Date posted: 20-Aug-2015
On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks
Edith C. H. Ngai (1), Jiangchuan Liu (2), and Michael R. Lyu (1)
(1) Department of Computer Science and Engineering, The Chinese University of Hong Kong
(2) School of Computing Science, Simon Fraser University
12 Jun 2006, IEEE International Conference on Communications (ICC 2006)

Outline
Introduction
Related Work
Sinkhole Attack Detection
Enhancements Against Multiple Malicious Nodes
Performance Evaluation
Conclusion and Future Work

Wireless Sensor Networks
Increasingly popular to solve challenging real-world problems
  Industrial sensing
  Environmental monitoring
Set of sensor nodes
Many-to-one communication
Vulnerable to the sinkhole attack

Sinkhole Attack
Prevents the base station from obtaining complete and correct sensing data
Particularly severe for wireless sensor networks
Some secure or geographic-based routing protocols resist sinkhole attacks to a certain degree
Many current routing protocols in sensor networks are susceptible to the sinkhole attack

Sinkhole Attack
[Figure: two sinkhole attack scenarios. Left: using an artificial high-quality route. Right: using a wormhole. Legend: BS, SH, affected node, high-quality route.]

Related Work
Intrusion detection has been an active and extensively studied research topic for the Internet
The sensor networks that we are considering have
  an asymmetric many-to-one communication pattern
  sensor nodes whose power is rather weak
Protocols based on route advertisement are vulnerable to sinkhole attacks

Related Work
Wood et al.: a mechanism for detecting and mapping jammed regions
Ding et al.: an algorithm for the identification of faulty sensors and detection of the reach of events
Staddon et al.: trace the identities of the failed nodes with the topology conveyed to the base station
Ye et al.: a Statistical En-route Filtering (SEF) mechanism that can detect and drop false reports
Perrig et al.: a packet leash mechanism for detecting and defending against wormhole attacks

Our Work
Propose an algorithm for detecting sinkhole attacks and identifying the intruder in an attack
  The base station collects the network flow information in a distributed fashion in the attack area
  An efficient identification algorithm analyzes the collected network flow information and locates the intruder
Consider the scenario in which a set of colluding nodes cheat the base station about the location of the intruder

Estimate the Attacked Area
Consider a monitoring application in which sensor nodes submit sensing data to the BS periodically
By observing consistent data missing from an area, the BS may suspect there is an attack with selective forwarding
The BS can detect the data inconsistency using the following statistical method
Let X1, ..., Xn be the sensing data collected in a sliding window, and be their mean. Define f(Xj) as

Estimate the Attacked Area
Identify a node as suspected if f(Xj) is greater than a certain threshold
The BS can estimate where the sinkhole is located
It can circle a potentially attacked area, which contains all the suspected nodes
[Figure: the BS, the sinkhole SH, and the nodes with missing or inconsistent data.]

Identifying the Intruder
Each sensor stores the ID of its next hop to the BS and the cost in its routing table
The BS sends a request message to all the affected nodes
The sensors reply with <ID, IDnext-hop, cost>
Since the next hop and the cost could already be affected by the attack, the reply message should be sent along the reverse path of the flooding, which corresponds to the original route with no intruder

Identifying the Intruder
Network flow information can be represented by directed edges
The BS realizes the routing pattern by constructing a tree from the collected next-hop information
An invaded area possesses a special routing pattern
  All network traffic flows toward the same destination, which is compromised by the intruder SH
[Figure: routing tree in the invaded area, showing BS and SH.]

Enhancement on Network Flow Information Collection
Multiple malicious nodes may prevent the BS from obtaining correct and complete flow information for intruder detection
They may cooperate with the intruder to perform the following misbehaviors:
  Modify the packets passing through
  Forward the packets selectively
  Provide wrong network flow information about themselves
We address these issues through encryption and path redundancy

Multiple Malicious Nodes
Drop some of the reply packets
Provide incorrect flow information
Their objective is to hide the real intruder SH and put the blame on a victim node SH'
[Figure: BS, the real intruder SH, the colluding nodes, the victim node SH', and nodes A, C, D, E, F, G, H.]

Dealing with Malicious Nodes
Maintain an array Count[]
Entry Count[i] stores the total number of nodes having hop count difference i
Index i can be negative (a node's hop count is smaller than its actual distance from the current root)
If Count[0] is not the dominant entry in the array, the current root is unlikely to be the real intruder

Dealing with Malicious Nodes
By analyzing the array Count, we may estimate the hop count from SH' to SH
The BS can make a root correction and re-calculate the array Count among the nodes within two hops from SH'
The BS concludes which node is the intruder based on the most consistent result
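
The tree construction from the "Identifying the Intruder" slides and the Count[] check with root correction described above can be sketched as follows. This is an added example, not code from the paper or the slides. It assumes that cost is a hop count and that the hop count difference is the reported cost minus the node's distance to the current root over the collected edges; all function names, node names and replies are constructed for illustration.

```python
from collections import Counter

def find_root(replies):
    """Follow next-hop edges from each node; return the terminal most flows reach."""
    next_hop = {nid: nh for nid, nh, _ in replies}
    sinks = Counter()
    for cur in next_hop:
        seen = set()
        while cur in next_hop and cur not in seen:  # stop at a terminal or a loop
            seen.add(cur)
            cur = next_hop[cur]
        if cur not in next_hop:                     # looping chains are ignored
            sinks[cur] += 1
    return sinks.most_common(1)[0][0] if sinks else None

def distances(replies, root):
    """Hop distance from root to every node over the collected edges (BFS)."""
    adj = {}
    for nid, nh, _ in replies:
        adj.setdefault(nid, set()).add(nh)
        adj.setdefault(nh, set()).add(nid)
    dist, frontier = {root: 0}, [root]
    while frontier:
        u = frontier.pop(0)
        for v in adj.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                frontier.append(v)
    return dist

def count_array(replies, root):
    """Count[i]: nodes whose reported cost minus distance to root equals i (assumed)."""
    dist = distances(replies, root)
    return Counter(cost - dist[nid] for nid, _, cost in replies if nid in dist)

def dominated_by_zero(count):
    """True when Count[0] is strictly larger than every other entry."""
    return count[0] > max((c for i, c in count.items() if i != 0), default=0)

def identify_intruder(replies):
    root = find_root(replies)
    if root is None or dominated_by_zero(count_array(replies, root)):
        return root
    # Root correction: re-evaluate candidates within two hops of the suspect root.
    near = [n for n, d in distances(replies, root).items() if 0 < d <= 2]
    return max(near, key=lambda n: count_array(replies, n)[0], default=root)

# Constructed replies <ID, next-hop, cost>; the ("SH", "V", 0) entry is forged
# by a colluding node so that the victim V looks like the root of the tree.
REPLIES = [("A", "SH", 1), ("B", "SH", 1), ("C", "SH", 1), ("D", "A", 2),
           ("E", "B", 2), ("F", "C", 2), ("SH", "V", 0)]
```

With the forged entry, every flow appears to end at V, but all seven hop count differences are -1, so Count[0] does not dominate and the root correction selects SH.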

Performance Evaluation
Simulation parameters:
  No. of nodes in network: 400
  Size of network: 200m x 200m
  Transmission range: 10m
  Location of BS: (100, 100)
  Location of sinkhole: (50, 50)
  Percentage of colluding nodes (m): 0 – 50%
  Message drop rate (d): 0 – 80%
  No. of neighbors which a message is forwarded to (k): 1 – 2
  Packet size: 100 bytes
  Max. number of reply messages per packet: 5
Metrics:
  Accuracy of Intruder Identification
    Success Rate
    False-positive Rate
    False-negative Rate
  Communication Cost
  Energy Consumption

Success Rate
[Figure: Success rate in intruder identification. x-axis: Ratio of malicious nodes (%), 0 to 50. y-axis: Success rate (%), 0 to 100. Curves: d=0, d=0.2, d=0.4, d=0.6, d=0.8.]

False-positive and False-negative Rate
[Figure: False-positive rate in intruder identification. x-axis: Ratio of malicious nodes (%), 0 to 50. y-axis: False-positive rate (%), 0 to 100. Curves: d=0, d=0.2, d=0.4, d=0.6, d=0.8.]
[Figure: False-negative rate in intruder identification. x-axis: Ratio of malicious nodes (%), 0 to 50. y-axis: False-negative rate (%), 0 to 100. Curves: d=0, d=0.2, d=0.4, d=0.6, d=0.8.]

Communication Cost and Energy Consumption
[Figure: Communication cost for collecting network flow information. x-axis: Hops to base station, 0 to 8. y-axis: Packets per node, 0 to 80. Curves: packet receive (k=1), packet receive (k=2), packet send (k=1), packet send (k=2).]
[Figure: Energy consumption for intruder identification. x-axis: Hops to base station, 1 to 8. y-axis: Energy consumption per node (uJ), 0 to 1000. Curves: k=1, k=2.]

Conclusion and Future Work
An effective method for identifying sinkhole attacks in wireless sensor networks
It locates a list of suspected nodes by checking data consistency, and then identifies the intruder in the list by analyzing the network flow information
A series of enhancements deal with cooperative malicious nodes that attempt to hide the real intruder
Numerical analysis and simulation results are provided to demonstrate the effectiveness and accuracy of the algorithm
We are interested in more effective statistical algorithms for identifying data inconsistency