Sunteți pe pagina 1din 14

698

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008

Intrusion Detection in Homogeneous and Heterogeneous Wireless Sensor Networks

Yun Wang, Student Member , IEEE , Xiaodong Wang, Student Member , IEEE , Bin Xie, Senior Member , IEEE , Demin Wang, Student Member , IEEE , and Dharma P. Agrawal, Fellow , IEEE

Abstract—Intrusion detection in Wireless Sensor Network (WSN) is of practical interest in many applications such as detecting an intruder in a battlefield. The intrusion detection is defined as a mechanism for a WSN to detect the existence of inappropriate, incorrect, or anomalous moving attackers. For this purpose, it is a fundamental issue to characterize the WSN parameters such as node density and sensing range in terms of a desirable detection probability. In this paper, we consider this issue according to two WSN models: homogeneous and heterogeneous WSN. Furthermore, we derive the detection probability by considering two sensing models: single-sensing detection and multiple-sensing detection. In addition, we discuss the network connectivity and broadcast reachability, which are necessary conditions to ensure the corresponding detection probability in a WSN. Our simulation results validate the analytical values for both homogeneous and heterogeneous WSNs.

Index Terms—Intrusion detection, node density, node heterogeneity, sensing range, Wireless Sensor Network (WSN).

Ç

1 I NTRODUCTION

A Wireless Sensor Network (WSN) is a collection of spatially deployed wireless sensors by which to

monitor various changes of e nvironmental conditions (e.g., forest fire, air pollutant concentration, and object moving) in a collaborative manner without relying on any underlying infrastructure support [1]. Recently, a number of research efforts have been made to develop sensor hardware and network architectures in order to effectively deploy WSNs for a variety of applications. Due to a wide diversity of WSN application requirements, however, a general-purpose WSN design cannot fulfill the needs of all applications. Many network parameters such as sensing range, transmission range, and node density have to be carefully considered at the network design stage, according to specific applications. To achieve this, it is critical to capture the impacts of network parameters on network performance with respect to application specifications. Intrusion detection (i.e., object tracking) in a WSN can be regarded as a monitoring system for detecting the intruder that is invading the network domain. Fig. 1 gives an example that sensors are deployed in a square area ðA ¼ L LÞ for detecting the presence of a moving intruder. Note that in Fig. 1, as well as in Figs. 3 and 4, the illustration of sensors and an intruder is based on a slide for paper [2]. The intrusion detection application concerns how fast the intruder can be detected by the WSN. If sensors are deployed with a high density so that the union of all sensing ranges covers the entire network area, the

. The authors are with the OBR Center of Distributed and Mobile Computing, Department of Computer Science, University of Cincinnati, Cincinnati, OH 45221-0030. E-mail: {wany6, wangxd, xieb, wangdm, dpa}@email.uc.edu.

Manuscript received 15 May, 2007; revised 26 Oct. 2007; accepted 10 Jan. 2008; published online 28 Jan. 2008. For information on obtaining reprints of this article, please send e-mail to:

tmc@computer.org, and reference IEEECS Log Number TMC-2007-05-0136. Digital Object Identifier no. 10.1109/TMC.2008.19.

1536-1233/08/$25.00 2008 IEEE

intruder can be immediately detected once it approaches the network area. However, such a high-density deploy- ment policy increases the network investment and may be even unaffordable for a large area. In fact, it is not necessary to deploy so many sensors to cover the entire WSN area in many applications [3], since a network with small and scattered void areas will also be able to detect a moving intruder within a certain intrusion distance. In this case, the application can specify a required intrusion distance within which the intruder should be detected. As shown in Fig. 1, the intrusion distance is referred as D and defined as the distance between the point the intruder enters the WSN, and the point the intruder is detected by the WSN system. This distance is of central interest to a WSN used for intrusion detection. In this paper, we derive the expected intrusion distance and evaluate the detection probability in different applica- tion scenarios. Given a maximal allowable intrusion distance D max ¼ , we theoretically capture the impact on the detection probability in terms of different network parameters, including node density, sensing range, and transmission range. For example, given an expected detection distance E ðDÞ , we can derive the node density with respect to sensors’ sensing range, thereby knowing the total number of sensors required for WSN deployment. In a WSN, there are two ways to detect an object (i.e., an intruder): single-sensing detection and multiple-sensing detection. In the single-sensing detection, the intruder can be successfully detected by a single sensor. On the contrary, in the multiple-sensing detection, the intruder can only be detected by multiple collaborating sensors [4]. In some applications, the sensed information provided by a single sensor might be inadequate for recognizing the intruder. It is because individual sensors can only sense a portion of the intruder. For example, the location of an intruder can only be determined from at least three sensors’ sensing data [5], [6], [7], [8]. In view of this, we analyze the

Published by the IEEE CS, CASS, ComSoc, IES, & SPS

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

699

HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 699 Fig. 1. Intrusion detection in a WSN. intrusion detection

Fig. 1. Intrusion detection in a WSN.

