FBDR-Fuzzy Based DDoS Attack Detection and Recovery Mechanism for Wireless Sensor Networks

Wireless sensor networks (WSN) is considered as one of the exploring technology for its deployment of the massive number of dedicated sensor nodes which sense the environment and collect the data. The collected data are sent to the sink node through the intermediate nodes. Since the sensors node data are exposed to the internet, there is a possibility of vulnerability in the WSN. The common attack that affects most of the sensor nodes is the Distributed Denial of Services (DDoS) attack. This paper aims to identify the DDoS (Flooding) attack quickly and to recover the data of sensor nodes using the fuzzy logic mechanism. Fuzzy based DDoS attack Detection and Recovery mechanism (FBDR) uses type 1 fuzzy logic to detect the occurrence of DDoS attack in a node. Similarly fuzzy- type 2 is used for the recovery of data from the DDoS attack. Both the type 1 fuzzy-based rule and type 2 fuzzy-based rule perform well in terms of identifying the DDoS attack and recover the data under attack. It also helps to reduce the energy consumption of each node and improves the lifetime of the network. The proposed FBDR scheme is also compared with other related existing schemes. The proposed method saves energy usage by up to 20% compared with the related schemes. The experimental results represent that the FBDR method works better than other similar schemes.


Introduction
Fuzzy-based logic system is widely used to recognize the DDoS attack. This system is considered as the most effective attack detection method, which resolves with imprecise, vague boundaries among the normal traffic and various levels of attacks. It accurately detects the occurrence of the attack and it also identifies the strength of the attack [11]. Since early 1990's fuzzy system has been implemented because of its adaptation capabilities. The growth has created a variety of fuzzy system that solves various types of problems in different application area [12]. There are various classifications in DDoS attack, among which flooding attack is considered in the proposed work. In this paper, the detection and recovery from DDoS (Flooding) attacks have been discussed.
The main contribution of the paper is.
• Type1 Fuzzy-based rule is framed to detect DDos attacks with the input values of Energy Consumption, Response time and Packet count. • The recovery model is constructed that the DDos attacked node will be redirected to the sink using the alternate path. • The identification of alternate path and the sink path are computed using the Type2 Fuzzy-based rule.
The rest of the paper is organized as follows. In Sect. 2, various fuzzy and machine learning techniques and comparative study between them is presented. Section 3, discusses the proposed fuzzy-based system. Section 4 contains the simulation results and performance evaluation and finally, Sect. 5 covers the conclusion respectively.

