A systematic review of routing attacks detection in wireless sensor networks

Wormhole attacks

In a wormhole attack, the attacker connects two network nodes physically separated from one another using a quick communication path called a wormhole tunnel as can be seen in Fig. 2. This communication platform can be an Ethernet cable, high-speed wireless communication, or fiber optic communication. When the wormhole tunnel is implemented, the attacker captures the packets directed by the nodes on one side of the network and spreads them through the wormhole tunnel on the other side. The wormhole nodes behave completely transparently, making them invisible to the network; therefore, it is operational even without network IDs or cryptographic keys (Ma et al., 2017). Table 1 displays the comparative analysis of currently available wormhole attack detections in literature.

Sybil attacks

The 1973 book “Sybil” is about Shirley Mason, a mental health patient with multiple false identities (Schreiber, 1973). Sybil was named after the WSN nodes with false identities for this rationale. The most vulnerable peer-to-peer networks to Sybil attacks are distributed networks. In its most basic form, Fig. 3 shows how a malicious node uses the Sybil attack to place itself in a position of multiple other nodes. Sybil’s attack can stop redundancy in distributed networks by falsifying other nodes’ identities and preventing accurate distribution.

Each identity should be linked to a physical node to defend against Sybil attacks. There are two ways to achieve the stated objective. The first method is direct acknowledgment, in which the node checks the accuracy of its interacting node directly. A second method is a form of indirect acknowledgment in which the verified node accepts or rejects the other node. The following are three ways to detect a Sybil attack:

• Evaluating the radio source

• Determining the critical correctness for pre-distributed keys

• Node Registration and Location discovery.

Table 2 displays the comparative analysis of currently available Sybil attack detections in literature.

Grayhole/Selective forwarding (SF) attacks

Multi-step routing networks forward packets safely and unchanged to the parent node. Attacker nodes employing grayhole/selective forwarding may decide not to forward or drop specific packets or alter them before forwarding. A standard grayhole/selective forwarding attack is that the attacker node avoids sending any packet to the next node and deletes them. As shown in Fig. 4, if an attacker node feels threatened by its neighbors, it explores a different path and decides to leave the current path (La, Fuentes & Cavalli, 2016).

Since the attack is conducted through authenticated nodes, the authentication mechanisms must be improved to detect and prevent grayhole/selective forwarding attacks. So far, several solutions have been proposed to deal with these types of attacks, such as:

• Attack identification through the concept of node authentication.

• The concept of a multithreaded data stream.

• Detection using the heterogeneous network theory.

Table 3 displays the comparative analysis of currently available Grayhole/Selective Forwarding (SF) attack detections in literature.

Blackhole attack

In a blackhole attack, the attacker pulls traffic to the network by broadcasting fake routing information to find the shortest path. This malicious node pretends to have the shortest path while sending fake messages. As a result, the source node ignores the routing table and utilizes this node to send packets. The blackhole node then begins to drop the sent packets, as shown in Fig. 5, causing a network service interruption or provision.

The network may suffer severe damage because of a blackhole attack; however, neighboring nodes can quickly identify the malicious nodes by keeping an eye on their activity. A risky fake route will be proposed that will not deliver the packets to their intended location if the malicious node responds to the request message before the valid node does. The malicious node will disrupt the network and drop the packets, disrupting packet movement in the network. Table 4 displays the comparative analysis of currently available blackhole attack detections in literature.

Sinkhole attacks

Sinkhole attacks are one of the most appealing but dangerous attacks in WSNs. This attack is notable for its ability to launch another attack in the middle of the attack. The sinkhole attack uses a node with false information and specifications to fool neighboring nodes into sending their data to the attacker node. At this time, the attacker can apply any changes to the information, including changing the packet, rejecting packets, or utilizing other attacks. Figure 6 illustrates a simulation of a sinkhole attack.

In WSNs, communication is hop-to-hop, meaning the packet is conveyed from one node to another to reach the destination. In this case, the nodes usually choose a path that has a lower hop and selects a node as its parent, which is in a less hop count path, known as an optimal path. The attack starts when a sensor node decides to show itself as desirable to other nodes (Isidro & Ashour, 2021). Because of optimal path selection in WSNs, nodes try to select the best path, which also has the least cost to transmit their packets. The cost may include several factors such as processing, energy consumed, distance and load. Therefore, a malicious node in the sink attack somehow shows itself to its neighbors that they think it has the lowest cost and the shortest path to the sink. In this case, the attack enters its primary phase, as neighboring nodes select the malicious node as their parent and send information to it by lack of knowledge that the node will announce fake and false information about its distance to the base station entirely unrealistic. At this time, a penetration range is created in the network, massive network traffic comes to this node, and much information gets changed or forged. The malicious node can be a laptop-class type with several process power and energy and can continue to sabotage for a long time (Reji et al., 2017). Table 5 displays the comparative analysis of currently available sinkhole attack detections in literature.

