2Computer Science Department, UMass Lowell ... passive, this algorithm uses a hop-counting tech- nique as a ... which may be useful information for further de-.
Distributed Wormhole Attack Detection in Wireless Sensor Networks
Yurong Xu1 Guanling Chen2 James Ford1,3 Fillia Makedon1,3 1
Computer Science Department, Dartmouth College {yurong, jford, makedon}@cs.dartmouth.edu 2
Computer Science Department, UMass Lowell {glchen}@cs.uml.edu
3
Univ. of Texas at Arlington, Dept. of Computer Science and Eng. {Makedon,jford}@cse.uta.edu
Abstract
ployed in some hostile environment, attacks (especially those like wormhole attacks that don’t need
This paper proposes a distributed wormhole to capture the keys used in the network) may affect detection algorithm for wireless sensor networks, current sensor networks and may even disable a potential technology for infrastructures of many their functions. This paper proposes a distributed applications. Currently, most sensor networks wormhole detection algorithm called Wormhole assume they will be deployed in a benign enviGeographic Distributed Detection (WGDD), that ronment; however, when a sensor network is de-
is based on detecting disorder of the networks
capabilities. This technology has the potential
which is caused by the existence of a wormhole
to provide infrastructures for numerous applica-
inside the network. Since wormhole attacks are
tions, such as surveillance, healthcare, industry
passive, this algorithm uses a hop-counting tech-
automation, and military uses.
nique as a probe procedure to detect wormhole attacks, then reconstructs local maps in each node, and after that, uses a feature called “diameter” to detect abnormalities caused by wormholes. The main advantage of using a distributed wormhole detection algorithm is that such an algorithm can provide the approximate location of a wormhole, which may be useful information for further defense mechanisms. Simulations show that the proposed detection method has both a low False Tol-
Currently, most applications in WSNs assume that they are deployed in a trusted environment, but it is possible that a WSN is to be deployed in an untrusted environments, and so dealing with security issues will become a central requirement. In this situation, an adversary can disable the functionality of a WSN by interfering with packet transmissions inside the networks with different attacks such as wormhole attacks, sybil attacks [12], jamming, and packet injection attacks [17].
eration Rate (FTR) and a low False Detection Rate (FDR) in detecting wormhole attacks.
This paper focuses on wormhole attack detection [2, 7, 13]. A wormhole attack doesn’t require knowing the cryptographic infrastructure of
1. Introduction the sensor network, and thus it puts an attacker in Wireless Sensor Networks (WSNs) [1, 15] are
a very powerful position relative to other nodes
an emerging technology consisting of small, low-
in the network, compared to other attacks such
power, and low-cost devices that integrate limited
as sybil and packet injection attacks, which usu-
computation, sensing, and radio communication
ally utilize vulnerabilities in the infrastructure of
wireless sensor networks. An attacker can perform a wormhole attack on a sensor network even if the network communication infrastructure provides confidentiality and authenticity, and the attacker does not have any cryptographic keys.
Currently, there are many methods that have been proposed for detecting wormhole attacks inside of ad hoc networks and wireless sensor networks, and encouraging results have been obtained. However, these methods usually require that some nodes in the network be equipped with special hardware. Solutions such as SECTOR [2] and “Packet Leashes” [7] need time synchronization or highly accurate clocks to detect wormholes; the method of Hu and Evans [5] requires that a directional antenna is deployed in each node; and LAD [3], SerLoc [9], and the approach in [6] concentrate on detecting/defending against wormholes in localization in WSNs, but these methods also need the help of anchor nodes (which are special nodes that already know their location exactly), which requires manual setup
when a network is deployed. In comparison with the above methods, in this paper we describe a distributed method called Wormhole Geographic Distributed Detection (WGDD) to detect a wormhole attack without using anchor nodes or any additional hardware. Since a wormhole attack is passive, this algorithm uses a simple hop-counting technique as a probe procedure to detect wormhole attack, then reconstructs local maps by MDS (Multidimensional Scaling) in each node, and after that uses a feature introduced in this papce called “diameter” to detect distortions caused by a wormhole. The main advantage of using a distributed wormhole detection algorithm is that such an algorithm can provide the approximate location of a wormhole, which can assist further defense mechanisms. Simulation shows that the proposed detection method has both a low False Toleration Rate(FTR) and a low False Detection Rate(FDR) in detecting wormhole attacks. In this paper, we make the following contribu-
tions. (i.) We propose a new feature which can be
2. Related Work
used to detect wormholes in a distributed scheme. (ii.) We propose a distributed wormhole detection algorithm which needs only local connectivity information. Since the detection of wormholes is completed under a distributed scheme, it is possible that our algorithm can provide the approximate locations of the ends of wormholes, which will be helpful in further defense against wormhole attacks. (iii) We provide extensive simulation for (i-ii) in NS-2, which shows that our methods are effective at detecting wormhole attacks on different network placements.