intrusion detection problem under two application scenar- ios: single-sensing detection and multiple-sensing detection. According to the capability of sensors, we consider two network types: homogeneous and heterogeneous WSNs [9]. We define the sensor capability in terms of the sensing range and the transmission range. In a heteroge- neous WSN [10], [11], [12] some sensors have a larger sensing range and more power to achieve a longer transmission range. In this paper, we show that the heterogeneous WSN increases the detection probability for a given intrusion detection distance. On the other hand, a heterogeneous WSN poses the challenge of network connectivity due to asym- metric wireless link. The high-capability sensors have a longer transmission range while low capability sensors have a shorter transmission range. Due to this, the packet sent by a high-capability sensor may reach the low-capability sensor, while the low capability sensor may not be able to send packets to the corresponding high-capability sensor [13]. This motivates us to analyze the network connectivity in this paper. Furthermore, in a heterogeneous WSN, high- capability sensors usually undertake more important tasks (i.e., broadcasting power management information or syn- chronization information to all the sensors in the network), it is also desirable to define and examine the broadcast reachability from high-capability sensors. The network connectivity and broadcast reachability are important con- ditions to ensure the detection probability in WSNs. They are formally defined and analyzed in this paper. To the best of our knowledge, our effect is the first to address this issue in a heterogeneous WSN. The main contributions of this paper can be summarized as follows:

.

Developing an analytical model for intrusion detection in WSNs, and mathematically analyzing the detection probability with respect to various network parameters such as node density and sensing range.

.

Applying the analytical model to single-sensing detection and multiple-sensing detection scenarios for homogeneous and heterogeneous WSNs.

Defining and examining the network connectivity and broadcast reachability in a heterogeneous WSN. The remainder of the paper is organized as follows:

.

Section 2 presents the related work. Section 3 describes the

intrusion detection model. Section 4 analyzes the intrusion detection in a homogeneous WSN, and Section 5 examines the intrusion detection in a heterogeneous WSN. Section 6 studies the network connectivity and broadcast reachability in a heterogeneous WSN. Simulation and verification results are given in Section 7. Finally, the paper is concluded in Section 8.

2 RELATED W ORK

Intrusion detection is one of the critical applications in WSNs, and recently, several approaches for intrusion detection in homogeneous WSNs have been presented [3], [14], [15], [16], [17]. The focus of these approaches aims at effectively detecting the presence of an intruder. First, the problem is investigated from the aspect of the network architecture. Kung and Vlah [14] take advantage of a hierarchical tree structure to effectively track the movement of an intruder. The hierarchical tree consists of connected sensors and is built upon expected properties of intruder mobility patterns such as its movement frequency over a region. Based on the hierarchical tree, it allows an efficient record of an intruder’s moving information and supports fast querying from the base station. Another tree structure for tracking an intruder, called as a logic object-tracking tree, is developed by Lin et al. [15]. The logic object tracking tree reduces the communication cost for data updating and querying by taking into account the physical network topology. In particular, the logic object tracking tree targets to balance the update cost and the query cost so as to minimize the total communication cost. Second, the intrusion detection problem has been considered from the constraint of saving network resources. For example, Chao et al. [16] have addressed the issue of tracking a moving intruder by power-conserving operations and sensor collaboration. To achieve this, the authors defined a set of novel metrics for detecting a moving intruder and developed two efficient sleep-awake schemes called PECAS and MESH, to minimize the power con- sumption. Ren et al. [3] further studied the trade-off between the network detection quality (i.e., how fast the intruder can be detected) and the network lifetime. There- fore, the sensor coverage had to be carefully designed according to the detection probability with respect to specific application requirements. The authors then pro- posed three wave sensing scheduling protocols to achieve the bounded worst case detection probability. Rather than a static WSN architecture as the above approaches, Liu et al. [17] have modeled the intrusion detection problem in a mobile WSN, where each sensor is capable of moving. The authors have given the optimal strategy for fast detection and shown that mobile WSN improves its detection quality due to the mobility of sensors. In this paper, we address the intrusion detection problem from the other angle. Most of the above efforts consider intrusion detection and its efficiency in terms of the single-sensing model in a homogeneous WSN. Instead of the network architecture and detecting protocol design, we provide a comprehensive theoretical analysis on the intrusion detection in both homogeneous and heteroge- neous WSNs [18]. The detection probability is theoretically captured by using underlying network parameters, and thus, our work is of paramount importance for a network

700

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008

TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008 Fig. 2. Heterogeneous WSN deployment. planner

Fig. 2. Heterogeneous WSN deployment.

planner to design WSNs for intrusion detection applica- tions. To the best of our knowledge, this is the first work that considers the intrusion detection problem in a heterogeneous WSN and provides fundamental analytical results on it. The analytical results indicate the improve- ment on the detection quality in a heterogeneous WSN, as compared to a homogeneous WSN, either for the single- sensing detection or the multiple-sensing detection scenar- ios. Furthermore, we have modeled the network connectiv- ity and broadcast reachability in a heterogeneous WSN [19], which serve as the necessary conditions for achieving desirable detection probability.

3 I NTRUSION DETECTION M ODEL AND D EFINITIONS

Our intrusion detection model includes a network model,

a detection model, and an intrusion strategy model. The

network model specifies the WSN environment. The detection model defines how the intruder can be detected and the intrusion strategy illustrates the moving policy of the intruder.