Replay attack

The furthermost standard direct attack in contrast to a routing protocol is to target the routing data between the nodes. Unprotected routing in WSNs causes such vulnerabilities on routing because each node in the WSNs can perform as a router, and thus can promptly affect routing data (Chaki & Ashour, 2021). By replay attack, intruders can cause routing loops, wrong error packets, network division, increase end-to-end latency, and increase or shorten the path. Figure 7 displays a simulation of replay attack.

The Code Verification Identity Packet can be used to deal with replay attacks, which are attached to the original packet. The recipient can identify the fake or modified packet by adding a packet confirming the code’s identity. Furthermore, counters and timestamps can be used in the packet being sent to counteract the repetition of routing information. In general, a solution to such attacks can be found by validating nodes and encoding data packets (Pathan, 2016). Table 6 displays the comparative analysis of currently available replay attack detections in literature.

Spoofing attacks

Spoofing is a direct and standard attack against the routing protocol. This attack aims to obtain the path of information exchange between two nodes. Attackers will be able to create routing loops, attract or decline network traffic, extend, or shorten resource paths, generate false error messages, segment the network, and ultimately increase end-to-end traffic (Huan, Kim & Zhang, 2021). Figure 8 illustrates a simulation of a spoofing attack.

The common solution for this type of attack is authentication and validation. Table 7 displays the comparative analysis of currently available spoofing attack detections in literature.

Hello flood attacks

A Hello Flood attack is one of the more recent attacks on WSNs. In a few protocols, nodes must broadcast Hello packets to let other nodes know they exist. A node that receives a Hello packet assumes that it is within the sender’s node’s radio range. This concept might be untrustworthy, and a laptop-class attacker could convince any network node that the attacker is one of its neighbors. It can only re-distribute overhead packets to the public, as seen in Fig. 9, with the possibility of each network node retrieving them.

The most straightforward defense against a Hello Flood attack is to examine a link on both sides before doing an evocative action on a packet established from a link. Hence, this joint action loses effectiveness when an attacker has a reliable receiver, such as its robust sender. An attacker can effectively create a wormhole in this way. The above method cannot effectively detect and prevent Hello Flood Attacks because the link between these nodes and the attacker is bidirectional. A solution to this problem is that each node authenticates its neighbors with an authentication protocol from a secure base station. If the protocol directs packets in mutual directions of the link, Hello Flood Attacks can be banned when the attacker has a robust transmitter since the protocol checks both directions of the link.

In a multi-step topology, hello flood attacks are typically used to broadcast a packet that every node should receive. The self-organized and decentralized nature of secure, high-sensitivity WSNs poses a significant challenge. It is possible to use global knowledge as a security measure. When the topology is well-formed or altered, or when network scope is constrained. For example, in relatively small WSNs with one hundred nodes or less that have no non-virtual nodes at the development stage, each node can send information to its neighbors and transmit its geographic location to the base station after the initial topology is formed (Sayed & Ashour, 2021). The base station can map the entire network’s topology using the above information. The reason for changing the topology is due to radio interactions or node errors. The nodes renovate a base station with proper information periodically and cause the base station to map the network topology accurately (Khan et al., 2016). Table 8 displays the comparative analysis of currently available hello Flood attack detections in literature.

Data sources

Table 10 lists the articles that were accumulated for review from credible publishers, including Wiley, Tech Science, Springer, ScienceDirect, Sage, MDPI, InderScience, IGI Global, IEEE, Hindawi, Exeley, Elsevier and, Google Scholar.

Search strategy

The focus has been on routing attack detection techniques since 2016. The articles under consideration for this review are from the past 6 years. We define the search words as the first step in figuring out the search string based on the theme and the suggested research questions. The search keywords were “attacks” and “wireless sensor network.” The significant watchwords were associated using the logical operators “AND” and “OR.” After several evaluations, we chose the supplementary search strings that provide an adequate amount of related research. We do this by considering the keywords in Table 11 and framing the search string as follows:

Search Strings: (([B1, S1] OR [B1, S2] OR [B1, S3] OR [B1, S4] OR [B1, S5] AND ([B2,S1] OR [B2, S2])))

Article selection process

The research questions are first framed as part of the methodology used in the article selection process. The selection and search processes are aided by structuring the search string. The articles that have been published in English are considered. The scoping review process is conducted under the PRISMA (Prevention and Recovery Information System for Monitoring and Analysis) flow diagram (Peters et al., 2015) to comprehend the most recent advancements and research on detecting routing attacks depicted in Fig. 10. The search process is concluded by categorizing the routing attacks to ensure that this survey is comprehensive. Most of the articles were discarded because their abstracts were not found, or their titles did not meet the screening criteria.

