless Networks. He served as an editor of the IEEE Computer
magazine, the IEEE Transactions on Computers, and the International
Journal of High Speed Computing. He has been the program chair and
general chair for many international conferences and meetings. He has
received numerous certificates and awards from the IEEE Computer
Society. He was awarded a Third Millennium Medal by the IEEE for his
outstanding contributions. He has also delivered the keynote speech for
five international conferences. He also has five patents in wireless
networking area. He has also been named as an ISI Highly Cited
Researcher in Computer Science. He is a fellow of the IEEE, the ACM,
the AAAS, and the WIF.
> For more information on this or any other computing topic,
please visit our Digital Library at www.computer.org/publications/dlib.
WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 711

S-ar putea să vă placă și