Date post: 20-Aug-2015
On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks

Edith C. H. Ngai (1), Jiangchuan Liu (2), and Michael R. Lyu (1)

(1) Department of Computer Science and Engineering, The Chinese University of Hong Kong
(2) School of Computing Science, Simon Fraser University

12 Jun 2006, IEEE International Conference on Communications (ICC 2006)

Outline
- Introduction
- Related Work
- Sinkhole Attack Detection
- Enhancements Against Multiple Malicious Nodes
- Performance Evaluation
- Conclusion and Future Work

Wireless Sensor Networks
- Increasingly popular to solve challenging real-world problems
  - Industrial sensing
  - Environmental monitoring
- Set of sensor nodes
- Many-to-one communication
- Vulnerable to the sinkhole attack

Sinkhole Attack
- Prevents the base station from obtaining complete and correct sensing data
- Particularly severe for wireless sensor networks
- Some secure or geographic-based routing protocols resist sinkhole attacks to a certain degree
- Many current routing protocols in sensor networks are susceptible to the sinkhole attack

Sinkhole Attack
[Figure: two sinkhole scenarios. Left: using an artificial high quality route. Right: using a wormhole. Labels: BS, SH, affected node, high quality route.]

Related Work
- Intrusion detection has been an extensively studied research topic for the Internet
- The sensor networks that we are considering:
  - asymmetric many-to-one communication pattern
  - power of the sensor nodes is rather weak
- Protocols based on route advertisement are vulnerable to sinkhole attacks

Related Work
- Wood et al.: a mechanism for detecting and mapping jammed regions
- Ding et al.: an algorithm for the identification of faulty sensors and detection of the reach of events
- Staddon et al.: trace the identities of the failed nodes with the topology conveyed to the base station
- Ye et al.: a Statistical En-route Filtering (SEF) mechanism that can detect and drop false reports
- Perrig et al.: a packet leash mechanism for detecting and defending against wormhole attacks

Our Work
- Propose an algorithm for detecting sinkhole attacks and identifying the intruder in an attack
  - The base station collects the network flow information in a distributed fashion in the attack area
  - An efficient identification algorithm analyzes the collected network flow information and locates the intruder
- Consider the scenario in which a set of colluding nodes cheat the base station about the location of the intruder

Estimate the Attacked Area
- Consider a monitoring application in which sensor nodes submit sensing data to the BS periodically
- By observing consistent data missing from an area, the BS may suspect there is an attack with selective forwarding
- BS can detect the data inconsistency using the following statistical method
- Let X1, ..., Xn be the sensing data collected in a sliding window, and be their mean. Define f(Xj) as

Estimate the Attacked Area
- Identify a suspected node if f(Xj) is greater than a certain threshold
- The BS can estimate where the sinkhole is located
- It can circle a potential attacked area, which contains all the suspected nodes
[Figure: attacked area. Labels: BS, SH, nodes with missing or inconsistent data.]

Identifying the Intruder
- Each sensor stores the ID of the next hop to the BS and the cost in its routing table
- The BS sends a request message to all the affected nodes
- The sensors reply with <ID, IDnext-hop, cost>
- Since the next-hop and the cost could already be affected by the attack, the reply message should be sent along the reverse path in the flooding, which corresponds to the original route with no intruder

Identifying the Intruder
- Network flow information can be represented by a directed edge
- The BS realizes the routing pattern by constructing a tree using the next-hop information collected
- An invaded area possesses a special routing pattern
  - All network traffic flows toward the same destination, which is compromised by the intruder SH
[Figure: routing tree in the invaded area. Labels: BS, SH.]
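
The tree construction described on this slide, as an added Python example that is not from the original slides or the authors' code: it follows the collected next-hop edges and reports the node on which most flows converge. The sample replies, the function names and the assumption that the intruder supplies no record of its own are constructed for illustration.

```python
from collections import Counter

# Constructed replies <ID, ID_next-hop, cost> from affected nodes (sample data).
# "SH" is the assumed intruder and sends no record of its own (assumption).
# "J" never replied (packet lost); "K" and "L" form an inconsistent loop.
REPLIES = [
    ("C", "SH", 1), ("D", "SH", 1), ("E", "C", 2), ("F", "C", 2),
    ("G", "D", 2), ("H", "G", 3), ("I", "J", 3), ("K", "L", 1), ("L", "K", 1),
]

def flow_sink(node, next_hop):
    """Follow directed next-hop edges from node; return the terminal ID,
    or None if the chain loops (inconsistent or forged flow information)."""
    seen = set()
    while node in next_hop:
        if node in seen:
            return None
        seen.add(node)
        node = next_hop[node]
    return node

def identify_root(replies):
    """Return (root, share): the ID most flows converge on and the
    fraction of replying nodes whose traffic ends there."""
    next_hop = {nid: nh for nid, nh, _cost in replies}
    sinks = Counter(flow_sink(nid, next_hop) for nid in next_hop)
    sinks.pop(None, None)  # looping chains do not vote
    if not sinks:
        return None, 0.0
    root, votes = sinks.most_common(1)[0]
    return root, votes / len(next_hop)

if __name__ == "__main__":
    print(identify_root(REPLIES))
```

A low share signals that replies were dropped or altered, which is the situation the later slides on multiple malicious nodes address.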

Enhancement on Network Flow Information Collection
- Multiple malicious nodes may prevent the BS from obtaining correct and complete flow information for intruder detection
- They may cooperate with the intruder to perform the following misbehaviors:
  - Modify the packets passing through
  - Forward the packets selectively
  - Provide wrong network flow information of itself
- We address these issues through encryption and path redundancy

Multiple Malicious Nodes
- Drop some of the reply packets
- Provide incorrect flow information
- Their objective is to hide the real intruder SH and put the blame on a victim node SH'
[Figure: colluding nodes around the intruder. Labels: BS, SH, colluding nodes, SH', and nodes A, C, D, E, F, G, H.]

Dealing with Malicious Nodes
- Maintain an array Count[]
  - Entry Count[i] stores the total number of nodes having hop count difference i
  - Index i can be negative (a node's hop count is smaller than its actual distance from the current root)
- If Count[0] is not the dominant entry in the array, the current root is unlikely to be the real intruder

Dealing with Malicious Nodes
- By analyzing the array Count, we may estimate the hop count from SH' to SH
- The BS can make a root correction and re-calculate the array Count among the nodes within two hops from SH'
- The BS concludes which node is the intruder based on the most consistent result
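
An added Python example of the Count[] check and root correction from the two slides above (not the authors' code). It assumes the reported cost is a hop count toward the sinkhole and that the BS measures actual distance over the collected next-hop edges; the topology, node records and function names are constructed.

```python
from collections import Counter, deque

# Constructed flow records: node -> (next_hop, reported_hops).
# Assumption: reported_hops is the node's believed distance to the sinkhole.
# Colluders forge the records of SH and A so the tree appears rooted at SH'.
RECORDS = {
    "SH": ("A", 2), "A": ("SH'", 1),                      # forged
    "C": ("SH", 1), "D": ("SH", 1), "E": ("C", 2),
    "F": ("C", 2), "G": ("D", 2), "H": ("G", 3),          # honest
}

def tree_distances(records, root):
    """BFS hop distance from root over the undirected next-hop edges."""
    adj = {}
    for node, (nh, _hops) in records.items():
        adj.setdefault(node, set()).add(nh)
        adj.setdefault(nh, set()).add(node)
    dist, queue = {root: 0}, deque([root])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def count_array(records, root):
    """Count[i] = number of nodes with (reported hops - tree distance) == i."""
    dist = tree_distances(records, root)
    return Counter(h - dist[n] for n, (_nh, h) in records.items()
                   if n != root and n in dist)

def correct_root(records, root, radius=2):
    """Keep root if Count[0] dominates; otherwise re-root on each node within
    `radius` hops and return the candidate with the largest Count[0]."""
    count = count_array(records, root)
    if count and count.most_common(1)[0][0] == 0:
        return root
    near = [n for n, d in tree_distances(records, root).items() if d <= radius]
    return max(near, key=lambda n: count_array(records, n)[0])

if __name__ == "__main__":
    print(dict(count_array(RECORDS, "SH'")), correct_root(RECORDS, "SH'"))
```

With SH' as root the dominant index is -2, which is the estimated hop count from SH' to SH; re-rooting at SH moves every record to index 0.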

Example
The array Count of the following figure is:

Example
Eventually, node SH becomes the new root:

Performance Evaluation

Simulation parameters:
- No. of nodes in network: 400
- Size of network: 200m x 200m
- Transmission range: 10m
- Location of BS: (100, 100)
- Location of sinkhole: (50, 50)
- Percentage of colluding nodes (m): 0 – 50%
- Message drop rate (d): 0 – 80%
- No. of neighbors which a message is forwarded to (k): 1 – 2
- Packet size: 100 bytes
- Max. number of reply messages per packet: 5

Metrics:
- Accuracy of Intruder Identification
  - Success Rate
  - False-positive Rate
  - False-negative Rate
- Communication Cost
- Energy Consumption

Success Rate
[Figure: Success rate in intruder identification. x-axis: Ratio of malicious nodes (%); y-axis: Success rate (%); curves for d=0, d=0.2, d=0.4, d=0.6, d=0.8.]

False-positive and False-negative Rate
[Figure: False-positive rate in intruder identification. x-axis: Ratio of malicious nodes (%); y-axis: False-positive rate (%); curves for d=0, d=0.2, d=0.4, d=0.6, d=0.8.]
[Figure: False-negative rate in intruder identification. x-axis: Ratio of malicious nodes (%); y-axis: False-negative rate (%); curves for d=0, d=0.2, d=0.4, d=0.6, d=0.8.]

Communication Cost and Energy Consumption
[Figure: Communication cost for collecting network flow information. x-axis: Hops to base station; y-axis: Packets per node; curves for packet receive (k=1), packet receive (k=2), packet send (k=1), packet send (k=2).]
[Figure: Energy consumption for intruder identification. x-axis: Hops to base station; y-axis: Energy consumption per node (uJ); curves for k=1, k=2.]

Conclusion and Future Work
- An effective method for identifying sinkhole attack in wireless sensor networks
- It locates a list of suspected nodes by checking data consistency, and then identifies the intruder in the list through analyzing the network flow information
- A series of enhancements to deal with cooperative malicious nodes that attempt to hide the real intruder
- Numerical analysis and simulation results are provided to demonstrate the effectiveness and accuracy of the algorithm
- We are interested in more effective statistical algorithms for identifying data inconsistency