Related Works
The detection schemes for various DDoS attacks and detection of a DDoS attack in WSN is discussed in the literature survey. Xia et al. [11] proposed an intelligent fuzzy logic method that has two stages. The first stage is, the attack identification and the second stage is intelligent fuzzy logic, which was used for deciding the strength of DDoS flood attack. During the attack identification, for each new traffic, the co-efficient of the wavelet and SIC (Schwarz Information Criterion) statistic was updated. SIC is the technique used to evaluate repeatedly the network change-point. After identification, the network traffic is segmented into pieces and then the strength of the attack was identified based on fuzzy logic. The Hurst parameter also used to evaluate the strength of the DDoS flood attack. An intelligent DDoS judgement method [13] was proposed to detect the DDoS attack based on judgement. The Hurst parameter is calculated based on VTP (Variance-Time Plots), RVTP (Real-time Variance-Time Plots) and Real-time Detection of DDoS Attack based on Fuzzy Logic (FRVTP). The judgement is made by the result obtained from many DDoS attack. They analyzed the FRVTP method and traditional methods. From the comparative analysis made, it was found the FRVTP method given a better result in real-time. Fuzzy logic based defence mechanism [14] has four phases. They are the learning phase, Traffic analysis, Anomaly detection, and attack prevention. In the learning phase, the rules are created and framed inside the fuzzy system. This system learns the rule that was fed inside it. In the traffic analysis phase, the traffic is analyzed (normal or abnormal traffic) and evaluated based on the rules. In the anomaly detection phase, an alarm was generated if any malicious traffic found. The unwanted packets from the malicious node are discarded traffic in the attack prevention phase. Li et al. [15] proposed PCA-RNN (Principal Component Analysis-Recurrent Neural Network) method to extract the features of the DDoS attack like flow time, slow connection, flood, etc. It is transformed into a PCA matrix for further analysis. PCA is the most efficient dimension reduction method. The correlated values are converted into values. The values are stored inside RNN to train it and the trained values are used to detect the DDoS attack. ML-based detection method [16] has two modules. The first module is pre-trained; it is already trained to find out the victim machine. The second module is online learning, it was trained by itself and updates the first module day-by-day. Four types of DDoS attack is detected using ML method and it prevents the attacks further affecting the system.
The Fuzzy logic methodology [17] uses the AODV protocol to evaluate different kinds of attacks. Among the attacks, the DDoS attack (Flooding) is identified, based on the transfer speed of data packets, loss of data packets and the delivery ratio. FBDPS(Fuzzy Based Detection and Prediction of DDoS Attacks) method [18], analyze the energy consumption of each node to predict the existence of the malicious node. According to this method, the nodes are compromised in the MAC layer by DDoS attack. The compromised nodes can be identified by the energy consumption rate. Usually, the malicious node while launching the attack, the energy consumption rate of a node varies. So based on that rate we can easily differentiate the normal node and malicious node. A threshold value is used for the energy consumption and packet delivery rate to classify a different kind of malicious nodes in the MAC layer. A fuzzy Markov chain model is used in FBDPS method to analyze the energy consumption of each sensor node. FLONF method [19] detect different kinds of DDoS attack like land attack, mail bomb attack, smurf attack and ping of death attack. Four different algorithms are used to detect such attacks. The detection is based on the flow rate and the number of flows. The algorithms used in this method detect the DDoS attacks faster and the rules for detecting the attack were also simple. FRI method [20] uses a fuzzy inference system for the detection of a DDoS attack. The fuzzy inference system stores the fuzzy input into the fuzzy set and calculates it. The calculated rules are used to detect the DDoS attack more efficiently.
The IPS based protection method [21] uses fuzzy logic and a Q-learning algorithm for detecting and preventing the system from the DDoS attack. It first analyzes the traffic in the network and then examines the DDoS attack utilizing a learning method and artificial intelligence. In this approach, the packets are captured and the details of the packets are collected. Then the collected details are stored inside the log files and the reliability index is calculated to identify the risk of the malicious packet. Now the abnormal behaviour of the node can be identified by using neuro-fuzzy rules. The Fuzzy Q-learning method is used for the quick detection of the DDoS attack. The Fuzzy Q-learning method will investigate each packet and checks for any abnormal behaviour in the packets. If any abnormal packets are identified, then those packets will be dropped. Then the result is stored to avoid the system from the same attack in the future. The fuzzy estimator method [22] is used to detect DDoS attack and to identify the IP address of the malicious one. It is identified to avoid further intrusion of DDoS attack. But the identified IP address is not so accurate. In the Bio-inspired Bat algorithm [23] is used to identify the attack as like the bat find its prey even in dark. It is an evolutionary-based algorithm, where each bat denotes a solution. It is the best method to detect the attack even in any situation but prevention is not possible. CNN Ensemble framework [24] encounters the most sophisticated DDoS attack in SDN and the detection is more accurate. Flexible SDN-based Architecture [25] detects and reduces the Low-Rate DDoS attack. It utilizes six Machine Learning models to train the SDN-based architecture to detect the attack more accurately. And the detection rate is up to 95%. MSCD method [26] has three parts to identify the clone attack. The first part is to build the path of the head node and the second part is to decide the witness for each node in the network. Finally the third part is used to verify the legitimacy of the messages before sending to the head nod in the witness ring. Novel intrusion detection technique [27] with PD (Pearson's Divergence) is used to detect the intrusion that usually compromises the node. The compromised node exists for a long time in the network so that it can affect and collapse the system. Pearson's Divergence technique is used to detect the attack and it improves the accuracy of the detection.SIP based defence mechanism [28] detects SR-DRDoS attack using IP spoofing technique. This type of attack improves the CPU load upto 100%. SIP mechanism has three modules named as statistics, Inspection and Action to identify the abnormal traffic to reduce the CPU load. The statistics module collects various traffics, Inspection module compares the traffic and finally action module identifies the abnormal traffic (SR-DRDoS attack) and drop or blocks it. IHSM Scheme [29] proposed three algorithms namely, EMABRD, SACOP