3.1 Network Model

We consider a WSN in a two-dimensional (2D) plane with

N

sensors, denoted by a set N ¼ ðn 1 ; n 2 ;

; n N Þ, where n i

is

the i th sensor. These sensors are uniformly and indepen-

dently deployed in a square area A ¼ L L. Such a random deployment results in a 2D Poisson point distribution of sensors. All sensors are static once the WSN has been deployed. In particular, we consider two WSN types:

homogeneous and heterogeneous WSNs. In a homogeneous WSN, each sensor has the same sensing radius of r s , and the transmission range of r x . A sensor can only sense the intruder within its sensing coverage area that is a disk with radius r s centered at the sensor. Denote the node density of the homogeneous WSN as . We then focus on a heterogeneous WSN with two types of sensors, as shown in Fig. 2:

. Type I sensor that has a larger sensing range r s 1 , as well as a longer transmission range r x 1 , and

. Type II sensor that has a smaller sensing range r s 2 , as well as a shorter transmission range r x 2 . The densities of Type I and Type II sensors are represented as 1 and 2 , respectively. Fig. 2 shows a heterogeneous

WSN, where both Type I and Type II sensors follow the 2D Poisson point distribution. In a homogeneous or heterogeneous WSN, a point is said to be covered by a sensor if it is located in the sensing range of any sensor(s). The WSN is thus divided into two regions, the covered region, which is the union of all sensor coverage disks, and the uncovered region, which is the complement of the covered region within the area of interest A. In our network model, the intruder does not know the sensing coverage map of the WSN.

3.2 Detection Model

There are two detection models in terms of how many sensors are required to recognize an intruder: single- sensing detection model and multiple-sensing detection model. It is said that the intruder is detected under the single-sensing detection model if the intruder can be identified by using the sensing knowledge from one single sensor. On the contrary, in the multiple-sensing detection model , the intruder can only be identified by using cooperative knowledge from at least k sensors (k is defined by specific application requirements). For simplicity of expression, multiple sensing and k-sensing are interchangeable in the following discussion:

In order to evaluate the quality of intrusion detection in WSNs, we define three metrics as follows:

.

Intrusion distance. The intrusion distance, denoted by D, is the distance that the intruder travels before it is detected by a WSN for the first time. Specifically, it is the distance between the point where the intruder enters the WSN and the point where the intruder gets detected by any sensor(s). Following the definition of intrusion distance, the Maximal Intrusion Distance (denoted by , > 0) is the maximal distance allowable for the intruder to move before it is detected by the WSN.

.

Detection probability. The detection probability is defined as the probability that an intruder is detected within a certain intrusion distance (e.g., Maximal Intrusion Distance ).

.

Average intrusion distance. The average intrusion distance is defined as the expected distance that the intruder travels before it is detected by the WSN for the first time.

3.3 Intrusion Strategy Model

As illustrated in Figs. 3 and 4, we consider two intrusion strategies for the movement of the intruder in a WSN. If the intruder (say, a panzer) already knows its destination before entering the network domain, it follows the shortest path to approach the destination. In this case, the intrusion path is a straight line ðD 1 Þ from the entering point to the destination, as illustrated in Fig. 3. The main idea behind this strategy is that the straight movement causes the least risk for the intruder due to the least area that it has to explore by following a straight line toward the destina- tion. The corresponding intrusion detection area S 1 is determined by the sensor’s sensing range r s and intrusion distance D 1 , as shown in Fig. 3. It is because the intruder can be detected within the intrusion distance D 1 by any sensor(s) situated within the area of S 1 .

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

701

HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 701 Fig. 3. Intrusion strategy 1. On the contrary, if

Fig. 3. Intrusion strategy 1.

On the contrary, if the intruder does not know its destination, it moves in the network domain in a random fashion. We consider that the intruder tends to minimize the overlapping on its path. Thus, the intrusion path of the intruder can be regarded as a nonoverlapping curved line ðD 2 Þ, and the intrusion area accordingly is a curved band S 2 , as illustrated in Fig. 4. In the above two strategies, if the intruder travels the same distance, i.e., D 1 ¼ D 2 , the corresponding intrusion detection areas approximately satisfy S 1 ¼ S 2 . Therefore, we adopt a straight path in the following discussion, and the analytical results can be directly applied to the case of the curved path. Furthermore, the intruder can start its intrusion from the network boundary or a random point inside the network domain. For example, the intruder can be dropped from the air and starts from any point in the network domain.

4 I NTRUSION DETECTION IN A HOMOGENEOUS WIRELESS S ENSOR NETWORK

In this section, we present the analysis of intrusion detection in a homogeneous WSN. We derive the detection probability for single-sensing detection and k-sensing detection.

for single-sensing detection and k -sensing detection. Fig. 5. The intruder starts from the boundary of
for single-sensing detection and k -sensing detection. Fig. 5. The intruder starts from the boundary of

Fig. 5. The intruder starts from the boundary of the WSN.

