Communications and Network, 2013, 5, 524-528 Published Online September 2013 (
Copyright © 2013 SciRes. CN
Research on Intrusion Detection Algorithm Based on
Multi-Class SVM in Wireless Sensor Net works
Hangxia Zhou, Qian Liu, Chen Cui
Department of Computer Science and Technology, China Jiliang University, Hangzhou, China
Received June 2013
A multi-class method is proposed based on Error Correcting Output Codes algorithm in order to get better performance
of attack recognition in Wireless Sensor Networks. Aiming to enhance the accuracy of attack detection, the multi-class
method is constructed with Hadamard matrix and two-class Support Vector Machines. In order to minimize the com-
plexity of the algorithm, sparse coding method is applied in this paper. The comprehensive experimental results show
that this modified multi-class method has better attack detection rate compared with other thr ee coding algorithms, and
its time efficiency is higher than Hadamard coding algorithm.
Keywords: Wireless Sensor Network; Multi-Class; Network Security
1. Introduction
Wireless Sensor Network (WSN) consists of a large num-
ber of small sensor nodes in terms of self-organization
and multiple hops. These sensor nodes have low cost,
less energy, and limited processing ability. These nodes
are applied to sense, collect and process the object within
the network coverage area, and sent signals to the host
user in the form of data. The sensor nodes are usually
distributed in no security environment, and it is easy for
them to be captured and manipulated by attackers. In
recent years, WSN security has become the frontier re-
search fields to scholars. The author in [1] summarized
the types of attacks in WSN, such as blackhole attack,
hello flooding attack, DoS attack, and selective forward-
ing attack and so on .
Support Vector Machine (SVM) is one of the most
widely used classification methods in WSN. It has pecu-
liar advantages in small sample, high dimension pattern
recognition and nonlinear problems [2]. But the tradi-
tional support vector machine is designed for two-class
classification so that it fa ils to handle multi-class prob-
lems. As a result, research on SVM multi-class classifier
has become a necessity.
This paper proposed a modified Sparse-ECOC multi-
class classification method. This method can be used to
classify the traffic data collected by network nodes to
determine whether the system is invaded by attackers.
Experiments show that compared with the existing clas-
sification algorithm, this improved algorithm has higher
attack detection rate and time efficiency.
2. Classical Algor ith ms
Compared with the traditional networks, wireless sensor
network has the following two characteristics: the limita-
tion of energy supply, processing speed and storage space.
And the limitation of communication bandwidth, time
delay, transmission packet size, etc.
Because of the limitations, safety prevention method
which is commonly used in wired networks does not ap-
ply to wireless sensor networks. For this reason, this ar-
ticle chooses intrusion detection technology of SVM which
conforms to the characteristics of WSN.
2.1. Support Vector Machine and Principle
Support vector machine is a new kind of machine learn-
ing method. It is based on statistical learning theory and
structural risk minimization principle. In [3], the use of
kernel function made the nonlinear flow data collected by
sensor nodes to be mapped to a high-dimensional feature
space, which greatly reduces the algorithm complexity,
and effectively overcomes the “dimension disaster” prob-
lems which often appears in artificial ne ural networks. In
[4], support vector machine has strong generalization
ability in tackling small sample classificatio n. The model
proposed in [5] is suitable for low bandwidth and small
packets situations in wireless sen so r network s .
In SVM model, set input vector
, category
{ }
, sample size
, 1,2,...,ij n=
, kernel function
Copyright © 2013 SciRes. CN
(, )
Kx x
, high dimensional feature space
, nonlinear
. Nonlinear samples can be mapped
to high-dimensional feature space
by kernel function
and mapping
to construct an optimal separating
hyperplane in
. The points on the optimal separating
hyperplane need to meet:
() 0xb
⋅ +=
, (1)
and classification interval is equ al to
. If we want
the best effect of classifying, classification interval shall
take the maximum, that is to say,
shall take the
min i mu m [6].
In practice, classic support vector machine cannot solve
mul ti -class problems. So we need to take other ways to
solve them. In [7], the author listed some common mul-
ti-class classification method, such as one-against -one me-
thod, one-against-all method, binary tree method, error
correcting output codes (ECOC) method, directed acyclic
graph SVM (DAGSVM) method, etc.
2.2. Hadamard Coding Algorithm
Hadamard error correcting output codes method is a typ-
ical algorithm which decomposes multi-class problem into
several two-class problems. Hadamard matrix was pro-
posed by James Joseph Sylvester on the basis of ortho-
gonality in 1867 [8]. It is a square matrix which is made
of “1” and “+1”, and any different two rows of it is
mutually orthogonal.
dimensional Hadamard matrix
can be obtained by
dimensional matrix through
the method of recursing.
/2 /2
/2 /2
dimensional matrix, any two rows or two
columns are neither same nor complementary. The dis-
tance between any two rows or two columns is
These features meet the needs of classifier training, but
the first “1” column in the matrix cannot be used for
classifier coding. So the original
dimensional matrix
needs to be cut in a certain degree.