Inclusion and exclusion criteria

As shown in Fig. 10, which is a PRISMA flow diagram for article selection, the underlying study generated a total of 1,428 articles from various quality publishers between 2016 and 2022, as mentioned in Table 9. The inclusion and exclusion criteria, listed in Table 12, are implemented to select the significant related research. Therefore, the number of articles was lowered to 783. The number of chosen articles was reduced to 122 based on their titles and abstracts. Following that, 122 articles were examined and thoroughly scrutinized based on the content that matched our classification of routing attack detections in WSN, finally generating 87 articles based on the content. After checking the title, abstract, and comprehensive published research, the essential research articles are selected in accordance with the established criteria to ensure that the findings are relevant to this research article.

Year-wise selection

From the articles which are selected for review, Fig. 11 shows the number of articles published year-wise. To provide a current and relevant literature review, articles from the last 6 years were selected from 2016 to 2022.

Publisher-wise selection

Figure 12 shows the number of articles which were selected and published by well-known scholarly publishers between 2016 and 2022. Overall, of 13 different quality publishers are selected for inclusion of their articles in this SLR article. Three articles are selected from Wiley, three articles are selected from Tech Science, 23 articles are selected from Springer, four articles are selected from ScienceDirect, two articles are selected from Sage, 10 articles are selected from MDPI, four articles are selected from InderScience, one article is selected from IGI Global, eight articles are selected from IEEE, six articles are selected from Hindawi, one article is selected from Exeley and seven articles are selected from Elsevier. Moreover, 15 articles are selected from Google Scholar as it ranks individual articles by considering the publication source, the author, the full text of each document, and the quantity and recency of citations.

Selection per performance evaluation metric

Overall, of 24 different performance evaluations metrics were defined in process of developing this article in which True Detection Rate (TDR), Energy Consumption, Packet delivery Ratio (PDR), Detection Accuracy and communication overhead are the most used metrics in 24, 21, 14, 14 and 13 articles. Figure 13 shows the number of articles used the other metrics.

Selection per detection method

Figure 14 displays the number of articles which used different detection methods. Total of 79 different detection methods were identified in which only the methods which were used in more than two articles are included in Fig. 14. Eight articles used behaviour-based neighbor-based detection methods which gained the highest rank. RSS and trust-based gained second place as they are used by six articles each.

Selection per routing attack

This article is the review of 87 different articles from 2016 to 2022 in which some of the articles focused on more than one attack. As per the statistical analysis which is provided in Fig. 15 and the number of articles overviewed the specific attacks, we can sort out the routing attack severity as per the following: wormhole attack (14 articles), Sybil Attack (24 articles), Grayhole/selective forwarding attack (27 articles), blackhole attack (21 articles), sinkhole attack (13 articles), replay attack (six articles), Spoofing attack (five articles) and hello flood attacks (four articles).

Selection per different metrics for wormhole attack

Overall, 14 different performance evaluations metrics are used by the articles on wormhole attack detection. As shown in Fig. 16, Efficiency gained the highest rank as it is used by four articles.

Selection per different metrics for Sybil attack

Overall, 19 different performance evaluations metrics are used by the articles on Sybil attack detection. As shown in Fig. 17, True Detection Rate (TDR) gained the highest rank as it is used by 10 articles.

Selection per different metrics for Grayhole/SF attack

Overall, 21 different performance evaluations metrics are used by the articles on Grayhole/SF attack detection. As shown in Fig. 18, Energy Consumption gained the highest rank as it is used by nine articles.

Selection per different metrics for blackhole attack

Overall, 19 different performance evaluations metrics are used by the articles on Blackhole attack detection. As shown in Fig. 19, True Detection Rate (TDR) gained the highest rank as it is used by seven articles.

Selection per different metrics for sinkhole attack

Overall, 14 different performance evaluations metrics are used by the articles on Sinkhole attack detection. As shown in Fig. 20, Energy Consumption gained the highest rank as it is used by six articles.

Selection per different metrics for replay attack

Overall, nine different performance evaluations metrics are used by the articles on Replay attack detection. As shown in Fig. 21, Packet delivery Ratio (PDR) and True Detection Rate (TDR) gained the highest rank as they are used by two articles.