4.1 Single-Sensing Detection

In the single-sensing detection model, the intruder can be recognized once it moves into the sensing coverage disk of any sensor(s). According to the intrusion strategy, the intruder may access the network domain from any point of the network boundary or a random point in the network domain. When the intruder starts from a point of the network boundary, as shown in Fig. 5, given an intrusion distance D 0, the corresponding intrusion detection area S D is almost an oblong area. This area includes a rectangular area with length D and width 2r s and a half disk with radius r s attached to it. It has

S D ¼ 2 D r s þ r 2 :

s

2

ð1 Þ

According to the definition of single-sensing detection, the intruder is detected if and only if there exists at least one sensor within this area S D . Otherwise, the intruder is not detected. Similarly, when the intruder starts from a random point in the network domain, the corresponding intrusion detection area is S D ¼ 2 D r s þ r 2 , as shown in Fig. 6. In the following analysis, we focus on the case that the intruder starts from the boundary of the network

s

that the intruder starts from the boundary of the network s Fig. 4. Intrusion strategy 2.

702

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008

domain. The derived results can be applied to the other case by replacing r 2 with r 2 We first consider the detection probability that the intruder can be immediately detected once it enters the network domain. In other words, it has an intrusion distance D ¼ 0. The corresponding intrusion detection area is S 0 ¼ r 2 . We then have Theorem 1 as follows:

s

2

s

2

s .

Theorem 1. The probability p 1 ½D ¼ 0 that an intruder can be immediately detected once it enters a homogeneous WSN with node density and identical sensing range r s can be given by

p 1 ½D ¼ 0 ¼ 1 e r 2 :

s

2

ð2Þ

Proof. In a uniformly distributed WSN with node density , the probability of m sensors located within the area S follows the Poisson distribution [18]:

P ðm; S Þ ¼ ð S m! Þ m e S :

ð3Þ

Therefore, the probability of no sensor in the immediate

intrusion detection area S 0 ¼ r 2 is P ð0 ; r 2 Þ ¼ e r 2 2 . Then, the complement of P ð0 ; r 2 Þ is the probability that there is at least one sensor located in S 0 ¼ r . In this case, the intruder can be detected once it approaches the network with intrusion distance D ¼ 0. Thus, the probability that the intruder can be detected immedi- ately by the WSN once it enters the WSN is p 1 ½D ¼ 0 ¼

tu

This result shows that the immediate detection prob- ability p 1 ½D ¼ 0 is determined by the node density and the sensing range. By increasing the node density or enlarging the sensing range, p 1 ½D ¼ 0 can be improved. Immediate detection may need a large sensing range or a high node density, thus increasing the WSN deployment cost. We then consider the detection probability in a relaxed condition when the intruder is allowed to travel some distance in the WSN.

Theorem 2. Suppose is the maximal intrusion distance allowable for a given application. The probability p 1 ½D that the intruder can be detected within in the given homogeneous WSN can be derived as

s

2

s

2

s

2

2

s

2

s

1 P ð0 ; r 2 Þ ¼ 1 e r 2 .

2

s

s

2

p 1 ½D ¼ 1 e

2 r s þ r 2

s

2

:

ð4Þ

Proof. According to the definition of single-sensing detection model, the probability that the intruder can be detected within an intrusion distance of is equivalent to the probability that there is at least one sensor located in the corresponding intrusion detection area S ¼ 2 r s þ r 2

. That is, p 1 ½D ¼ 1 P ð0 ; S Þ while P ð 0; S Þ is obtained from (3). The probability p 1 ½D can further be

.

tu

Theorem 3. Let p 1 ½D ¼ be the probability that the intruder is detected at an intrusion distance , > 0, and E 1 ð DÞ be the average intrusion distance. Then,

s

2

1 e ð 2 r s þ r 2

s

2

Þ

represented as p 1 ½D ¼ 1 P ð0; S Þ

¼

Then, it yields p 1 ½D ¼ 1 e ð 2 r s þ Þ .

2

r 2

s

2 r s þ r 2

s

2

r s e

p 1 ½D ¼ ¼ 2 r s e ffiffi

p

2

L

E 1 ðD Þ ¼ Z

2

and

2 r s þ r 2

s

2

d ð Þ:

0

ð5 Þ

Proof. In Theorem 2, (4) gives the cumulative density

function (CDF) of intrusion distance such as p 1 ½ D .

Therefore, p 1 ½D ¼ can be obtained from the differential

of p 1 ½ D , and it can be calculated as p 1 ½ D ¼ ¼

Þ . The average intrusion distance

E 1 ð DÞ can be easily derived from the PDF of the intrusion

distance (i.e., p 1 ½ D ¼ ). Since the intruder is assumed to

move in the network along a straight path, and the

network domain is a square area with size A ¼ L L, the

d ð p ½ D Þ dð Þ

1

¼

2 r s e ð 2 r s þ r 2

s

2

2 L. Then,

the ffiffi average intrusion ffiffi distance is given as E 1 ðD Þ ¼

tu

Theorems 1-3 indicate that the quality of intrusion detection

in single-sensing detection scenario for a given WSN

improves as the sensing range or the node density increases.

maximum distance the intruder may travel is

p

R

0

2

L

p

p 1 ½D ¼ dð Þ ¼ R

0

2

L

2 r s e ð 2 r s þ r 2

s

2

Þ dð Þ.

p

ffiffiffi

4.2 K -Sensing Detection

In the k-sensing detection model, an intruder has to be sensed

by at least k sensors for intrusion detection in a WSN. The number of required sensors depends on specific applications. For example, at least three sensors’ sensing information is required to determine the location of the intruder.