and FZKA. EMABRD algorithm uses energy utilization threshold to identify the replica node. The detection rate of malicious node of SACOP algorithm is faster than EMABRD algorithm. FZKA algorithm stores the fingerprint of all the nodes in the cluster head and the finger print of the cluster heads will be stored in the base Station. So the cluster head and Base station involve in the detection of malicious node. FZKA algorithm also reduces the storage and communication overheads. OLWPRAD method [30] uses online dataset to detect the anomalies. It uses Principal Component Analysis (PCA) to manage the data. The detection of abnormal data in OLWPRAD can be done by dynamic threshold method. AIS-IDS method [31] is an effective approach to detect and reduce different kinds of flooding attack. It reduces the anomalies by dropping and blocking it. A distributed estimator framework [32] is used to detect randomly acquiring DoS attack or Data integrity attack. Each sensor is embedded with an statistical learning based detector and it is capable enough to detect the attacks effectively. SKG Scheme [33] identifies the active attacks while generating secret key. This scheme uses SVD technique and private pilot to identify the various active attacks. It usually authenticates the sender for protection against the active attacks. The DLDM Framework structure [34] is used to identify the different kinds of DDoS attack effectively, thereby it improves the throughput and it also reduces the energy consumption. EPSM [35] is proposed to detect the wormhole attack and it also used to minimize the energy consumption and the overhead of the network. The EPSM method has two stages to identify the wormhole attack. If both the stages are unsuccessful, it means that the attack is identified and the blacklist is announced. The MSIDN method [36] is used to identify and reduce the Distributed Denial of Service attacks and Flooding based DoS in Named Data Networking while Mitigation of the attacks will never damage the reliable users. It also reduces the traffic and network overhead. Lower-edge routers are used for stopping the malicious node from the origin. SDN-EHCND Mechanisms [37] is used to detect and keep away from the unnecessary nodes which occur because of cloning attack. The HCND method identify clone node and remove the clone attack available in the Wireless Networks. Superimposed SDIS junction code is used to find out the clones locally and globally. SLGBM method [38] is an intrusion detection method, it has two main algorithms they SLS algorithm and Light GBM algorithm.SLS algorithm minimize the communication overhead and the Light GBM algorithm detect the various network attacks in the WSN effectively. The summary of the related works is represented in Table 1. EMA model [40] is used to detect the replica attack node based on the energy consumption of each node. This model has three phases, they are Energy Prediction, Threshold Setting and finally replica based detection process. In the energy prediction phase, energy of each node is identified by the amount of time the node exists in each state. And the threshold is fixed in the threshold setting phase based on the prediction error, energy consumed in each state and the total number of messages sent and received by a node. In the final process, sink node will evaluate the actual energy consumption of each node. If the actual energy consumption of a node is more than the predicted energy consumption, then that node is considered as the malicious node. DWA-SPS Mechanism [41] in the beginning generates all the paths from the source node to the destination node by using AOMDV (Adhoc On Demand Multipath Distance Vector) Protocol. After the generation of the multiple paths, source node will send the Detection Packet through the multiple paths to reach the destination node. Later the Feedback Packet produced from each intermediate node for the Detection Packet in the multiple paths. Then the comparison for the Feedback Packet with the Detection Packets was made by the source node. Based on the comparison the source node can able to detect the wormhole attacked path and it will send the packet to the secure optimal path, which was selected by using Particle Swarm Optimization Algorithm (PSO).
Mobile Malicious Node Detection Method [42] groups all the sensor nodes in different cluster. And the cluster head in each cluster uses rule-based anomaly detection method to identify the attack from the entire sensor node in the cluster. A mobile agent usually collects the data from all the cluster head and sends it to the sink. Before collecting the data from the cluster head, the mobile agent verifies whether the cluster head is trust worthy or not. Similarly the cluster head also checks whether the mobile agent is malicious or not. This verification process by the mobile agent and the cluster head can do by three-step negotiation process.
Neuro-fuzzy Based Intrusion Detection System [43], separates the suspected nodes from the normal nodes by using Fuzzy Inference rule. It uses the trust value to identify the malicious node. If the trust value of particular node is maximum, that node is considered as the legitimate node. If the trust value of a node is minimum or average, it is consider as the enemy node or distrust node. Finally the Artificial Neural Network is used to perform the refining process to identify the various DDoS attacks more accurately. The parameters like packet drop, residual energy, packet forward etc. of each enemy node and distrust node is given as the input to the ANN to identify the malicious node.
XGBoost classification model [44] mainly used for IDS dataset classification. This datasets are collected from the kaggle repository, where the data's are in the form of categorical or numerical value. This data's are converted into numerical value by one-hot encoding technique. Then the features of the dataset are standardized by using standard scalar technique. And the PCA algorithm is applied on the transformed dataset for dimensionality reduction and for more accuracy in detection of intrusion. Hybrid PCA-GWO method [45] was introduced to detect the intrusion in Internet of Medical Things. This method uses DNN model, which introduces PCA and GWA to analyze and predict the attacks very accurately. One-hot encoding is used to transform the collected data into numerical value and PCA-GWO is applied on to the transformed data to reduce the dimensionality. CANintelliIDS method [46] is the combination of both Convolutional Neural Network and Attention based Gatted Recurrent Unit (AGRU). It is mainly used to detect the single or mixed intrusion attacks in CAN bus. CNN gets the sequence of data from the various CAN bus to detect the pattern of anomaly. AGRU has reset and update gate to identify the amount of memory that is needed around it.
Based on the studies carried out in this field it is clear that the principal focus of most of the existing works are detecting the DDoS attack alone and there is no prevention measure available. Moreover the perfect level of reliability has not been accomplished due to their limited approach and concentration only on the application techniques. Therefore to deal with the problem a novel approach is proposed in this work.