3. Experimental Design and Implementation
Experimental design includes two aspects: coding matrix
construction and the training of classifier. Coding matrix
construction is conducted on the basis of Hadamard ma-
trix. The realization of classifier is implemented on NS2
and LIBSVM pla t form.
3.1. Construct Modified Coding Matrix
According to the characteristics of the matrix and coding
principles, the approach of Sparse-ECOC matrix struc-
ture can be shown as follows:
Obtained a
dimensional Hadamard matrix ac-
cording to Equation (2).
Delete the first “1” column, and obtained a
( 1)NN×−
dimensional matrix.
Take the first
lines of the matrix, and obtained a
( 1)lN×−
dimensional matrix.
Chose an element from each row and replace it with
element “0”. Ensure the minimum hamming distance
as large as possible.
The sign l expresses sample class number. The mod-
ified coding matrix has simple coding scheme, less num-
ber of classifiers constructed, and convenient calculation.
Any two rows or two columns are neither same nor com-
plementary. Th e hamming distance b etween any tw o rows
is equal to
The coding matrix constructed in this way is ternary
code matrix. In ternary code encoding, element “1” ex-
presses positive, element “1” expresses negative, and
element “0” expresses doing nothing with it [9]. The ad-
dition of zero elements made classifier more simplified,
so we call this coding matrix Sparse-ECOC matrix.
The Sparse-ECOC matrix not only satisfies the train-
ing requirements of multi-class SVM classifier, but also
reduces each single classifier's construction time because
of the addition of zero elements. These properties effec-
tively improve the training speed and comprehensive
3.2. Classifier Implem entation
The Sparse-ECOC multi-class algorithm proposed in this
paper mainly detect for hello flooding attack, denial-of-
service (DoS) attack, blackhole attack, selective for-
warding attack and sybil attack in WSN. Detect and clas-
sify attacks by analyzing the energy of nodes and packets
received and send situations in the networks. In order to
reduce the complexity of calculation, we choose appro-
priate flow characteristics for each attack as less as poss-
For hello flooding attack, we select the energy of
package sent as its feature. For DoS attack, we select the
number of data packets received. For blackhole attack,
we select the number of route request replies received,
the number of route request replies sent, and the number
of route request replies dropped. For selective forwarding
attack, we select the number of route errors send and the
number of route errors received. For sybil attack, we se-
lect the frequency of the node selected as cluster head
Classifier realization mainly includes four processes: data
acquisition, data preprocessing, kernel function selection
and classifier training, algorithm verification (Figure 1).
1) Data acq uision: Bu ild a hierarchic al and cluster struc-
ture model of WSN in NS2. We choose IEEE 802.15.4
Copyright © 2013 SciRes. CN
Figure 1. Classifier implementation process.
standard for media access control (MAC) layer and low
energy adaptive clustering hierarchy (LEACH) protocal
for network layer. Specific process can be implemented
as follows.
a) Define the transmission channel, transmission mod-
el, the interface queue, topology, God object, the node's
properties and actions in the node transmission process.
b) Add environmental parameters which would be
needed in the operational process of LEACH protocol.
Add malicious nodes of five attacks in a specific time
one by one.
c) Monitor the network status, including node energy
state, packet receiving and sending situation, cluster se-
lected rules.
d) Extract trace files and construct datasets.
2) Data preprocessing
In order to avoid the singular sample data caused an
increase of training time, normalize each column in the
datasets. Then translate the normalized training dataset
into seven two-type of datasets on the basis of Table 1.
Element “1” expresses positive, element “1” expresses
negative, and element “0” expresses does nothing with it.
3) Kernel function selection and classif ier training
In experiments, we select radial basis function (RBF)
as the kernel function, and 250 rows of data as the train-
ing set. The optimal kernel parameters
and penalty
of sev en two -class SVM classifier can be
obtained in (210, 215) through grid search and 5-fold
cross validation method. With the optimal parameters the
classifier can be trained.
4) Algorithm verification
Select six kinds of data from the normalized testing
dataset. Input into seven classifier and got the output re-
sults. Calculate the hamming distance between outputs
and Sparse-ECOC coding matrix. Take the category of
the minimum hamming distance as its category of be-
Table 1. The Sparse-EC O C coding schedule.
Class Codeword
1 1 1 1 0 1 1 1
2 +1 1 +1 1 0 1 +1
3 1 +1 0 1 1 +1 +1
4 +1 +1 1 1 +1 0 1
5 0 1 1 +1 +1 +1 +1
argmin{ ,}2
ij ij
== −
Equation (3) is the minimum hamming distance for-
is the code word of the jth column in the test
sample output vector.
is the code word of the ith
row and the jth column in the Sparse-ECOC coding
4. Experimental Analysis
In the simulation, fifty sensor stationary nodes are dis-
tributed in the area of 100 × 100 meters. The initial
energy of each node is two joules. Malicious nodes have
enough energy. The total simulation time is 500 seconds.
In the experiments, the train data and test data are from
NS2 wireless sensor network simulation. Datasets con-
sists of five parts: node data in Hello flooding attack, DoS
attack, blackhole attack, selective forwarding attack and
sybil attack situations. This paper compares the perfor-
mance of the modified algorithm with one-against-one me-
thod, one-against-all method and ECOC m ethod (Table 2).
