1 / 23

On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks

On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks. Edith C. H. Ngai 1 , Jiangchuan Liu 2 , and Michael R. Lyu 1 1 Department of Computer Science and Engineering The Chinese University of Hong Kong 2 School of Computing Science Simon Fraser University 12 Jun 2006

Anita
Download Presentation

On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1 1Department of Computer Science and Engineering The Chinese University of Hong Kong 2School of Computing Science Simon Fraser University 12 Jun 2006 IEEE International Conference on Communications (ICC 2006)

  2. Outline • Introduction • Related Work • Sinkhole Attack Detection • Enhancements Against Multiple Malicious Nodes • Performance Evaluation • Conclusion and Future Work

  3. Wireless Sensor Networks • Increasingly popular to solve challenging real-world problems • Industrial sensing • Environmental monitoring • Set of sensor nodes • Many-to-one communication • Vulnerable to the sinkhole attack

  4. Sinkhole Attack • Prevent the base station from obtaining complete and correct sensing data • Particularly severe for wireless sensor networks • Some secure or geographic based routing protocols resist to the sinkhole attacks in certain level • Many current routing protocols in sensor networks are susceptible to the sinkhole attack

  5. Sinkhole Attack • Left: using an artificial high quality route • Right: using a wormhole

  6. Related Work • Intrusion detection has been an active research topic for the Internet extensively • Sensor network that we are considering • asymmetric many-to-one communication pattern • power of the sensor nodes is rather weak • Protocols based on route advertisement are vulnerable to sinkhole attacks

  7. Related Work • Wood et al. • mechanism for detecting and mapping jammed regions • Ding et al. • algorithm for the identification of faulty sensors and detection of the reach of events • Staddon et al. • trace the identities of the failed nodes with the topology conveyed to the base station • Ye et al. • a Statistical En-route Filtering (SEF) mechanism that can detect and drop false reports • Perrig et al. • a packet leash mechanism for detecting and defending against wormhole attacks

  8. Our Work • Propose an algorithm for detecting sinkhole attacks and identifying the intruder in an attack • Base station collects the network flow information with a distributed fashion in the attack area • An efficient identification algorithm that analyzes the collected network flow information and locate the intruder • Consider the scenario that a set of colluding nodes cheat the base station about the location of the intruder

  9. Estimate the Attacked Area • Consider a monitoring application in which sensor nodes submit sensing data to the BS periodically • By observing consistent data missing from an area, the BS may suspect there is an attack with selective forwarding • BS can detect the data inconsistency using the following statistical method • Let X1, ..., Xn be the sensing data collected in a sliding window, and be their mean. Define f(Xj)as

  10. Estimate the Attacked Area • Identify a suspected node if f(Xj) is greater than a certain threshold • The BS can estimate where the sinkhole locates • It can circle a potential attacked area, which contains all the suspected nodes

  11. Identifying the Intruder • Each sensor stores the ID of next-hop to the BS and the cost in its routing table • The BS sends a request message to all the affected nodes • The sensors reply with <ID, IDnext-hop, cost> • Since the next-hop and the cost could already be affected by the attack • The reply message should be sent along the reverse path in the flooding, which corresponds to the original route with no intruder

  12. Identifying the Intruder • Network flow information can be represented by a directed edge • Realizes the routing pattern by constructing a tree using the next hop information collected • An invaded area possesses special routing pattern • All network traffic flows toward the same destination, which is compromised by the intruder SH

  13. Enhancement on Network Flow Information Collection • Multiple malicious nodes may prevent the BS from obtaining correct and complete flow information for intruder detection • They may cooperate with the intruder to perform the following misbehaviors: • Modify the packets passing through • Forward the packets selectively • Provide wrong network flow information of itself • We address these issues through encryption and path redundancy

  14. Multiple Malicious Nodes • Provide incorrect flow information • Drop some of the reply packets Their objective is to hide the real intruder SH and blame on a victim node SH’

  15. Dealing with Malicious Nodes • Maintain an array Count[] • Entry Count[i] stores the total number of nodes having hop count difference i • Index i can be negative (a node is smaller than its actual distance from the current root) • If Count[0] is not the dominated one in the array, it means the current root is unlikely the real intruder

  16. Dealing with Malicious Nodes • By analyzing the array Count, we may estimate the hop counts from SH’to SH • The BS can make root correction and re-calculate the array Count among the nodes within two hops from SH’ • Concludes the intruder based on the most consistent result

  17. Example • The array Count of the following figure is:

  18. Example • Eventually, node SH becomes the new root:

  19. Performance Evaluation • Accuracy of Intruder Identification • Success Rate • False-positive Rate • False-negative Rate • Communication Cost • Energy Consumption

  20. Success Rate

  21. False-positive and False-negative Rate

  22. Communication Cost and Energy Consumption

  23. Conclusion and Future Work • An effective method for identifying sinkhole attack in wireless sensor networks • It locates a list of suspected nodes by checking data consistency, and then identifies the intruder in the list through analyzing the network flow information • A series of enhancements to deal with cooperative malicious nodes that attempt to hide the real intruder • Numerical analysis and simulation results are provided to demonstrate the effectiveness and accuracy of the algorithm • We are interested in more effective statistical algorithms for identifying data inconsistency

More Related