Distributed wormhole attack detection in wireless sensor networks
Transcript of Distributed wormhole attack detection in wireless sensor networks
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
1/21
Distributed Wormhole Attack Detection in Wireless Sensor
Networks
Yurong Xu1 Guanling Chen2 James Ford1,3 Fillia Makedon1,3
1Computer Science Department, Dartmouth College
{yurong, jford, makedon}@cs.dartmouth.edu
2Computer Science Department, UMass Lowell
{glchen}@cs.uml.edu
3Univ. of Texas at Arlington, Dept. of Computer Science and Eng.
{Makedon,jford}@cse.uta.edu
Abstract
This paper proposes a distributed wormhole
detection algorithm for wireless sensor networks,
a potential technology for infrastructures of many
applications. Currently, most sensor networks
assume they will be deployed in a benign envi-
ronment; however, when a sensor network is de-
ployed in some hostile environment, attacks (espe-
cially those like wormhole attacks that dont need
to capture the keys used in the network) may affect
current sensor networks and may even disable
their functions. This paper proposes a distributed
wormhole detection algorithm called Wormhole
Geographic Distributed Detection (WGDD), that
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
2/21
is based on detecting disorder of the networks
which is caused by the existence of a wormhole
inside the network. Since wormhole attacks are
passive, this algorithm uses a hop-counting tech-
nique as a probe procedure to detect wormhole at-
tacks, then reconstructs local maps in each node,
and after that, uses a feature called diameter to
detect abnormalities caused by wormholes. The
main advantage of using a distributed wormhole
detection algorithm is that such an algorithm can
provide the approximate location of a wormhole,
which may be useful information for further de-
fense mechanisms. Simulations show that the pro-
posed detection method has both a low False Tol-
eration Rate (FTR) and a low False Detection
Rate (FDR) in detecting wormhole attacks.
1. Introduction
Wireless Sensor Networks (WSNs) [1, 15] are
an emerging technology consisting of small, low-
power, and low-cost devices that integrate limited
computation, sensing, and radio communication
capabilities. This technology has the potential
to provide infrastructures for numerous applica-
tions, such as surveillance, healthcare, industry
automation, and military uses.
Currently, most applications in WSNs assume
that they are deployed in a trusted environment,
but it is possible that a WSN is to be deployed
in an untrusted environments, and so dealing with
security issues will become a central requirement.
In this situation, an adversary can disable the
functionality of a WSN by interfering with packet
transmissions inside the networks with different
attacks such as wormhole attacks, sybil attacks
[12], jamming, and packet injection attacks [17].
This paper focuses on wormhole attack detec-
tion [2, 7, 13]. A wormhole attack doesnt re-
quire knowing the cryptographic infrastructure of
the sensor network, and thus it puts an attacker in
a very powerful position relative to other nodes
in the network, compared to other attacks such
as sybil and packet injection attacks, which usu-
ally utilize vulnerabilities in the infrastructure of
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
3/21
wireless sensor networks. An attacker can per-
form a wormhole attack on a sensor network even
if the network communication infrastructure pro-
vides confidentiality and authenticity, and the at-
tacker does not have any cryptographic keys.
Currently, there are many methods that have
been proposed for detecting wormhole attacks in-
side of ad hoc networks and wireless sensor net-
works, and encouraging results have been ob-
tained. However, these methods usually require
that some nodes in the network be equipped with
special hardware. Solutions such as SECTOR [2]
and Packet Leashes [7] need time synchroniza-
tion or highly accurate clocks to detect worm-
holes; the method of Hu and Evans [5] requires
that a directional antenna is deployed in each
node; and LAD [3], SerLoc [9], and the ap-
proach in [6] concentrate on detecting/defending
against wormholes in localization in WSNs, but
these methods also need the help of anchor nodes
(which are special nodes that already know their
location exactly), which requires manual setup
when a network is deployed.
In comparison with the above methods, in
this paper we describe a distributed method
called Wormhole Geographic Distributed Detec-
tion (WGDD) to detect a wormhole attack with-
out using anchor nodes or any additional hard-
ware. Since a wormhole attack is passive, this
algorithm uses a simple hop-counting technique
as a probe procedure to detect wormhole attack,
then reconstructs local maps by MDS (Multidi-
mensional Scaling) in each node, and after that
uses a feature introduced in this papce called di-
ameter to detect distortions caused by a worm-
hole. The main advantage of using a distributed
wormhole detection algorithm is that such an al-
gorithm can provide the approximate location of a
wormhole, which can assist further defense mech-
anisms. Simulation shows that the proposed de-
tection method has both a low False Toleration
Rate(FTR) and a low False Detection Rate(FDR)
in detecting wormhole attacks.