Proposed Work
Initially, nodes are deployed in the environment to form the network. The entire sensor nodes are randomly deployed with the same energy within the specified network area. Nodes can sense the environment in the form of data, these data packets are sent to the sink node. The packets are sent to the sink through the path which has been already calculated and identified; usually, the path is the collection of nodes. If any node in the path consumes more energy, and is flooded with data packets, it takes high response time and it is assumed that node is affected by DDoS (Flooding) attack. This prediction is made by type 1 fuzzy-based rule where energy consumption, response time and packet counts are given as the input parameters. If DDoS attack is detected, it is necessary to mark that particular node in that path as the dead node. To avoid the packet loss, the packet needs to be sent to the sink through the alternate path identifying the possible alternate paths to the sink. These paths can be identified based on a type2 fuzzy-based rule where distance, energy consumption, and packet size are given as the input parameters. From the thorough study that was made in fuzzy systems, it was very clear that the fuzzy system have a structure that is very simple and that can be established very easily too. Since the fuzzy system is more flexible, the rules can be changed at anytime. It is also deal with complex problems with indefinite inputs and makes decisions properly. It utilizes very less memory space.

System Mode
• The nodes are deployed randomly inside the network. • Each sensor node is mobility in nature so that it can move inside the network area.
• Each sensor node is homogenous. • A sink may be available anywhere inside the network area.
The nodes in the WSN are not protected against the DDoS attack. Usually, this attack drains the battery power of the sensor nodes and reduces its lifetime. To detect the DDoS attack and to secure the nodes from this attack, Fuzzy based DDoS detection and Recovery method has been proposed. It uses the type 1 fuzzy-based rule to detect the DDoS attack and type 2 Fuzzy based rule to secure the nodes. The workflow diagram for the proposed is shown in Fig. 1.

Detection Method
The Data Packets are sent from the source node to the sink. The sensor node transmits the data packets to the nearest node in the path to reach the sink. But, before passing the packets to a node, it is examined and evaluated based on the fuzzy logic. It has three input variables. They are Energy_consumption, Response_time, and Packet_count. Each and every node in the network have their own Energy Consumption, Response Time and packet count, which are stored in the routing table located in the sink. Based on the type1 fuzzy rule, the particular node was examined whether a DDoS attack occurs or not. Fuzzy logic is used to determine the occurrence of DDoS attacks in a node based on a decision. It mainly uses true or false and "truth" degree.
The output is obtained based on the three inputs provided to the type1 fuzzy-based rule. The three inputs are considered as input parameters and each input parameter has membership functions. The membership function is mainly utilized for executing the element's fuzziness in the fuzzy set. The fuzzy set is used for solving a problem depending on its experience. The output of type 1 fuzzy-based system depends on the input supplied to the fuzzy system.
The block diagram of Type1 Fuzzy based DDoS attack detection system is shown in Fig. 2, it has three input parameters they are Energy_consumption, Response_time, and Packet_count. The input parameters are supplied for the fuzzification process to obtain the fuzzy-based input value with the information provided by knowledge-based rule. Then the fuzzy-based value is sent for the defuzzification process and finally, the output is obtained by the defuzzification process. Based on the obtained output value we can verify whether there is a DDoS attack inside the network. The type1 fuzzy-based detection system also has three inputs parameters and each parameter has three membership functions. Based on the input parameters and the membership functions 27 rules are formed. Table 2 represents the fuzzy rule for various inputs and outputs.
The algorithm1, which is mentioned below, represents the type 1 fuzzy-based DDoS attack detection algorithm. The current node collects the information (energy consumption, response time and packet count) from the next nearest hop to which it is about to send its packets and verifies the information using type 1 Fuzzy Based Detection method. If the energy consumed by the nearest sensor node is greater than the threshold energy value similarly if the response time and the packet count is more than the threshold value then that particular node is considered as malicious node. At once, the recovery method is called otherwise the normal broadcast takes place.