The wormhole attack detection in wireless adhoc networks was introduced in [2, 6, 7]. Both solutions are referred to as “Packet Leashes” [7], and SECTOR [2]. They detect wormhole attacks based upon the notion of geographical or temporal leashes. Briefly, suppose every node in the network already knows its exact location and each node embeds its location and a timestamp into each packet it sends. If the network is synchronized, then other nodes receiving that packet can detect a wormhole by detecting the mismatch between the timestamp difference they calculate and
The remainder of the paper is organized as fol-
the location difference they observe. Such a solu-
lows. Section 2 discusses related work. Sec-
tion requires a synchronized clock and preknown
tion 3 describes some basic concepts related to
location for each node. The method we propose
wormhole attacks. Section 4 discusses the fea-
here does not have these requirements.
ture which detects wormholes inside of a network
In [8], Kong et al. study Denial of Service
and the details of the WGDD algorithm. Section
(DoS) attacks, including wormhole attacks, in
5 evaluates the algorithm in an NS-2 simulation
UWSN (Under Water Sensor Networking). Be-
environment. And finally Section 6 gives our con-
cause UWSN typically uses acoustical methods
clusions.
to propagate messages under water, the methods
in UWSN can’t be directly applied into wireless
anchor nodes that are close to a end of a worm-
sensor networks.
hole, SeRLoc will still have difficulty in detecting/defending against wormhole attacks.
In [5], Hu and Evans utilize directional antennas to prevent wormhole links by assuming every node of the network will be equipped with directional antennas that all have the same orientation. Lazos and Poovendran apply a similar idea in designing a secure localization scheme called SeRLoc [9] that protects against wormhole attacks in localization. In SeRLoc, there are about 400 anchor nodes (designated as “beacon nodes” in the paper) deployed in a 5000-node network. Each anchor node has a directional antenna and already knows its physical location. Other nodes in the network use these anchor nodes to locate themselves. When there is a wormhole attack in the network, since a wormhole will shortcut the network, directional antennas deployed in the anchor nodes will help in detecting the attack, and the nodes can then defend against it by discard-
In more recent papers [3, 10], D. Liu et al. proposed an anchor-based scheme which is resistant to several attacks, including wormhole attacks. By using a hop-counting technique, the scheme estimates the distance between a node and an anchor node (or “location reference” in the authors’ terminology). If there is a wormhole inside the network, then it is possible that the distance from a node to some anchor node will be changed, and a simple threshold method is used to determine whether such a distance difference is caused by a wormhole attack or by localization error. The main difference between our method and those of [3] and [10] is that the latter methods rely on anchor nodes, which need manual setup in advance, while our method does not require any anchor nodes to detect wormholes.
ing incorrect localization messages. However, if
Additional work by [14] presents a useful graph
anchor nodes are compromised, especially those
theoretic framework for modeling of wormhole
attacks, but this theoretic framework is based on
which is identified in [14], is that such a visual-
the assumption that there are “guard nodes” know
ization cannot be applied to networks with irreg-
their locations exactly. Thus, these nodes actu-
ular shapes, such as a string topology (nodes con-
ally work as anchor nodes as described in this pa-
nected in one line).