Theorem 4. Let p k ½D ¼ 0 be the probability that an intruder is detected immediately once it enters a WSN with node density

and sensing range r s in k- sensing detection model. It has

k 1

p k ½D ¼ 0 ¼ 1 X

i¼ 0

r 2

s

i

2 i i !

r 2

s

e :

2

ð6 Þ

Proof. According to (3), P ði; r 2 Þ is the probability that

s

2

there are i sensors located in the immediate detection

P ði; r 2 Þ is therefore the probability

area S 0 ¼ r 2 . P

s

2

k

i¼ 0

1

s

2

that there are less than k sensors in the area S 0 . Further,

1 P

P ð i; r 2 Þ represents the probability that there

k

1

i¼ 0

s

2

are at least k sensors located in the area S 0 . In this case,

the intruder can be sensed by at least k sensors when

it accesses the network boundary. Consequently, it

P ði; r 2 Þ ¼ 1

can be said that p k ½ D ¼ 0 ¼ 1 P

k

1

i¼ 0

s

2

e is the probability of the intruder to

be detected immediately when it enters the WSN

domain under k-sensing detection scenarios. tu

Theorem 5. Let p k ½ D be the probability that the intruder is detected within the maximal intrusion distance in a k - sensing detection model for the given homogeneous WSN. Then, p k ½D can be calculated as

P

k

1

i¼ 0

r 2 i i!

s

ð

2

Þ i

r 2

s

2

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

703

k 1

p k ½ D ¼ 1 X

i

¼ 0

S

i

i!

e S

where S ¼ 2 r s þ 2 r 2

s

:

ð7Þ

Proof. S ¼ 2 r s þ r 2 is the intrusion detection area with

s

2

respect to the maximal intrusion distance . If there are at

least k sensors in the area S , the intruder can be sensed

by the k sensors, and the k sensors could collaborate

with each other to recognize the intruder. From (3),

P ði; S Þ ¼

sors are located in the area of S . Then, P

P

e S is the probability that less than k sensors

are located in the area S . Thus, the complement of

P

e S denotes the probability that i sen-

P ði; S Þ ¼

ð

S

Þ i

i!

k 1 i¼ 0

k 1 ð S Þ i

i

¼ 0

k

1

i

¼ 0

i!

e S is the probability that

there are at least k sensors located in the area S . If this is

the case, the intruder can be sensed by at least k sensors

from the WSN with probability 1 P

P ði; S Þ , 1 P

k 1 ð S Þ i

i

¼ 0

i!

k 1 ð S Þ i

i¼ 0

e S

i!

before it travels a distance of . Finally, the probability

p k ½D that the intruder is detected within the maximal

intrusion distance in k-sensing detection model can be

tu

Theorem 6. Let E k ð DÞ be the average intrusion distance in the k- sensing detection model for the given WSN with node density and sensing range r s , it has

derived as p k ½D ¼ 1 P

k 1 ð S Þ i

i¼ 0

i!

e S .

E k ðD Þ ¼

P
k

k 1

i ¼ 0

r 2

s

2

i e

r 2

s

2

2 r s i !

:

ð8Þ

Proof. E k ð DÞ is the average intrusion distance. Then,

S k ¼ E k ðDÞ 2 r s is the average intrusion detection area, and E k ðD Þ 2r s is the average number of sensors

located in the area of S k . Based on the definition of k-sensing detection model, k sensors are required to identify the intruder. Thus, the average number of sensors

located in the average intrusion detection area should be equal to k, that is, E k ðD Þ 2r s ¼ k . Considering the case when the intruder is detected immediately once it enters the WSN domain, the average intrusion distance is

¼ 0, while E k ðDÞ 2 r s ¼ 0 . In this case,

E k ð DÞ

E k ð DÞ 2r s ¼ k does not hold. Thus, it is necessary to eliminate this boundary effect, and we get E k ðD Þ 2 r s ¼ k ð1 p k ½D ¼ 0 Þ . By replacing p k ½D ¼ 0 by (7)

following Theorem 4, we further obtain E k ð DÞ 2r s ¼

Þ i e . Finally, the average

intrusion distance in the k-sensing detection model for

the given WSN can be calculated as

k P

k

1

i¼ 0

P ði; r 2 Þ ¼ k P

s

2

k 1 ð r 2 i¼ 0

2

s

r 2

s

2

E k ðD Þ ¼

k

P

k

i

1

¼ 0

r 2

2

s

i e

r 2

s

2

2 r s i !

:

ut

Theorems 4-6 show that the quality of intrusion detection

in the k-sensing detection scenario for a given WSN improves

as the sensing range and node density increase and

decreases as k grows. If we relax the multiple-sensing

detection to single-sensing detection by setting k ¼ 1.

, which shows (5)

Equation (8) is reduced to E 1 ð DÞ ¼ e

in another way (i.e., E 1 ðD Þ ¼ R

Þ d ð Þ).

