Simulation Evaluation

The environment of our simulation is randomly spread N sensor nodes in an area R[0,L]² and the events occurred randomly anywhere inside R. The size of isoclusters may expend or reduced as time go by. The clusters inside the isoclusters would break up or get new ones as the variation of the range of isocluster. If the events occurred and dismissed quickly, the action of clustering would cause down the performance of the networks. So we define the time threshold T that when events occurred exceed T, the action of clustering begins. The time threshold T in our scheme is the time that the size of isocluster exceeds two hops away in the networks. So the value of T is case by case in the simulation.

We used TDMA with IEEE 802.15.4 ZigBee Mac protocol for our simulation environment. The size of look-up table of sensors in our simulation is 20. In other words, the numbers of samples which process detection once by clustered-heads of each voter are 20. There are 10 rounds of detection, once each time slot. So there are 200 data must be transmitted from non-clustered-heads to clustered-heads each case.

Figure 4-4 shows the results of our simulation.

There are three cases of our simulation. Each of which were process over 200 times. We let the nodes compromised 20%, 30%, 40% of neighbors of each node. So there are N/5, 3N/10, 2N/5 compromised nodes between N nodes spread in the network. The best case in our simulation is about 98.10%

detection rates in 20% compromised case. According to that graph, we can see the higher precision the later time slot. Because the numbers of compromised nodes inside the network are much less than other case, the relation of geographically locations between compromised nodes does not apparently influence the result. So the better precision occurred at the less numbers of compromised nodes in the networks. There is another one factor that could also influence the result. That is the behavior of compromised nodes. The ones who were compromised might not transmit fabricated contents of message all the time. They can sometime fabricate data and sometime tell the truth. When the value of trustworthy is almost below the threshold, they can tell the truth until the value of trustworthy recovering.

That is why some compromised nodes can not be detected. On the other side, the actions which caused down the performance of the network done by compromised nodes would be limited. That’s the goodness of our scheme.

The scheme not only detects the compromised nodes inside the range of clusters but also limited the damages caused by compromised ones into 1-hop cluster.

One thing should be noticed in the figure 4-4 is that the detection precisions of 20% case before time slot 3 is less than others. One of the reasons is probably the number of compromised nodes. The probabilities of compromised nodes that fabricate the message most of the time and make the values of trustworthy decreased rapidly below the threshold in higher percent of compromised cases are relatively higher than less ones. The other reasons are the size of isocluster and the relative geographical locations between compromised nodes…etc.

Figure 4-5 represent the detection rate of compromised nodes independently in each slot. By observing that, we can know the highest precision of detection rate is at time slot 3 of figure 4-5 and the largest

variation of detection rate in figure 4-4 is also from time slot 2 to time slot 3.

The time slot 2~3 is the threshold that the stupid (fabricate messages without considering the factor of trustworthy value) compromised nodes were be detected. The scenario does not mean these stupid compromised nodes were always detected from time slot 2 to time slot 3. It means that the stupid compromised nodes were usually detected earlier than smart ones (the ones who do not transmit fake message all the time and consider the effect of trustworthy values).

The ratio of detection on each case from time slot 2 to time slot 3 is: 84%

for 20% compromised neighbors, 65.7% for 30% compromised neighbors and 46% for 40% compromised neighbors. At time slot 4, the ratio of detection for 40% compromised of neighbors is 55.5% (see figure 4-4). This represents that most of compromised nodes can be detected in early time slots and the range of detection variation will not vary so much. After that time slot, the remainder compromised nodes would consider the factor of trustworthy values as an important detected element. These conditions were more apparently in more compromised nodes’ cases of the network.

Figure 4-6 shows the false detection rate for compromised nodes. We can see the worse case in the scheme is 1.21%. That means that there are 1.21 normal nodes of the detected compromised nodes.

The better results occurred at fewer compromised nodes cases of the simulation. This is reasonable, because the numbers of compromised nodes in higher precision case are relatively less. The influence of geographically locations between compromised nodes for the result is not so much than more compromised nodes’ case. We can say that the false detection rate of compromised nodes is relative direct proportion to the number of compromised nodes.

Figure 4-7 show the false detection rate independent of each time slot.

Finally, we compared our simulation result with the decentralize

intrusion detection system in wireless sensor network [22]. Figure 4-8 shows the effectiveness of data alteration detection compared with the decentralize IDS. We can see that the detection effectiveness of decentralized IDS decrease when increasing the buffer size. The voting based detection would not cause down rapidly as the change of buffer size.

We also evaluate the effect of traffic between clustered WSNs and un-clustered WSNs. There are ten time slots in the evaluation. We use the HEED protocol to clustering, and gather statistics with the number of the packets. The packet sums of each time slot is representing that the number of transmissions which each node transmits one packet. This condition is not usually occurred in the network. Because the sensors do not sense data in each time slot, they sleep ordinary. When it needs to be sensed, the sensors wake up and work. Figure 4-9 shows the simulation result.

.