per. Since in this work we assume that none of the nodes in the network knows its physical location,
3. The Wormhole Attack
our proposed solution is for a case not covered by this framework. Origin end
MDS-VOW [16] allows visualization of a net-
Wormhole tunnel Destination end
Figure 1. A Wormhole Attack in a WSN
work to allow detection of wormholes by finding bending distortions caused by a wormhole in
In a typical wormhole attack, an attacker re-
computed maps. The main difference between
ceives packets at one point in the network, for-
our approach and MDS-VOW is that MDS-VOW
wards them through a wireless or wired link with
can only work in a centralized scheme, so MDS-
much less latency than the default links used by
VOW needs to have a central computer to finish
the network and relays those packets at another
its computation. In our paper, we extract a new
position in the network. In this paper we as-
feature which can efficiently indicate the ends of
sume that a wormhole is bidirectional, and when
a wormhole based only on local bending distor-
considering a wormhole attack, we refer to the
tions caused by the ends of the wormhole. The
end of that wormhole receiving a message as the
algorithm described in this paper is computed by
“origin end” of the wormhole and the end that
a distributed scheme and requires no centralized
transmits the message as the “destination end” of
computation. A general limitation of MDS-VOW,
that wormhole (thus which end is which is en-
tirely context dependent). Figure 1 shows a typ-
similar hop-counting technique as a probe proce-
ical wormhole attack. In this work we assume
dure (Section 4.2) to detect wormhole attack. Af-
wormholes with two endpoints, although in the-
ter the running of the probe procedure, each node
ory multi-end wormholes are possible.
will collect the set of hop-count from its neigh-
We also assume that each wormhole in a net-
bor nodes which are in one(k) hop(s) distance to
work is (1) passive, and thus does not send out
it, then that node will run Dijkstra’s algorithm to
any message without any inbound message, (2)
get the shortest path for each pair of the nodes,
static, which means that such wormhole will not
after that, it will reconstruct a local map by MDS
move around.
(Multidimensional Scaling) (Section 4.3). After we discuss a feature called as “diameter” to de-
4
Detecting Wormhole Attacks
tect distortions caused by a wormhole in local maps in Section 4.4, we will introduce the detec-
In this section, at first, we will describe our altion procedure in Section 4.5. The overview of gorithm in brief, then, by observing the network this Wormhole Geographic Distributed Detection with a wormhole inside it, we discuss a feature (WGDD) algorithm can be seen in Procedure 1. which can be used to detect wormhole attacks in distributed scheme, at last, based on the previous feature we propose how to detect wormhole at-
Procedure 1 Wormhole Geographic Distributed Detection (WGDD) 1: Probe Procedure 2: Local Map Computation Procedure 3: Detection Procedure
tacks.
4.1
Overview of WGDD Algorithm
4.2
Probe Procedure
Our distributed algorithm called Wormhole Ge-
Since a wormhole attack is passive, which
ographic Distributed Detection (WGDD) uses a
means that such an attack can only happen when
there is some message being transmitted near the
procedure [18] for node a is shown in Procedure
wormhole area. In order to detect whether there
2.
is a wormhole attack inside a network, we design a probe procedure to flood an message from some bootstrap node to the whole networks to let all other nodes in the network to count the hop distance from itself to that bootstrap node. Such probe procedure is based on hop-coordinates [18] technique to measure the hop distance from each node to some bootstrap node, which shares the same idea as hop-counting, but has more accurate measurement.
Procedure 2 Probe Procedure in node a 1: INPUT: message (hopb ) from node b ∈ Na 2: for message (hopb ) from any B ∈ Na and not TIMEOUT do 3: if hopb < hopa then 4: hopa = hopb + 1 5: forward (message(hopa ) ) to MAC 6: else 7: drop (message(hopb ) ) 8: end if 9: end for 10: if |Na | == 0 then 11: offseta = 0 12: else P (hop −(hopa −1))+1 13: offseta = b∈Na 2(|Nb a |+1) 14: end if 15: return hopa and offseta
(i)In bootstrap node: A bootstrap node x creates a probe message with (i = idx ) to flood the network. After that, the bootstrap node will drop any probe message that was originated by itself. The bootstrap node has the hop-coordinate: hopx = 0 and offsetx = 0.
Here, a is a node, hopa is the minimum number of hops to reach node a counting from some bootstrap node (x), the initial value of it will be the largest positive value in practice. the combi-
(ii) In all other nodes in the WSN: Suppose that
nation of hopa and offseta is the hop coordinate for
a node a is calculating its hop distance, and node
node a, Na is a set of nodes which can be reached
b is one of the neighbors of node a. Then the basic
by node a in one hop, and |Na | is the number of
probe procedure 2 is as same as hop-coordinates
nodes in Na .
