presentation - Department of Computer Science and Engineering

On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks
Edith C. H. Ngai (1), Jiangchuan Liu (2), and Michael R. Lyu (1)
(1) Department of Computer Science and Engineering, The Chinese University of Hong Kong
(2) School of Computing Science, Simon Fraser University
12 Jun 2006
IEEE International Conference on Communications (ICC 2006)
Outline
Introduction
Related Work
Sinkhole Attack Detection
Enhancements Against Multiple Malicious Nodes
Performance Evaluation
Conclusion and Future Work
Wireless Sensor Networks
Increasingly popular to solve challenging
real-world problems
Industrial sensing
Environmental monitoring
Set of sensor nodes
Many-to-one communication
Vulnerable to the sinkhole attack
Sinkhole Attack
Prevent the base station from obtaining
complete and correct sensing data
Particularly severe for wireless sensor networks
Some secure or geographic-based routing protocols resist sinkhole attacks to a certain degree
Many current routing protocols in sensor
networks are susceptible to the sinkhole attack
Sinkhole Attack
[Figure: two sinkhole scenarios showing the BS, the sinkhole SH, the affected nodes and the high quality route. Left: using an artificial high quality route. Right: using a wormhole.]
Related Work
Intrusion detection has been studied extensively as a research topic for the Internet
For the sensor networks that we are considering:
the communication pattern is asymmetric and many-to-one
the power of the sensor nodes is rather weak
Protocols based on route advertisement are
vulnerable to sinkhole attacks
Related Work
Wood et al.: a mechanism for detecting and mapping jammed regions
Ding et al.: an algorithm for the identification of faulty sensors and detection of the reach of events
Staddon et al.: trace the identities of the failed nodes with the topology conveyed to the base station
Ye et al.: a Statistical En-route Filtering (SEF) mechanism that can detect and drop false reports
Perrig et al.: a packet leash mechanism for detecting and defending against wormhole attacks
Our Work
Propose an algorithm for detecting sinkhole attacks and identifying the intruder in an attack
The base station collects the network flow information in a distributed fashion in the attack area
An efficient identification algorithm analyzes the collected network flow information and locates the intruder
Consider the scenario in which a set of colluding nodes cheats the base station about the location of the intruder
Estimate the Attacked Area
Consider a monitoring application in which sensor
nodes submit sensing data to the BS periodically
By observing consistent data missing from an area,
the BS may suspect there is an attack with selective
forwarding
BS can detect the data inconsistency using the
following statistical method
Let X1, ..., Xn be the sensing data collected in a
sliding window, and be their mean. Define f(Xj) as
Estimate the Attacked Area
Identify a suspected node if f(Xj) is greater than a certain threshold
The BS can estimate where the sinkhole is located
It can circle a potential attacked area, which contains all the suspected nodes
[Figure: the BS, the sinkhole SH, and the nodes with missing or inconsistent data]
Identifying the Intruder
Each sensor stores the ID of its next hop to the BS and the cost in its routing table
The BS sends a request message to all the affected nodes
The sensors reply with <ID, ID_next-hop, cost>
Since the next hop and the cost could already be affected by the attack, the reply message should be sent along the reverse path of the flooding, which corresponds to the original route with no intruder
Identifying the Intruder
Network flow information can be represented by a directed edge
The routing pattern is realized by constructing a tree using the next hop information collected
An invaded area possesses a special routing pattern
[Figure: the invaded area, showing the BS and the sinkhole SH]
All network traffic flows toward the same destination, which is compromised by the intruder SH
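The tree construction described on this slide can be sketched as follows. This is an added example, not code from the presentation: the reply tuples, the node names and the rule that a root is the last affected node before a route leaves the attacked area are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample of <ID, ID_next-hop, cost> replies from the affected area.
# Node names and costs are made up; "X7" and "X9" lie outside the affected area.
REPLIES = [
    ("A", "SH", 1), ("B", "SH", 1), ("C", "A", 2), ("D", "B", 2),
    ("E", "C", 3), ("SH", "X9", 1), ("P", "Q", 4), ("Q", "X7", 3),
]

def flow_roots(replies):
    """Map each replying node to the root its traffic drains into."""
    next_hop = {node: nxt for node, nxt, _cost in replies}
    roots = {}
    for start in next_hop:
        node, seen = start, {start}
        # Follow the directed edges until the next hop leaves the affected area.
        while next_hop[node] in next_hop:
            node = next_hop[node]
            if node in seen:      # forged replies can form a loop: no root
                node = None
                break
            seen.add(node)
        roots[start] = node
    return roots

def suspected_intruder(replies):
    """Return (root, share): the root attracting most flows and its share."""
    tally = Counter(r for r in flow_roots(replies).values() if r is not None)
    if not tally:
        return None, 0.0
    root, hits = tally.most_common(1)[0]
    return root, hits / len(replies)

if __name__ == "__main__":
    print(suspected_intruder(REPLIES))
```
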
Enhancement on Network Flow
Information Collection
Multiple malicious nodes may prevent the BS from obtaining correct and complete flow information for intruder detection
They may cooperate with the intruder to perform the following misbehaviors:
Modify the packets passing through
Forward the packets selectively
Provide wrong network flow information about themselves
We address these issues through encryption and path redundancy
Multiple Malicious Nodes
Colluding nodes may drop some of the reply packets and provide incorrect flow information
[Figure: the BS, the real intruder SH, the victim node SH', the colluding nodes and nodes A, C, D, E, F, G, H, with numeric labels]
Their objective is to hide the real intruder SH and put the blame on a victim node SH'
Dealing with Malicious Nodes
Maintain an array Count[]
Entry Count[i] stores the total number of nodes having hop count difference i
Index i can be negative (a node's hop count is smaller than its actual distance from the current root)
If Count[0] is not the dominant entry in the array, the current root is unlikely to be the real intruder
Dealing with Malicious Nodes
By analyzing the array Count, we may estimate the hop count from SH' to SH
The BS can make a root correction and recalculate the array Count among the nodes within two hops from SH'
It concludes the intruder based on the most consistent result
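The Count[] check and the root correction can be worked through on a small topology. This is an added example, not code from the presentation: the link list, the reported hop counts, the sign convention (reported hop count minus distance from the root) and the assumption that the BS knows the links in the attacked area are all constructed for illustration.

```python
from collections import Counter, deque

# Constructed sample. LINKS: neighbor links the BS is assumed to know.
# REPORTED: hop count each node claims. F and SH collude and report hop
# counts as if V (the framed node SH') were the sinkhole.
LINKS = [("SH", "A"), ("SH", "B"), ("SH", "C"), ("A", "V"), ("V", "F"),
         ("B", "D"), ("C", "E"), ("D", "G")]
REPORTED = {"SH": 2, "A": 1, "B": 1, "C": 1, "D": 2,
            "E": 2, "G": 3, "V": 2, "F": 1}

def hops_from(root, links):
    """Breadth-first hop distance from root to every reachable node."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    dist, queue = {root: 0}, deque([root])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def count_array(root, links, reported):
    """Count[i]: number of nodes whose reported hop count minus distance is i."""
    dist = hops_from(root, links)
    return Counter(reported[n] - dist[n] for n in reported if n in dist)

def correct_root(root, links, reported, radius=2):
    """Re-root at the node within `radius` hops that maximizes Count[0]."""
    near = [n for n, d in hops_from(root, links).items()
            if d <= radius and n in reported]
    return max(near, key=lambda n: count_array(n, links, reported)[0])

if __name__ == "__main__":
    print(dict(count_array("V", LINKS, REPORTED)))
    print(correct_root("V", LINKS, REPORTED))
```

With V as the root, Count[0] is not the dominant entry and the dominant index has magnitude 2, the hop count between V and SH in this sample.
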
Example
The array Count of the following figure is:
Example
Eventually, node SH becomes the new root:
Performance Evaluation
Accuracy of Intruder Identification
Success Rate
False-positive Rate
False-negative Rate
Communication Cost
Energy Consumption

No. of nodes in network: 400
Size of network: 200 m x 200 m
Transmission range: 10 m
Location of BS: (100, 100)
Location of sinkhole: (50, 50)
Percentage of colluding nodes (m): 0 – 50%
Message drop rate (d): 0 – 80%
No. of neighbors which a message is forwarded to (k): 1–2
Packet size: 100 bytes
Max. number of reply messages per packet: 5
Success Rate
[Figure: Success rate in intruder identification, plotted against the ratio of malicious nodes (%), with curves for d=0, d=0.2, d=0.4, d=0.6 and d=0.8]
False-positive and False-negative Rate
[Figure, two panels: False-negative rate in intruder identification and False-positive rate in intruder identification, each plotted in % against the ratio of malicious nodes (%), with curves for d=0, d=0.2, d=0.4, d=0.6 and d=0.8]
Communication Cost and Energy Consumption
[Figure, two panels: Communication cost for collecting network flow information and Energy consumption for intruder identification. Axes: hops to base station; energy consumption per node (uJ). Curves: packet send and packet receive for k=1 and k=2.]
Conclusion and Future Work
An effective method for identifying sinkhole attacks in wireless sensor networks
It locates a list of suspected nodes by checking data consistency, and then identifies the intruder in the list by analyzing the network flow information
A series of enhancements deals with cooperative malicious nodes that attempt to hide the real intruder
Numerical analysis and simulation results are provided to demonstrate the effectiveness and accuracy of the algorithm
We are interested in more effective statistical algorithms for identifying data inconsistency