Input Membership Functions
The input and output member functions are framed by trapezoidal and triangular functions respectively. The Response_time membership function has variables like more, normal and less for evaluating the response time as shown in Fig. 3.  The response time has been measured by using the trained system as in FLQL method [21]. The Measurement of the membership function of Response_time for various variables like more, normal and less are represented in Eqs. 1, 2 and 3.
The Energy_consumption membership function has variables like high, medium and low for evaluating the energy consumption as shown in Fig. 4.
The Measurement of membership functions of Energy_consumption for various variables like high, medium and low are represented in Eqs. 4, 5 and 6.
Similarly, the Packet_count membership function has variables like maximum, normal and minimum for evaluating the packet count as shown in Fig. 5.
The number of packets sent by a normal sensor node and malicious node varies, the packet count of each node can be measured accordingly [11]. The Measurement of the Fuzzy rules are fixed for the constraints of the membership functions like Response_ time, Energy_consumption and Packet_count are as shown in Fig. 6.

Output Membership Functions
MATLAB's fuzzy rule viewer is shown in Fig. 7. IF-THEN conditions are used for generating fuzzy rules. The input and output of various membership functions are depicted in the fuzzy Table2.
Membership functions for DDoS attack status:

Recovery Method
To recover the data packets from DDoS attack, in the proposed method, the packets which are sent to the node that is affected by the DDoS attack will be redirected to the sink through an alternate path. The nodes that utilizes less energy and which is very near to the sink are identified to redirect the data packets. To identify the alternate paths, a type2 fuzzy-based rule is used with the inputs parameters as Energy_consumption, Distance, and Packet_size. Once the alternate node is chosen, the node is examined again by the type1 fuzzy-based detection system to verify if the node is affected by DDoS attack or not. This process is called backtracking. The block diagram for the type2 fuzzy-based recovery system is represented in Fig. 8. The type 2 fuzzy based recovery system has three parameters (Distance, Energy_consumption and packet_size).
The fuzzy set has crisp input and it is given to the fuzzifier. The input (crisp) vector Inp' = (Inp 1 '......Inp p ') are represented as shown below [39]. The interval of the three inputs are [0,1]. The inputs are Distance, Energy_consumption and the Packet_size. The rules for the fuzzy based recovery system are represented in the Table 3.
Based on the assumption the parameter for the input variables like Distance is considered as ip1, Energy_consumption as ip2, and finally Packet_size as ip3. The variables for the outputs are Sink path identification as GP1 and Alternate path identification as GP2.
where σFRi(inpi) is the lower membership function and σFRi'(inpi) is the larger

Defuzzification
The extended output, Algorithm 2 represents the type2 fuzzy-based recovery algorithm, which is mainly used to redirect the packets to the sink through the alternate path. The current node collects the information from the next nearest hop to choose the correct path towards the sink. The path towards the sink can be identified based on decision made by type2 fuzzy based rule. The Distance membership function has variables like near, medium and far for evaluating the distance as shown in Fig. 9.
The Energy_consumption membership function has variables like less, medium and huge for evaluating the energy usages as shown in Fig. 10.
The Packet_size membership function has variables like small, medium and large for evaluating the size of the packets as shown in Fig. 11.