In this paper, we make the following contribu-
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
4/21
tions. (i.) We propose a new feature which can be
used to detect wormholes in a distributed scheme.
(ii.) We propose a distributed wormhole detection
algorithm which needs only local connectivity in-
formation. Since the detection of wormholes is
completed under a distributed scheme, it is pos-
sible that our algorithm can provide the approxi-
mate locations of the ends of wormholes, which
will be helpful in further defense against worm-
hole attacks. (iii) We provide extensive simula-
tion for (i-ii) in NS-2, which shows that our meth-
ods are effective at detecting wormhole attacks on
different network placements.
The remainder of the paper is organized as fol-
lows. Section 2 discusses related work. Sec-
tion 3 describes some basic concepts related to
wormhole attacks. Section 4 discusses the fea-
ture which detects wormholes inside of a network
and the details of the WGDD algorithm. Section
5 evaluates the algorithm in an NS-2 simulation
environment. And finally Section 6 gives our con-
clusions.
2. Related Work
The wormhole attack detection in wireless ad-
hoc networks was introduced in [2, 6, 7]. Both
solutions are referred to as Packet Leashes [7],
and SECTOR [2]. They detect wormhole attacks
based upon the notion of geographical or tempo-
ral leashes. Briefly, suppose every node in the net-
work already knows its exact location and each
node embeds its location and a timestamp into
each packet it sends. If the network is synchro-
nized, then other nodes receiving that packet can
detect a wormhole by detecting the mismatch be-
tween the timestamp difference they calculate and
the location difference they observe. Such a solu-
tion requires a synchronized clock and preknown
location for each node. The method we propose
here does not have these requirements.
In [8], Kong et al. study Denial of Service
(DoS) attacks, including wormhole attacks, in
UWSN (Under Water Sensor Networking). Be-
cause UWSN typically uses acoustical methods
to propagate messages under water, the methods
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
5/21
in UWSN cant be directly applied into wireless
sensor networks.
In [5], Hu and Evans utilize directional anten-
nas to prevent wormhole links by assuming every
node of the network will be equipped with direc-
tional antennas that all have the same orientation.
Lazos and Poovendran apply a similar idea in de-
signing a secure localization scheme called SeR-
Loc [9] that protects against wormhole attacks in
localization. In SeRLoc, there are about 400 an-
chor nodes (designated as beacon nodes in the
paper) deployed in a 5000-node network. Each
anchor node has a directional antenna and already
knows its physical location. Other nodes in the
network use these anchor nodes to locate them-
selves. When there is a wormhole attack in the
network, since a wormhole will shortcut the net-
work, directional antennas deployed in the an-
chor nodes will help in detecting the attack, and
the nodes can then defend against it by discard-
ing incorrect localization messages. However, if
anchor nodes are compromised, especially those
anchor nodes that are close to a end of a worm-
hole, SeRLoc will still have difficulty in detect-
ing/defending against wormhole attacks.
In more recent papers [3, 10], D. Liu et al. pro-
posed an anchor-based scheme which is resistant
to several attacks, including wormhole attacks.
By using a hop-counting technique, the scheme
estimates the distance between a node and an an-
chor node (or location reference in the authors
terminology). If there is a wormhole inside the
network, then it is possible that the distance from
a node to some anchor node will be changed, and
a simple threshold method is used to determine
whether such a distance difference is caused by
a wormhole attack or by localization error. The
main difference between our method and those of
[3] and [10] is that the latter methods rely on an-
chor nodes, which need manual setup in advance,
while our method does not require any anchor
nodes to detect wormholes.
Additional work by [14] presents a useful graph
theoretic framework for modeling of wormhole
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
6/21
attacks, but this theoretic framework is based on
the assumption that there are guard nodes know
their locations exactly. Thus, these nodes actu-
ally work as anchor nodes as described in this pa-
per. Since in this work we assume that none of the
nodes in the network knows its physical location,
our proposed solution is for a case not covered by
this framework.
MDS-VOW [16] allows visualization of a net-
work to allow detection of wormholes by find-
ing bending distortions caused by a wormhole in
computed maps. The main difference between
our approach and MDS-VOW is that MDS-VOW
can only work in a centralized scheme, so MDS-
VOW needs to have a central computer to finish
its computation. In our paper, we extract a new
feature which can efficiently indicate the ends of
a wormhole based only on local bending distor-
tions caused by the ends of the wormhole. The
algorithm described in this paper is computed by
a distributed scheme and requires no centralized
computation. A general limitation of MDS-VOW,
which is identified in [14], is that such a visual-
ization cannot be applied to networks with irreg-
ular shapes, such as a string topology (nodes con-
nected in one line).
