6, JUNE 2008
Abstract—Intrusion detection in Wireless Sensor Network (WSN) is of practical interest in many applications such as detecting
an intruder in a battlefield. The intrusion detection is defined as a mechanism for a WSN to detect the existence of inappropriate,
incorrect, or anomalous moving attackers. For this purpose, it is a fundamental issue to characterize the WSN parameters such
as node density and sensing range in terms of a desirable detection probability. In this paper, we consider this issue according
to two WSN models: homogeneous and heterogeneous WSN. Furthermore, we derive the detection probability by considering
two sensing models: single-sensing detection and multiple-sensing detection. In addition, we discuss the network connectivity and
broadcast reachability, which are necessary conditions to ensure the corresponding detection probability in a WSN. Our simulation
results validate the analytical values for both homogeneous and heterogeneous WSNs.
Index Terms—Intrusion detection, node density, node heterogeneity, sensing range, Wireless Sensor Network (WSN).
1 INTRODUCTION
Fig. 1. Intrusion detection in a WSN.
intrusion detection problem under two application scenarios: single-sensing detection and multiple-sensing detection. According to the capability of sensors, we consider two network types: homogeneous and heterogeneous WSNs [9]. We define the sensor capability in terms of the sensing range and the transmission range. In a heterogeneous WSN [10], [11], [12] some sensors have a larger sensing range and more power to achieve a longer transmission range. In this paper, we show that the heterogeneous WSN increases the detection probability for a given intrusion detection distance. On the other hand, a heterogeneous WSN poses the challenge of network connectivity due to asymmetric wireless links. The high-capability sensors have a longer transmission range while low-capability sensors have a shorter transmission range. Due to this, the packet sent by a high-capability sensor may reach the low-capability sensor, while the low-capability sensor may not be able to send packets to the corresponding high-capability sensor [13]. This motivates us to analyze the network connectivity in this paper. Furthermore, since high-capability sensors in a heterogeneous WSN usually undertake more important tasks (i.e., broadcasting power management information or synchronization information to all the sensors in the network), it is also desirable to define and examine the broadcast reachability from high-capability sensors. The network connectivity and broadcast reachability are important conditions to ensure the detection probability in WSNs. They are formally defined and analyzed in this paper. To the best of our knowledge, our effort is the first to address this issue in a heterogeneous WSN.
The main contributions of this paper can be summarized as follows:
• Developing an analytical model for intrusion detection in WSNs, and mathematically analyzing the detection probability with respect to various network parameters such as node density and sensing range.
• Applying the analytical model to single-sensing detection and multiple-sensing detection scenarios for homogeneous and heterogeneous WSNs.
• Defining and examining the network connectivity and broadcast reachability in a heterogeneous WSN.
The remainder of the paper is organized as follows: Section 2 presents the related work. Section 3 describes the

2 RELATED WORK
Intrusion detection is one of the critical applications in WSNs, and recently, several approaches for intrusion detection in homogeneous WSNs have been presented [3], [14], [15], [16], [17]. The focus of these approaches aims at effectively detecting the presence of an intruder. First, the problem is investigated from the aspect of the network architecture. Kung and Vlah [14] take advantage of a hierarchical tree structure to effectively track the movement of an intruder. The hierarchical tree consists of connected sensors and is built upon expected properties of intruder mobility patterns such as its movement frequency over a region. Based on the hierarchical tree, it allows an efficient record of an intruder's moving information and supports fast querying from the base station. Another tree structure for tracking an intruder, called as a logic object-tracking tree, is developed by Lin et al. [15]. The logic object tracking tree reduces the communication cost for data updating and querying by taking into account the physical network topology. In particular, the logic object tracking tree targets to balance the update cost and the query cost so as to minimize the total communication cost.
Second, the intrusion detection problem has been considered from the constraint of saving network resources. For example, Chao et al. [16] have addressed the issue of tracking a moving intruder by power-conserving operations and sensor collaboration. To achieve this, the authors defined a set of novel metrics for detecting a moving intruder and developed two efficient sleep-awake schemes called PECAS and MESH, to minimize the power consumption. Ren et al. [3] further studied the trade-off between the network detection quality (i.e., how fast the intruder can be detected) and the network lifetime. Therefore, the sensor coverage had to be carefully designed according to the detection probability with respect to specific application requirements. The authors then proposed three wave sensing scheduling protocols to achieve the bounded worst case detection probability.
Rather than a static WSN architecture as the above approaches, Liu et al. [17] have modeled the intrusion detection problem in a mobile WSN, where each sensor is capable of moving. The authors have given the optimal strategy for fast detection and shown that mobile WSN improves its detection quality due to the mobility of sensors.
In this paper, we address the intrusion detection problem from the other angle. Most of the above efforts consider intrusion detection and its efficiency in terms of the single-sensing model in a homogeneous WSN. Instead of the network architecture and detecting protocol design, we provide a comprehensive theoretical analysis on the intrusion detection in both homogeneous and heterogeneous WSNs [18]. The detection probability is theoretically captured by using underlying network parameters, and thus, our work is of paramount importance for a network
Authorized licensed use limited to: Green Hills Engineering College. Downloaded on July 17, 2009 at 06:14 from IEEE Xplore. Restrictions apply.
700 IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 7, NO. 6, JUNE 2008
WANG ET AL.: INTRUSION DETECTION IN HOMOGENEOUS AND HETEROGENEOUS WIRELESS SENSOR NETWORKS 701
Fig. 4. Intrusion strategy 2.
Fig. 6. The intruder starts from a random point in the WSN.
2
rs
domain. The derived results can be applied to the other case 2rs þ 2
r2 p1 ½D ¼ ¼ 2rs e and
by replacing 2s with r2s . pffiffi
Z 2 L ð5Þ
We first consider the detection probability that the r2
2rs þ 2s
intruder can be immediately detected once it enters the E1 ðDÞ ¼ 2rs e dðÞ:
network domain. In other words, it has an intrusion 0
distance D ¼ 0. The corresponding intrusion detection area
r2
is S0 ¼ 2s . We then have Theorem 1 as follows: Proof. In Theorem 2, (4) gives the cumulative density
Theorem 1. The probability p1 ½D ¼ 0 that an intruder can be function (CDF) of intrusion distance such as p1 ½D .
immediately detected once it enters a homogeneous WSN with Therefore, p1 ½D ¼ can be obtained from the differential
node density and identical sensing range rs can be given by
of p1 ½D , and it can be calculated as p1 ½D ¼ ¼
r2
dðp1 ½DÞ s
p1 ½D ¼ 0 ¼ 1 e
r2s
2 : ð2Þ dðÞ ¼ 2rs eð2rs þ 2 Þ . The average intrusion distance
E1 ðDÞ can be easily derived from the PDF of the intrusion
Proof. In a uniformly distributed WSN with node density , distance (i.e., p1 ½D ¼ ). Since the intruder is assumed to
the probability of m sensors located within the area S
move in the network along a straight path, and the
follows the Poisson distribution [18]:
network domain is a square area with size A ¼ L L, the
ðSÞm S pffiffiffi
P ðm; SÞ ¼ e : ð3Þ maximum distance the intruder may travel is 2L. Then,
m!
the average intrusionpffiffi distance is given as E1 ðDÞ ¼
R pffiffi2L R 2L r2
Therefore, the probability of no sensor in the immediate s
p1 ½D ¼ dðÞ ¼ 0 2rs eð2rs þ 2 Þ dðÞ. u
t
r2 0
r2 r2 s
intrusion detection area S0 ¼ 2s is P ð0; 2s Þ ¼ e 2 . Theorems 1-3 indicate that the quality of intrusion detection
r2s
Then, the complement of P ð0; 2 Þ is the probability that in single-sensing detection scenario for a given WSN
r2
there is at least one sensor located in S0 ¼ 2s . In this improves as the sensing range or the node density
case, the intruder can be detected once it approaches the increases.
network with intrusion distance D ¼ 0. Thus, the
probability that the intruder can be detected immedi- 4.2 K-Sensing Detection
ately by the WSN once2 it enters the WSN is p1 ½D ¼ 0 ¼ In the k-sensing detection model, an intruder has to be sensed
r2 rs
1 P ð0; 2s Þ ¼ 1 e 2 . u
t by at least k sensors for intrusion detection in a WSN. The
number of required sensors depends on specific applications.
This result shows that the immediate detection prob-
For example, at least three sensors’ sensing information is
ability p1 ½D ¼ 0 is determined by the node density and the
required to determine the location of the intruder.
sensing range. By increasing the node density or enlarging
the sensing range, p1 ½D ¼ 0 can be improved. Theorem 4. Let pk ½D ¼ 0 be the probability that an intruder is
Immediate detection may need a large sensing range or a detected immediately once it enters a WSN with node density
high node density, thus increasing the WSN deployment and sensing range rs in k-sensing detection model. It has
cost. We then consider the detection probability in a relaxed 2 i
condition when the intruder is allowed to travel some X
k1
rs r2s
distance in the WSN. pk ½D ¼ 0 ¼ 1 e 2 : ð6Þ
i¼0
2i i!
Theorem 2. Suppose is the maximal intrusion distance
r2s
allowable for a given application. The probability p1 ½D Proof. According to (3), P ði; 2 Þ is the probability that
that the intruder can be detected within in the given
there are i sensors located in the immediate detection
homogeneous WSN can be derived as
r2 Pk1 r2s
area S0 ¼ 2s . i¼0 P ði; 2 Þ is therefore the probability
2 rs
2rs þ 2 that there are less than k sensors in the area S0 . Further,
p1 ½D ¼ 1 e : ð4Þ P r2s
1 k1i¼0 P ði; 2 Þ represents the probability that there
Proof. According to the definition of single-sensing detection
are at least k sensors located in the area S0 . In this case,
model, the probability that the intruder can be detected
the intruder can be sensed by at least k sensors when
within an intrusion distance of is equivalent to the
it accesses the network boundary. Consequently, it
probability that there is at least one sensor located in the P r2s
corresponding intrusion detection area S ¼ 2rs þ 2s .
r2 can be said that pk ½D ¼ 0 ¼ 1 k1 i¼0 P ði; 2 Þ ¼ 1
Pk1 ðr2s Þ r2s
i
i
X
k1
S S
pk ½D ¼ 1 e Theorems 4-6 show that the quality of intrusion detection
i!
i¼0 ð7Þ in the k-sensing detection scenario for a given WSN improves
r2
where S ¼ 2rs þ s : as the sensing range and node density increase and
2
r2s decreases as k grows. If we relax the multiple-sensing
Proof. S ¼ 2rs þ 2 is the intrusion detection area with
respect to the maximal intrusion distance . If there are at detection to single-sensing detection2 by setting k ¼ 1.
r
s
least k sensors in the area S , the intruder can be sensed Equation (8) is reduced to E1 ðDÞ ¼ e2rs 2i! , which shows (5)
R pffiffi2L r2s
by the k sensors, and the k sensors could collaborate in another way (i.e., E1 ðDÞ ¼ 0 2rs eð2rs þ 2 Þ dðÞ).
with each other i
to recognize the intruder. From (3), Note that there is no closed form solution for the integral
ðS Þ S
P ði; S Þ ¼ i! e denotes the probability that i sen-
P in (5), but it matches with (8) when L rs .
sors are located in the area of S . Then, k1 i¼0 P ði; S Þ ¼
Pk1 ðS Þi S
i¼0 i! e is the probability that less than k sensors 5 INTRUSION DETECTION IN A HETEROGENEOUS
are located in the area S . Thus, the complement of WIRELESS SENSOR NETWORK
Pk1 Pk1 ðS Þi S
i¼0 P ði; S Þ, 1 i¼0 i! e is the probability that In a heterogeneous WSN, as defined in Section 3.1, we
there are at least k sensors located in the area S . If this is consider two types of sensors: Type I and Type II with the
the case, the intruder can be sensed by at least k sensors node density of 1 and 2 , respectively. A Type I sensor
P ðS Þi S has the sensing range rs1 , and the sensing coverage is a
from the WSN with probability 1 k1 i¼0 i! e disk of area S1 ¼ r2s1 . A Type II sensor has the sensing
before it travels a distance of . Finally, the probability coverage of S2 ¼ r2s2 with the sensing range rs2 . Without
pk ½D that the intruder is detected within the maximal loss of generality, we can assume that rs1 > rs2 in our
network model. In a heterogeneous WSN, any point in the
intrusion distance in k-sensing detection model can be
Pk1 ðS Þi S network domain is said to be covered if the point is under
derived as pk ½D ¼ 1 i¼0 i! e . t
u the sensing range of any sensor (Type I, Type II, or both).
Theorem 6. Let Ek ðDÞ be the average intrusion distance in the In this section, we present the analysis of intrusion
k-sensing detection model for the given WSN with node detection probability of a heterogeneous WSN in single-
density and sensing range rs , it has sensing detection and multiple-sensing detection models.
Fig. 7. Intrusion detection at the start point (Dh = 0).
Fig. 8. Intrusion detection in the heterogeneous WSN (Dh = ).
0
from (3), the probability that no2 Type I sensor lies inside Note that P1 ð0; S10 Þ ¼ e1 S1 is the probability of no Type I
r 0
S1 is P1 ð0; S1 Þ ¼ e1 S1 ¼ e 1 2s1
, and the probability of sensor in the area of S10 , and P2 ð0; S20 Þ ¼ e2 S2 is the
2 r
no Type II sensor inside S2 is P2 ð0; S2 Þ ¼ e2 S2 ¼ e2
s2
2 . probability of no Type II sensor in the area of S20 . The
Considering Type I and Type II, sensors are indepen- first condition can be satisfied with the probability of
dently deployed according to our heterogeneous WSN 1 P1 ð0; S10 Þ, and the second condition holds with the
model, the probability of neither Type I sensor nor Type probability of P1 ð0; S10 Þð1P2 ð0; S20 ÞÞ. Thus, 1P1 ð0; S10 Þ þ
II sensor that senses the intruder is P1 ð0; S1 ÞP2 ð0; S2 Þ ¼ P1 ð0; S10 Þð1 P2 ð0; S20 ÞÞ ¼ 1 P1 ð0; S10 ÞP2 ð0; S20 Þ represents
2 r 2 r
s1 s2 the probability of at least one sensor (either Type I or
e1 2 e2 2 . Thus, the probability of at least one sensor
Type II) that can detect the intruder within the maximal
(either Type I or Type II) around the boundary that can
2 r
s1 intrusion detection area S0 . Finally, the probability
sense2 the intruder is 1 P1 ð0; S1 ÞP2 ð0; S2 Þ ¼ 1 e1 2
r
s2 that the intrusion distance Dh is less than can be derived
e2 2 . Therefore, the probability that the intruder is 0 0
a s p1 ½Dh ¼ 1 P1 ð0; S10 ÞP2 ð0; S20 Þ ¼2 1 e1 S1 e 2 S2
.
detected immediately once it enters the network domain r r2
s1 s2
2 2 r
s1
r
s2
Further, we get p1 ½Dh ¼ 1e1 ð2rs1 þ 2 Þ e2 ð2rs2 þ 2 Þ . t u
can be represented as p1 ½Dh ¼ 0 ¼ 1 e1 2 e2 2 . u
t
Xk1 hXm i
Theorems 7-9 indicate that the quality of intrusion pk ½Dh ¼ 0 ¼ 1 m¼0 j¼0
P1 ðj; S 1 ÞP2 ðm j; S 2 Þ
detection in single-sensing detection scenario for a given Xk1 Xm r2s1 r2
only if at least k sensors are located within their half ability that there are totally m sensors can sense the
P Pm
sensing disk centered at the intrusion start point (as intruder. Then, k1 0 0
m¼0 ½ j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the
j
illustrated in Fig. 7). Based on (3), P1 ðj; S1 Þ ¼ ðS1j!Þ eS1 is probability that there are at most ðk 1Þ (i.e., less than k)
the probability of j Type I sensors that can sense the sensors that can sense the intruder within the intrusion
S
intruder within the corresponding intrusion detection detection area S10 S20 . Consequently, the probability
ðmjÞ
r2s1
area S1 ¼ 2 , and P2 ðm j; S2 Þ ¼ ðSðmjÞ!
2 Þ
eS2 is the pk ðDh Þ that the intruder travels with distance less
probability of ðm jÞ Type II sensors that can sense the than before being detected by the given heterogeneous
r2s2
intruder within the area of S2 ¼ 2 . Consequently, WSN in the k-sensing detection model can be derived
P hP i
P1 ðj; S1 ÞP2 ðm j; S2 Þ represents the probability of as pk ðDh Þ ¼ 1 k1 m 0 0
m¼0 j¼0 1 ðj; S1 ÞP2 ðm j; S2 Þ ¼
P
m sensors (j Type I sensors plus m j Type II sensors) Pk1 hPm r2s1 r2s2
i
1 m¼0 j¼0 P1 ðj; 2r s1 þ 2 ÞP2 ðmj; 2r s2 þ 2 Þ . tu
that can sense the intruder at the start point. Since these
Theorem 12. Let Ek ðDh Þ be the average intrusion distance under
m sensors can be any combination of sensor types,
Pm the k-sensing detection model in the given heterogeneous
j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the probability that there WSN. Then
are totally m sensors that can sense the intruder in P hP i
S r2s1 r2s2
the intrusion detection area of S1 S2 . Therefore, k k1
m¼0
m
j¼0 P1 j; 2 P2 m j; 2
Pk1 Pm Ek ðDh Þ ¼ : ð14Þ
2rs1 1 þ 2rs2 2
m¼0 ½ j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ is the probability of
at most ðk 1Þ (less than k) sensors that can sense the Proof. Ek ðDh Þ is the average intrusion distance in the
intruder when it approaches the WSN. Finally, the heterogeneous WSN. Then, the corresponding average
probability that the intruder can be immediately detected intrusion detection areas for Type I and Type II sensors
are S1 ¼ 2rs1 Ek ðDh Þ and S2 ¼ 2rs2 Ek ðDh Þ, respectively.
once it enters the heterogeneous WSN in the k-sensing
While the node densities of Type I and Type II sensors
detection model is equivalent to the complement of are 1 and 2 . The average number of Type I sensors
Pk1 Pm
m¼0 ½ j¼0 P1 ðj; S1 ÞP2 ðm j; S2 Þ, yielding that with the intruder during its invasion is N1 ¼ 1 S1 .
At the same time, the average number of Type II sensors For instance, in Theorem 1, the probability p1 ½D ¼ 0 that
that hit the intruder in its intrusion is N2 ¼ 2 S2 . In the the intruder can be immediately detected once it enters a
k-sensing detection model, k sensors are required to homogeneous WSN with node density , sensing range rs ,
detect the intruder, it has N1 þ N2 ¼ 1 S1 þ 2 S2 ¼ and node availability pa can be given by
2rs1 Ek ðDh Þ1 þ 2rs2 Ek ðDh Þ2 ¼ k. The only exception is r2
s
2rs1 Ek ðDh Þ1 þ 2rs2 Ek ðDh Þ2 ¼ 0 while Ek ðDh Þ ¼ 0 in the p1 ½D ¼ 0 ¼ 1 epa 2 : ð15Þ
case of immediate intrusion detection. In view of this, we
It is clear that (15) is reduced to (2) for pa ¼ 1.
eliminate this boundary effect (i.e., Ek ðDh Þ ¼ 0) and
obtain kð1 pk ½Dh ¼ 0Þ ¼ 2Ek ðDh Þrs1 1 þ 2Ek ðDh Þrs2 2 .
Substituting pk ½Dh ¼ 0 with (12), iwe further obtain 6 NETWORK CONNECTIVITY AND BROADCAST
Pk1 hPm r2s1 r2s2 REACHABILITY IN A HETEROGENEOUS
k m¼0 j ¼ 0 P1 ðj; 2 ÞP2 ðm j; 2 Þ ¼ 2Ek ðDh Þrs1 1 þ
2Ek ðDh Þrs2 2 . Consequently, the average intrusion dis-
WIRELESS SENSOR NETWORK
tance for k-sensing model in the heterogeneous WSN can Based on our network model, Theorems 1-12 statistically
be derived as characterize the intrusion detection probability in terms of the
P hP i intrusion distance, the node density, the sensing range, and
r2s1 r2s2
k k1m¼0
m
j¼0 P1 j; 2 P2 m j; 2 the node heterogeneity. Given a maximal allowable intrusion
Ek ðDh Þ ¼ : distance, a predefined detection probability, and the sensor
2rs1 1 þ 2rs2 2
capability (i.e., sensing range), the network planner can
u
t calculate the required node density by using Theorems 1-12.
Hereafter, the network planner knows the number and type
Theorems 10-12 indicate that the quality of intrusion of sensors that have to be deployed in the WSN.
detection in the k-sensing detection scenario for a given However, detecting the intruder is the first step in
heterogeneous WSN improves with the increase in the intrusion detection. To operate successfully, a WSN must
sensing range and the node density and decreases as k grows. provide satisfactory connectivity so that sensors can com-
In addition, the existence of high-capability sensors further municate for data collaboration and reporting to the
improves the network detection quality due to the enlarged administrative center (i.e., base station). The sensing data
sensing coverage. may have to be reported to the base station, which may be in
any location of the network [25]. If the network connectivity
5.3 Incorporating Node Availability
is not assured, it is meaningless even the sensor(s) detect the
It should be noted that the above analytical results
presence of the intruder. Zhang and Hou [26] have proven
(Theorems 1-12) can be extended to the scenario that a
power management scheme is adopted as follows: A power that in a homogeneous WSN, if the transmission range is
management scheme in WSNs is greatly desirable due to equal to or higher than twice of the sensing range, a given
power constraint on common sensors. Sensor power can be coverage probability guarantees a connectivity probability.
put on/off periodically to save energy in most of the In this manner, when the coverage is satisfied in the
WSN applications [16], [21], [22]. Thus, it is appropriate to homogeneous WSN, the network connectivity is also
take the node availability rate into consideration in our statistically guaranteed so that it allows two sensors to
analysis. communicate with each other. However, in a heterogeneous
The most basic prescheduled independent sleeping WSN, the deployment of sensors with different capability
approach can be implemented by a Random Independent
complicates the network operation with the asymmetric
Sleeping (RIS) scheme. In this scheme, time is divided into
cycles based on a time synchronization method. At the links. Specifically, a sensor with longer transmission range
beginning of a cycle, each sensor independently decides (i.e., Type I sensor) might reach some sensors with shorter
whether to become active with probability p or go to sleep transmission range (i.e., Type II sensors), while the Type II
with probability 1 p. Thus, the network lifetime is sensors may not be able to reach the Type I sensor. The
increased by a factor up to 1=p [23]. Here, we incorporate network connectivity has to be reconsidered.
this RIS scheme in our analysis of intrusion detection in In a heterogeneous WSN, sensors mainly use a broadcast
terms of node availability. We assume all sensors have the paradigm for communication [12] and high-capacity sensors
same availability probability, denoted by pa , which means usually undertake more important tasks (i.e., for broad-
each sensor has the probability of 1 pa to be off in every casting power management information or synchronization
sensing period. Note that the Poisson stream has its
information to all the sensors). This motivates us to examine
characteristics. If a Poisson stream with mean rate is split
into k substreams such that the probability of a job that is two fundamental characteristics of a heterogeneous WSN.
going to be the ith substream is pi , each substream is also The definitions are listed below:
Poisson distributed with a mean rate of pi [24]. In our
. Network connectivity. The probability that a packet
network model, all sensors are randomly deployed and
broadcasted from any sensor (either Type I or
conform to a Poission distribution. Therefore, our above
analysis can be extended to incorporate RIS scheme with a Type II sensor) can reach all the other sensors in
node availability rate pa by replacing the previous node the network.
densities , 1 , and 2 with pa , pa 1 , and pa 2 , respectively, . Broadcast reachability. The probability that a packet
in the above derivation of Theorems 1-12 for either broadcasted from any Type I sensor can reach all the
homogeneous or heterogeneous WSN. other sensors in the network.
i.e., there are Nj sensors of type j with transmission range rxj , PbrN ¼ 1 e1 rx1 e2 rx2 : ð18Þ
P
such that N ¼ Jj¼1 Nj for j ¼ 1; . . . ; J, and Nj 1 for 8j.
Let P ðconÞ be the probability that the WSN is connected, and Proof. Different from the network connectivity, broadcast
P ðnoiÞ be the probability that no sensor is isolated in the reachability is the probability that a packet broadcasted
WSN. It has from any Type I sensor can reach all the other sensors
P ðconÞ ffi P ðnoiÞ; ð16Þ in the WSN. As illustrated in Fig. 9, A 2 N is an
arbitrary sensor in the WSN. It has the responsibility to
for P ðnoiÞ close to 1.
receive the packet broadcasting from any Type I
Based on Lemma 1, we then have Theorem 13 and 14 sensor(s). In order for A to receive the packet, it has
as follows: to be in the transmission range of at least one of the
Theorem 13. Consider a heterogeneous WSN consisting of other N 1 sensors. In other words, sensor A should
independently deployed Type I and Type II sensors with not be isolated from the rest of the network, and at least
node densities 1 and 2 and transmission range rx1 and one sensor can reach A in its transmission range. The
rx2 ðrx1 > rx2 Þ, respectively. The upper bound of the network probability of no Type I sensor in its transmission range
connectivity is 2
from A is P1 ð0; r2x1 Þ ¼ e1 rx1 . The probability that no
N type II sensor lies in its transmission range from A
2
N
Pcon ¼ 1 eð1 þ2 Þrx2 : ð17Þ 2
is P2 ð0; r2x2 Þ ¼ e2 rx2 . Then, P1 ð0; r2x1 ÞP2 ð0; r2x2 Þ ¼
2 2
e1 rx1 e2 rx2 is the probability that neither Type I
Proof. In a heterogeneous WSN, network connectivity sensors nor Type II sensors can reach sensor A.
requires that a packet broadcasted from any sensor Therefore, the probability that at least one sensor can
(either Type I or Type II) can reach all the other sensors 2 2
reach A is 1 e1 rx1 e2 rx2 . Due to statistical inde-
of the network. Note an arbitrary sensor A, as illustrated
pendence among all sensors, the probability that the
in Fig. 9. If there is one Type I sensor (e.g., B) located in
the area of Sx1 ¼ r2x1 while outside of the area other ðN 1Þ sensors are reachable from the broadcast
h 2 2
iðN1Þ
Sx2 ¼ r2x2 , a packet generated from sensor A may not can be calculated as PbrN1 ¼ 1e1 rx1 e2 rx2 .
be able to reach sensor B. This is because sensor B may Consequently, we obtain the upper bound of broadcast
be out of sensor A’s transmission range if sensor A is a h 2 2
iN
Type II sensor with transmission range rx2 , and rx2 < rx1 . reachability as PbrN ¼ 1 e1 rx1 e2 rx2 . u
t
In view of this, for a packet generated from sensor A to The results in this section indicate that for a given
be received by all the other sensors in WSN, at least one heterogeneous WSN, the network connectivity and broad-
sensor (either Type I or Type II) should lie in the area of cast reachability is enhanced with the increase of node
the smaller transmission range Sx2 . Further, if all the density and transmission range. Furthermore, the broadcast
Fig. 10. Intrusion detection probability (single and three-sensing) in the Fig. 11. Average intrusion distance (single and three-sensing in the
homogeneous WSN. homogeneous WSN.
reachability is always higher than the network connectivity approaches 1 when the sensing range increases to a certain
under the same network parameters. threshold. For example, in the single-sensing detection, the
intruder can be detected with probability 1 if the sensing
7 SIMULATION AND VERIFICATION range exceeds 50, whereas in three-sensing detection, the
intruder can be almost surely detected if the sensing range
We have performed a simulation-based verification of our exceeds 90. In addition, we can see that the detection
analytical results in both homogeneous and heterogeneous probability grows fast when the sensing range is far from
WSNs. The simulation is carried out for single-sensing and the threshold and grows slowly when it approaches the
k-sensing detection models. The analytical and simulation threshold. Fig. 10 shows that the sensing range significantly
results are compared by varying the sensing range, impacts the detection probability of a homogeneous WSN.
transmission range, node density, and node availability. In the simulation, sensors are deployed in accordance with a uniform distribution in a squared network domain. The intruder moves into the network domain from a randomly selected point on the network boundary. Monte-Carlo simulation is performed, and each data point shown in the following figures is the average of 500 simulation results. The analytical results are calculated by using Theorems 1-14. For successive simulation runs, the sensors are uniformly redistributed in the network domain.

7.1 Verification for Homogeneous WSNs

We simulate the intrusion detection in a homogeneous WSN. There are 500 sensors uniformly deployed in a domain of 1,000 × 1,000 square meters, and the node density is 0.0005 per square meter. The sensing range changes from 0 to 100 meters and the maximal allowable intrusion distance is set as 50 meters. Fig. 10 illustrates the detection probability of the analytical and simulation results.

It can be seen in Fig. 10 that the analytical results match the simulation results pretty well, which indicates the correctness of our analytical model. The detection probability increases with the increase of the sensors' sensing range. This is because the increase of sensing range improves the network coverage. At the same time, the single-sensing detection probability is higher than that of three-sensing detection. This is because the k-sensing detection imposes a stricter requirement on detecting the intruder (e.g., at least k = 3 sensors are required).

Fig. 10 also demonstrates that the detection probability in single-sensing detection or three-sensing detection

To investigate the influence of a sensor's sensing range on the average intrusion distance of a WSN, we fix the number of sensors as N = 500 and vary the sensing range from 0 to 30 meters. Fig. 11 presents the average intrusion distance in single-sensing and three-sensing detection scenarios. It can be observed that the average intrusion distance drops dramatically with an increase of the sensing range. This is because the increase of sensing range significantly enhances the network coverage. Fig. 11 also shows that under the same network parameters, the average intrusion distance in single-sensing detection decreases more quickly than in three-sensing detection. This is because with the increase in a sensor's sensing range, more area can be monitored by one sensor than by three sensors.

In the simulation, we also show how to improve the detection efficiency by assuring the network connectivity so that the sensor can adjust its sleep period. In the normal state, each sensor keeps awake for 80 percent of a cycle (p_a = 0.8). If an intruder is detected by a sensor, an alarming message is broadcast by the sensor over the entire network. Then, all the sensors receiving the message keep awake for 100 percent of a cycle (p_a = 1.0). The results in Figs. 10 and 11 show a similar trend that for a given sensing range, the average intrusion distance drops if the waking time of the sensor is longer (1.0 > 0.8).

7.2 Verification for Heterogeneous WSNs

The purpose of the simulation in this part is to verify the analytical results on intrusion detection in heterogeneous WSNs. To examine the effect of introducing high-capability sensors (e.g., Type I sensors) on the network intrusion
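An added example (not the authors' simulator): a Monte-Carlo estimate of the k-sensing detection probability for the homogeneous setup of Section 7.1, with 500 sensors in a 1,000 × 1,000 meter domain and a maximal allowable intrusion distance of 50 meters. The straight-line intruder path with a uniformly random inward heading, the rule that a sensor senses the intruder when it lies within sensing range of that path, and the modelling of p_a as an independent per-sensor awake probability are assumptions of this example.

```python
import math
import random

SIDE = 1000.0     # edge of the square network domain in meters (from the page)
N_SENSORS = 500   # 500 sensors, i.e. density 0.0005 per square meter (from the page)

def dist_point_segment(px, py, ax, ay, bx, by):
    """Shortest distance from point P to the segment A-B."""
    dx, dy = bx - ax, by - ay
    seg2 = dx * dx + dy * dy
    t = 0.0 if seg2 == 0 else ((px - ax) * dx + (py - ay) * dy) / seg2
    t = max(0.0, min(1.0, t))
    return math.hypot(px - (ax + t * dx), py - (ay + t * dy))

def random_path(rng, xi):
    """Random boundary entry point and end of a straight path of length xi.
    Assumption: heading is uniform over the inward-facing half-plane."""
    u = rng.uniform(0.0, SIDE)
    ax, ay, inward = rng.choice([(u, 0.0, math.pi / 2), (SIDE, u, math.pi),
                                 (u, SIDE, 3 * math.pi / 2), (0.0, u, 0.0)])
    heading = inward + rng.uniform(-math.pi / 2, math.pi / 2)
    return ax, ay, ax + xi * math.cos(heading), ay + xi * math.sin(heading)

def detection_probability(r_s, k=1, xi=50.0, p_awake=1.0, runs=500, seed=1):
    """Fraction of runs in which at least k awake sensors sense the intruder
    before it has travelled the maximal allowable intrusion distance xi."""
    rng = random.Random(seed)
    detected = 0
    for _ in range(runs):
        ax, ay, bx, by = random_path(rng, xi)
        sensing = 0
        for _ in range(N_SENSORS):   # sensors are redeployed uniformly each run
            x, y = rng.uniform(0.0, SIDE), rng.uniform(0.0, SIDE)
            awake = rng.random() < p_awake   # assumption: independent per sensor
            if awake and dist_point_segment(x, y, ax, ay, bx, by) <= r_s:
                sensing += 1
        detected += sensing >= k
    return detected / runs

if __name__ == "__main__":
    for r_s in (10, 30, 50, 100):
        print(r_s, detection_probability(r_s, k=1), detection_probability(r_s, k=3))
```

Because every call with the same seed replays the same deployments and paths, the single-sensing estimate can never fall below the three-sensing one, and lowering p_awake can only lower the estimate.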
broadcast reachability is equivalent to the network connectivity since there are no asymmetric links.

Next, the simulation is carried out to see the effect of Type I sensors on the network connectivity and broadcast reachability. We fix the number of Type II sensors as n_2 = 300 and vary the number of Type I sensors from 10 to 300. The transmission ranges are set as r_x1 = 140 meters and r_x2 = 70 meters for Type I and Type II sensors, respectively. Similar to the results shown in Fig. 12, we compare the results in homogeneous WSN with that in heterogeneous WSN by reducing Type I sensors to Type II sensors.

Fig. 14 shows the analytical and simulation results, and they match with each other closely. From the figure, network connectivity and broadcast reachability are improved while increasing Type I sensors. This is because some sensors that are originally isolated or unreachable from the rest of the network are now connected or reachable in the network after the introduction of Type I sensors. In addition, the results indicate that even a small increase of Type I sensor significantly improves the broadcast reachability, while network connectivity only improves gradually. This also implies that the node heterogeneity does affect the broadcast reachability much more dramatically than it does to the network connectivity.

8 CONCLUSION

This paper analyzes the intrusion detection problem in both homogeneous and heterogeneous WSNs by characterizing intrusion detection probability with respect to the intrusion distance and the network parameters (i.e., node density, sensing range, and transmission range). Two detection models are considered: single-sensing detection and multiple-sensing detection models. The analytical model for intrusion detection allows us to analytically formulate intrusion detection probability within a certain intrusion distance under various application scenarios. Moreover, we consider the network connectivity and the broadcast reachability in a heterogeneous WSN. Our simulation results verify the correctness of the proposed analytical model. This work provides insights in designing homogeneous and heterogeneous WSNs and helps in selecting critical network parameters so as to meet the application requirements.

REFERENCES

[1] D.P. Agrawal and Q.-A. Zeng, Introduction to Wireless and Mobile Systems. Brooks/Cole Publishing, Aug. 2003.
[2] B. Liu and D. Towsley, “Coverage of Sensor Networks: Fundamental Limits,” Proc. Third IEEE Int’l Conf. Mobile Ad Hoc and Sensor Systems (MASS), Oct. 2004.
[3] S. Ren, Q. Li, H. Wang, X. Chen, and X. Zhang, “Design and Analysis of Sensing Scheduling Algorithms under Partial Coverage for Object Detection in Sensor Networks,” IEEE Trans. Parallel and Distributed Systems, vol. 18, no. 3, pp. 334-350, Mar. 2007.
[4] S. Banerjee, C. Grosan, A. Abraham, and P. Mahanti, “Intrusion Detection on Sensor Networks Using Emotional Ants,” Int’l J. Applied Science and Computations, vol. 12, no. 3, pp. 152-173, 2005.
[5] S. Capkun, M. Hamdi, and J. Hubaux, “GPS-Free Positioning in Mobile Ad-Hoc Networks,” Proc. 34th Ann. Hawaii Int’l Conf. System Sciences, Jan. 2001.
[6] N. Bulusu, J. Heidemann, and D. Estrin, “Gps-Less Low Cost Outdoor Localization for Very Small Devices,” IEEE Personal Comm. Magazine, special issue on smart spaces and environments, 2000.
[7] D. Niculescu, “Positioning in Ad Hoc Sensor Networks,” IEEE Network, vol. 18, no. 4, pp. 24-29, July-Aug. 2004.
[8] Y. Wang, X. Wang, D. Wang, and D.P. Agrawal, “Localization Algorithm Using Expected Hop Progress in Wireless Sensor Networks,” Proc. Third IEEE Int’l Conf. Mobile Ad hoc and Sensor Systems (MASS ’06), Oct. 2006.
[9] P. Traynor, R. Kumar, H. Choi, G. Cao, S. Zhu, and T.L. Porta, “Efficient Hybrid Security Mechanisms for Heterogeneous Sensor Networks,” IEEE Trans. Mobile Computing, vol. 6, no. 6, June 2007.
[10] J.-J. Lee, B. Krishnamachari, and C.J. Kuo, “Impact of Heterogeneous Deployment on Lifetime Sensing Coverage in Sensor Networks,” Proc. First Ann. IEEE Comm. Soc. Conf. Sensor and Ad Hoc Comm. and Networks, pp. 367-376, Oct. 2004.
[11] V.P. Mhatre, C. Rosenberg, D. Kofman, R. Mazumdar, and N. Shroff, “A Minimum Cost Heterogeneous Sensor Network with a Lifetime Constraint,” IEEE Trans. Mobile Computing, vol. 4, no. 1, pp. 4-15, 2005.
[12] M. Yarvis, N. Kushalnagar, H. Singh, A. Rangarajan, Y. Liu, and S. Singh, “Exploiting Heterogeneity in Sensor Networks,” Proc. IEEE INFOCOM, 2005.
[13] I.F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “A Survey on Sensor Networks,” IEEE Comm. Magazine, vol. 40, no. 8, pp. 102-114, Aug. 2002.
[14] H. Kung and D. Vlah, “Efficient Location Tracking Using Sensor Networks,” Proc. IEEE Wireless Comm. and Networking Conf., vol. 3, pp. 1954-1961, Mar. 2003.
[15] C.-Y. Lin, W.-C. Peng, and Y.-C. Tseng, “Efficient in-Network Moving Object Tracking in Wireless Sensor Networks,” IEEE Trans. Mobile Computing, vol. 5, no. 8, pp. 1044-1056, 2006.
[16] C. Gui and P. Mohapatra, “Power Conservation and Quality of Surveillance in Target Tracking Sensor Networks,” Proc. 10th Ann. Int’l Conf. Mobile Computing and Networking (MobiCom ’04), pp. 129-143, 2004.
[17] B. Liu, P. Brass, O. Dousse, P. Nain, and D. Towsley, “Mobility Improves Coverage of Sensor Networks,” Proc. Sixth ACM Int’l Symp. Mobile Ad Hoc Networking and Computing (MobiHoc ’05), pp. 300-308, 2005.
[18] X. Wang, Y. Yoo, Y. Wang, and D.P. Agrawal, “Impact of Node Density and Sensing Range on Intrusion Detection in Wireless Sensor Networks,” Proc. 15th Int’l Conf. Computer Comm. and Networks (ICCCN ’06), Oct. 2006.
[19] Y. Wang, X. Wang, D.P. Agrawal, and A.A. Minai, “Impact of Heterogeneity on Coverage and Broadcast Reachability in Wireless Sensor Networks,” Proc. 15th Int’l Conf. Computer Comm. and Networks (ICCCN ’06), Oct. 2006.
[20] C. Bettstetter, “On the Minimum Node Degree and Connectivity of a Wireless Multihop Network,” Proc. Third ACM Int’l symposium on Mobile ad hoc Networking and Computing (MobiHoc ’02), pp. 80-91, 2002.
[21] A. Ephremides, “Energy Concerns in Wireless Networks,” IEEE Wireless Comm., vol. 9, no. 4, pp. 48-59, Aug. 2002.
[22] L. Wang and Y. Xiao, “A Survey of Energy-Efficient Scheduling Mechanisms in Sensor Networks,” Mobile Network Applications, vol. 11, no. 5, pp. 723-740, 2006.
[23] S. Kumar, T.H. Lai, and J. Balogh, “On K-Coverage in a Mostly Sleeping Sensor Network,” Proc. 10th Ann. Int’l Conf. Mobile Computing and Networking (MobiCom ’04), pp. 144-158, 2004.
[24] R. Jain, The Art of Computer Systems Performance Analysis: Techniques for Experimental Design, Measurement, Simulation and Modeling. Wiley-Interscience, 1991.
[25] A. Durresi, P.V.K. , S. Iyengar, and R. Kannan, “Optimized Broadcast Protocol for Sensor Networks,” IEEE Trans. Computers, vol. 54, no. 8, pp. 1013-1024, Aug. 2005.
[26] H. Zhang and J. Hou, “On Deriving the Upper Bound of -lifetime for Large Sensor Networks,” Proc. Fifth ACM Int’l Symp. Mobile Ad Hoc Networking and Computing (MobiHoc ’04), pp. 121-132, 2004.
[27] C. Bettstetter, “On the Connectivity of Wireless Multihop Networks with Homogeneous and Inhomogeneous Range Assignment,” Proc. IEEE Vehicular Technology Conf. (VTC ’02), vol. 3, pp. 1706-1710, Sept. 2002.
Yun Wang received the BS degree in computer science and engineering in 2001 at Wuhan University, Hubei, China, and then entered the PhD program in computer science and engineering at Wuhan University, where she specialized in multimedia communication. She joined the Center for Distributed and Mobile Computing, Department of Electrical and Computer Engineering and Computer Science, University of Cincinnati, Ohio, in 2004, as a PhD student. Her research activities include fundamental design issues in wireless sensor networks such as sensor deployment, energy efficiency, positioning, and network security. She also performs research on wireless MAC protocol design in wireless ad hoc networks and audio and video processing in multimedia communication. She is a student member of the IEEE.

Xiaodong Wang received the BS degree in communication engineering in 1995, the MS degree in electric engineering in 1998, and the PhD degree in computer engineering from the University of Cincinnati, Cincinnati, Ohio, in 2005. He joined China Telecom in 1998, where he worked on communication protocols for telecommunication. From June 2000 to July 2002, he worked on GSM base station software development at Bell-labs China, Beijing. His research activities included wireless MAC protocols and energy saving for wireless sensor networks. He joined Motorola in 2005. He is currently with the OBR Center of Distributed and Mobile Computing, Department of Computer Science, University of Cincinnati. He is a student member of the IEEE.

Bin Xie received the BSc degree from Central South University, Changsha, China, the MSc and PhD degrees (with honors) in computer science and computer engineering from the University of Louisville, Kentucky. As a research associate, he is currently with the Department of Computer Science, University of Cincinnati. He is the author of the book entitled Heterogeneous Wireless Networks—Networking Protocol to Security and published more than 30 papers in international conference proceedings and journals. His research interests are focused on ad hoc networks, sensor networks, wireless mesh networks, integrated WLAN/MANET/cellular with Internet, in particular the fundamental aspects of mobility management, performance evaluation, Internet/wireless infrastructure security, and wireless network capacity. In addition to his academic experience, he has six years of industry experience, including ISDN, 3G, and Lucent Excel programmable switching systems. He is an IEEE senior member.

Demin Wang received the BS degree in computer science and the MS degree in safety technology and engineering from the University of Science and Technology of China, Hefei, China, in 2000 and 2003, respectively. He is currently working toward the PhD degree in computer science and engineering at the University of Cincinnati, Cincinnati, Ohio. His research interests include coverage and energy problems in wireless sensor networks, implementation of wireless sensor networks, and wireless mesh networks. He is an IEEE student member.

Dharma P. Agrawal is the Ohio board of regents distinguished professor of computer science and the founding director for the Center for Distributed and Mobile Computing, Department of ECECS, University of Cincinnati, Ohio. He was a visiting professor of ECE at the Carnegie Mellon University, where he was on sabbatical leave during the Autumn 2006 and Winter 2007 Quarters. He has been a faculty member at the North Carolina State University, Raleigh, North Carolina (from 1982 to 1998) and the Wayne State University, Detroit (from 1977 to 1982). His recent research interests include resource allocation and security in mesh networks, efficient query processing and security in sensor networks, and heterogeneous wireless networks. He is a coauthor of an introductory textbook on wireless and mobile computing that has been widely accepted throughout the world, and a second edition was published in 2006. The book has been reprinted both in China and India and translated to Korean and Chinese languages. He is also a coauthor of a book on ad hoc and sensor networks published in the spring of 2006 and has been named as a best seller by the publisher. He has given tutorials and extensive training courses in various conferences in the USA and numerous institutions in Taiwan, Korea, Jordan, Malaysia, and India on ad hoc and sensor networks and mesh networks. He is an editor for the Journal on Parallel and Distributed Systems, International Journal on Distributed Sensor Networks, International Journal of Ad Hoc and Ubiquitous Computing, and International Journal of Ad Hoc and Sensor Wireless Networks. He served as an editor of the IEEE Computer magazine, the IEEE Transactions on Computers, and the International Journal of High Speed Computing. He has been the program chair and general chair for many international conferences and meetings. He has received numerous certificates and awards from the IEEE Computer Society. He was awarded a “Third Millennium Medal” by the IEEE for his outstanding contributions. He has also delivered the keynote speech for five international conferences. He also has five patents in wireless networking area. He has also been named as an ISI Highly Cited Researcher in Computer Science. He is a fellow of the IEEE, the ACM, the AAAS, and the WIF.