On The Intruder Detection For Sinkhole Attack In Wireless Sensor Networks


Published on

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • On The Intruder Detection For Sinkhole Attack In Wireless Sensor Networks

    1. 1. On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks Edith C. H. Ngai 1 , Jiangchuan Liu 2 , and Michael R. Lyu 1 1 Department of Computer Science and Engineering The Chinese University of Hong Kong 2 School of Computing Science Simon Fraser University 12 Jun 2006 IEEE International Conference on Communications (ICC 2006)
    2. 2. Outline <ul><li>Introduction </li></ul><ul><li>Related Work </li></ul><ul><li>Sinkhole Attack Detection </li></ul><ul><li>Enhancements Against Multiple Malicious Nodes </li></ul><ul><li>Performance Evaluation </li></ul><ul><li>Conclusion and Future Work </li></ul>
    3. 3. Wireless Sensor Networks <ul><li>Increasingly popular to solve challenging real-world problems </li></ul><ul><ul><li>Industrial sensing </li></ul></ul><ul><ul><li>Environmental monitoring </li></ul></ul><ul><li>Set of sensor nodes </li></ul><ul><li>Many-to-one communication </li></ul><ul><ul><li>Vulnerable to the sinkhole attack </li></ul></ul>
    4. 4. Sinkhole Attack <ul><li>Prevent the base station from obtaining complete and correct sensing data </li></ul><ul><li>Particularly severe for wireless sensor networks </li></ul><ul><li>Some secure or geographic based routing protocols resist to the sinkhole attacks in certain level </li></ul><ul><li>Many current routing protocols in sensor networks are susceptible to the sinkhole attack </li></ul>
    5. 5. Sinkhole Attack <ul><li>Left: using an artificial high quality route </li></ul><ul><li>Right: using a wormhole </li></ul>
    6. 6. Related Work <ul><li>Intrusion detection has been an active research topic for the Internet extensively </li></ul><ul><li>Sensor network that we are considering </li></ul><ul><ul><li>asymmetric many-to-one communication pattern </li></ul></ul><ul><ul><li>power of the sensor nodes is rather weak </li></ul></ul><ul><li>Protocols based on route advertisement are vulnerable to sinkhole attacks </li></ul>
    7. 7. Related Work <ul><li>Wood et al. </li></ul><ul><ul><li>mechanism for detecting and mapping jammed regions </li></ul></ul><ul><li>Ding et al. </li></ul><ul><ul><li>algorithm for the identification of faulty sensors and detection of the reach of events </li></ul></ul><ul><li>Staddon et al. </li></ul><ul><ul><li>trace the identities of the failed nodes with the topology conveyed to the base station </li></ul></ul><ul><li>Ye et al. </li></ul><ul><ul><li>a Statistical En-route Filtering (SEF) mechanism that can detect and drop false reports </li></ul></ul><ul><li>Perrig et al. </li></ul><ul><ul><li>a packet leash mechanism for detecting and defending against wormhole attacks </li></ul></ul>
    8. 8. Our Work <ul><li>Propose an algorithm for detecting sinkhole attacks and identifying the intruder in an attack </li></ul><ul><ul><li>Base station collects the network flow information with a distributed fashion in the attack area </li></ul></ul><ul><ul><li>An efficient identification algorithm that analyzes the collected network flow information and locate the intruder </li></ul></ul><ul><li>Consider the scenario that a set of colluding nodes cheat the base station about the location of the intruder </li></ul>
    9. 9. Estimate the Attacked Area <ul><li>Consider a monitoring application in which sensor nodes submit sensing data to the BS periodically </li></ul><ul><li>By observing consistent data missing from an area, the BS may suspect there is an attack with selective forwarding </li></ul><ul><li>BS can detect the data inconsistency using the following statistical method </li></ul><ul><li>Let X 1 , ..., Xn be the sensing data collected in a sliding window, and be their mean. Define f ( Xj ) as </li></ul>
    10. 10. Estimate the Attacked Area <ul><li>Identify a suspected node if f ( Xj ) is greater than a certain threshold </li></ul><ul><li>The BS can estimate where the sinkhole locates </li></ul><ul><li>It can circle a potential attacked area , which contains all the suspected nodes </li></ul>