Performance Evaluation
In the proposed scheme FBDR method (Fuzzy Based Detection and Recovery method) is used to detect a DDoS attack. The sensor nodes are deployed randomly in a 500 × 500 m specified area. The sensor nodes are varied from 50 to 500. The sensor nodes are homogeneous so that all the nodes utilize the same energy, sensing range, etc. The sink is located (13)   anywhere in the specified area. The data packets from different sensor nodes are transferred to the sink. Nodes are deployed only after the calculation of the Euclidean distance [3]. The Euclidean distance is calculated as The sensibility of Se i at the point 't' can be represented as where D(Se i ,t) be the distance between sensors. 'Se i ' be the sensors, 't' be the point at position (q, r), ϒ, j be the sensor dependent positive constant. Euclidean distance is calculated to fix the distance between each sensor node. If the distance is less between the sensors, the sensitivity between the sensors is high so we need to calculate Euclidean distance before deploying it in a position. The proposed FBDR method reduces the usage of the buffer, energy consumption and response time. It also increases the lifetime of the network and increases the live nodes even after 450 rounds. The proposed method was evaluated and compared with the related DDoS detection strategies like the FLQL method [21], FSDNA [25], SACOP algorithm [29] and DLDMFS [34] Table 4 represents the simulation parameters. Figure 12 represents the lifetime of the network based on the different number of sensors. It is mainly used to evaluate the capability of the FBDR method concerning the lifetime of the network. The sensor nodes taken for our simulation work are 200, 300, 400 and 500. The fuzzy-based detection and recovery method is compared with the related strategies. As the count of the sensor nodes increases the lifetime of the network also gets increased. The FBDR method can save up to 30% of network lifetime compared to the other related strategies.  Figure 13 represents the number of alive sensor nodes in each round. The FBDR method performs better than the other related strategies because there are alive nodes even after 450 rounds, but in the other related strategies, no more alive nodes available in 400 rounds which in turn affect the lifetime of the network. The distance between the sensors, while it is deploying in a position, has been evaluated by the Euclidean distance equation and it is found that the number of alive nodes is high in this method. Further, it is identified that all the sensors utilized very less energy if the distance between them is less and alive even after 450 rounds.  Figure 14 represents the FBDR method with less packet drop rate than the related strategies as FBDR method uses Fuzzy based type2 rule. It uses three types of inputs; they are Distance, Energy_consumption and Packet_size. These are used to analyze the DDoS attack affected nodes and the packets are redirected to the sink through an alternate path. It is found that, these inputs are not available in other strategies; the number of packets loss is higher in other related strategies.  Figure 15 represents the energy utilization of each sensor concerning the time. The FBDR method is compared with other related strategies. Since all the sensors are deployed very close to each other and the fuzzy-based rule is used, the sensor consumes very less energy than the sensors in the other related strategies. Figure 16 shows the response time concerning the time. The proposed FBDR method has 20% less response time than the other related strategies. Since the fuzzy-based rule is used for detection and fuzzy-based type2 rule is used for recovery. The response time of our proposed FBDR method has slight improvement over the other related strategies. Figure 17 represents the utilization of buffer in the proposed FBDR method and other related strategies. The usage of the buffer is the main perspective for evaluating the overhead of the sensors. If the size of the buffer is less, the algorithm performs well. The FBDR method use 10% less buffer size than the other related strategies. Figure 18 represents the detection ratio in the proposed FBDR method and other related strategies. The detection rate of each strategy is evaluated and compared with each other. If the detection rate is more, the algorithm performs well. The detection rate of the proposed FBDR method is more than the other related strategies.  Figure 19 shows the execution time of the proposed FBDR method and the other related schemes with different number of sensor nodes. It is clearly visible that the FDBR method has less execution time compared to other related strategies. The proposed FDBR method has very less execution time and also very less computational complexity compared to other related strategies. The overall comparison of performance analysis is demonstrated in Table 5.

Conclusion
We propose a new FBDR method to detect the DDoS(Flooding) attack and to redirect the data packets to the sink through the alternate path. The FBDR method analyzes the energy consumption, response time and data packet count of each sensor. The FBDR method uses type1 fuzzy-based rule to detect the occurrence of the DDoS attack. So it quickly identifies the sensor node that was affected by the DDoS attack. Moreover, to avoid packet loss, the packets are redirected to the sink through the alternate path using the recovery method. The recovery method uses type2 fuzzy-based rule, by making an analysis on the packet size, energy consumption, and distance of each node. The proposed method saves energy usage by up to 20% compared with the related schemes. The proposed work examines the energy efficiency of the FBDR method by analyzing the buffer usage, packet drop rate, response time and a lifetime of the network. Based on the conclusion drawn from this study, the future focus would be the prevention measures using the neuro-fuzzy approach. From the conclusion made from this study, we aim to work on to enhance the FDBR method more up-to-date by combining both the benefits of neural network and Fuzzy Inference system. So that it can mitigate the DDoS attack in the early stage itself.