0 10
144 140
90
144 140 80 70
120
60
120 50 40
100
30
100 20
60
60
40
40
20
20
0 0
80
10
80
10 20 30 40 50 60 70 80 90
20
40
60
80
100
120
140 144X
0
0
20
40
60
0 10
0 0
80
100
120
140 144
(a) The original location of a 2500node (b) the same 2500-node WSN with one WSN with one wormhole wormhole siting on the edges of the WSN Figure 2. a 2500-node WSN (r = 2m) with one wormhole
4.3
(|N a |+1)×(|N a |+1) shortest path matrix (here
Local Map Computation
|N a | is the number of nodes that can be reached by In this step, each node will compute a local map for it’s neighbors based on the hop-coordinate computed in the previous step. After the gener-
node A in one (k) hop(s)) and retain the first two (or three) largest eigenvalues and eigenvectors to construct a 2-D (or 3-D) local map.
ation of hop-coordinates with Procedure 2, each The total cost for this step is a computational node will send a request to its neighbor nodes that
cost of O(|Na |3 n) and a memory cost of O(|Na |2 )
are within one(k) hop(s) to send back their hop per node, with no communication cost in this step. coordinate from some bootstrap node (x). After each node receives the hop coordinate
4.4
Detection Procedure
from its neighbors, that node will compute shortest paths between all pairs of nodes one (k) hop(s)
Based on the local map from previous step,
to that node, using Dijkstra’s algorithm or other
here we will try to detect attacks. At first let us
similar algorithms.
have a look of the affection of wormhole attack
Then,
we
apply
MDS
to
the
on computed map.
4.4.1
Observation of a Wormhole in a Recon-
ing on the edges of the network.
structed Map
In order to observe a wormhole, we implemented the probe procedure 2 and the local map compu-
4.4.2
New Feature to Detect Wormhole Attacks
tation procedure as routing agents and the boot-
With the fact that each WSN node has limited re-
strap node for the probe procedure as a protocol
sources and has no possibility to store global in-
agent in NS-2 version 2.29 [11] with 802.15.4
formation, in order to detect wormholes in a dis-
MAC layer [19] and CMU wireless extensions
tributed scheme, each node can only use local in-
[4]. The configuration parameters used for NS-2
formation to detect wormhole attacks.
are RF range = 15 meters, propagation = TwoRayGround, and antenna = Omni Antenna.
Consider the two parts of the intruded network with a wormhole with two ends in Figure 3, by se-
In our first experiment, we used 2500 nodes in a
lecting two parts of the network which is close to
uniform placement— total 2500 nodes are placed
the ends of the wormhole in Figure 2(a). We use a
on a grid with ±0.5r randomized placement error,
dotted circle to represent the neighbor area where
where r = 2 m is the width of a small square in
a particular node can directly reach in transmis-
the grid. A wormhole is implemented as a wired
sion range R, since there are two ends, we shows
connection.
two parts of the network. Then, after the cir-
Fig. 2(a) and 2(b) shows the same sensor net-
cled node finished local map computation for the
work; each ‘x’ represents a node, and the red cir-
nodes in its local range, it will be getting a lo-
cles indicate the two ends of a wormhole; in Fig.
cal map as in Figure 4. From this figure, we can
2(a), the wormhole is siting in the center of the
see that because wormhole shortcuts the two parts
network, while in Fig. 2(b), the wormhole is sit-
of the network, the circled node can reach more
range than before (if we measure the longest dis-
as distancde(a, b) = sqrt((x − x0 )2 + (y − y 0 )2 )
tance in this local map, it will equal 49m), though
in 2D case, here (x, y),(x0 , y 0 ) are the coordiantes
that computed local map is bended by the effect
for node a, b in the local map computed in the
of the wormhole.
previous step, respectively. Theoretically, the diameter of the neighbor area for a node will roughly equal or less its trans-
Figure 3. Two Parts of the Network near Wormhole Ends.Here, parameters: r = 4,
R = 15, red circles represents the wormhole ends.
mission range R, since one node only can hear from its neighbors within the transmission range R. But because of the shortcut of wormhole, the computed map for that neighbor area of that node will be distorted, and so the diameter of that com-
2d =49m Figure 4. Local Map in the Red Circled Node in Figure 3.After probe procedure and local
map computation in that node which is red circled.
puted local map will be larger than the physical one, as shown in 4, we can see 2d = 49m. In order to verify whether such diameter feature is working in detecting wormhole in the whole
From the above observation, we instead fo-
network, we compute the diameter for each node
cus on detecting wormholes by using a different
in the same 2500-node network with and without
feature—the diameter of the computed local map.