    11. 11. Identifying the Intruder <ul><li>Each sensor stores the ID of next-hop to the BS and the cost in its routing table </li></ul><ul><li>The BS sends a request message to all the affected nodes </li></ul><ul><li>The sensors reply with < ID, ID next-hop , cost > </li></ul><ul><li>Since the next-hop and the cost could already be affected by the attack </li></ul><ul><ul><li>The reply message should be sent along the reverse path in the flooding, which corresponds to the original route with no intruder </li></ul></ul>
    12. 12. Identifying the Intruder <ul><li>Network flow information can be represented by a directed edge </li></ul><ul><li>Realizes the routing pattern by constructing a tree using the next hop information collected </li></ul><ul><li>An invaded area possesses special routing pattern </li></ul><ul><ul><li>All network traffic flows toward the same destination, which is compromised by the intruder SH </li></ul></ul>
    13. 13. Enhancement on Network Flow Information Collection <ul><li>Multiple malicious nodes may prevent the BS from obtaining correct and complete flow information for intruder detection </li></ul><ul><li>They may cooperate with the intruder to perform the following misbehaviors: </li></ul><ul><ul><li>Modify the packets passing through </li></ul></ul><ul><ul><li>Forward the packets selectively </li></ul></ul><ul><ul><li>Provide wrong network flow information of itself </li></ul></ul><ul><li>We address these issues through encryption and path redundancy </li></ul>
    14. 14. Multiple Malicious Nodes <ul><li>Drop some of the reply packets </li></ul>Their objective is to hide the real intruder SH and blame on a victim node SH’ <ul><li>Provide incorrect flow information </li></ul>
    15. 15. Dealing with Malicious Nodes <ul><li>Maintain an array Count [] </li></ul><ul><ul><li>Entry Count [ i ] stores the total number of nodes having hop count difference i </li></ul></ul><ul><ul><li>Index i can be negative (a node is smaller than its actual distance from the current root) </li></ul></ul><ul><li>If Count [0] is not the dominated one in the array, it means the current root is unlikely the real intruder </li></ul>
    16. 16. Dealing with Malicious Nodes <ul><li>By analyzing the array Count , we may estimate the hop counts from SH’ to SH </li></ul><ul><li>The BS can make root correction and re-calculate the array Count among the nodes within two hops from SH’ </li></ul><ul><li>Concludes the intruder based on the most consistent result </li></ul>
    17. 17. Example <ul><li>The array Count of the following figure is: </li></ul>
    18. 18. Example <ul><li>Eventually, node SH becomes the new root: </li></ul>
    19. 19. Performance Evaluation <ul><li>Accuracy of Intruder Identification </li></ul><ul><ul><li>Success Rate </li></ul></ul><ul><ul><li>False-positive Rate </li></ul></ul><ul><ul><li>False-negative Rate </li></ul></ul><ul><li>Communication Cost </li></ul><ul><li>Energy Consumption </li></ul>5 Max. number of reply messages per packet 100bytes Packet size 1 – 2 No. of neighbors which a message is forwarded to ( k ) 0 – 80% Message drop rate ( d ) 0 – 50% Percentage of colluding codes ( m ) (50, 50) Location of sinkhole (100,100) Location of BS 10m Transmission range 200m x 200m Size of network 400 No. of nodes in network
    20. 20. Success Rate
    21. 21. False-positive and False-negative Rate
    22. 22. Communication Cost and Energy Consumption
    23. 23. Conclusion and Future Work <ul><li>An effective method for identifying sinkhole attack in wireless sensor networks </li></ul><ul><li>It locates a list of suspected nodes by checking data consistency, and then identifies the intruder in the list through analyzing the network flow information </li></ul><ul><li>A series of enhancements to deal with cooperative malicious nodes that attempt to hide the real intruder </li></ul><ul><li>Numerical analysis and simulation results are provided to demonstrate the effectiveness and accuracy of the algorithm </li></ul><ul><li>We are interested in more effective statistical algorithms for identifying data inconsistency </li></ul>