In-Band Wormhole Detection in Wireless Ad Hoc Networks Using Change Point Detection Method
Student: Yi Ling Faculty Advisor: Dr. Maggie Cheng
Department of Computer Science, Missouri University of Science and Technology
5. Conclusion and Future Work
• A new in-band wormhole detection method, SW-CLT, was proposed.
• Future work: identification of the wormhole end nodes, and removal of
the wormhole or mitigation of the damage it causes.
1. Background
Wormhole attack
• Fakes a route that is shorter than the original one within the network
• Confuses routing mechanisms that rely on the distance between nodes
• Captures packets at one wormhole node and replays them at the other
• Can easily be launched
Out-band wormhole attack
• Uses an external link between the two control points
In-band wormhole attack
• Redirects the traffic to a multi-hop tunnel over the existing wireless
medium
2. Project Objective
Identify the in-band wormhole in a wireless ad hoc network by detecting
an abrupt increase in end-to-end delay.
3. Wormhole Detection Scheme
1) The Sequential Change Point Detection Algorithm
• Detects a change point in a time series {x1, x2, …, xt, …}; however,
existing methods rely on manually set thresholds or parameters, which
limits their application.
• The parametric version of the CUSUM algorithm is the best when the pre-
and post-change distributions are known.
• The non-parametric version of CUSUM needs a preset threshold and a
related constant parameter.
• The repeated sequential probability ratio test (R-SPRT) is used when
the distributions are known or can be reliably estimated.
2) New Sequential Change Point Detection Algorithm: SW-CLT
• No requirements on the data characteristics.
• Uses a sliding window to calculate its detection statistic; the
detection threshold is derived from the Central Limit Theorem.
• m – window size; t – time, 0 ≤ t ≤ n − 2m
Windows:
• Compare the difference between the sums of the two windows with a
threshold DTh.
• ) is CDF for standard normal distribution. is a desired false alarm
rate.
• As the windows slide from the low end to the high end of the time
series. If
• Then the algorithm decides that a change point has occurred at the
boundary between the two windows, and reports the change time μ̃ = t + m.
• For a true positive, the detection delay is the time difference between
a reported change point and the true change point:
• The algorithm is based on the Central Limit Theorem and works
regardless of the underlying distribution of the end-to-end delay
{x1, …, xn}.
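The sliding-window test described above, as an added Python example that is not the authors' code. The poster's window and threshold formulas did not survive on this page, so the statistic (right-window sum minus left-window sum), the threshold z·sqrt(2m·s²) with s² the left window's sample variance, and the names `sw_clt_detect`, `constructed_delays` and `alpha` are assumptions; the delay series is constructed.

```python
from statistics import NormalDist, variance


def sw_clt_detect(x, m, alpha=0.001):
    """Return the first reported change time t + m, or None.

    Assumptions (the poster's formulas are not on the page): the statistic is
    sum(right window) - sum(left window), tested one-sided because a wormhole
    raises delay; the threshold is z * sqrt(2 * m * var), where var is the
    sample variance of the left window and z is the standard normal quantile
    at 1 - alpha (alpha = desired false alarm rate).
    """
    z = NormalDist().inv_cdf(1.0 - alpha)
    for t in range(0, len(x) - 2 * m + 1):  # 0 <= t <= n - 2m
        left = x[t:t + m]
        right = x[t + m:t + 2 * m]
        # For i.i.d. delays with variance var, the difference of two m-sample
        # sums is approximately N(0, 2*m*var) when no change has occurred.
        d_th = z * (2 * m * variance(left)) ** 0.5
        if sum(right) - sum(left) > d_th:
            return t + m  # change reported at the window boundary
    return None


def constructed_delays(n, change_at, shift_ms):
    """Constructed end-to-end delays (ms): periodic jitter plus a step increase."""
    jitter = [10.0, 12.0, 11.0, 13.0, 12.0]
    return [jitter[i % 5] + (shift_ms if i >= change_at else 0.0)
            for i in range(n)]


if __name__ == "__main__":
    benign = constructed_delays(200, change_at=200, shift_ms=0.0)
    attack = constructed_delays(200, change_at=120, shift_ms=8.0)
    print("benign:", sw_clt_detect(benign, m=20))
    print("attack:", sw_clt_detect(attack, m=20))
```

Because the alarm fires as soon as enough post-change samples enter the right window, the reported t + m can precede the true change by up to m samples when the delay jump is large (103 versus 120 in the constructed attack series).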
3) Simulation
A. Wormhole Detection in a Stationary Network
1. All traffic is redirected to the wormhole tunnel
• Flows: 18-28 and 17-38. No background traffic. Wormhole attack launched
at 50 s
2. Some flows go through the wormhole tunnel while others follow their
previous routes.
• Affected flows: 9-24, 18-28,17-38
• Background traffic: 18-10, 37-12
• Wormhole attack launched at 50 s
• Using the NS3 simulator, 40 randomly deployed nodes, each equipped with
an 802.11b Wi-Fi interface with a data rate of 11 Mbps, were placed on a
500 m × 500 m square region
• Node transmission range: 100 m
B. Wormhole Detection in a Mobile Network
• Benign case: node 1 and node 2 are moving towards each other.
• Attack case: the route change is caused by a wormhole.
C. Comparison of SW-CLT and NP-CUSUM
• Scenario 1: flows 18-28 and 17-38
• Scenario 2: attack case with three flows: 9-24, 17-38, and 18-12