wormhole. The results are shown in Figure 5(a),
We define diameter d for Node a here:
if we examine nodes that are very near to a worm-
Diameter: d = max(distance(b, c))/2,
hole, such as the area near the red circles in Fig-
Where b, c ∈ Na , here Na is the set of neighbor
ure 5(b), the diameters of the local maps for these
nodes of node a, distance(a, b) will be computed
nodes will be noticeably increased by proximity
26 24 22
17
Diameter
Diameter
16 15 14
20 18 16
13 0
100 20
80 40
14
60 60
40 80
20 0100
12 100
80
60
X
40
20
100 0
80
60
40
Y
20
0
(a) Diameter Measurement in the 2500-node (b) Diameter Measurement in the 2500-node WSN in Figure 2.(a) without Wormhole WSN in Figure 2.(a) with a Wormhole Figure 5. Diameter Measurement without and with Wormhole in a 2500-node WSN. In Figure 5(b),
the diameter of a local map will roughly be R (from 14 to 18, while R = 15 meters) unless there is a wormhole attack, in which case the diameter of a local map will become longer as the position draws closer and closer to the wormhole.
to the wormhole, comparing the diameters in the
longer as the position draws closer and closer to
same nodes in the network without wormhole in
the wormhole. The diameter reaches the highest
Figure 5(a). But if the nodes are a little farther
(about 25 m) at the nodes at about 7 m to the ends
away, or in a distant part of the network, such as
of wormhole, then the diameter is decreased, be-
the middle area in Figure 5(b), the diameters of
cause the nodes are approaching to the edges of
the local maps for these nodes, will be almost as
the network, but still above 22 m.
normal as these in the same area in Figure 5(a), which is without wormhole.
The ‘diameter’ feature is also good at detect wormhole attack in networks with irregular
In Figure 5(b), the diameter of a local map will
shapes, and in networks with multiple wormholes
roughly be R (from 14 to 18, while R = 15 me-
inside them. We did some experiments of ‘diam-
ters) unless there is a wormhole attack, in which
eter’ in a network with string topology, and a net-
case the diameter of a local map will become
work with two wormholes inside it.
16.8
26
16.6
24 22
16.2
Diameter
diameter
16.4
16 15.8
20 18 16
15.6
14
15.4
12
15.2 0
20
40
60
X
80
100
(a) Diameter Measurement in the 50node WSN in String Placement without a Wormhole
0
20
40
60
X
80
100
(b) Diameter Measurement in the 50node WSN in String Placement with a Wormhole
Figure 6. Diameter Measurement in the 50-node WSN in String Placement without/with a Wormhole
In a string topology experiment, we tested a
2.a. The measurement of diameter for all nodes
50-node network, inside of which, each node are
as shown in Figure 7. The locations of the ends
uniformally distributed in a 100 meter string in
of these two wormholes are represented as red
one dimension. First we measure the diameter for
circles in the same figure. From the figure, we
each node without any wormhole in the network,
can see that even two wormholes are very close
the result is in Figure 6(a). The diameter is at most
to each other, the peaks of diameter are still ap-
16.8 m in Figure 6(a). Then, we add a wormhole
peared in the nodes which are close to the ends of
into the network with the two ends of that worm-
the wormholes, from our measurement, four peak
hole at the two ends of the string. We can see that
values are 24.8, 25.2, 22.2, 22.6 m respectively.
right now, the diameters of nodes which are close to the ends of the wormhole are larger than 22 m, shown in Figure 6(b).
So, by computing the diameter d for local map, such detection algorithm can runs independently in each node, in conjunction with the computation
In order to test the feature of ‘diameter’ in de-
of a local map for the neighboring area. Since
tecting multiple wormholes in a network, we de-
all nodes in this area are within one(k) hop(s) of
ployed two wormholes in the network of Figure
the calculating node, the detection algorithm can
to the ends of the wormhole will be higher to over 22m. So, we can define a threshold for the diameter to detect wormholes in the network. Since, the lower the value we assign to such threshold, the higher possibility it is that nodes send the error alarms of wormhole. So, based on the above experiments, we define a threshold as 1.4R (in our Figure 7. Diameter Measurement in the 2500node WSN in Figure 2.(a) with Two Wormholes.Here, red cycles are the ends of worm-
holes, the dashed lines are the tunnels of the wormholes. A ’X’ is represented as a node. The 50X50 mesh is only for visualization purpose. Color bar represents the value of diameter.
configuration 1.4R = 1.4 ∗ 15 = 21 m) to determine whether there is a wormhole attack present or not. In order to adjust the sensitivity of detection procedure we introduce a constant parameter λ:
compute the diameter of each local map after determining each neighbor node’s location.