Note that there is no closed form solution for the integral

in (5), but it matches with (8) when L r s .

r 2

2

s

2r s i !

p ffiffi

2

0

L

2 r s e ð 2 r s þ r 2

s

2

5 I NTRUSION D ETECTION IN A HETEROGENEOUS W IRELESS S ENSOR NETWORK

In a heterogeneous WSN, as defined in Section 3.1, we consider two types of sensors: Type I and Type II with the node density of 1 and 2 , respectively. A Type I sensor has the sensing range r s 1 , and the sensing coverage is a disk of area S 1 ¼ r 2 1 . A Type II sensor has the sensing coverage of S 2 ¼ r s2 2 with the sensing range r s 2 . Without loss of generality, we can assume that r s1 > r s2 in our network model. In a heterogeneous WSN, any point in the network domain is said to be covered if the point is under the sensing range of any sensor (Type I, Type II, or both). In this section, we present the analysis of intrusion detection probability of a heterogeneous WSN in single- sensing detection and multiple-sensing detection models.

5.1 Single-Sensing Detection

We denote the intrusion distance by D h in the given heterogeneous WSN. Again, an intruder may be detected by the WSN once it approaches the network boundary, and the corresponding intrusion distance is D h ¼ 0 . This leads to the following theorem.

Theorem 7. The probability p 1 ½D h ¼ 0 that an intruder can be immediately detected once it enters the given heterogeneous WSN in a single-sensing detection model can be represented by

s

p 1 ½D h ¼ 0 ¼ 1 e 1

r 2 s1

2

e

2

r 2 s2

2

:

ð9 Þ

Proof. According to the single-sensing detection model, the intruder is detected if and only if one of the following conditions is satisfied:

.

The intruder enters into the sensing coverage area of any Type I sensor(s).

.

The intruder enters into the sensing coverage area of any Type II sensor(s).

In the Cartesian coordinate system, as illustrated in

Fig. 7, suppose point (0, 0) is the starting position of the

intruder, and y -axis is the network boundary. If a Type

, which is

Isensor is located inside the half disk S 1 ¼

centered at the point (0, 0) with radius r s 1 , the first

condition holds. Similarly, the second condition holds if

,

there is a Type II sensor inside the half disk S 2 ¼

which is centered at the point (0, 0) with radius r s 2 . Then,

r 2

s 1

2

r 2

s2

2

704

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008

TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008 Fig. 7. Intrusion detection at the

Fig. 7. Intrusion detection at the start point ðD h ¼ 0Þ.

from (3), the probability that no Type I sensor lies inside

S 1 is P 1 ð 0; S 1 Þ ¼ e 1 S 1 ¼ e 1

no Type II sensor inside S 2 is P 2 ð0 ; S 2 Þ ¼ e 2 S 2 ¼ e 2 2 .

Considering Type I and Type II, sensors are indepen-

dently deployed according to our heterogeneous WSN

model, the probability of neither Type I sensor nor Type

II sensor that senses the intruder is P 1 ð0; S 1 Þ P 2 ð0 ; S 2 Þ ¼

e

. Thus, the probability of at least one sensor

(either Type I or Type II) around the boundary that can

sense the intruder is 1 P 1 ð0 ; S 1 ÞP 2 ð 0; S 2 Þ ¼ 1 e 1

e

. Therefore, the probability that the intruder is

detected immediately once it enters the network domain

tu

can be represented as p 1 ½ D h ¼ 0 ¼ 1 e 1

2 , and the probability of

r 2 s1

r 2 s2

r 2

1

r 2 s2

1

s

2

r 2

2

e

2

2

r 2 s1

2

2

s

2

r 2

1

r 2 s2

s

2

e

2

2

.

Theorem 8. Suppose is the maximal intrusion distance allowable for the intruder to travel within the given heterogeneous WSN in single-sensing detection. The prob- ability p 1 ½D h that the intrusion distance D h is less than can be calculated as

p 1 ½D h ¼ 1 e 1 S 0

1

e 2 S

0

2 ;

where S ¼ 2 r si þ r 2 ; ði ¼ 1 ; 2 Þ:

0

i

si

2

ð 10Þ

Proof. The probability of an intruder to be detected within the maximal intrusion distance is equivalent to the probability of at least one sensor (either Type I or Type II) inside the corresponding intrusion detection area S . For Type I sensors, the intrusion detection area S 1 0 is the region that includes a rectangular area with length and width 2 r s 1 , as well as a half disk with

radius r s1 , as shown in Fig. 8. It gives S 1 0 ¼ 2 r s1 þ r 2 Similarly, the intrusion detection area for Type II sensors

.

0

1

s

2

is S 2 ¼ 2 r s2 þ r 2 . Then, we obtain the maximal intru-

0

s2

2

sion detection area with respect to as S ¼ S 1 0 S S 2 . The

intruder can be detected within the intrusion distance if

one of the following conditions is satisfied:

0

0

.

.

At least one Type I sensor is located in the area

of S 0

1

.

If condition 1 does not hold, at least one Type II

sensor is located in the area of S

0

2

.

least one Type II sensor is located in the area of S 0 2 . Fig.

Fig. 8. Intrusion detection in the heterogeneous WSN ðD h ¼ Þ.

