Multi-Step Detection of Simplex and Duplex Wormhole Attacks over Wireless Sensor Networks

Detecting wormhole attacks, particularly simplex and duplex ones, over wireless sensor networks (WSNs) is a cumbersome process. Wormhole attacks are characterized as distributed passive attacks that can destabilize or disable WSNs. The distributed passive nature of these attacks makes them enormously challenging to detect. The main objective is to find all the possible ways in which the broadcast character and transmission medium of a wireless sensor network allow an attacker to interrupt the network within a distributed environment, and further to detect the serious routing-disruption attack, the "wormhole attack", step by step through the different network mechanisms. In this paper, a new multi-step detection (MSD) scheme is introduced that can effectively detect wormhole attacks in WSNs. The MSD consists of three algorithms to detect and prevent simplex and duplex wormhole attacks. Furthermore, the proposed scheme integrates five detection modules to systematically detect, recover from, and isolate wormhole attacks. Simulation results obtained in OMNET++ show that the proposed MSD has lower false detection and false toleration rates. Besides, MSD can effectively detect wormhole attacks in a completely distributed network environment, as suggested by the simulation results.

The NNVP determines whether or not the node is infected and whether or not it is a neighbor node. The links that originate from a wormhole are referred to as "false links". These connections can be removed using the FLRP. Finally, the isolation module guarantees that the detection and recovery processes are carried out properly, isolating all traces and instances of the wormhole. The contributions of this paper are:
• The proposed MSD involves five detection methods, which can successfully detect the classified simplex and duplex wormhole attacks.
• MSD is supported by a valid locator detection feature, which can adaptively fine-tune a threshold value to make it easier for a sensor node to detect the valid locator (VL). Once a VL is identified, the detection process is used to determine the wormhole-enabled node for the WSN connected with IoT.
• MSD includes a self-healing procedure that determines the wormhole attack and points to the positions of wormhole-enabled nodes.
• Secret key and signature generation processes are used to guarantee secure communication between the sensor node and adjacent sensor nodes, or between the sensor node and the base station.

Related Work
This section explores the key aspects of salient approaches. To detect and recover from wormhole attacks in multi-hop WSNs, the distributed self-healing method was suggested [20]. It also determines the locations of malicious nodes and separates them from the network. It is the first approach that carries out both routing organization recovery and wormhole node quarantine in response to wormhole attacks. However, it requires proper localization capabilities as well as time analysis. The proposed method relies solely on network connection in a distributed manner. The simulation results showed that the suggested technique detects all wormhole-enabled nodes with 100 percent accuracy and zero percent erroneous detection. In terms of power usage and overhead, the result also shows that the suggested technique outperforms other competing alternatives.
The cloned and wormhole node detection method is introduced in Maheswari et al. [21]. This method examines each node's behavior to determine if it is a wormhole or not. If the node has not received authorization from the base, it is not permitted to participate in the communication.
To solve the problem of wormhole and Grayhole attacks, the lightweight trust-driven approach was proposed [22]. The suggested method uses direct trust, which is determined based on the node's characteristics. It has also been utilized to establish indirect trust based on the perspectives of nearby sensor nodes. According to the authors, the suggested technique is energy efficient and would not add extra overhead to data flow.
Directional antennas are introduced to prevent wormhole attacks [23]. To avoid a wormhole, each node exchanges a secret key with its neighbors and maintains a current list of all neighbors. The direction in which a signal is heard from a neighbor is used to build all lists in a secure way, provided that all nodes' antennas are aligned. However, it only mitigates the threat of wormhole attacks to a limited extent. It only protects against wormhole attacks in which hostile nodes try to trick two nodes into thinking they are neighbors. In wireless sensor networks, the effects of wormhole attacks are widely examined utilizing IoT [24].
The authors proposed the label-based DV-hop localization method to defend against the possibility of wormhole attacks. Furthermore, the correctness of the approach is also proved using the simulation results.
DAWN, a distributed detection algorithm, is proposed for controlling the wormhole in WSNs [25]. The suggested method made an attempt to establish a lower constraint on the efficient detection rate. The authors investigated DAWN against collusion and wormhole attacks. Furthermore, the suggested technique has no increased cost due to the use of additional testing messages. DAWN is supported by substantial experimental findings, as all existing wormhole detection techniques increase communication overhead and false negatives. The proposed technique, on the other hand, has a low communication overhead and a high accuracy rate.

Proposed Multi Detection Scheme
This section presents the proposed multi-detection scheme for detecting wormhole attacks. The data distribution process is of paramount importance before detecting the attacks. The Poisson distribution [26] has been used for the data distribution over the network. The data is available at different locations of a WSN. Each data location has a degree of self-sufficiency and is capable of handling local as well as global applications. Data distribution is shaped either by captivating a prevailing single location or excruciating it over different locations. The data uncertainty of the data distribution can be computed as:
where p i : probability of the event.
The proposed scheme consists of the three modules, which are discussed in the subsequent sections:
• Neighbor node validation process (NNVP),
• Fake link reduction process (FLRP),
• Wormhole isolation.

Neighbor Node Validation Process
For each type of wormhole attack detected, there are corresponding different identification protocols. They are as follows.
There are different types of wormhole attacks. They could be classified as either simplex or duplex wormhole attacks [27,28]. In this work, different detection processes have been applied to identify the wormhole attacks.

Duplex Wormhole Link Attack
To detect whether a network is experiencing a problem due to the duplex wormhole attack, the sensor node attempts to recognize all its Valid Locators (VLs) prior to the self-discovery process. Let us take X 2 as a locator depicted in Fig. 2; when the sensor node initiates the Location Request Message (LRM), X 2 returns a Location Acknowledgement Message (LAM) to the sensor node because it is within the communication range of X 2 . Furthermore, the LAM also travels from point Z 2 through the wormhole attack link to another point Z 1 before it arrives at the sensor node. Thus, the sensor node receives the LAM from X 2 several times. Nevertheless, there are three diverse scenarios:
• The locator is within the range of transmission of the sensor node. Thus, the sensor node receives the message three times from X 4 , as shown in Fig. 2.
• The locator is not within the range of the sensor node's transmission; then the sensor node receives the message twice from X 7 , as shown in Fig. 2.
• The locator is within the range of transmission of the sensor node; then the sensor node receives the message twice from X 2 , as shown in Fig. 2.
Based on the ranges, X 2 and X 4 are considered as VLs, but not X 7 . The sensor node can apply five VL processes to identify the V-locators.
The attacker node is capable of changing its location in order to attack the legitimate node. Let us assume that the distance between attacker and victim is symbolized as |A d − v d |. The random change [−1, 1] can be characterized as 'Δβ'. Thus, cos(2π Δβ) denotes the circular path of the attacker around the victim node. Control is transferred to the victim node when movement of the malicious node is detected, which is computed by:
where A d : attacker distance; v d : victim distance.
When an attacker node knows that its position is exposed, it attempts to update the position. However, the victim node can identify whenever an attacker moves away based on the random change. Hence, a random change greater than 1 or less than −1 provides the clue to the victim node. The moving process of the attacker node 'A m ' and the identifying process time predicted by the victim node 'v pp ' are mathematically expressed in Eqs. (3) and (4) respectively.
In the first scenario, if the sensor node becomes a victim of a wormhole attack and receives the LAM of the Neighbor Locator (NL) three times, then a bit of the LAM should be set to 1. Thus the NL is declared as a VL, shown as X 4 in Fig. 2. The sensor node only nullifies the minimum Medium Access Control (MAC) delay of a locator. On the other hand, message traveling and response time delays get longer when the message comes through the wormhole link. Therefore, the distance measured from the LAM that comes directly from the VL is the one with the shortest response time.
In the second scenario, if the sensor node gets the LAM twice from the NL, then a bit of the LAM should be set to 1, and the NL is considered as a Suspicious Locator (SL), such as X 7 shown in Fig. 2.
Definition 1: Data reiteration rate 'D rr ' of the given samples reflect the malicious behavior of the sensor node because of repetition of the continuous packets.
where S p : Sent samples; t: Time for sending the samples; repeated samples.

Definition 2:
If the observation time for the sample-sending S s (t) is too large, then it may be a cause of a duplex wormhole link attack. On the other hand, if the sample-sending rate is lower, then it may also be a cause of a duplex wormhole link attack.
where S sv : the sample-sending value.
In the third scenario, if the sensor node gets the LAM twice from the NL, then a bit of the LAM should be set to 0, and the NL is regarded as a VL. Also, the measured distance based on the LAM with the shorter response time is considered correct, as for X 2 shown in Fig. 2.
. ., (a p , b p )} and corresponding measured distances S = {l 1 , l 2 ,. . ., S p }, where (a i , b i ) is the location 'L' of the locator X i and r i is the distance from a sensor node to X i , where J = (1, 2, 3,. . ., p). Thus the estimated location of the sensor node can be determined as (a 0 , b 0 ). The mean square error (MSE) rate for the location can be defined as:
The distance dependability property (DDP) of the legal locators states that the MSE of a location estimated from exact distances is smaller than a minimum threshold. On the other hand, the MSE of a location estimated from distances that include some inappropriate distance measurements is not smaller than the threshold value. More VLs are detected using the DDP of the VLs.
• Detection Process-2 If the sensor node has detected not less than two VLs using Detection Process 1, it detects other VLs by examining whether an estimated distance is dependable. A predefined threshold 'β' of the MSE is identified (i.e., an estimated distance with an MSE less than β is regarded as steady). The sensor node can recognize X 2 , X 3 , and X 4 as VLs despite changing the location, as shown in Fig. 1. Furthermore, an accurate estimated distance 'D acc ' can be obtained.
where : distance of valid locator; γ : distance covered by the sensor in case of mobility.
When a new locator joins the network, it is of paramount significance to calculate the distance of the new locator 'D nl ' to avoid and minimize the error rate, given by
The objective function is used to analyze the nature of the link, whether wormhole or not.
The sensor node initiates the detection process one by one for the uncertain locators (ULs). For example, to examine whether X 1 is a VL, the sensor node should be capable of calculating its own location using the measured distances to X 1 , X 2 , X 3 , and X 4 . If the measured distance to X 1 is inappropriate, then the MSE of the calculated distance dimension can surpass β, which implies that X 1 should not be considered as a VL. If the sensor node examines the distance stability of X 2 , X 3 , X 4 , and X 6 and finds that the MSE is less than β, then X 6 should be considered as a VL and the measured distance to X 6 should be considered as accurate. After examining each uncertain NL, the sensor node can determine all VLs with the exact measured distance.
Theorem 1: When a sensor node becomes victim due to duplex wormhole link attack, ∀L j such contention location C(L j ) = ρ, L j ∈ D A .
Proof: Suppose a sensor node is a victim of a duplex wormhole link attack as depicted in Fig. 1. All of the locations in SL (Atk 1 ) ∪ SL (Atk 2 ) are NLs for the sensor nodes. According to the given theorem:
Thus, the message cannot be advanced to the wormhole link, and there is no anomaly in the interchange of messages between L i and other locators, consequently
Tab. 1 shows the notations and their description.

Simplex Wormhole Link Attack
When the sensor node discovers the simplex wormhole attack, then it adopts the VLs' detection processes.
• Detection Process-3 Suppose the sensor node becomes a victim of the simplex wormhole link attack as depicted in Fig. 2. If the sensor node receives the LAM of an NL twice, then that NL is considered as a VL. For example, if X 3 replies with a LAM to the sensor node as depicted in Fig. 1, this message travels through two different routes to the sensor node: one route goes directly from X 3 to the sensor node, whereas the other goes from X 3 to Z 1 via the wormhole link to the sensor node. Hence, the sensor node is capable of determining that X 3 is a VL. To further obtain the accurate measured distance to X 3 , the sensor node compares the response times of the LAM from X 3 through the different routes. The measured distance with the shortest response time is regarded as correct and accurate. Likewise, X 4 is also recognized as a VL, and its accurate measured distance can be determined. Thus, the spatial property is used to identify VLs. Duplex and simplex wormhole attack detection processes are given in Algorithm 1.

Property 1:
The sensor node is unable to get the messages from two NLs concurrently if the measured distance between these two NLs is larger than 2d.

5. Each NL sends L am to the sensor node, including the message abnormality detection outcome.
6. Sensor node waits for L am to measure the distance to each NL and compute the response time of each NL
7. If the sensor node detection = D γ then
8. Detected as D wh
9. If the sensor node detection = D δ then
10. Detected as S wh
11

In Algorithm 1, the simplex and duplex detection processes are explained. In step-1, variables are initialized. Step-2 provides the input. Step-3 gives the output. In step-4, the sensor node broadcasts the location request message. In step-5, each neighbor locator sends a location acknowledgment message to the sensor node, including the message irregularity detection result. In step-6, each neighbor locator sends the location acknowledgment message to measure the distance to each neighbor locator and computes the response time for each node locator. In step-7, if the sensor node detection methods fall within the category of detection methods 1-2, then the duplex wormhole method is observed. In step-8, if the sensor node detection methods fall within the category of detection methods 3-5, then the simplex wormhole method is observed. In step-9, if a sensor node falls within the processes of neither D γ nor D δ , then it is considered that no wormhole link attack is discovered.
• Detection Process-4 When the sensor node becomes a victim of the simplex wormhole link attack as depicted in Fig. 2, if two NLs violate the spatial property, it is noticeable that one of them is a valid locator (VL), as explained in Algorithm 2, and the other is a Suspicious Locator (SL). Let us take the example of X 2 and X 5 in Fig. 2, as the distance between X 2 and X 5 is larger than 2d. After receiving the LAM from them, the sensor node can detect that the two NLs cannot hold the spatial property. Thus, the VL can be differentiated from the SL using the response time of both NLs, as the LAM from X 5 is transmitted to the sensor node through the wormhole link and takes a longer response time than that from X 2 . The sensor node considers X 2 as a VL and X 5 as an SL because X 2 has a shorter response time. Therefore, the distance to X 2 is also regarded as correct. The distance consistency property of VLs is used to determine more VLs when the sensor node becomes a victim of the simplex wormhole link attack.
In Algorithm 2, the valid locators are identified. In step-1, variables are initialized. Steps 2-3 give the input and output. In steps-4-7, when the sensor node detects the duplex wormhole attack, it initiates the 'D γ ' detection method-1 or detection method-2. In steps-8-9, the process of detecting other valid locators is initiated. In step-13-14, when the sensor node detects the simplex wormhole attack, it starts to use detection methods-3-5, and based on the detection methods, the valid locators are detected.
Let us take 'bs i ' as a malicious parameter produced by a simplex wormhole link attack, which can be denoted by
Let us take 'Gd k ' as a malicious parameter produced by a duplex wormhole link attack, which can be indicated by
$gd_k = [gd_{k,1}, gd_{k,i}, \ldots, gd_{k,j}]^T \quad (11)$
The data coming from each sensor node is evaluated for every event. As we get i = 1, 2, . . ., 50, k = 1, 2, . . ., 50, and k = 1, 2, . . ., 10.
The set bs i is used to generate the template for detection of simplex wormhole link attack for the sensor node 'i'. While the set gd k is used for the template generation of duplex wormhole link attack. It can be determined if each gd k ∈ Gd k can be segregated from each bs i ∈ Bs i .
• Detection Process-5 When the sensor node becomes the victim of the simplex wormhole attack, similar to Detection Process 2, if the sensor node has used detection processes 3-4 to detect at least two VLs, it can detect other VLs based on the Distance Consistency Property (DCP) of VLs. Considering the scenario of Fig. 3, the sensor node can detect X 2 , X 3 , and X 4 as VLs and obtain the correct measured distance. The sensor node can further detect other VLs by examining distance consistency. An MSE smaller than β can be obtained when the sensor node estimates its location based on X 1 , X 2 , X 3 , and X 4 because they are all VLs. The sensor node can then determine that X 1 is a VL and that the measured distance to X 1 is correct.
The procedure of the basic VLs detection approach is enumerated in Algorithm 2: When the sensor node becomes a victim of the duplex wormhole link attack, it needs to execute detection process 1 to determine the VLs. As the distance stability process requires at least three VLs, if the sensor node classifies no less than two VLs, it can use detection process 2 to detect other VLs. If the sensor node becomes the victim of a simplex wormhole link attack, it adopts detection processes 3-4 to identify the VLs. After that, if at least two VLs are identified, the sensor node executes detection process 5 to identify other VLs.
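The LAM-counting rules of Detection Processes 1, 3 and 4 can be written down directly. The following Python example is added here and is not code from the paper; the `Lam` record, its field names and every sample value are constructed, and a locator whose replies match none of the rules is labelled UL and left for the distance-consistency processes.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations
from math import dist


@dataclass(frozen=True)
class Lam:
    locator: str          # locator id, e.g. "X2"
    position: tuple       # (a_i, b_i) announced by the locator
    bit: int              # abnormality bit carried in the LAM (field name assumed)
    response_time: float  # ms between the LRM broadcast and this copy arriving
    distance: float       # distance measured from this copy


def _group(lams):
    groups = defaultdict(list)
    for lam in lams:
        groups[lam.locator].append(lam)
    return groups


def _fastest(copies):
    # The direct copy beats any copy relayed through the wormhole link.
    return min(copies, key=lambda c: c.response_time)


def classify_duplex(lams):
    """Detection Process 1: {locator: (label, trusted distance or None)}."""
    result = {}
    for loc, copies in _group(lams).items():
        n, bit = len(copies), max(c.bit for c in copies)
        if (n == 3 and bit == 1) or (n == 2 and bit == 0):
            result[loc] = ("VL", _fastest(copies).distance)  # scenarios 1 and 3
        elif n == 2 and bit == 1:
            result[loc] = ("SL", None)                       # scenario 2
        else:
            result[loc] = ("UL", None)                       # for Process 2
    return result


def classify_simplex(lams, d):
    """Detection Processes 3 and 4; d is the transmission range."""
    groups = _group(lams)
    best = {loc: _fastest(c) for loc, c in groups.items()}
    # Process 3: a LAM heard twice marks a valid locator.
    labels = {loc: "VL" if len(c) == 2 else "UL" for loc, c in groups.items()}
    suspicious = set()
    # Process 4: two NLs more than 2d apart violate the spatial property;
    # the one with the longer response time came through the wormhole.
    for a, b in combinations(best.values(), 2):
        if dist(a.position, b.position) > 2 * d:
            near, far = sorted((a, b), key=lambda c: c.response_time)
            labels[near.locator] = "VL"
            suspicious.add(far.locator)
    result = {}
    for loc in groups:
        if loc in suspicious:        # a suspicious verdict is never upgraded
            result[loc] = ("SL", None)
        elif labels[loc] == "VL":
            result[loc] = ("VL", best[loc].distance)
        else:
            result[loc] = ("UL", None)
    return result


# Constructed sample replies (not measurements from the paper).
DUPLEX_SAMPLE = [
    Lam("X4", (20, 10), 1, 0.8, 24.0), Lam("X4", (20, 10), 1, 2.1, 61.0),
    Lam("X4", (20, 10), 1, 2.4, 66.0),
    Lam("X7", (150, 40), 1, 2.2, 35.0), Lam("X7", (150, 40), 1, 2.6, 41.0),
    Lam("X2", (-25, 10), 0, 0.9, 27.0), Lam("X2", (-25, 10), 0, 2.3, 63.0),
    Lam("X1", (5, -30), 0, 1.0, 30.5),
]
SIMPLEX_SAMPLE = [
    Lam("X3", (20, 10), 0, 0.7, 22.4), Lam("X3", (20, 10), 0, 2.2, 58.0),
    Lam("X2", (-30, 5), 0, 0.9, 30.4),
    Lam("X5", (140, 20), 0, 2.5, 38.0),
]

if __name__ == "__main__":
    print(classify_duplex(DUPLEX_SAMPLE))
    print(classify_simplex(SIMPLEX_SAMPLE, d=45.0))
```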

Prolonged Node Validation Process
In the basic VL detection process, if the sensor node detects fewer than three VLs, it terminates the self-localization. This occurs because the statistical method of maximum likelihood estimation (MLE) used in the self-localization needs at least three distance measurements. However, when using detection processes based on the distance consistency property of VLs, many VLs cannot be determined if the MSE threshold β is set incorrectly at a trivial value.
A prolonged valid locators' identification approach is used to handle the above problem. The proposed approach can adaptively adjust the threshold value of β to make it easier for the sensor node to detect more VLs. If the sensor node becomes a victim of the duplex wormhole link attack, it conducts detection process 1 to detect VLs. If the sensor node detects no less than two VLs, it repeatedly detects other VLs using detection process 2 and updates β with an augmentation of τ 2 until the minimum three VLs are recognized, or β is higher than β max . If the sensor node notices that it has become a victim of a simplex wormhole link attack, it adopts detection processes 3-4 to detect the VLs. If at least two VLs are detected, the sensor node repeatedly conducts detection process 5 to identify other VLs and updates β with an increment of β until at least three VLs are recognized, or β is larger than β max . The procedure of the prolonged VLs' detection process is explained in Algorithm 3.
After the wormhole link attack detection and VLs' identification, the sensor node can detect VLs from its NLs. Furthermore, the sensor node can calculate the accurate distance for the VLs. If the sensor node gets a minimum of three correct measured distances to its NLs, it performs the Maximum Likelihood Estimation (MLE) localization process based on the locations and distances of the associated NLs.
In Algorithm 3, the prolonged node validation process is explained. In step-1, the variables used are initialized. Steps-2-3 specify the input and output. Steps-4-5 show the detection of the duplex wormhole link attack by the sensor node, which then conducts detection process-1 to identify the VLs. In steps-6-7, the number of identified VLs is compared; if the identified VLs are greater than or equal to 2, then this process is continued for the rest of the detection methods.
Steps-8-9 show the process of detecting other VLs; then the threshold value is set by adding the maximum threshold value and the increment of a predefined threshold value.
In steps-10-13, the predefined threshold value is compared with the maximum incremental predefined threshold value; this process continues until the identified VLs are greater than or equal to 3. In steps-14-20, the sensor node detects the simplex wormhole attack, and the detection process of valid locators begins. By applying detection methods 3-5, other valid locators are determined. Finally, the threshold values are set in order to identify all the valid locators.
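An added Python example (not the paper's code) of the distance-consistency test of Detection Processes 2 and 5 wrapped in the prolonged β loop. It assumes a linearized least-squares position estimate in place of the MLE step and the usual mean-squared-residual form of the MSE, since the paper's equation is missing from this page; `beta0`, `step` and all coordinates and distances are constructed.

```python
from math import hypot


def estimate_location(locs, dists):
    """Least-squares position (a0, b0) from at least three locators.

    Subtracting the last circle equation from the others leaves a linear
    system in (a0, b0), solved here through its 2x2 normal equations.
    """
    (an, bn), ln = locs[-1], dists[-1]
    s11 = s12 = s22 = t1 = t2 = 0.0
    for (a, b), l in zip(locs[:-1], dists[:-1]):
        r1, r2 = 2 * (a - an), 2 * (b - bn)
        y = a * a - an * an + b * b - bn * bn + ln * ln - l * l
        s11 += r1 * r1
        s12 += r1 * r2
        s22 += r2 * r2
        t1 += r1 * y
        t2 += r2 * y
    det = s11 * s22 - s12 * s12
    if abs(det) < 1e-9:
        raise ValueError("locators are collinear; position is not determined")
    return (t1 * s22 - t2 * s12) / det, (s11 * t2 - s12 * t1) / det


def mse(locs, dists):
    """Mean squared residual between measured and re-computed distances
    (assumed form of the MSE)."""
    a0, b0 = estimate_location(locs, dists)
    residuals = (l - hypot(a0 - a, b0 - b) for (a, b), l in zip(locs, dists))
    return sum(r * r for r in residuals) / len(locs)


def prolonged_validation(valid, uncertain, beta0, step, beta_max):
    """valid / uncertain: {name: ((a, b), measured_distance)}.

    Re-runs the consistency test with a growing threshold until three VLs
    are known or beta exceeds beta_max. Returns (validated locators, beta).
    """
    valid, pending, beta = dict(valid), dict(uncertain), beta0
    if len(valid) < 2:
        return valid, beta  # the test needs two already trusted locators
    while len(valid) < 3 and beta <= beta_max:
        for name, (pos, measured) in list(pending.items()):
            locs = [p for p, _ in valid.values()] + [pos]
            dists = [m for _, m in valid.values()] + [measured]
            if mse(locs, dists) < beta:
                valid[name] = pending.pop(name)
        if len(valid) < 3:
            beta += step
    return valid, beta


# Constructed scenario: the sensor really sits at (0, 0). X2 and X3 were
# validated earlier; X1 is genuine but noisy; X7 is 150 m away and its
# 35 m reading came through a wormhole link.
VALID = {"X2": ((30.0, 0.0), 30.0), "X3": ((0.0, 40.0), 40.0)}
UNCERTAIN = {"X1": ((-20.0, -15.0), 26.5), "X7": ((120.0, 90.0), 35.0)}

if __name__ == "__main__":
    vls, beta = prolonged_validation(VALID, UNCERTAIN, 0.2, 0.1, 1.0)
    print(sorted(vls), round(beta, 2))
```

With these values X1 is rejected at β = 0.2 and 0.3 and accepted at 0.4, while the wormhole-relayed X7 stays far above any threshold up to β max ; the choice of β max bounds how much measurement error the loop is allowed to tolerate.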

Secret Key and Signature Generation Process
The sensor nodes are tiny, and their data sending process is vulnerable. Thus, the proposed approach aims to secure the data communication process. Hence, a secret key is generated for sending the data confidentially. In addition, a signature is created to validate the sent message.

Secret Key Generation Process
When the sensor node interacts either with an adjacent sensor node or with the base station, it needs to generate a secret key for interacting and sending the data.
Let us assume that the sensor node 'S N ' intends to communicate; then a secret key is calculated as:
For i ∈ {0, 1}, two hash values 'H v ' should be calculated. Hence, T k = L 1 S Nid , i , T i ∈ O 1 . Thus, the output produces a secret key 'S k ' calculated by
where T k : Transaction key.

Signature Generation Process
The signature must be calculated, and the sensor node obtains the received file 'X '. The file X must be split into 'm' chunks 'c k ', which can be written as
where C t : total number of the chunks.
The sensor node computes the pair of the signature {S k , T k } for each chunk of the file.
First, two hash values are calculated as:
q k : pointer of chunk c k in the given file X , 1 ≤ k ≤ m.
Once the two hash values are calculated, a secret sharing SS (τ ,d) of the file is started with $z(x) = H_v + q_1 x + \ldots + q_{r-1} x^{r-1}$, and r−1 points are calculated.
U p : A universal parameter.
Finally, the number of the random variables 'n' is computed, given by v k ∈ K t , 1 ≤ k ≤ n, and then the following is calculated
where v k : random variable.
Therefore, the signature generation process is secure and also helps the sensor nodes avoid impersonation and identity attacks.

Experimental Results
To validate the effectiveness of the proposed MSD approach, the simulation is conducted using OMNET++ 5.6.2 simulator. Based on the simulation results, the performance of MSD approach has been analyzed and compared with existing state-of-the-art schemes: Hybrid Algorithm to Eliminate Wormhole Attack (HAW) [20], Dynamic Detection and Prevention (DDP) [21], and Wormhole and Gray attack (WGA) [22]. The sensor nodes are distributed randomly to serve the data sending process. The deployed sensor nodes are connected using the end-to-end reliable and bi-directional approach.
The main goal of the simulation is to balance the bandwidth usage and proper data exchange. Several scenarios (malicious and non-malicious) are generated to assess the realization of the proposed approach. The simulation scenarios resemble a tangible WSN situation, and the given outcomes are similar to those of a realistic environment. The simulation network covers 450 × 450 square meters with 270 sensor nodes. The transmission and sensing ranges are 45 and 30, respectively. Each sensor node has 80 Kb/Sec bandwidth capacity and buffers 80 frames. The size of the data packet is 512 bytes with 10 seconds' pause time, and the entire simulation takes 15 minutes. The summary of the simulation parameters is given in Tab. 2.

Accuracy
Accuracy requires both precision and authenticity. Fig. 4 shows the accuracy of the proposed MSD and other contending schemes (HAW, DDP, and WGA). The accuracy of the proposed approach and the contending approaches has been measured using a variable number of valid sensor nodes up to a maximum of 180 with 10% malicious sensor nodes. The result demonstrates that the MSD produced a maximum of 99.93% accuracy, whereas the other contending schemes produced 98.74%-99.47%.
When the number of sensor nodes increases, accuracy is marginally affected with 10% malicious nodes. The results demonstrate that the proposed MSD obtains 99.904% accuracy with 270 sensor nodes, whereas the contending approaches obtain accuracies of 97.9%-98.6% with 270 sensor nodes. HAW produced less accuracy with 270 sensor nodes, as shown in Fig. 5. The testing procedure involves true negatives and true positives. Thus, the accuracy is given by:
where T p : True positive, T n : True negative, T wm : Total wormhole attacks.
The reason behind the better accuracy of the proposed approach is the use of five detection methods and the secret key and signature generation processes, which determine the precise true negatives and true positives successfully.

Detection (True Positive, False Negative and False Positive)
The proposed MSD and contending schemes (HAW, DDP, and WGA) have been measured using false-positive 'F pos ' and true-positive 'T pos ' rates. True positive and false positive rates are depicted in Fig. 6. It has been observed, based on the outcomes of the simulation, that the proposed MSD possesses a greater true positive rate. On the other hand, contending schemes have a lesser true positive with the false positive rates. DDP gets a lower positive rate. False negative 'F neg ' and true positive rates have been depicted in Fig. 7. The trend of the result in the graph demonstrates that the proposed MSD gets a higher true positive rate, and only a 0.015 false-negative rate is detected, while contending schemes show higher false-negative rates, counted as 0.023-0.072. MSD gains the higher false-negative rate that is measured to be 0.072. Based on the outcomes, it has been confirmed that the proposed scheme attains the higher true positive and gains lower false-negative rates. Thus, true positive, false positive and false negative rates can be calculated using Eqs. (17)-(19).
CMC, 2022, vol.70, no.3 4257

Conclusion
A new multi-detection scheme has been executed for detecting wormhole attacks in WSNs over the distributed environment. In the proposed scheme, different integrated detection modules are implemented to systematically detect, recover from, and isolate wormhole attacks. In this multi-step detection (MSD) scheme, the neighbor node validation process plays a crucial role in identifying the infected nodes and the false neighbors. In addition, the proposed MSD can be used to eliminate all fake links (i.e., the links which originate from a wormhole). Finally, the isolation module ensures that detection and recovery are highly effective and thereby isolates the wormhole completely from the network. To support the proposed scheme, different algorithms were executed that provide specific details of how each component of the proposed scheme (e.g., the wormhole attack detection scheme and the extended node validation process) effectively detected attacks and successfully recovered the network inside the distributed environment. Current limitations on assessment after rerouting and rescheduling in real-time traffic management for the detection model should be taken into consideration in further research. In future, attacks in integrated network scenarios around the distributed environment will be evaluated through nontraditional algorithms for optimum desirability to detect and recover the WSN from wormhole attacks.