Suppose the diameter of a local relative map is d; if d > (1+λ)1.4R (here λ is a constant parame-
4.4.3
Detection Procedure
Thus, we propose to use the diameter to determine whether there is a wormhole attack present or not. From the experiment in Figure 5(a) and 5(b), we can see that usually the diameters for lo-
ter which is less than 1 and larger than 0), then we can say there is a wormhole in the network, and if not, we can say that the error probably comes from localization error. The details of the detection algorithm follow.
cal maps will be around R, but if there is a worm-
Suppose node a is an arbitrary node in the
hole in the network, then the diameters of the lo-
WSN. At first, we propose a distributed detec-
cal maps which are computed by the nodes close
tion Procedure 3, which is used to compute the
diameter after running the probe procedure 2 and
[11] with 802.15.4 MAC layer [19] and CMU
local map computation in Section 4.3, and detect
wireless [4] extensions. The configuration used
whether there is a wormhole in the network.
for NS-2 is RF range = 15 meters, propagation =
Procedure 3 Wormhole Detection Procedure in node a 1: INPUT: local map G in node a for Na ∪ {a} 2: diameter d = 0 3: for each b ∈ Na ∪ {a} do 4: for each node c ∈ Na ∪ {a} − {b} do 5: if 2d < distance(b, c) in local map G then 6: 2d = distance(a, b) in local map G 7: end if 8: end for 9: end for 10: if d > (1 + λ) × 1.4R then 11: return “FOUND WORMHOLE” to sink node. 12: end if
TwoRayGround, antenna = Omni Antenna. We implemented a wormhole as a wired connection with smaller latency that forwards packets from one node to another node. 120
100
80
60
40
20
0
The total cost for this step is a computational cost of O(|Na |2 n) and a memory cost of O(|Na |) per node, with no communication cost in this
0
20
40
60
80
100
120
Figure 8. A typical placement for simulation (Constructed with n = 400, r = 4. green dashed ovals are holes and small blue circles are islands.)
step. In our all experiments, we used uniform
5. Simulations Results
placement—n nodes are placed on a grid with ±0.5r randomized placement error. Here r is the
5.1
Simulation Environment Setup
width of a small square in the grid. We conSame as to the experiment setup in the previous
structed a total of 60 placements with n = 400,
section, we implemented our whole detection al-
900, 1600 and 2500, and with r = 2, 4,6, 8, 10
gorithm as a routing agent in NS-2 version 2.29
and 12 meters, respectively. The reason we use
uniform placement with ±0.5r error is that usu-
In practice, we count the number of the nodes,
ally such placement produces both node holes and
which send out “FOUND WORMHOLE” mes-
islands in one placement, as demonstrated in Fig-
sages but are far away from the ends of a worm-
ure 8. The place of the wormhole is totally ran-
hole (We define that if a node is R = 15m away
domized inside of the network.
from all ends of a wormhole, then this node obviously has few impact of wormhole, and so we
5.2
Detection Simulation Result
say that such node is far away from the worm5.2.1
Metrics
hole.), into the “number of normal localization errors flagged as detected wormholes”. When FDR
As we decrease the value of λ, we can increase = 0, it means that there is no wrong alarm in dethe accuracy of detecting wormhole attack, but tecting wormholes. the possibility of fault alarm will be increased. In order to evaluate the accuracy of our wormhole attack detection under different λ values, we introduce the following concepts:
False Toleration Rate (FTR): the frequency with which the detection system falsely recognizes different characteristics as identical, thus failing to detect a wormhole attack.
False Detection Rate (FDR): the frequency with which the detection system falsely recognizes identical characteristics as being different, thus failing to tolerate, for example, a normal localization error.
