Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information

97598039 梁紀翔
97598050 王謙志
NETLab

Outline
- Wormhole attack?
- Some detection methods and their limitations
  - Using bounded distance or time
  - Using graph theory and geometry
- Using connectivity information
  - Unit Disk Graph model
  - Other models
- Wormhole removal
- Simulation results and conclusion

What is a wormhole?
- Shortcut through space and time
- Image: http://commons.wikimedia.org/wiki/File:Worm3.jpg

Wormhole attack
- Figure: http://www.wings.cs.sunysb.edu/~ritesh/wormhole.html

Threats
- Dropping or modifying packets
- Generating unnecessary routing activity by turning the wormhole link off periodically
- Recording traffic for later analysis
- Breaking protocols that rely on geographic proximity

Bounded distance or time
- Use node location information to bound the distance a packet can traverse
- Use a global clock to bound propagation time
- But… it is hard to determine the "legal" distance
- Useless against physical-layer attacks
- Besides… they all need additional hardware

Graph theory and geometry
- Use a combination of one-time authenticated neighbor discovery and guard nodes to attest the source of a transmission
  - What if the attack begins before discovery?
  - Special guard nodes know their "correct" location and have higher RF power and different RF characteristics
  - Impractical

Graph theory and geometry (cont.)
- Use directional antennas
  - Needs a cooperative protocol that shares directional information between nodes to detect the wormhole
- Use neighbor distance estimation and multidimensional scaling to draw a "network layout"
  - The layout should be "flat"
  - Centralized computation
- Physical-layer authentication in packet modulation/demodulation
  - Special RF hardware

Limitations
- Additional hardware is not affordable in large-scale sensor networks, such as
  - Directional antennas
  - GPS
  - Ultrasound
  - Guard nodes with correct location
- Global clock synchronization or computation
- A localized algorithm is the solution
  - Use information collected by upper layers

Algorithm concept
- Look for forbidden substructures that should not be present in a legal connectivity graph

Unit Disk Graph model
- Idealized model for multi-hop wireless networks
- Each node is modeled as a disk with unit radius
- The unit radius is the communication range with an omnidirectional antenna
- Each node is a neighbor of all nodes within its disk
- Figure: www.it.uu.se/research/group/mobility/adhoc

Hardness
- Detecting a wormhole in a UDG is NP-hard
  - Equivalent to finding a UDG embedding of the graph in 2D
  - A proven NP-hard problem
- The algorithm looks for structures that do not allow a UDG embedding
- Due to the hardness, 100% wormhole detection is not guaranteed
- But it provides a sufficiently high detection rate

Disk packing
- In a fixed region, one cannot pack too many nodes without having edges between them
- Packing number p(S, r)
  - Maximum number of points inside region S such that every pair of points is strictly more than distance r away from each other

Disk packing (cont.)
- D_R(u): a unit disk D of radius R centered at u
  - p(D_R(u), R) ≤ 5
- Lune L(r, R) = D_R(u) ∩ D_R(v)
  - Intersection of 2 disks of radius R centered at u and v, which are distance r apart

Disk packing (cont.)
- Lemma 1: When R = r = 1 pL,1 2 pw 3 2 1
- Lemma 2: for r 2 R 2 8 R 1 2 4r r r2 2 R pLr , R , arccos 2 4 2 2 R

Forbidden substructure
- a and b (non-neighbors) have three common independent neighbors c, d, e
  - By Lemma 1, this cannot happen
- If only c and d are in region B, it will fail

Forbidden substructure (cont.)
- For the low-density case
  - Look among k-hop neighbors
  - Find f_k common independent k-hop neighbors of two non-neighbor nodes
- Forbidden substructures used in the algorithm
  - 3 independent common 1-hop neighbors
  - f_k independent common k-hop neighbors
  - f_k: forbidden parameter

Forbidden substructure (cont.)
- f_k must be more than the packing number for unit distance inside the lune of two disks of radius k placed at distance 1
  - Radius k models the k-hop neighborhood
  - 1 models the lower bound on the distance between non-neighbors
- f_k = p(L(1, k), 1) + 1

Forbidden substructure (cont.)
- If a network has a forbidden substructure, there must be a wormhole
- For a given node density with a wormhole present
  - Higher k, higher detection probability
  - A larger neighborhood provides more nodes to work with

Algorithm
1. Find the forbidden parameter
2. Each node u determines its 2k-hop neighbor list N_2k(u) and executes the following steps for each non-neighboring node v in N_2k(u)

Algorithm (cont.)
3. u determines the set of common k-hop neighbors with v from their k-hop neighbor lists: C_k(u, v) = N_k(u) ∩ N_k(v)
   - N_k(v) can be obtained by simply exchanging lists
4. u determines the maximal independent set of C_k(u, v)
   - Finding a maximum independent set is NP-hard
   - Use a greedy algorithm

Algorithm (cont.)
5. If the maximal independent set size is equal to or larger than f_k, u declares the presence of a wormhole
- For most cases, k = 1 is sufficient, with cost d^3
  - d^2 to check non-neighbor nodes in the 2-hop neighborhood
  - d to find the maximal independent set
  - d is the average degree of nodes
- k = 2 for fairly low-density cases

Node distribution
- f_k − 1 is the theoretical worst case
- With a known distribution, f_k can be much smaller
- Smaller f_k, higher detection rate
- But… too small a value will cause false positives
- f_2 = p(L(1, 2), 1) + 1 = 18 + 1 = 19
  - Unless node density is very high, it is unlikely to find that many common independent 2-hop neighbors

Communication models
- UDG is overly simplified
  - The packet reception range is not a perfect disk
- For other communication models
  - The same algorithm applies
  - But f_k is found by mathematical or geometrical means

Known models
- Quasi-UDG
  - Distance within α ≤ 1: link
  - Distance larger than 1: no link
  - f_k = p(L(α, k), α) + 1
- Run a simulation with the target distribution to obtain the connectivity graph
  - Then estimate the forbidden parameter

Known models (cont.)
- For any pair of non-neighboring nodes
  - Find the maximal independent set among their common k-hop neighbors
  - Take the maximum as f_k − 1
- Used in the simulation results to obtain a tight bound
- If the model is probabilistic, f_k − 1 is also probabilistic
  - Note that false positives are still possible

Unknown model
- Parametric search for the unknown f_k
  - Use a large initial value to run the algorithm
  - If there is no detection, halve the value and rerun
  - Until a very small fraction of nodes report a wormhole
  - Or the minimum number of tolerable false positives
- Run this search in a safe part of the network

Unknown model (cont.)
- If there is no safe place
  - Assume a "threat level"
  - Guidance for what fraction of nodes must report a wormhole
  - So f_k will not be reduced any further

Wormhole removal
- Manually isolate the affected links
- Process for 1-hop, UDG
  - Corrupted nodes verify their neighbor lists with uncorrupted nodes
  - Ignore transmissions from suspicious nodes

Simulation environment
- Models
  - UDG
  - Quasi-UDG
  - Model used in the TOSSIM simulator
- Distributions
  - Perturbed grid (a planned sensor deployment)
  - Random
- 144 nodes, single wormhole, k ≤ 2, repeated 10,000 times

Quasi-UDG
- Transmission radius: R
- Quasi-UDG factor: 0 ≤ α ≤ 1
- Link: distance d within αR
- No link: d > R
- d in [αR, R]: link with probability
- α = 0.75 is used in the simulation
- TOSSIM model: link probability 1 Pb
  - Pb: bit error probability
  - d R R

Distributions
- Perturbed 12×12 grid
  - [x-px, x+px], [y-py, y+py]
  - Perturbation parameter: 0.0 ≤ p ≤ 0.5
- Randomly chosen x, y coordinates
- Node density
  - Change R for (Quasi-)UDG
  - Change the geographic area for TOSSIM

Experiments
- Create the topology
- Check connectivity
  - Disconnected if any two nodes do not have a route
- Run the algorithm to see false positives
- Apply the wormhole, run the algorithm to detect it

Results
- Figure panels, perturbed grid with p = 0.2: Quasi-UDG, UDG, TOSSIM
- Figure panels, random: Quasi-UDG, UDG, TOSSIM
- 100% detection and no false alarms when the network is connected
- 90% detection when there is a 50% chance of disconnection
- Detection drops for low-density cases, but network disconnection also increases
- Detection performance gets worse with randomness
  - Estimation of f_k is more accurate with less randomness
- 1-hop does not perform well in non-UDG cases

Quasi-UDG, random distribution
- Figure: 1-hop detection rate when f_1 increases

Parametric search for f_k
- k = 1, quasi-UDG, perturbed grid with p = 0.2, average degree = 6
- A suitable f_1 can be estimated by observing the false positive probability
  - Detection shows up before false positives
  - The critical value of f_1 is 4

Conclusion
- Pros
  - Simple and localized
  - Universal with respect to node distribution and communication model
- Cons
  - Not suitable for frequent connectivity changes (VANET, MANET)
  - Cannot detect short wormhole links

References
- R. Maheshwari, J. Gao and S. R. Das, "Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information," in INFOCOM 2007, 26th IEEE International Conference on Computer Communications, IEEE, 2007, pp. 107-115
- Wikipedia (http://en.wikipedia.org/)
- Wormhole Attack Detection in Wireless Network (http://www.wings.cs.sunysb.edu/~ritesh/wormhole.html)

Any questions? Thanks!
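
Algorithm steps 2 to 5 from the slides, run for k = 1 in the UDG model with forbidden parameter 3, as an added Python example that is not code from the slides or the paper. The 8×5 grid, the node numbering and all function names are constructed for illustration, and the wormhole is modeled as links between every node of column 0 and every node of column 7.

```python
from itertools import combinations, product
from math import dist

def unit_disk_graph(points, radius=1.0):
    """UDG: link every pair of nodes at distance <= radius."""
    adj = {i: set() for i in range(len(points))}
    for i, j in combinations(range(len(points)), 2):
        if dist(points[i], points[j]) <= radius:
            adj[i].add(j)
            adj[j].add(i)
    return adj

def add_wormhole(adj, end_a, end_b):
    """Tunnel: each node near one end becomes a neighbor of each node near the other."""
    for a, b in product(end_a, end_b):
        adj[a].add(b)
        adj[b].add(a)

def k_hop(adj, u, k):
    """N_k(u): all nodes within k hops of u, excluding u itself."""
    seen, frontier = {u}, {u}
    for _ in range(k):
        frontier = set().union(*(adj[n] for n in frontier)) - seen
        seen |= frontier
    return seen - {u}

def greedy_independent_set(adj, nodes):
    """Greedy maximal independent set, lowest index first (maximum is NP-hard)."""
    chosen = set()
    for n in sorted(nodes):
        if not adj[n] & chosen:
            chosen.add(n)
    return chosen

def detect(adj, k=1, f_k=3):
    """Steps 2-5: non-neighbor pairs with >= f_k independent common k-hop neighbors."""
    alarms = []
    for u in adj:
        for v in k_hop(adj, u, 2 * k) - adj[u]:  # non-neighbors in N_2k(u)
            common = k_hop(adj, u, k) & k_hop(adj, v, k)
            if u < v and len(greedy_independent_set(adj, common)) >= f_k:
                alarms.append((u, v))  # u < v reports each pair once
    return sorted(alarms)

# Constructed topology: 8x5 grid with spacing 0.7, node index = 5*x + y.
POINTS = [(0.7 * x, 0.7 * y) for x in range(8) for y in range(5)]
CLEAN = unit_disk_graph(POINTS)
ATTACKED = unit_disk_graph(POINTS)
add_wormhole(ATTACKED, range(0, 5), range(35, 40))  # column 0 <-> column 7
print("clean:", detect(CLEAN), "attacked:", detect(ATTACKED))
```

With lowest-index-first greedy selection the pair (0, 2) raises no alarm, because node 1 is picked first and is linked through the tunnel to every node of column 7; every non-neighbor pair inside column 7 is reported.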