
Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information
97598039 梁紀翔 97598050 王謙志
NETLab
Outline


Wormhole Attack?
Some detecting methods and limitations
  Using Bound distance or Time
  Using Graph theory and Geometric
Using Connectivity Information
  Unit Disk Graph model
  Other models
  Wormhole removal
Simulation result & Conclusion
What is a Wormhole?
http://commons.wikimedia.org/wiki/File:Worm3.jpg
Shortcut through space and time
Wormhole Attack
http://www.wings.cs.sunysb.edu/~ritesh/wormhole.html
Threats




Dropping or modifying packets
Generating unnecessary routing activities by turning off the wormhole link periodically
Record traffic for later analysis
Break protocols that rely on geographic proximity
Bound distance or Time

Use node location info. to bound the distance a
packet can traverse


Use global clock to bound propagation time


But… hard to determine “legal” distance
Useless against physical layer attacks
Besides… they all need additional hardware
Graph theory and Geometric

Use combination of one-time authenticated neighbor discovery and Guard nodes to attest the source of transmission
What if the attack begins before discovery?
Special Guard nodes know their “correct” location and have higher RF power and different RF characteristics
Impractical
Graph theory and Geometric cont.

Use Directional antennas


Need a cooperative protocol to share directional info. between nodes to detect wormhole
Use neighbor distance estimation and Multidimensional scaling to draw a “network layout”
The layout should be “flat”
 Centralized computation


Physical layer authentication in packet
modulation/demodulation

Special RF hardware
Limitations

Additional hardware is not affordable on large
scale sensor networks, such as
Directional antennas
 GPS
 Ultrasound
 Guard nodes with correct location
 Global clock synchronization or computation


Localized algorithm is the solution

Use info. collected by upper layer
Algorithm concept

Look for forbidden substructures that should not be present in a legal connectivity graph
Unit Disk Graph model

Idealized model for multi-hop wireless network
Node modeled as a disk with unit radius
 Unit radius is the communication range with omnidirectional antenna
 Each node is a neighbor of all nodes within its disk

www.it.uu.se/research/group/mobility/adhoc
Hardness

NP-Hard to detect wormhole in UDG
Equivalent to finding a UDG embedding of a graph in 2D
Proven NP-Hard problem
The algorithm looks for structures that do not allow UDG embedding
Due to hardness, 100% wormhole detection is not guaranteed
But provides sufficiently high detection rate
Disk packing


In a fixed region, one cannot pack too many nodes without having edges in between
Packing number: $p(S, r)$
Maximum number of points inside region S such that every pair of points is strictly more than distance r away from each other
Disk packing cont.
$D_R(u)$: A unit disk D of radius R centered at u
$p(D_R(u), R) = 5$
Lune: $L(r, R) = D_R(u) \cap D_R(v)$
Intersection of 2 disks of radius R centered at u, v, with distance r away
Disk packing cont.

Lemma 1
When R = r = 1
$p(L, 1) = 2$
$|pw| = \sqrt{3}/2 < 1$
Lemma 2
for $r \le 2R$
$$p(L(r, R), \beta) \le \frac{8}{\pi\beta^2}\left(R + \frac{\beta}{2}\right)^2 \arccos\frac{r}{2R + \beta} - \frac{4r}{\pi\beta^2}\sqrt{\left(R + \frac{\beta}{2}\right)^2 - \frac{r^2}{4}}$$

Forbidden substructure



a and b (non-neighbors) have three common independent neighbors c, d, e
By Lemma 1, this cannot happen
If only c, d are in region B, it will fail
Forbidden substructure cont.

For low density case
Look among k-hop neighbors
Find $f_k$ common independent k-hop neighbors of two non-neighbor nodes
Forbidden substructures used in algorithm
3 independent common 1-hop neighbors
$f_k$ independent common k-hop neighbors
$f_k$: Forbidden parameter

Forbidden substructure cont.

$f_k$ must be more than the packing number for unit distance inside the lune of two disks of radii k placed at distance 1
Radius k for modeling k-hop neighborhood
1 for modeling the lower bound of distance between non-neighbors
$f_k = p(L(1, k), 1) + 1$
Forbidden substructure cont.

If a network has forbidden substructure


There must be a wormhole
For a given node density with wormhole present
Higher k, higher detection possibility
Larger neighborhood provides more nodes to work with

Algorithm
1. Find the forbidden parameter $f_k$
2. Each node u determines its 2k-hop neighbor list $N_{2k}(u)$, and executes the following steps for each non-neighboring node v in $N_{2k}(u)$
Algorithm cont.
3. u determines the set of common k-hop neighbors with v from their k-hop neighbor lists
$C_k(u, v) = N_k(u) \cap N_k(v)$
$N_k(v)$ can be obtained by simply exchanging lists
4. u determines the maximal independent set of $C_k(u, v)$
Finding the maximum independent set is NP-Hard
Use greedy algorithm
Algorithm cont.
5. If the maximal independent set size is equal to or larger than $f_k$, u declares the presence of a wormhole
For most cases, k = 1 is sufficient, with $d^3$ cost
$d^2$ to check non-neighbor nodes in 2-hop neighborhood
$d$ to find maximal independent set
d is the average degree of nodes
k = 2 for fairly low density cases
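
The k = 1 case of steps 2 to 5, as an added example that is not code from the slides or the cited paper. Assumptions: the function names, the constructed 10 x 3 grid, a wormhole modelled as linking every node in range of one endpoint to every node in range of the other, and a lowest-degree-first greedy order for the maximal independent set.

```python
import math
from itertools import combinations

def unit_disk_graph(pos, radius=1.0):
    """Adjacency sets: two nodes are neighbors iff their distance is <= radius."""
    adj = {n: set() for n in pos}
    for u, v in combinations(pos, 2):
        if math.dist(pos[u], pos[v]) <= radius:
            adj[u].add(v)
            adj[v].add(u)
    return adj

def add_wormhole(adj, pos, end_a, end_b, radius=1.0):
    """Copy adj, then link each node in range of end_a to each node in range of end_b."""
    near_a = {n for n in pos if math.dist(pos[n], end_a) <= radius}
    near_b = {n for n in pos if math.dist(pos[n], end_b) <= radius}
    out = {n: set(nb) for n, nb in adj.items()}
    for u in near_a:
        for v in near_b - {u}:
            out[u].add(v)
            out[v].add(u)
    return out, near_a, near_b

def greedy_independent_set(nodes, adj):
    """Step 4: greedy maximal independent set, lowest degree inside `nodes` first."""
    chosen = []
    for n in sorted(nodes, key=lambda n: (len(adj[n] & nodes), n)):
        if adj[n].isdisjoint(chosen):
            chosen.append(n)
    return chosen

def detect_wormhole(adj, f_k=3):
    """Steps 2-5 for k = 1: (u, v, witnesses) for each non-neighbor pair
    in a 2-hop neighborhood with >= f_k independent common neighbors."""
    alarms = []
    for u in sorted(adj):
        two_hop = set().union(*(adj[w] for w in adj[u])) - adj[u] - {u}
        for v in sorted(n for n in two_hop if n > u):
            witnesses = greedy_independent_set(adj[u] & adj[v], adj)
            if len(witnesses) >= f_k:
                alarms.append((u, v, witnesses))
    return alarms

# Constructed sample: 10 x 3 grid, 0.7 spacing, wormhole endpoints over columns 1 and 8.
POS = {(c, r): (0.7 * c, 0.7 * r) for c in range(10) for r in range(3)}
LEGIT = unit_disk_graph(POS)
ATTACKED, NEAR_A, NEAR_B = add_wormhole(LEGIT, POS, (0.7, 0.7), (5.6, 0.7))

if __name__ == "__main__":
    print("alarms without wormhole:", len(detect_wormhole(LEGIT)))
    for u, v, w in detect_wormhole(ATTACKED)[:3]:
        print("wormhole suspected near", u, v, "witnesses", w)
```

Every alarm on the attacked graph names a pair of nodes that both sit in range of the same wormhole endpoint, which is the set whose neighbor lists the removal step has to re-verify.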
Node distribution
$f_k - 1$ is theoretical worst case
With known distribution, $f_k$ can be much smaller
Smaller $f_k$, higher detection rate
But… too small will have false positives
$f_2 = p(L(1, 2), 1) + 1 = 18 + 1 = 19$
Unless node density is very high
It’s unlikely to find that many common independent 2-hop neighbors
Communication models

UDG is overly simplified
Packet reception range is not a perfect disk
For other communication models
Same algorithm applied
But finding $f_k$ by Mathematical or Geometrical ways

Known models

Quasi-UDG
Distance within α ≤ 1: link
Distance larger than 1: no link
$f_k = p(L(\alpha, k), \alpha) + 1$
Run simulation with target distribution to obtain connectivity graph
Then estimate forbidden parameter
Known models cont.

For any pair of non-neighboring nodes
Find the maximal independent set among their common k-hop neighbors
Take the maximum as $f_k - 1$
Used in simulation result to obtain tight bound
If model is probabilistic
$f_k - 1$ is also probabilistic
Notice that false positives are still possible
Unknown model

Parametric search for unknown $f_k$
Use large initial value to run the algorithm
If no detection, halve the value, re-run
Until a very small fraction of nodes report wormhole
Or minimum number of tolerable false positives
Run this search in safe part of network
Unknown model cont.


If there is no safe place
Assume a “threat level”
Guidance for what fraction of nodes must report wormhole
So $f_k$ will not be reduced any further

Wormhole removal


Manually isolate links affected
Process for 1-hop, UDG
Corrupted nodes verify their neighbor lists with uncorrupted nodes
Ignore transmission from suspicious nodes

Simulation environment

Models
UDG
 Quasi-UDG
 Model used in TOSSIM simulator


Distributions
Perturbed grid (a planned sensor deployment)
Random
144 nodes, single wormhole, k ≤ 2, repeat 10,000 times
Quasi-UDG

Transmission radius: R
Quasi-UDG factor: 0 ≤ α ≤ 1
Link: distance d within αR
No link: d > R
d in [αR, R]: link with probability
Use α = 0.75 in simulation
TOSSIM model: link probability $1 - P_b$
$P_b$: bit error probability
d
R  R
Distributions

Perturbed 12×12 grid

[x-px, x+px], [y-py, y+py]

Perturbation parameter: 0.0 ≤ p ≤ 0.5
Randomly chosen x, y coordinates
Node density
Change R for (Quasi-)UDG
Change geographic area for TOSSIM
Experiments


Create topology
Check connectivity



Disconnected if any two nodes do not have a route
Run algorithm to see false positives
Apply wormhole, run algorithm to detect
Results


[Figure: results for the perturbed grid (p = 0.2) and random distributions; panels: Quasi-UDG, UDG, TOSSIM]



100% detection and no false alarms when network is connected
90% detection when 50% chance disconnected
Detection drops for low density cases, but network disconnection also increases
Detection performance gets worse with randomness
Estimation of $f_k$ is more accurate with less randomness
1-hop does not perform well in non-UDG cases
Quasi-UDG, random distribution
1-hop detection rate as $f_1$ increases

Parametric search for $f_k$
k = 1, quasi-UDG, Perturbed grid with p = 0.2, average degree = 6
Suitable $f_1$ can be estimated by observing false positive probability
Detection shows up before false positives
Critical value of $f_1$ is 4

Conclusion

Pros
Simple and localized
 Universal to node distribution and communication
model


Cons
Not suitable for frequent connectivity change (VANET, MANET)
Cannot detect short wormhole links

References



R. Maheshwari, J. Gao and S. R. Das, “Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information,” in INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE, 2007, pp. 107-115
Wikipedia (http://en.wikipedia.org/)
Wormhole Attack Detection in Wireless Network (http://www.wings.cs.sunysb.edu/~ritesh/wormhole.html)
Any Questions ?
and Thanks !!