FTR = (number of wormhole attacks not detected) / (total number of trials). If there is a wormhole in a experiment, but there is no node to send out “FOUND WORMHOLE”
FDR = (number of normal localization errors
messages, we will count this as “wormhole at-
flagged as detected wormholes) / (total number of
tacks not detects”. So, if FTR = 0, it means that
trials).
our detection algorithm is successful in detecting
0.1
0.09
0.09
0.08
0.08
0.08
0.07
0.07
0.07
0.07
0.06
0.06
0.06
0.06
0.05
0.05
0.05
0.05
0.04
0.04
0.04
0.04
0.03
0.03
0.03
0.03
0.02
0.02
0.02
0.01
0.01
0.01
FDR
0.08
FDR(%)
FTR
0
2
4
6
8
r (m)
10
12
0.02 0.01 0
0
0
0
FDR FTR
FTR(%)
0.1
0.09
FDR(%)
0.1
FTR(%)
0.1 0.09
0
15
2
(a) when λ = 0
4
6
8
r (m)
10
12
15
(b) when λ = 0.1
Figure 9. False Detection Rate (FDR) and False Toleration Rate (FTR) for various node spacings.
1
1 0.9
0.9
FDR FTR
0.8
0.8 0.7
5.2.2
Simulation Result
We use the same experimental setup as in section
FDR(%)
0.7 0.6
0.6
0.5
0.5
0.4
0.4
0.3
0.3
0.2
0.2
0.1
0.1 0
0 2
5.1, with one wormhole in each placement, again implemented in NS-2 as a wired connection with
FTR(%)
wormholes in all experiments.
7
12
17
22
27
32
37
Hop Distance Between Two Ends of a Wormhole
Figure 10. FTR/FDR vs Hop Distance Between Two Ends of a Wormhole (λ = 0)
a latency far less than the latency of the wireless connections. Results in terms of FTR and FDR are shown in Figure 9. Our detection algorithm
our algorithm to detect smaller wormholes (such
has a low FTR with FDR=0 when λ = 0.0as in
as two to three hops long), we plot the all FTR and
Figure 9.a; when λ = 0.1as in Figure 9.b, our
FDR experiment data( when λ = 0) on Figure 10
detection algorithm can achieve a low FDR with
based on the number of hops between two ends of
FTR=0.
a wormhole in one experiment. We can see that
In order to consider about the performance of
if it is a long wormhole such as ≥ 3 hops long,
our detection algorithm archives almost 100% de-
distortion in distributed scheme, with the help of
tection rate (shown as FTR = 0). Even when fac-
that feature– “diameter”, we propose a wormhole
ing shorter wormhols which are less than 3 hops
detection procedure.
long, our algorithm can still make more than 80% detection rate (shown as FTR < 20%).
We test our Wormhole Geographic Distributed Detection (WGDD) algorithm in simulation environment under different placements of networks.
6. Summary and Discussion
In this paper, we discuss how to detect wormhole attacks in distributed scheme. By assuming that wormhole attacks are passive, we provide a probe procedure to let some bootstrap node flood a probe message to detect some possible wormholes in the network, the probe procedure produces a hop-coordinates to each node which represents the hop distance from that node to the bootstrap node. Then each node will compute a local map for its neighbors and itself with the hopcoordinates collected in the previous step. Since
The extensive simulation result shows that our detection algorithm can archive almost 100% overall detection rate (shown as FTR is around zero, when λ = 0 in Figure 10.a). Even considering about the cases of shorter wormholes which are less than 3 hops long, our algorithm can still make more than 80% detection rate (shown as FTR < 20% in Figure 10). We can run our detection algorithm in stricter model by setuping λ = 0.1, it this case, we can archive almost zero wrong alarm rate (shown as FDR = 0 in Figure 10.b).
if there is a wormhole in the network, it causes
Since our algorithm is running under dis-
some distortions in some local maps of the nodes
tributed scheme, it means that if there is a worm-
which are close to the ends of the wormhole, so
hole, then some nodes close to the wormhole will
we find a feature called “diameter” to detect such
detect the wormhole attacks, so such advantage
of our algorithm may help in defending against
coordinate inside itself.
Such process will be
wormholes. We may propose the idea of freez-
ended until there is no node detects any wormhole
ing nodes that have detected wormhole attacks in
attack.
their vicinity, along with their neighbor nodes, in
Right now, we are basing experiment to decide
order to isolate and negate the effect of a worm-
the threshold and λ in deciding whether a diame-
hole.
ter measurement triggers an alarm for wormhole.
