DEIM Forum 2019 A8-1

Fuzzy logic and ECA rules-based misbehaving-node detection for cluster-based heterogeneous IoT systems

Nesrine BERJAB†, Hieu Hanh LE†, Chia-Mu YU††, Sy-Yen KUO†††, and Haruo YOKOTA†

† Tokyo Institute of Technology, 2-12-1 Ookayama, Meguro-ku, Tokyo 152-8550, Japan
†† National Chung Hsing University, 145 Xingda Road, South District, Taichung City 40227, Taiwan
††† National Taiwan University, No. 1, Section 4, Roosevelt Road, Taipei 10617, Taiwan
E-mail: †{berjab,hanhlh}@de.cs.titech.ac.jp, ††chiamuyu@gmail.com, †††sykuo@ntu.edu.tw, ††††yokota@cs.titech.ac.jp

Abstract IoT devices have been the subject of much interest. Nevertheless, these devices are resource constrained and susceptible to false-data-injection attacks and failures, leading to unreliable and inaccurate sensor readings. In this paper, we propose a hierarchical framework for detecting misbehaving nodes in WSNs. It uses fuzzy logic in event-condition-action (ECA) rule-based WSNs to detect malicious nodes, while also considering failed nodes. The spatiotemporal semantics of heterogeneous sensor readings are considered in the decision process to distinguish malicious data from other anomalies. Our experiments using a real-world dataset demonstrate that our approach can provide high detection accuracy with low false-alarm rates.

Key words Internet of things, wireless sensor network, security, misbehaving node detection, fuzzy logic, sensor correlation, ECA rules

1. Introduction

The Internet of Things (IoT) can be described as a dynamic and distributed networked system that uses wireless connectivity and is composed of a wide range of uniquely identifiable embedded computer-like devices. One of the essential elements of the IoT paradigm is the wireless sensor network (WSN). WSNs are composed of smart-sensor nodes that monitor their environmental conditions, report sensor data, and perform appropriate actions in response to the surrounding circumstances.
However, these sensor nodes suffer from resource constraints such as processing power, memory, and energy supply. Moreover, because of the absence of appropriate high-level abstractions to simplify the programming of WSNs, application development remains challenging. In the IoT domain, “If-This-Then-That” is an example of an abstraction. It is a simple rule that triggers an action if a particular event occurs. For example, “If the room temperature increases, then regulate the air conditioner to cool the room.” However, the interaction between the two devices involved has a security issue. Decisions are taken by considering only the output of the devices, without observing whether their current operational state is normal or misbehaving. Such incomplete specifications will lead to inaccurate and unreliable sensor readings that may lead to incorrect decisions and even to real-world damage. Indeed, sensor nodes are often exposed to open or hostile environments. This makes it easy for attackers to compromise some of the sensor nodes and manipulate the integrity of the sensed data, e.g., by injecting fake packets. As far as we know, the detection of false-data-injection attacks (FDIAs) in IoT has yet to receive the attention it deserves. Most previous intrusion detection methods proposed for IoT, particularly for WSNs, focus only on specific types of network attack. Few approaches have included an efficient, adaptive WSN intrusion-detection application that considers methods for programming the sensor nodes.

To answer these challenges and to guarantee reliable monitoring in WSNs, we propose a new hierarchical framework based on fuzzy logic for detecting misbehaving nodes in event-condition-action (ECA) rule-based WSNs. Our contribution is to provide an integrated solution for programming the sensor nodes and detecting misbehaving nodes in a distributed manner in hierarchical heterogeneous WSNs.
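The gap in the “If-This-Then-That” rule described above can be shown in a few lines. This is an added example, not code from the paper: it contrasts a rule that acts on the reading alone with an ECA rule whose condition also checks the node's state. The crisp thresholds, the median comparison against cluster neighbours, and all names and sample reports are assumptions standing in for the paper's fuzzy logic.

```python
from dataclasses import dataclass
from statistics import median

REPORT_TIMEOUT_S = 60    # assumed: silence longer than this means the node failed
MAX_DEVIATION_C = 5.0    # assumed: tolerated gap from the cluster median
TEMP_THRESHOLD_C = 28.0  # assumed: event threshold for the cooling rule

@dataclass
class Report:
    node: str
    temp_c: float
    ts: float  # time the report was received, in seconds

def naive_rule(report):
    """If-This-Then-That: act on the reading alone."""
    return "COOL" if report.temp_c > TEMP_THRESHOLD_C else "NONE"

def node_state(node, latest, now):
    """Classify a node from its last report and those of its cluster neighbours."""
    mine = latest.get(node)
    if mine is None or now - mine.ts > REPORT_TIMEOUT_S:
        return "FAILED"    # node stopped sending report messages
    peers = [r.temp_c for n, r in latest.items()
             if n != node and now - r.ts <= REPORT_TIMEOUT_S]
    if peers and abs(mine.temp_c - median(peers)) > MAX_DEVIATION_C:
        return "SUSPECT"   # reading disagrees with spatially close nodes
    return "NORMAL"

def eca_rule(report, latest, now):
    """Event: new report. Condition: node state and threshold. Action: cool."""
    state = node_state(report.node, latest, now)
    if state != "NORMAL":
        return f"FLAG:{state}"
    return naive_rule(report)

# Constructed sample: n3 reports an injected 45 C, n4 has been silent since t=10.
NOW = 100.0
LATEST = {
    "n1": Report("n1", 24.1, 95.0),
    "n2": Report("n2", 24.6, 97.0),
    "n3": Report("n3", 45.0, 99.0),
    "n4": Report("n4", 24.3, 10.0),
    "n5": Report("n5", 24.0, 98.0),
}

if __name__ == "__main__":
    for name, rep in LATEST.items():
        print(name, naive_rule(rep), eca_rule(rep, LATEST, NOW))
```

The naive rule switches the cooling on for n3's injected reading, while the guarded rule flags n3 as suspect and n4 as failed and leaves the actuator alone.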
By controlling the sensor nodes according to a set of ECA rules, we can better express network behaviors and detect malicious nodes while considering failed nodes. Identification of failed nodes is the first step in countering the threats against WSN reliability. In this paper, we consider that when a node fails, it stops sensing the environment and sending report messages. Therefore, based on a preliminary analysis of potential fail-