Selection per different metrics for spoofing attack

Overall, 10 different performance evaluations metrics are used by the articles on Spoofing attack detection. As shown in Fig. 22, Resource Consumption gained the highest rank as it is used by two articles.

Selection per different metrics for hello flood attack

Overall, nine different performance evaluations metrics are used by the articles on Hello Flood attack detection. As shown in Fig. 23, Energy Consumption gained the highest rank as it is used by two articles.

Memory and capacity

Each sensor is a tiny device with a slight volume of memory and storage space for storing the codes (Isidro & Ashour, 2021). With the intention of consuming an efficient detection, it is vital to reduce the code size.

Energy

It is the most significant constraint for WSNs capabilities. It is assumed that nodes cannot easily insert or recharge after the deployment of WSNs. The impact of the added security code on energy should be taken into consideration when a cryptographic function or protocol is implemented inside the nodes. In other words, when designing a detection tool, it is essential to determine its impact on the node’s lifespan. The extra energy consumed by the nodes is because of the required processing to execute detection, transfer of security-related data, and ultimately safely storing parameters.

Unknown transmission

In general, communications are wireless because of the packet-based routing in WSNs, and this means the data transfer is uncertain. Packets may be broken due to channel errors or because of network congestion. The result is the loss of the packets. The vital security packets do not get to the correct destination or get lost if protocols are not adequately managed.

Collision

Even if the channel is reliable, the connection itself may be uncertain. It is due to the nature of the WSNs transmission. If the packets collide in the middle of their way, the transfer operation will fail. In high-density networks, this can be a severe obstacle, which may lead to packets loss.

Delay

Multi-route routing network congestion (Pulmamidi, Aluvalu & Maheswari, 2021) and processing nodes can lead to increased delays, which may result in a lack of synchronization in WSNs. The synchronization is crucial for WSNs where the detection systems depend on critical event reports or broadcasting cryptographic keys.

Node seizure attacks

Sensors may be deployed in environments that are accessible to the attacker. So, the probability that a sensor node will be exposed to a physical attack is reasonably more than a server residing in a safer place (Isidro & Ashour, 2021). By taking over the node, it is possible for an attacker to read the valuable information that can include cryptographic keys.

Q2. What performance evaluation metrics are considered when WSN detects routing attacks?

Overall, of twenty-four performance evaluation metrics were identified during the development of this SLR article in which Table 13 displays the articles which use the most 12 common metrics according to different type of attack detection. Figure 13 displays the number of articles for each metrics therefore the most used metrics are: TDR, energy consumption, PDR, detection accuracy, communication overhead, FDR, throughput, FPR, computation overhead, efficiency, network lifetime and end-to-end delay.

Q3. What are the current research trends and unaddressed issues in WSN?

In recent years, research on WSNs security has become more prominent. In the design of WSNs, there are several factors and open research issues that need to be considered.

Hardware

Each node must be small enough, lightweight, and low volume while having all the necessary components. For example, in some applications, the node should be as small as a matchbox; sometimes, the node’s size is limited to one cubic centimeter (Alansari et al., 2021). It should be light enough to hang in the air with the wind in terms of weight. At the same time, each node must have minimal power consumption, low cost, and be compatible with environmental conditions. These are all limitations that challenge the design and construction of sensor nodes.

Connectivity

A sensor network has graph connectivity as its inbuilt connectivity. Each node has connections to several other nodes in its vicinity because of the nodes’ wireless connections and public broadcasting. Efficient algorithms for collecting data and applications for tracking network objects, such as spanning trees, are considered (Siddiqui & Ashour, 2021). Hence, the traffic is such that the data travels from some node to another; connectivity management should be done carefully. An essential step in the management of network connectivity is the initial setup. Nodes that have not had any initial communication before should be able to communicate with one another once they are hired and started to work. Connectivity management algorithms should be able to subscribe to new nodes in the initial setup and removes the nodes which do not work for any reason. The connectivity dynamics of the sensor network properties are an issue that challenges security. Providing dynamic connectivity management methods that can cover security issues is one of the great ideas for future studies.

Reliability

Each node can be broken or destroyed entirely by environmental events, such as an accident or explosion, or can fail when the energy source is exhausted (Alansari, Siddique & Ashour, 2022). The purpose of tolerance or reliability is that node failure should not affect the overall network performance and build a reliable network using unreliable components.