Suppose that the wireless range for a wormhole
One future work may need to improve our algo-
attack equals k times the transmission range R of
rithm is how to decide such threshold and λ auto-
a normal node; if this is the case, then it is possi-
matically.
ble that we can stop the transmission of a wormhole attack by freezing the nodes within k times
References
transmission range R of one detecting location. [1] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and
Procedure 4 Defending against wormhole attacks Require: triggered by DetectionProcedure 1: send message(freezing)to all neighbor nodes in 1(k) hop(s) 2: Broadcast message(relocalization) to the bootstrap node and other nodes.
E. Cayirci. A survey on sensor networks. Communications Magazine, IEEE, 40(8):102–114, 2002. ˇ [2] S. Capkun, L. Butty´an, and J. Hubaux. SEC-
From a node (or nodes), which detects worm-
TOR: secure tracking of node encounters in
hole attack, a special message will flood out
multi-hop wireless networks. Proceedings of the
to freeze neighboring nodes.
1st ACM workshop on Security of ad hoc and
If the bootstrap
node (x) receives this message, it will restart the
sensor networks, pages 21–32, 2003.
wormhole detection algorithm again, while other
[3] W. Du, L. Fang, and N. Peng. LAD: Localization
nodes receive such message will clean the hop-
anomaly detection for wireless sensor networks.
Journal of Parallel and Distributed Computing, 66(7):874–886, 2006. [4] T. C. M. Group.
[9] L. Lazos and R. Poovendran. SeRLoc: secure range-independent localization for wireless sen-
Wireless and Mo-
bility Extensions to ns-2.
obtain from
http://www.monarch.cs.cmu.edu/cmu-ns.html.
sor networks. Proceedings of the 2004 ACM workshop on Wireless security, pages 21–30, 2004. [10] D. Liu, P. Ning, and W. Du. Attack-resistant lo-
[5] L. Hu and D. Evans. Using Directional Antencation estimation in sensor networks. Informanas to Prevent Wormhole Attacks. Proceedings tion Processing in Sensor Networks, 2005. IPSN of the 11th Network and Distributed System Se2005. Fourth International Symposium on, pages curity Symposium, pages 131–141, 2004. 99–106, 2005. [6] Y. Hu, A. Perrig, and D. Johnson. Wormhole de[11] S. McCanne and S. Floyd. ns-2 Network Simutection in wireless ad hoc networks. Department lator. Obtain via: http://www. isi. edu/nsnam/ns. of Computer Science, Rice University, Tech. Rep. [12] J. Newsome, E. Shi, D. Song, and A. Perrig. The TR01-384, June, 2002. sybil attack in sensor networks: analysis & de[7] Y. Hu, A. Perrig, and D. Johnson.
Packet
fenses. Proceedings of the third international
Leashes: A Defense against Wormhole Attacks
symposium on Information processing in sensor
in Wireless Ad Hoc Networks. Proceedings of
networks, pages 259–268, 2004.
INFOCOM, 2003, 2003.
[13] P. Papadimitratos and Z. Haas. Secure routing
[8] J. Kong, Z. Ji, W. Wang, M. Gerla, R. Bagro-
for mobile ad hoc networks. SCS Communica-
dia, and B. Bhargava. Low-cost attacks against
tion Networks and Distributed Systems Model-
packet delivery, localization and time synchro-
ing and Simulation Conference (CNDS 2002),
nization services in under-water sensor net-
2002.
works. Proceedings of the 4th ACM workshop on Wireless security, pages 87–96, 2005.
[14] R. Poovendran and L. Lazos. A Graph Theoretic Framework for Preventing the Wormhole Attack
in Wireless Ad Hoc Networks. ACM Wireless Networks (WINET). [15] M. Vieira, C. Coelho Jr, D. da Silva Jr, and J. da Mata. Survey on wireless sensor network devices. IEEE Emerging Technologies and Factory Automation, pages 537–544, 2003. [16] W. Wang and B. Bhargava.
Visualization of
wormholes in sensor networks. Proceedings of the 2004 ACM workshop on Wireless security, pages 51–60, 2004. [17] A. Wood and J. Stankovic. Denial of service in sensor networks. Computer, 35(10):54–62, 2002. [18] Y. Xu, J. Ford, and F. S. Makedon. A Variation on Hop-counting for Geographic Routing. Embedded Networked Sensors, 2006. EmNetSIII. The third IEEE Workshop on, 2006. [19] J. Zheng and et.al. sion to NS-2.
802.15.4 exten-
Obtain via:
ee.ccny.cuny.edu/zheng/pub.
http://www-
