
[IEEE 2011 10th International Symposium on Programming and Systems (ISPS) - Algiers, Algeria...

Date post: 19-Dec-2016

Secure Range-free Localization Scheme in Wireless Sensor Networks

Nabila Labraoui, University of Tlemcen, Algeria

Mourad Gueroui, University of Versailles, France

978-1-4577-0908-1111/$26.00 ©2011 IEEE

Abstract- Localization in wireless sensor networks (WSNs) has drawn growing attention from researchers, and a number of localization schemes have been proposed to discover the locations of regular sensors based on a few beacon nodes, which are assumed to know their locations through GPS or manual configuration. However, the localization process is vulnerable to malicious attacks aimed at interrupting the functionality of location-aware applications. The wormhole attack is a particularly challenging one since the external adversary, which acts in passive mode, does not need to compromise any nodes or have access to any cryptographic keys. In this paper, the wormhole attack in DV-hop is discussed, and a Wormhole-free DV-hop Localization scheme (WFDV) is proposed to defend against the wormhole attack with a proactive countermeasure. Using analysis and simulation, we show that our solution is effective in detecting and defending against wormhole attacks with a high detection rate.

Keywords- DV-hop; Secure localization; WSN.

I. INTRODUCTION

Recently, wireless sensor networks (WSNs) have emerged as an exciting new development in the field of signal processing and wireless communications for many innovative applications [3]. In general, sensors are event-driven and WSNs are mostly used for monitoring purposes. When a sensor detects an emergency event, its location information should be quickly and accurately determined; sensing data without knowing the sensor's location is meaningless [4]. A straightforward solution is to equip each sensor with a GPS receiver that can accurately provide the sensors with their exact location. Unfortunately, the high costs of GPS technology are at odds with the desire to minimize the cost of individual nodes. Thus it is only feasible to fit a small portion of all sensor nodes with GPS receivers. These GPS-enabled nodes, called anchor or beacon nodes, provide position information, in the form of beacon messages, for the benefit of non-beacon or blind nodes (i.e., nodes without GPS capabilities). Blind nodes can utilize the location information furnished by multiple nearby beacon nodes to estimate their own positions, thus amortizing the high cost of GPS technology across many nodes [5].

Localization in WSNs has drawn growing attention from researchers, and many range-based and range-free approaches [6, 7] have been proposed. However, almost all previously proposed localization schemes can be trivially abused by a malicious adversary, involving false position and range reports by internal attackers and position spoofing by external attackers. Since location information is an integral part of most wireless sensor network services such as geographical routing, and of applications such as target tracking and monitoring, it is of paramount importance to design localization to be resilient to location poisoning. However, security solutions require high computation, memory, storage and energy resources, which create an additional challenge when working with tiny sensor nodes [1, 2]. A trade-off between security level and performance must be carefully balanced [1].

Motivated by the above observation, our intention in this work is not to provide any brand-new localization technique for WSNs, but to analyze and enhance the security of DV-Hop algorithm, a typical range-free approach built upon hop-count. In this paper, we propose a Wormhole-free DV-hop Localization scheme (WFDV), to thwart wormhole attacks in DV-Hop algorithm. We choose the wormhole attack as our defending target, since it is a particularly challenging attack which can be successfully launched without compromising any nodes or having access to any cryptographic keys. Hence, a solution that depends only on cryptographic techniques is clearly not effective enough to defend against wormhole attacks.

The main idea of our approach is to plug a proactive countermeasure, named infection prevention, into the basic DV-Hop scheme; it consists of two phases to detect wormhole attacks. The first phase applies two inexpensive techniques and utilizes local information that is available during the normal operation of sensor nodes. The advanced technique of the second phase is applied only when a wormhole attack is suspected, to remove the packets delivered through the wormhole link. Thus, in case there are no wormholes in the network, the sensors do not need to waste computation and communication resources. After eliminating the illegal connections, the DV-Hop localization procedure can be successfully conducted. We present simulations to demonstrate the effectiveness of our proposed scheme.

The paper is organized as follows. Section II describes the problem statements. Section III describes the system model. In Section IV, we describe our proposed Wormhole-Free DV-Hop based localization in detail. In Section V, we present the security analysis. In Section VI, we present the simulation results. Section VI reviews the related work on secure localization. Finally, Section VII concludes this paper.

II. PROBLEM STATEMENTS

In this section, we describe the DV-Hop localization scheme, its vulnerability to the wormhole attack and the impact of this attack on the location accuracy.

A. The basic DV-Hop Localization scheme

Niculescu and Nath [8] have proposed the range-free DV-Hop, which is a distributed, hop-by-hop localization algorithm. It is easy to implement and places fewer demands on the hardware [9]. The algorithm proceeds in three steps:

In the first step, each beacon node broadcasts a beacon message, to be flooded throughout the network, containing the beacon's location with a hop-count value initialized to zero. Each receiving node maintains the minimum hop-count value per beacon over all the beacon messages it receives. Beacons are flooded outward with hop-count values incremented at every intermediate hop.

In the second step, once a beacon gets the hop-count values to the other beacons, it estimates an average size for one hop, which is then flooded to the entire network. The average hop-size is estimated by beacon i using the following formula:

(1)

where (x_i, y_i), (x_j, y_j) are the coordinates of beacon i and beacon j, and h_ij is the number of hops between beacon i and beacon j. Blind nodes receive hop-size information and save the first one. At the same time, they transmit the hop-size to their neighbor nodes. At the end of this step, blind nodes compute the distance to the beacon nodes based on the hop-size and the hop counts to the beacon nodes:

$$d_i = \mathrm{hopcount}_i \times \mathrm{HopSize}_i \qquad (2)$$

In the third step, after the blind node obtains three or more estimated values from anchor nodes, it can compute its physical location in the network by using methods such as triangulation [19].

B. Impact of the wormhole attack on DV-Hop

The wormhole attacks [20, 21] are relatively easy to mount, while being difficult to detect and prevent. In a typical wormhole attack, when one attacker receives (captures) packets at one point of the network, it tunnels them through the wormhole link to the other attacker, which retransmits them at the other point of the network. Since in the wormhole attack the adversary replays recorded messages, it can be launched without compromising any network node, or the integrity and authenticity of the communication. As a consequence, a wormhole attack can affect localization by leading two nodes located more than one hop away into believing that they are within communication range and into exchanging information as if they were immediate neighbors. Launching a wormhole attack in DV-hop can cause two impacts:

1. Causing position error: The wormhole attack can greatly deteriorate the DV-Hop localization procedure. It can affect the first step by making the hop count abnormal; consequently, the second step is also affected and the entire localization scheme is ruined. As seen from Figure 1, a wormhole link between malicious nodes A1 and A2 exists. A1 receives the beacon message from B1 with a hop-count equal to 1 and tunnels it to A2. A2 replays the beacon message and transmits it to S2. Normally, beacon nodes B1 and B2 are 5 hops away, but in the presence of a wormhole link, the hop-count between them becomes 2, which leads B2 to make a false estimation of the average hop size. In the same way, sensor nodes near B2 will assume smaller hop counts to B1, and triangulation will provide a highly inaccurate position estimate.

2. Energy depletion: The nodes have to transmit more replayed messages under attack, and thus consume more energy than in a benign environment. This is fatal for a network with limited resources.

[Figure 1 diagram: nodes B1, S1, A1, A2, S2, S4, S5, S6 and B2, with a wormhole link between A1 and A2. Hop-count (B1→B2) = 5 on the normal path; hop-count (B1→B2) = 2 via the wormhole. Legend: sensor, beacon, attacker.]

Figure 1. The impact of wormhole attack on DV-hop localization.

III. SYSTEM MODEL

This section illustrates our system model including communication, network, and adversary models.

A. Simplified Path-Loss Model

In this subsection we study how to characterize the variation in received signal power over distance due to path loss, inspired by [22], [23]. Path loss is the term used to quantify the difference (in dB) between the transmitted signal power, Pt, and the received signal power Pr(d) at distance d. The simple path-loss model predicts that the mean path loss, PL(d), measured in dB, at a transmitter-receiver separation distance d will be:

$$\overline{PL}(d) = \overline{PL}(d_0) + 10\,\gamma \log_{10}\left(\frac{d}{d_0}\right) \qquad (3)$$

where PL(d0) is the mean path loss in dB at the close-in reference distance d0, which depends on the antenna characteristics and the average channel attenuation, and γ is the path-loss exponent. In a free-space environment, γ = 2. The reference distance d0 is chosen to be in the far-field of the antenna, at a distance at which the link is approximately that of free space. Typically, d0 is chosen to be 1-10 meters for indoor environments and 10-100 meters for outdoor environments. When the simplified model is used, the value of PL(d0) is set to the free-space path gain at distance d0 assuming omni-directional antennas:

$$\overline{PL}(d_0) = 20 \log_{10}\left(\frac{4\pi d_0}{\lambda}\right) \qquad (4)$$

where λ = c / f is the wavelength of the transmitted signal (c is the speed of light, 3×10^8 m/s, and f is the frequency of the transmitted signal in Hz). The path losses at different geographical locations at the same distance d (for d > d0) from a fixed transmitter exhibit a natural variability due to the environment that results in log-normal shadowing. It is usually found to follow a Gaussian distribution with standard deviation σ dB about the distance-dependent mean path loss PL(d). Finally, the received signal power at a separation distance d based on the transmitted signal in dB is:

(5)

The IEEE 802.15.4 standard [25] addresses a simple, low-cost and low-rate communication network that allows wireless connectivity between devices with limited power. Recently, most sensor platforms are equipped with a specific RF chip which can provide the IEEE 802.15.4 physical characteristics. The CC2420 RF chip is one of these RF transceivers and can be utilized on a number of sensor hardware platforms. The CC2420 RF modules can measure the received signal power as RSSI (Received Signal Strength Indicator). Based on this value, and knowing the transmission power level, the receiver can estimate the transmitter-receiver separation distance.

B. Network Model

Here, we assume a static wireless sensor network composed of a number of tiny motes uniformly distributed in a field. All the nodes in the network are the same and are equipped with two radios: the regular RF radio and a radio with frequency hopping (FH) capability. We assume that the network consists of a set of blind sensor nodes S of unknown location and a set of beacon nodes B which already know their absolute locations via GPS or manual configuration. We assume the communication range R of each node in the WSN is the same. We further assume that any pair of nodes in the network shares two cryptographic keys K1 and K2 after they discover their neighborhood. We assume all beacon nodes are uniquely identified. In other words, a node can identify the original sender of each beacon packet based on the cryptographic key used to authenticate the packet. We also assume that a contention-based medium-access protocol is used in the network and that there is at least one RTS/CTS/Data/Ack period of time in which a pair of nodes can communicate. We assume that during one execution of RTS-CTS-Data-ACK the environment is stable, thus loss of packets due to a noise spike can be ignored. Hence, if the sender has successfully sent the RTS to the receiver, all of its neighbors will have received the RTS and will not contend for the channel. Therefore, the CTS will be received correctly at the sender.

C. Adversary model

We assume a wormhole link is bidirectional with two endpoints (wormhole ends). The length of the wormhole link is assumed to be larger than R to avoid the endless packet transmission loops caused by the two attackers. However, we do not consider the case in which the attackers intentionally drop certain types of received packets or modify certain fields of them. This is because we treat the wormhole attackers as external attackers which act in passive mode.

To describe our proposed solution clearly, we provide the following definitions:

Definition 1. Local neighbor: the local neighbors of a node are all single-hop neighbors that lie in the communication range of the node.

Definition 2. Fake neighbor: a node is a fake neighbor if it can be communicated with via the wormhole link.

In the remaining sections of the paper, we use the notations in Table I:

TABLE I. NOTATION

Notation        Description
RTT(S1,S2)      RTT between node S1 and node S2
RTTwormhole     RTT of a link under wormhole attack
AvgRTT_S1       Average RTT of all links from S1 to its neighbors
w               Time to tunnel a packet between two wormhole ends
n               Number of neighbors of a node
p               Propagation delay of a legitimate link
Pt              Transmitted signal power
Pr              Received signal power
E(K,M)          Encryption of message M with secret key K
HMAC(K,M)       Message digest of M using hash function with key K

IV. WFDV: WORMHOLE-FREE DV-HOP BASED LOCALIZATION

In this section, we describe our proposed wormhole-attack-resistant localization scheme, called WFDV: Wormhole-Free DV-Hop based localization. WFDV enables sensors to determine their location and defend against the wormhole attack at the same time. Since DV-hop is well known, we focus attention mainly on the improvement in robustness against wormhole threats. The success of a wormhole attack in the first step of DV-Hop can infect its second step and thus distort the accuracy of the location estimate. The Wormhole-Free DV-Hop based localization includes two phases, infection prevention and DV-Hop-based secure localization. Firstly, a proactive countermeasure named infection prevention is performed to prevent wormhole contamination via wormhole links. After eliminating the illegal connections, the DV-Hop localization procedure can be successfully conducted.

[Figure 2 diagram: Infection Prevention → DV-Hop Based Secure Localization]

Figure 2. The flowchart of WFDV.

A. Infection prevention

The infection prevention is performed before the first step of the DV-Hop scheme in order to eliminate the fake connections produced by the wormhole, which infect the localization procedure by relaying and reporting a false hop-count. The aim of the attacker is to perform distance reduction between two far neighbors by replaying a message from beacon nodes or from blind nodes in the first step of the DV-Hop scheme. It is very difficult for nodes to distinguish a local neighbor from a fake neighbor because the attacker replays a genuine message. In our approach, each node builds the neighbor list and tries to detect links suspected to be part of a wormhole. This prevention is very useful, because the node can detect the replayed messages and drop them immediately, avoiding the transmission of replayed messages. As a consequence, sensors preserve more energy and bandwidth and avoid infecting other nodes. The two phases of infection prevention are as follows:

- Phase I - Neighbor List Construction (NLC): In this step, a node S1 simply discovers its one-hop neighbors by doing a one-hop broadcast of the neighbor request (NREQ) message and saves the time of NREQ sending: T_REQ. The NREQ receiving node responds to S1 with the neighbor reply (NREP) message, in which it piggybacks the transmitted signal power Pt. The requesting node S1 saves the time of each NREP receiving: T_REP.

In the NLC phase, we use two simple triggers to find out if a link should be suspected and challenged. The first trigger is based on the RSSI, which is an inexpensive technique that assists the infection prevention to remove fake links. Taking advantage of the communication capability of the WSN, the RSSI ranging technique has low-power, low-cost characteristics. So WFDV only uses RSSI to assist in building the neighbor list, to detect fake links and remove them.

Technique 1: Signal Attenuation Property check: Based on the path loss model presented in subsection 3.1, the received signal strength anywhere farther than the reference distance must be less than the received power at the reference distance (∀ d > d0: Pr(d) < Pr(d0)). We name this the signal attenuation property. Therefore, if we assume the distance between every two nodes is more than the reference distance, no node can receive a message with a power of more than Pr(d0). When reply messages are received, the Signal Attenuation property is checked by node S1. If a connection does not follow the Signal Attenuation property, the node S1 removes this connection and blacklists it.

Technique 2: RTT-based Detection: if we assume that the attacker is smart enough to fake an RSSI value and replay the message with an adjusted power that does not violate the signal attenuation property, the Signal Attenuation Property check becomes inefficient. In this case, a second trigger is used, based on the round trip time (RTT) of a link, namely RTT-based Detection. RTT is a measure of the time it takes for a packet to travel from a node, across a wireless network to another node and back. The RTT can be calculated as RTT = T_REP - T_REQ.

Let a node S1 communicate with a neighbor node S2. During peace time, the RTT between S1 and S2 is 2p. If the direct link (S1,S2) is formed as a result of a wormhole attack, then the round trip time would be RTTwormhole = 2(p + w + p) = 2(2p + w), where w is the time to tunnel a packet between the two wormhole ends. Thus we believe the RTT of the wormhole link should be at least two times the RTT of a normal link, even though w can be smaller than p. In Section 6 we conduct simulations to confirm this fact.

Algorithm 1. Neighbor List Construction

LocalN_S1 = ∅; SuspectN_S1 = ∅; TotalRTT = 0; n = 0
1. S1 → *: NREQ: ID_S1, N1
2. Si → S1: NREP: ID_Si, N1, Pt
3. for each reply from node Si do
       if (Pt - Pr) < PL(d0) then          {Signal attenuation property}
           Si is a fake neighbor            {Si is blacklisted}
       else
           SuspectN_S1 = SuspectN_S1 ∪ Si
           TotalRTT = TotalRTT + RTT(S1,Si)
           n = n + 1
       end if
   end do
4. if SuspectN_S1 ≠ ∅ then                  {RTT detection}
       AvgRTT_S1 = TotalRTT / n
   end if
   for each node Si ∈ SuspectN_S1 do
       if RTT(S1,Si) ≥ k * AvgRTT_S1 then
           Confirm the link (S1,Si) is suspicious
           Execute Neighbor list repair
       else
           LocalN_S1 = LocalN_S1 ∪ Si
       end if
   end do

For each NREP, S1 measures the RTT with all of the presumed neighbors. If it finds a node Si such that RTT(S1,Si) is at least k times the average RTT between S1 and all its neighboring nodes, then the link (S1,Si) may be a wormhole. The value of k is a system parameter which depends on n and w. In Section 5.1 we explain how the value of k is determined. The RTT detection is similar to the scheme proposed in [24]. However, the difference is that we define a deterministic threshold value while the scheme in [24] decides the threshold value based on simulations. The pseudo-code of the NLC phase is presented in Algorithm 1.

- Phase II - Neighbor list repair: Having suspected a possible wormhole link in the network, WFDV launches a series of challenges to make sure that the wormhole is correctly identified. In this phase we use frequency hopping to confirm the existence of a wormhole. The pseudo-code is presented in Algorithm 2.

Algorithm 2: Frequency Hopping Challenge(S1,S2)

1: S1 → S2: RTS, Enc(K1,N1). (frequency f1)
2: S2 → S1: CTS, Enc(K1,f2,N1,N2), HMAC(K2,f2,N1,N2). (f1)
3: S2 switches its receiver to f2 and waits for 2*RTT(S1,S2) time.
4: After receiving the CTS,
   S1 → S2: RTS, Enc(K1,N2), HMAC(K2,N2). (f2)
5: if S1 receives ACK from S2 in frequency f2 within a duration of 2*RTT(S1,S2) time then
       LocalN_S1 = LocalN_S1 ∪ S2
   else
       S2 is a fake neighbor               {S2 is blacklisted}
   end if

[Figure 3 diagram, message sequence between S1 and S2:
S1 → S2: RTS, Enc(K1,N1) (using f1)
S2 → S1: CTS, E(K1,f2,N1,N2), MAC(K2,f2,N1,N2) (using f1)
S1 → S2: RTS, Enc(K1,N2), MAC(K2,N2) (using f2)
S2 → S1: CTS (using f2)]

Figure 3. Frequency Hopping Challenge.

Figure 3 illustrates the implementation of Algorithm 2 using the RTS/CTS mechanism of contention-based medium-access (MAC) protocols in WSNs like S-MAC, T-MAC or B-MAC. In the first message, S1 sends an RTS and a nonce N1 (encrypted using K1) to S2 using the frequency f1 being used for communication between them. Upon receiving this message from S1, S2 replies in frequency f1 with a CTS message that contains the frequency f2 (picked from the set of common frequencies shared by S1 and S2), the nonce N1 received previously and a new nonce N2, also encrypted with K1. To protect the integrity of the packet, S2 can optionally compute a message digest using the HMAC function with key K2.

After replying to S1 with the CTS packet, S2 switches its receiver to frequency f2 and starts waiting for a packet from S1. Here we assume the CTS always gets through if the environment conditions are stable. Later in the analysis section we discuss this assumption in depth. Immediately after receiving the CTS, S1 switches its transmitter to frequency f2 and sends a new RTS message to S2 that contains N2 for the sake of authentication.

Finally, S2 replies with a CTS packet to finish the challenge. If S1 and S2 are far away and have become direct neighbors due to the wormhole, then by switching to the new frequency they will not be able to receive messages from each other. This is because the attacker does not know the new frequency and thus cannot forward the messages between S1 and S2. The nonces N1 and N2 are used to avoid replay attacks. Without the nonces, the attacker can launch the attack as follows. Suppose that the attacker has captured a CTS packet which contains an encrypted frequency f2 that he does not know. He can store the message and try to scan all the frequencies to find out the one in which S1 and S2 are communicating. On correctly identifying the frequency, he can replay the same message for any new challenge between the same pair S1 and S2, thus effectively breaking the solution. This attack is not possible if we use nonces because they can help detect replayed messages. We can further improve the security of these messages by including an expiry time in each message.

B. DV-Hop Based Secure Localization

After the infection prevention step is performed, each node Si in the network maintains a list of local neighbors LocalN_Si. Thus, once each node has eliminated the fake links from its neighbor list, the DV-Hop localization procedure is conducted. In both the first and the second phase of the DV-Hop localization, a node does not forward a message received from a node outside its local neighbors list. With this strategy, the impacts of the wormhole attack on the localization are avoided. Thus, our proposed scheme can achieve secure localization against the wormhole attack.
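The effect of this forwarding rule on the hop counts and hop size of Section II can be reproduced on a small topology. The following Python sketch is an added example, not the authors' simulator: the coordinates, radio range and node S3 are constructed, the wormhole is modelled as one fake link B1-S2, the local-neighbor lists are assumed to be the correct output of infection prevention, and the hop-size rule is the standard DV-Hop one from [8] (summed beacon distances over summed hop counts).

```python
import math
from collections import deque

R = 12.0  # constructed radio range in metres
# Constructed layout loosely following Figure 1: chain B1-S3-S4-S5-S6-B2,
# with S1 beside B1 and S2 beside B2. S3 is a name added for this sketch.
POS = {
    "B1": (0, 0), "S3": (10, 0), "S4": (20, 0), "S5": (30, 0),
    "S6": (40, 0), "B2": (50, 0), "S1": (0, -8), "S2": (50, -8),
}
BEACONS = ["B1", "B2"]


def physical_links(pos, radio_range):
    """Adjacency from geometry: nodes within radio range are local neighbors."""
    return {
        u: {v for v in pos if v != u and math.dist(pos[u], pos[v]) <= radio_range}
        for u in pos
    }


def add_fake_link(adj, a, b):
    """Model the wormhole as one bidirectional fake link between a and b."""
    out = {u: set(vs) for u, vs in adj.items()}
    out[a].add(b)
    out[b].add(a)
    return out


def flood_hops(adj, src, local=None):
    """DV-Hop step 1: minimum hop count from beacon src to every node.

    If local is given, a node ignores a beacon relayed by a sender that is
    not in its local-neighbor list (the WFDV forwarding rule).
    """
    hops, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if local is not None and u not in local[v]:
                continue  # v drops the message: sender u is not in LocalN_v
            if v not in hops:
                hops[v] = hops[u] + 1
                queue.append(v)
    return hops


def hop_size(beacon, hops_from):
    """DV-Hop step 2 at one beacon: summed distances / summed hop counts."""
    others = [j for j in BEACONS if j != beacon and beacon in hops_from[j]]
    total_dist = sum(math.dist(POS[beacon], POS[j]) for j in others)
    total_hops = sum(hops_from[j][beacon] for j in others)
    return total_dist / total_hops


def run(adj, local=None):
    """Return (hops B1->B2, hop size at B2, S6's distance estimate to B1)."""
    hops_from = {b: flood_hops(adj, b, local) for b in BEACONS}
    size_b2 = hop_size("B2", hops_from)
    # Eq. (2): S6 uses the hop size of its nearest beacon, B2.
    estimate = hops_from["B1"]["S6"] * size_b2
    return hops_from["B1"]["B2"], size_b2, estimate


BENIGN = physical_links(POS, R)
ATTACKED = add_fake_link(BENIGN, "B1", "S2")

if __name__ == "__main__":
    print("benign   :", run(BENIGN))
    print("wormhole :", run(ATTACKED))
    print("WFDV     :", run(ATTACKED, local=BENIGN))
```

The true distance from S6 to B1 in this layout is 40 m, so the middle case shows both the collapsed hop count and the inflated hop size feeding into the distance estimate.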

V. SECURITY ANALYSIS

In this section we provide the security analysis of our secure localization scheme. We show that the wormhole's impact on sensor node location determination is prevented proactively and that the DV-hop localization procedure can be successfully conducted.

A. Analysis of Neighbor List Construction phase

1. Violating "Signal Attenuation property"

Consider a simple scenario, as illustrated in Figure 4, in which the adversary wants to make four fake links, S1-D1, S1-D2, S2-D1 and S2-D2. We define the victim topology as two sets of nodes corresponding to the two sides of the attack. Each node is a member of one set and its path loss to the adversary is its representative. In our scenario we assume the victim topology {{45,70},{50,80}}, which means there are 2 nodes on the left (right) side of the attack with these path loss values. We also assume that the maximum power level of nodes is 0 dBm, and the path loss at the reference distance is 40 dBm. M1 and M2 are the relay points of the attacker and the Si and Di nodes are victims. The adversary must change the signal strength of messages before relaying them. Considering that the power level the adversary uses to relay a message is ΔP plus the received power, the end-to-end path loss between two close nodes should fulfill the "Signal Attenuation" property, i.e., the end-to-end path loss should be more than 40 dBm. To maximize the chance of creating a fake link, the adversary has to minimize ΔP. However, the minimum ΔP the attacker can use to make all 4 fake links is 60 dBm. Therefore, when it relays the messages of the closer nodes, it can be detected by the closer node on the other side because the end-to-end path loss between two close nodes is less than 40 dBm, which is impossible based on the Signal Attenuation property.

Figure 4. A simple relay channel.

2. Attacking RTT-based Detection

In Algorithm 1 we require that RTT (S1,S2) be at least k times AvgRTTs1 so that S1 can start suspecting the link (S],S2) to be a wormhole. Now we show how each node can determine the value of k. Let n be the number of neighbors a node has and assume that among n neighbors there exists at most m (m< n) wormhole link. We have:

RTTs1,S2 = 2(2p + w)

(n - m)2p + 2(2p + w)m AvgRTTsl = ----=-----=----­

n (6)

RTT(Sl,S2) 2(2p + w)n Test = = > k AvgRTTsl (n - m)2p + 2(2p + w)m - (7)

Observe that Test increases when w increases. Thus, to avoid detection, the attacker should try to decrease the value of Test by decreasing w. However, w is always greater than 0. Thus, if we set the threshold value k for w = 0, then the attacker will very likely be detected. In that case, $k = \frac{2n}{n+m}$, which can easily be computed by each wireless node. For example, if n = 6 and m = 1, then the threshold value k will be 12/7 = 1.7.

This is a deterministic value, in contrast to the one in [24], where the threshold value varies between networks.
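The threshold test above, written out as an added example (not code from the paper). The function names are hypothetical, and the sample RTTs are constructed around the 7.37 ms and 15.22 ms averages reported in the simulation section.

```python
# Added example (not from the paper): RTT-based suspicion test with threshold k.
from statistics import mean

def threshold_k(n: int, m: int) -> float:
    """k = 2n/(n+m): the value of Test in Eq. (7) when the tunnel delay w is 0."""
    if not 0 < m < n:
        raise ValueError("need 0 < m < n (m = assumed upper bound on wormhole links)")
    return 2 * n / (n + m)

def model_test(n: int, m: int, p: float, w: float) -> float:
    """Eq. (7): wormhole-link RTT over the average RTT for n neighbors, m wormholes."""
    wormhole_rtt = 2 * (2 * p + w)
    avg_rtt = ((n - m) * 2 * p + wormhole_rtt * m) / n
    return wormhole_rtt / avg_rtt

def suspect_links(rtts_ms: dict, m: int = 1) -> list:
    """Return the neighbors whose measured RTT is at least k times the average RTT."""
    k = threshold_k(len(rtts_ms), m)
    avg = mean(rtts_ms.values())
    return sorted(nbr for nbr, rtt in rtts_ms.items() if rtt >= k * avg)

# Constructed sample: five neighbors near the 7.37 ms normal-link average and
# one link at the 15.22 ms wormhole-link average (n = 6, m = 1).
SAMPLE_RTTS_MS = {"A": 7.10, "B": 7.50, "C": 7.30, "D": 7.60, "E": 7.35, "S2": 15.22}

if __name__ == "__main__":
    print("k =", round(threshold_k(6, 1), 3))
    print("suspects:", suspect_links(SAMPLE_RTTS_MS, m=1))
    for w in (0.0, 0.5, 2.0):  # Test grows with the tunnel delay w
        print("w =", w, "Test =", round(model_test(6, 1, p=1.0, w=w), 3))
```

Because k = 2n/(n+m) shrinks as m grows, m has to be a true upper bound: with n = 6 and two zero-delay wormhole links, Test is 1.5, which is below the k computed for m = 1.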

B. Analysis of Neighbor List Repair phase

The attacker has two options to respond to the challenge: either to drop the RTS packet or to allow the packet to pass through to Sj. We now show that using any of these options is not helpful to the wormhole attack and it will eventually be discovered.

1. Dropping the RTS Packet

In our solution, if S1 does not get the CTS reply in a finite amount of time, it will time out and resend the RTS. In the IEEE 802.15.4 standard each node retries r times (typically r = 3) before declaring a transmission failure [25]. If a transmission failure occurs, our solution considers that to be a missed challenge. If a link has M such continuous missed challenges, our solution declares that link to be malicious. If node S1 is sending an RTS frame, then the probability that a collision occurs is given by:

$$P[\text{collision}] = 1 - (1 - \tau)^{n-1}$$

where $\tau$ is the probability of transmission at a moment t of each node and n is the number of neighbors of a node. If S1 does not get the CTS reply within a finite amount of time, it times out and resends the RTS frame. If all these r RTS frames were to collide with transmissions from other nodes, then the probability of that happening is:

$$P[\text{Losing } r \text{ RTS}] = \left[1 - (1 - \tau)^{n-1}\right]^{r}$$

The probability of failing M challenges due to wireless issues rather than a wormhole is:

$$P[\text{Failing } M \text{ challenges}] = \left[1 - (1 - \tau)^{n-1}\right]^{rM}$$

Using M = 6, r = 3, n = 10 and $\tau$ = 0.1 we get

$$P[\text{Failing } M \text{ challenges}] = 1.4 \times 10^{-4}$$

This probability of failing M challenges without the existence of a wormhole is thus negligible. Hence the strategy of dropping RTS packets is not in the interest of the wormhole.

2. Allowing the RTS Packet Through

The other option for the wormhole is to allow the RTS to go through. We assume that (1) it is too expensive for the attacker to listen on all the available channels and (2) it is computationally infeasible for the attacker to break the encryption to obtain f1 in a short duration. Therefore, by allowing the RTS to get through, the attacker has to guess the frequency f1, because the content of the message is encrypted and integrity protected. The probability of correctly guessing the right frequency is 1/N, where N is the number of channels. If we further force each node to pass the challenge J times, the probability of guessing the correct frequency every time is reduced to 1/N^J. Using appropriate values of J and N, this probability can be made very small. For example, if N = 27 (802.15.4 network) and J = 2, the probability is less than 1%. The wormhole is thus unlikely to pass the neighbor list repair phase.
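The two bounds from this analysis can be used to size M and J for a given deployment. The following is an added example, not code from the paper; the function names, the variable `tau` for the per-node transmission probability, and the target bounds used in the demo are assumptions.

```python
# Added example (not from the paper): sizing M and J for the neighbor list repair phase.

def p_collision(n: int, tau: float) -> float:
    """Probability that one RTS collides: 1 - (1 - tau)^(n-1)."""
    return 1 - (1 - tau) ** (n - 1)

def p_false_alarm(n: int, tau: float, r: int, M: int) -> float:
    """Honest link misses M consecutive challenges, each sent r times, by collisions alone."""
    return p_collision(n, tau) ** (r * M)

def p_evasion(N: int, J: int) -> float:
    """Attacker guesses the frequency correctly in all J challenges: 1/N^J."""
    return 1 / N ** J

def min_M(n: int, tau: float, r: int, max_false_alarm: float, limit: int = 1000) -> int:
    """Smallest M whose false-alarm probability is at most max_false_alarm."""
    for M in range(1, limit + 1):
        if p_false_alarm(n, tau, r, M) <= max_false_alarm:
            return M
    raise ValueError("no M up to limit meets the target for this n and tau")

def min_J(N: int, max_evasion: float, limit: int = 64) -> int:
    """Smallest J whose guessing probability is at most max_evasion."""
    for J in range(1, limit + 1):
        if p_evasion(N, J) <= max_evasion:
            return J
    raise ValueError("no J up to limit meets the target for this N")

if __name__ == "__main__":
    # Parameters from the text: M = 6, r = 3, n = 10, tau = 0.1, N = 27, J = 2.
    print("P[false alarm] =", p_false_alarm(10, 0.1, 3, 6))
    print("P[evasion]     =", p_evasion(27, 2))
    # Assumed targets: at most 1e-3 false alarms, at most 1% evasion.
    for n in (5, 10, 20):
        print("n =", n, "-> M >=", min_M(n, 0.1, 3, 1e-3))
    print("N = 27 -> J >=", min_J(27, 0.01))
```

Denser neighborhoods raise the collision probability, so M has to grow with n to hold the same false-alarm bound.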

VI. SIMULATION RESULTS

In order to investigate the effect of the wormhole attack and the ability of WFDV to detect attacks, we conduct simulations using the ns-2 simulator. The wormhole was implemented as a wired connection with much less latency than the wireless connections. The location of the wormhole was completely randomized within the network. In order to evaluate the performance of our scheme, two parameters were tested: "impact of wormhole attack on the RTT values" and "effectiveness of RTT-based detection".

1. Impact of Wormhole attack on the RTT values

We conduct simulations to study the impact of wormhole links on the RTT values. In the first scenario of simulation, we set up a simple sensor network consisting of two sensor nodes. We measure the average RTT when sending a ping packet from one mote to another and receiving an acknowledgment back for the same packet. In the second scenario of simulations, we set up a sensor network consisting of four sensor nodes including two legitimate nodes and 2 compromised nodes. We mimic a wormhole attack where a packet sent from one mote is captured at the first attacker, tunneled to the second attacker, and replayed at the second mote. The wormhole link was implemented as a wired connection. In this scenario, we verify whether the RTT of a wormhole link is twice as much as that of a normal link. We conduct both simulations for five minutes continuously and take the average of the results. Fig. 4 shows that the round trip time when the wormhole existed is much higher than that in the normal case. The average RTT of sending a packet through a wormhole link and a legitimate link was observed to be 15.22 ms and 7.37 ms, respectively. Thus the node can use the delay as an indicator to suspect any link.

2. Effectiveness of RTT-based detection

We implement the RTT-based detection in the Neighbor List Construction phase to study the effectiveness of the threshold value. We create a network topology with 100 nodes deployed randomly in a 1000 meters × 1000 meters field. The radio range is set to 20 meters. There is no movement of nodes and the background traffic is generated randomly by a random generator provided by ns2. CBR connections with 4 packets per second are created and the size of the packet is 512 bytes. In the simulation, we randomly pick a node S1. We then create a wormhole link between S1 and a distant node S2. Repeating the experiment many times, we can select S1 with varying degree of neighbors. We then measure the RTT between the neighbors of S1 and calculate k (threshold) as described in subsection 5.1. We conduct the simulation for five minutes. A comparison of the simulated values to the analytical value is shown in Fig. 5. We observe that the ratio of the wormhole RTT to the average RTT is always above the calculated threshold and hence we conclude that the threshold value we suggested is effective. We can conclude that WFDV can defend the network efficiently against the wormhole attack.

Figure 5. Round trip time (Wormhole link and normal link). [x-axis: Ping packet number]

Figure 6. Round trip time: Theoretical vs Simulation. [Series: Threshold k; Ratio obtained through simulation. x-axis: Degree of node]

VII. RELATED WORK

Recently, much work has been devoted to secure sensor localization, because sensor localization has become an indispensable function for all applications over wireless sensor networks. Lazos et al. proposed a robust positioning system called ROPE [8] that provides a location verification mechanism to verify the location claims of the sensors before data collection. However, the requirement of a counter with nanosecond precision makes it unsuitable for low cost sensor networks. DRBTS [9] is a distributed reputation-based beacon trust security protocol aimed at providing secure localization in WSNs. Based on a quorum voting approach, DRBTS drives beacons to monitor each other and then enables them to decide which should be trusted. However, it requires extra memory to store the neighbor reputation tables (NRT) and trusted beacon neighbor tables (TBN). To provide secure location services, [10] introduces a method to detect malicious beacon signals, techniques to detect replayed beacon signals, identification of malicious beacons, avoidance of false detection and the revoking of malicious beacons. By clustering benign location reference beacons, Wang et al. [11] propose a resilient localization scheme that is computationally efficient. In [12], robust statistical methods are proposed, including triangulation and RF-based fingerprinting, to make localization attack-tolerant. To achieve secure localization in a WSN suffering from wormhole attacks, SeRLoc [13] first detects the wormhole attack based on the sector uniqueness property and the communication range violation property using directional antennas, then filters out the attacked locators. HiRLoc [14] further utilizes antenna rotations and multiple transmit power levels to improve the localization resolution. However, SeRLoc and HiRLoc need extra hardware such as directional antennae. In [15], Chen et al. propose to make each locator build a conflicting-set; the sensor can then use all conflicting sets of its neighboring locators to filter out incorrect distance measurements of its neighboring locators. The limitation of the scheme is that it only works properly when the system has no packet loss. In [16], Zhu et al. propose a label-based secure localization scheme which is wormhole attack resistant based on the DV-Hop localization process. The main idea of this scheme is to generate a pseudo neighbor list for each beacon node, use all pseudo neighbor lists received from neighboring beacon nodes to classify all attacked nodes into different groups, and then label all neighboring nodes (including beacons and sensors). According to the labels of neighboring nodes, each node prohibits communication with its pseudo neighbors, which are attacked by the wormhole attack.

VIII. CONCLUSIONS

Wormhole attacks are severe attacks that can be easily launched even in networks with confidentiality and authenticity. In this paper, we have presented WFDV, an effective method for proactively detecting and preventing wormhole attacks in the DV-hop localization scheme. The proposed solution is easy to deploy because it does not require any time synchronization or special hardware. WFDV only uses simple techniques to identify the wormhole and then performs proper actions to confirm the existence of the attack. Through simulation, we make a compelling argument showing the ability of WFDV to detect the wormhole attack. Our analysis further confirms the effectiveness of our framework.

REFERENCES

[1] N. Labraoui, M. Gueroui, M. Aliouat and T. Zia, "Data Aggregation Security Challenge in Wireless Sensor Networks: A Survey", Ad hoc & Sensor Networks, International Journal (In press), 2010.

[2] T. A Zia and A. Y Zomaya, "A security framework for wireless sensor networks", In Proc. of the IEEE Sensor Applications Symposium, 2006, pp. 49-53.

[3] C. Y. Chong and S. P. Kumar, "Sensor networks: evolution, opportunities, and challenges," In Proc. IEEE, 2003, vol. 91, no. 8, pp. 1247-1256.

[4] J. M. Rabaey, M. J. Ammer, J. L. da Silva, Jr., D. Patel, and S. Roundy, "PicoRadio supports ad hoc ultra-low power wireless networking," Computer, 2002, vol. 33, no. 7, pp. 42-48.

[5] M. Pirreti, N. Vijaykrishnan, P. McDaniel, and B. Madan, "SLAT: Secure Localization with Attack Tolerance", tech. report NAS-TR-0024-2005, Network and Security Research Center, Dept. of Computer Science and Eng., Pennsylvania State Univ., 2005.

[6] M. Zhao and S. D. Servetto, "An Analysis of the Maximum Likelihood Estimator for Localization Problems", In Proc. of the 2nd conference on Broadband Networks, 2005. BroadNets 2005, 2005, pp. 982-990.

[7] P. Bahl and V. N. Padmanabhan, "RADAR: An In-building RF-based User Location and Tracking System", In Proc. of INFOCOM, Nineteenth Annual Joint Conference of the IEEE Computer and Communications, 2000, pp. 775-784.

[8] L. Lazos, R. Poovendran, and S. Capkun, "ROPE: Robust Position Estimation in Wireless Sensor Networks", In Proc. of IEEE 4th Int'l Symposium on Information Processing in Sensor Networks, pp 324-331, 2005.

[9] A. Srinivasan, J. Teitelbaum, and J. Wu, "DRBTS: Distributed Reputation-based Beacon Trust System", In Proc. of the 2nd IEEE Int'l Symposium on Dependable, Autonomic and Secure Computing, pp 277-283, 2006.

[10] D. Liu, P. Ning, and W. Du, "Detecting Malicious Beacon Nodes for Secure Localization Discovery in Wireless Sensor Networks", In Proc. of IEEE ICDCS, pp 609-619, 2005.

[11] C. Wang, A. Liu, and P. Ning, "Cluster-Based Minimum Mean Square Estimation for Secure and Resilient Localization in Wireless Sensor Networks", In Proc. of the Int'l Conf. on Wireless Algorithms, Systems and Applications, pp 29-37, 2007.

[12] Z. Li, W. Trappe, Y. Zhang, and B. Nath, "Robust Statistical Methods for Securing Wireless Localization in Sensor Networks", In Proc. of IEEE IPSN, pp 91-98, 2005.

[13] L. Lazos and R. Poovendran, "SeRLoc: robust localization for wireless sensor networks", ACM Transactions on Sensor Networks, vol. 1, no. 1, pp. 73-100, 2005.

[14] L. Lazos and R. Poovendran, "HiRLoc: high-resolution robust localization for wireless sensor networks", IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 233-246, 2006.

[15] H. Chen, W. Lou, and Z. Wang, "Conflicting-set-based wormhole attack resistant localization in wireless sensor networks", In Proc. of the 6th International Conference on Ubiquitous Intelligence and Computing, 2009, pp. 296-309.

[16] J. Wu, H. Chen, W. Lou, Z. Wang, and Z. Wang, "Label-Based DV-Hop Localization Against Wormhole Attacks in Wireless Sensor Networks", In Proc. of the 5th IEEE International Conference on Networking, Architecture, and Storage, 2010, pp. 79-88.

[17] D. Niculescu and B. Nath, "Ad Hoc Positioning System (APS)", In Proc. of the IEEE GLOBECOM 2001, 2001, pp. 2926-2931.

[18] L. Wenfeng, Wireless sensor networks and mobile robot control, Science Press, 2009, pp.54-60.

[19] B. Parkinson and J. Spilker, "Global positioning system: theory and application", Washington, D.C., American Institute of Aeronautics and Astronautics, 1996.

[20] Y. Hu, A. Perrig, and D. Johnson, "Packet Leashes: A Defense Against Wormhole Attacks in Wireless Ad Hoc Networks", In Proc of INFOCOM, Twenty-Second Annual Joint Conference of the IEEE Computer and Communications, 2003, vol. 3, pp. 1976-1986.

[21] R. Maheshwari, J. Gao, S. R. Das, "Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information", In Proc. of INFOCOM, 26th IEEE Int'l Conference on Computer Communications, 2007, pp. 107-115.

[22] A. Goldsmith, Wireless Communications, Cambridge University Press, New York, NY, USA, 2005.

[23] T. Rappaport, Wireless Communications: Principles and Practice, Prentice Hall PTR, Upper Saddle River, NJ, USA, 2001.

[24] P.V. Tran, LX Hung, Y.K. Lee, S. Lee, S. and H. Lee, "TIM: An Efficient Mechanism to Detect Wormhole Attacks in Wireless Ad-hoc Networks", In Proc. of the 4th IEEE Consumer Communications and Networking Conference, 2007, pp. 593-598.

[25] T. Shon and H. Choi, "Towards the Implementation of Reliable Data Transmission for 802.15.4-Based Wireless Sensor Networks", In Proc. of the 5th international conference on Ubiquitous Intelligence and Computing, 2008, pp. 363-372.