In Figures 2 and 3, we can see that Sparse-ECOC
method has a distinct advantage in each attack detection
when compares with one-against-one method and one-
against-all method. The data in Figure 4 shows the de-
tection accuracy comparison between Spar se-ECOC me-
thod and Hadamard method. They have the similar accu-
Copyright © 2013 SciRes. CN
Table 2. Detection accuracy and average training time of four ECOC encoding method.
Encoding Method Detection Accuracy (%) Average Training Time (s)
hello flooding blackhole selective forwarding DoS sybil
Sparse-ECOC 96.19 96.15 91.07 95.24 92.73 9.825189571
Hadamard 94.16 96.09 88.21 96.19 93.26 12.593525428
one-against-one 90.96 91.06 80.17 90.35 90.14 2.913055304
one-against-all 90.95 90.92 80.08 90.31 82.17 8.700531809
Figure 2. Accuracy comparison between Sparse-ECOC
method and one-against-one method.
Figure 3. Accuracy comparison between Sparse-ECOC
method and one-against-all method.
Figure 4. Accuracy comparison between Sparse-ECOC
method and Hadamard method.
racy in blackhole attack, DoS attack and sybil attack, but
Spar se-ECOC method is better in hello flooding attack
and selective forwarding attack.
Figure 5 shows the number of sub-classifiers needed
in four encoding methods and the training time cost of
each sub-classifier. From the picture, we can see that
one-against-one method spends the least amount of time,
but it needs the most number of sub-classifiers. One-
against-all method needs the least number of sub-clas-
Figure 5. Training time of four encoding methods.
sifiers, but it has low detection accuracy of attacks. Ha-
damard method has the same number of sub-classifiers as
Spar se-ECOC method, but its time efficiency is far lower
than the latter. These results demonstrate that Sparse-
ECOC method provides a better approach for improving
attack detection rate and time efficiency.
5. Conclusion
In this paper, a multi-class SVM algorithm is constructed
based on Hadamard coding algorithm. Through the expe-
riment, higher accuracy of attack detecting is obtained.
By comparing the results with that of Hadamard method,
one-against-one method and one-against-all method, it is
found that the modified algorithm is a better approach for
attack detection.
[1] H. Ehsan and F. A. Khan, “Malici ous AODV: Implemen-
tation and Analysis of Routing Attacks in MANETs,”
IEEE Trust, Security and Privacy in Computing and
Communications Conference TRUSTCOM, Liverpool,
25-27 June 2012, pp. 1181-1187.
[2] N. Shahid, I. H. Naqvi and S. B. Qaisar, “Quarter-Sphere
SVM: Attribute and Spatio-Temporal Correlations Based
Outlier & Event Detection in Wireless Sensor Networks,”
IEEE Wireless Communications and Networking Confe-
rence WCNC, Shanghai, 1-4 April 2012, pp. 2048-2053.
[3] S. Xu, C. Hu, L. Wang and G. Zhang, “Support Vector
Machines Based on K Nearest Neighbor Algorithm for
Outlier Detection in WSNs,” Proceedings of the 8th
Wireless Communications, Networking and Mobile Com-
puting International Conference WICOM, Shanghai,
Copyright © 2013 SciRes. CN
21-23 September 2012, pp. 1-4.
[4] D. Bi, X. Wang and S. Wang, “Particle Swarm Optimiza-
tion Clustering for Target Classification in Wireless Sen-
sor Networks,” Proceedings of the 4th Natural Computa-
tion International Conference, Jinan, 18-20 October 2008,
pp. 111-115.
[5] A. B. Raj, M. V. Ramesh, R. V. Kulkarni and T. Hema-
latha, “Security Enhancement in Wireless Sensor Net-
works Using Machine Learning,” High Performance
Computing and Communication & 2012 IEEE 9th Inter-
national Conference on Embedded Software and Systems
HPCC-ICESS, Liverpool, 25-27 June 2012, pp. 1264-
[6] X. Liu, X. Zhang and J. Duan, “Speech Recognition
Based on Support Vector Machine and Error Correcting
Output Codes,” Pervasive Computing Signal Processing
and Applications International Conference PCSPA, Har-
bin, 17-19 September 2010, pp. 336-339.
[7] F. Masulli and G. Valentini, “An Experimental Analysis
of the Dependence among Codeword Bit Errors in ECOC
Learning Machines,” Neurocomputing, Vol. 57, 2004, pp.
[8] J. Wales, “Hadamard matrix From Wikipedia,” 2013.
[9] M. M. Khedkar and S. A. Ladhake, “Robust Human Iris
Pattern Recognition System Using Neural Network Ap-
proach,” Information Communication and Embedded
Systems International Conference ICICES, Chennai, 21-
22 February 2013, pp. 78-83.
[10] C. E. Loo, M. Y. Ng, C. Leckie and M. Palaniswami,
“Intrusion Detection for Routing Attacks in Sensor Net-
works,” International Journal of Distributed Sensor Net-
works, Vol. 2, No. 4, 2006, pp. 313-332.