Note that P 1 ð0 ; S 0

1 Þ ¼ e 1 S 0

1 is the probability of no Type I

sensor in the area of S 1 0 , and P 2 ð0 ; S

0

2 Þ ¼ e 2 S

0

2 is the

probability of no Type II sensor in the area of S 2 . The

first condition can be satisfied with the probability of

1

P 1 ð0 ; S 1 0 Þ, and the second condition holds with the probability of P 1 ð 0; S 1 0 Þð 1 P 2 ð 0; S 2 ÞÞ . Thus, 1 P 1 ð0 ; S 1 0 Þ þ P 1 ð0; S 1 0 Þð 1 P 2 ð 0; S 2 ÞÞ ¼ 1 P 1 ð0; S 1 0 Þ P 2 ð0 ; S 2 Þ represents the probability of at least one sensor (either Type I or Type II) that can detect the intruder within the maximal

0

0

0

0

intrusion detection area S . Finally, the probability that the intrusion distance D h is less than can be derived

a s p 1 ½D h ¼ 1 P 1 ð0 ; S 1 0 ÞP 2 ð0 ; S 2 Þ ¼ 1 e 1 S 0

2 .

Further, we get p 1 ½D h ¼ 1 e 1 ð 2 r s1 þ

Þ . tu

0

0

1

e 2 S

r 2 s2

0

r 2 s1

2

Þ e 2 ð 2 r s 2 þ

2

Theorem 9. The probability p 1 ½ D h ¼ that the intruder is detected at an intrusion distance ð > 0 Þ when it travels within the given heterogeneous WSN in single-sensing detection can be derived as

p 1 ½D h ¼ ¼ 2 ð 1 r s 1 þ 2 r s 2 Þe ð 1 S 0

1 þ 2 S

2

0 Þ ;

where S ¼ 2 r si þ r 2 ; ði ¼ 1 ; 2 Þ:

0

i

si

2

ð11 Þ

Proof. Equation (10) gives the CDF of intrusion distance in a

single-sensing detection scheme. Therefore, the probabil-

ity p 1 ½ D h ¼ that the intruder is detected at an intrusion

distance can be derived by the differential of p 1 ½D h .

It

Þ . Then, based on

the PDF of an intrusion detection distance such as

p 1 ½D h ¼ , it is easy to obtain the expected intrusion

distance as

has p 1 ½D h ¼ ¼ dð p 1 ½ D h Þ

d

ð Þ

2 ð 1 r s1 þ 2 r s 2 Þ e ð 2 1

¼ 2ð 1 r s1 þ 2 r s2 Þe ð 1 S 0

s1 þ 2 r 2

s2

1 þ 2 S

2 0 Þ ¼

r s1 þ 2 2 r s2 þ 1 r 2

2

ffiffi

p

2

L

E 1 ðD h Þ ¼ Z

0

2 ð 1 r s 1 þ 2 r s 2 Þe ð 1 S 1 0 þ 2 S

0

2

Þ dð Þ:

This is because the maximum intrusion distance that the intruder could travel in the square network domain is

p

tu

ffiffiffi 2 L by following a straight path.

WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS

705

Theorems 7-9 indicate that the quality of intrusion detection in single-sensing detection scenario for a given heterogeneous WSN increases with the increasing of sensing range and node density. In addition, the existence of high-capability sensors improves the network detection probability further due to a larger sensing range.

5.2 K -Sensing in a Heterogeneous WSN

In the k-sensing detection model of a heterogeneous WSN with two types of sensors, at least k sensors are required to detect an intruder. These k sensors can be any combination of Type I and Type II sensors. For instance, if three sensors are required to detect an intruder for a specific application, the intruder can be detected by any of the following sensor combinations:

p k ½D h ¼ 0 ¼ 1 X

¼ 1 X

k

m¼ 0

k

m¼ 0

1

1

h

X

m

j¼ 0

P

1

ð j; S Þ

1

P

2

ðm j;

S

2

Þ

i

X

¼ 0 P 1 ðj; r 2 Þ P 2 ðm j; r 2 :

m

j

s1

2

s

2

2

Þ

tu

Theorem 11. Let p k ðD h Þ be the probability that the intrusion distance is less than ð > 0 Þ in the k -sensing detection model, is the maximal intrusion distance allowable for an intruder to move in the given heterogeneous WSN. It has

k

1

p k ½D h ¼ 1 X

m¼ 0

"

m

X

j¼ 0

P

1

j; S 0

1

P 2

m j; S # ;

0

2

where S ¼ 2 r si þ r 2 ; ði ¼ 1 ; 2 Þ:

0

i

si

2

ð13 Þ

Proof. From (3), P 1 ð j; S 1 0 Þ is the probability that j Type I

sensors are located in the intrusion detection area

S 1 0 ¼ 2 r s 1 þ r 2 . P 2 ð m j; S 2 Þ is the probability of

1. three Type I sensors,

2. three Type II sensors,

3. one Type I sensor and two Type II sensors, and

4. two Type I sensors and one Type II sensor.