Scalability

The network should be scalable concerning the number of nodes and the allocation of nodes. In other words, the sensor network should be able to work with hundreds, thousands, and even millions of nodes and support the density of different nodes’ distribution. In several applications, nodes are randomly distributed, and environmental factors displace no possibility of distribution with a specific and uniform density of nodes. As a result, the density should be flexible, ranging from a few to one hundred nodes. The various approaches also have an impact on the scalability problem. For instance, they will not work in a specific density or with a certain number of nodes. Specific techniques, on the other hand, are scalable.

Overall cost

As the number of nodes is high, each node’s cost reduction is critical. The number of nodes sometimes reaches millions which, in this case, the cost reduction of the node, even in small quantities, has a significant effect on the total price of the network.

Environmental conditions

A wide range of WSNs applications is related to environments in which humans cannot be present. Like chemical, microbial, or nuclear-contaminated environments or underwater studies, space, or military environments due to the presence of the enemy. In the forest and Inhabitants of animals, the presence of human beings will escape them. In each case, the environmental conditions should be considered in the design of the nodes. For example, in the sea or wet environments, the sensor node must be placed in a chamber that does not transmit moisture.

Communication media

In WSNs, nodes communicate wirelessly through radio media, Infrared Radiation (IR), or other optical media. The infrared connection is cheaper and easier to build, but it only works in a direct line.

Power consumption of nodes

The WSNs nodes must have low power consumption. Sometimes the power supply of a battery is a 1.2 V with a flow of 0.5 amps per hour, which should provide the necessary power for a long time, for example, nine months. In many applications, the battery is not replaceable. Therefore, battery life establishes the life of the node. Moreover, a node acts as a pathfinder, receiving information (by the sensor) or running a command (by the actuator). Faulty operation of a node removes it from the connections and would cause network reorganization and rerouting of the packets (Alansari, Prasanth & Belgaum, 2018). Designing the node’s hardware, using low power consumption components, and providing the possibility of a sleep mode for the entire node or each section is essential.

Increasing the network lifetime

WSNs typically have a short lifetime due to the nodes’ insufficient power supply. Additionally, a network node’s location can occasionally exacerbate the problem. For instance, a node only one hop away from a sink quickly runs out of energy from an excessive workload. On the other hand, if it fails, the sink will be disconnected from the entire network, and WSNs will stop working. Some solutions involve the network structure; for example, an automated structure is a great way to address the problem. The automated structure makes most of its decisions locally (Maheswari, Raju & Reddy, 2019). As a result, the node’s and network’s lifetime increase even though the transmission traffic through it decreases. Any WSN with an uneven node distribution will experience the issue of early energy depletion on nodes with low-density regions. To ensure that crucial nodes are used as less as possible, it would be appropriate in these circumstances to implement power management within the nodes and provide some power awareness solutions. Since distributed nodes in the sensor/actuator field share resources, effective task management, and power management will lengthen the network lifetime. Providing appropriate structural patterns, management methods, and intelligent power algorithms to grow the network lifetime worth further investigation.

Real-time communication and co-ordination

In some applications, the network response speed is crucial such as the system for detecting and preventing the spread of fire or theft prevention system. The packets must be instantaneously updated in the immediate display of pressure on the monitor. A way to realize the system’s real-time connectivity is to set a deadline for packets. In the media access control layer, packets with the shortest deadlines will be sent sooner. The duration of the cut-off depends on its application. Respectively, another critical issue is event report delivery to the sink in order of occurrence. Otherwise, the network may not respond appropriately. One more issue is the coordination of the network with the related reports given to the sink of a specific area in case of an event. For example, assume in a military application that some sensors to detect the occurrence of enemy units and some tools to destroy them are considered. Several sensors inform the sink of the presence of an enemy. The network must start the operation in the entire area immediately; otherwise, with the response of the first sink, the enemy soldiers are dispersed, and the operation is defeated. However, the issue of instant communication and coordination in sensor networks, especially in large-scale and uncertain conditions, is still a topic of research.

Unpredictable factors

WSNs are a function of many uncertainties. Unpredictable natural factors such as floods, earthquakes, problems caused by wireless communication and radio disturbance, node failure, sensor failure, dynamics structure, network routing, the addition of new nodes and the removal of old nodes, automated nodes replacement, or by natural factors. The issue is how to develop, from a network layer perspective, an outlook in such a situation that is a solid, large-scale entity with a reliable operational capability which will be addressed in this SLR.

Limitations of this SLR

• This review only took a limited set of databases and journals into account.

• Additionally, only a few keywords and string combinations have been used to search the literature.

• This review has not considered any articles that were published prior to 2016.

• This review primarily focuses on routing attack detections rather than application, transport, datalink, or physical layer attacks on WSNs.