Theorem 10. Let p k ðD h ¼ 0Þ be the probability that an intruder can be immediately detected once it enters the given heterogeneous WSN in the k- sensing detection model. It has

k

1

p k ½D h ¼ 0 ¼ 1 X

m

¼ 0

"

m

X

j

¼ 0

P

1

j; r 2

s1

2

P 2

m j;

r

2

s

2

2

:

12Þ

Proof. According to k-sensing detection model, an intruder

is detected immediately once it enters the network if and

only if at least k sensors are located within their half

sensing disk centered at the intrusion start point (as

e S 1 is

illustrated in Fig. 7). Based on (3), P 1 ðj; S 1 Þ ¼

the probability of j Type I sensors that can sense the

intruder within the corresponding intrusion detection

e S 2 is the

probability of ð m j Þ Type II sensors that can sense the

. Consequently,

P 1 ð j; S 1 ÞP 2 ðm j; S 2 Þ represents the probability of

m sensors (j Type I sensors plus m j Type II sensors)

that can sense the intruder at the start point. Since these

m sensors can be any combination of sensor types,

m ¼ 0 P 1 ðj; S 1 Þ P 2 ðm j; S 2 Þ is the probability that there

ð S Þ j j!

1

area S 1 ¼

r 2

s1

2

,

and P 2 ð m j; S 2 Þ ¼

ð

S

s2

2

Þ ðm jÞ

ð

m jÞ !

r 2

2

intruder within the area of S 2 ¼

P

j

are totally m sensors that can sense the intruder in

the intrusion detection area of S 1 S S 2 . Therefore,

P

m ¼ 0 P 1 ðj; S 1 ÞP 2 ðm j; S 2 Þ is the probability of

k

m ¼ 0 ½ P j

1

s1

2

0

ð m j Þ Type II sensors located in the corresponding

intrusion detection area S 2 and S 2 ¼ 2 r s 2 þ r 2 . Then,

0

0

s2

2

P 1 ðj; S 1 0 ÞP 2 ð m j; S 2 Þ represents the probability of

m sensors, consisting of j Type I sensors and ðm j Þ

# Type II sensors can sense the intruder within the intrusion

detection area S 1 0 S S 2 with respect to . If m ¼ k,

0

0

P 1 ðj; S 1 0 ÞP 2 ð m j; S 2 Þ stands for the probability that the

ð intruder can be detected by the WSN within intrusion

distance . Since these m sensors can be any combination

0

of sensor types, P j¼ 0 P 1 ð j; S 1 0 Þ P 2 ðm j; S 2 Þ is the prob-

ability that there are totally m sensors can sense the

intruder. Then, P

probability that there are at most ðk 1 Þ (i.e., less than k)

¼ 0 P 1 ðj; S 1 0 ÞP 2 ðm j; S 2 Þ is the

m

1

0

k

m ¼ 0 ½ P j

m

0

sensors that can sense the intruder within the intrusion

0

detection area S 1 0 S S 2 . Consequently, the probability

p k ð D h Þ that the intruder travels with distance less

than before being detected by the given heterogeneous

WSN in the k-sensing detection model can be derived

h

j¼ 0 P 1 ðj; S 1 0 ÞP 2 ð m j; S i ¼

¼ 0 P 1 ðj; 2 r s1 þ r 2 ÞP 2 ðm j; 2 r s2 þ r 2 i . tu

Theorem 12. Let E k ðD h Þ be the average intrusion distance under the k- sensing detection model in the given heterogeneous WSN. Then

as p k ðD h Þ ¼ 1 P

1 P

k

1

m

¼ 0

h

P

m

j

k

1

m¼ 0

m

P

s

1

2

0

2

Þ

Þ

s2

2

k P

m

¼ 0

k

1

h

P

m

j

¼ 0

P

1

j;

r

2

s

1

2

P

2

m j;

r

2

s2

2

i

E k ð D h Þ ¼

2r s 1 1 þ 2 r s2 2

:

ð14 Þ

at most ðk 1Þ (less than k) sensors that can sense the

intruder when it approaches the WSN. Finally, the

probability that the intruder can be immediately detected

once it enters the heterogeneous WSN in the k-sensing

detection model is equivalent to the complement of

P

k

m ¼ 0 ½ P j

1

m ¼ 0 P 1 ðj; S 1 ÞP 2 ðm j; S 2 Þ , yielding

Proof. E k ðD h Þ is the average intrusion distance in the heterogeneous WSN. Then, the corresponding average intrusion detection areas for Type I and Type II sensors

are S 1 ¼ 2 r s 1 E k ðD h Þ and S 2 ¼ 2 r s 2 E k ðD h Þ , respectively. While the node densities of Type I and Type II sensors are 1 and 2 . The average number of Type I sensors

that with the intruder during its invasion is N 1 ¼ 1 S 1 .

706

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008

At the same time, the average number of Type II sensors

that hit the intruder in its intrusion is N 2 ¼ 2 S 2 . In the k-sensing detection model, k sensors are required to

detect the intruder, it has N 1 þ N 2 ¼ 1 S 1 þ 2 S 2 ¼

2 r s 1 E k ðD h Þ 1 þ 2 r s2 E k ð D h Þ 2 ¼ k. The only exception is 2 r s 1 E k ðD h Þ 1 þ 2 r s2 E k ð D h Þ 2 ¼ 0 while E k ð D h Þ ¼ 0 in the case of immediate intrusion detection. In view of this, we eliminate this boundary effect (i.e., E k ð D h Þ ¼ 0 ) and obtain kð 1 p k ½D h ¼ 0 Þ ¼ 2E k ðD h Þ r s 1