3. The Wormhole Attack
Origin end Destinationend
Wormhole tunnel
Figure 1. A Wormhole Attack in a WSN
In a typical wormhole attack, an attacker re-
ceives packets at one point in the network, for-
wards them through a wireless or wired link with
much less latency than the default links used by
the network and relays those packets at another
position in the network. In this paper we as-
sume that a wormhole is bidirectional, and when
considering a wormhole attack, we refer to the
end of that wormhole receiving a message as the
origin end of the wormhole and the end that
transmits the message as the destination end of
that wormhole (thus which end is which is en-
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
7/21
tirely context dependent). Figure 1 shows a typ-
ical wormhole attack. In this work we assume
wormholes with two endpoints, although in the-
ory multi-end wormholes are possible.
We also assume that each wormhole in a net-
work is (1) passive, and thus does not send out
any message without any inbound message, (2)
static, which means that such wormhole will not
move around.
4 Detecting Wormhole Attacks
In this section, at first, we will describe our al-
gorithm in brief, then, by observing the network
with a wormhole inside it, we discuss a feature
which can be used to detect wormhole attacks in
distributed scheme, at last, based on the previous
feature we propose how to detect wormhole at-
tacks.
4.1 Overview of WGDD Algorithm
Our distributed algorithm called Wormhole Ge-
ographic Distributed Detection (WGDD) uses a
similar hop-counting technique as a probe proce-
dure (Section 4.2) to detect wormhole attack. Af-
ter the running of the probe procedure, each node
will collect the set of hop-count from its neigh-
bor nodes which are in one(k) hop(s) distance to
it, then that node will run Dijkstras algorithm to
get the shortest path for each pair of the nodes,
after that, it will reconstruct a local map by MDS
(Multidimensional Scaling) (Section 4.3). After
we discuss a feature called as diameter to de-
tect distortions caused by a wormhole in local
maps in Section 4.4, we will introduce the detec-
tion procedure in Section 4.5. The overview of
this Wormhole Geographic Distributed Detection
(WGDD) algorithm can be seen in Procedure 1.
Procedure 1 Wormhole Geographic Distributed
Detection (WGDD)
1: Probe Procedure
2: Local Map Computation Procedure
3: Detection Procedure
4.2 Probe Procedure
Since a wormhole attack is passive, which
means that such an attack can only happen when
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
8/21
there is some message being transmitted near the
wormhole area. In order to detect whether there
is a wormhole attack inside a network, we de-
sign a probe procedure to flood an message from
some bootstrap node to the whole networks to let
all other nodes in the network to count the hop
distance from itself to that bootstrap node. Such
probe procedure is based on hop-coordinates [18]
technique to measure the hop distance from each
node to some bootstrap node, which shares the
same idea as hop-counting, but has more accurate
measurement.
(i)In bootstrap node: A bootstrap node x cre-
ates a probe message with (i = idx) to flood
the network. After that, the bootstrap node will
drop any probe message that was originated by it-
self. The bootstrap node has the hop-coordinate:
hopx = 0 and offsetx = 0.
(ii) In all other nodes in the WSN: Suppose that
a node a is calculating its hop distance, and node
b is one of the neighbors of node a. Then the basic
probe procedure 2 is as same as hop-coordinates
procedure [18] for node a is shown in Procedure
2.
Procedure 2 Probe Procedure in node a1: INPUT: message (hopb) from node b Na2: for message (hopb) from any B Na and not
TIMEOUT do
3: ifhopb < hopa then4: hopa = hopb + 15: forward (message(hopa ) ) to MAC6: else
7: drop (message(hopb ) )
8: end if9: end for
10: if|Na| == 0 then11: offseta = 012: else
13: offseta =
bNa(hop
b(hop
a1))+1
2(|Na|+1)
14: end if
15: return hopa
and offseta
Here, a is a node, hopa
is the minimum num-
ber of hops to reach node a counting from some
bootstrap node (x), the initial value of it will be
the largest positive value in practice. the combi-
nation ofhopa
and offsetais the hop coordinate for
node a, Nais a set of nodes which can be reached
by node a in one hop, and |Na| is the number of
nodes in Na.
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
9/21
0 20 40 60 80 100 120 1401440
20
40
60
80
100
120
140144
X
(a) The original location of a 2500node
WSN with one wormhole
0 20 40 60 80 100 120 1401440
20
40
60
80
100
120
140144
0
10
20
30
40
50
60
70
80
90
100
0
10
20
30
40
50
60
70
80
90
100
(b) the same 2500-node WSN with one
wormhole siting on the edges of the
WSN
Figure 2. a 2500-node WSN (r = 2m) with one wormhole
4.3 Local Map Computation
In this step, each node will compute a local map
for its neighbors based on the hop-coordinate
computed in the previous step. After the gener-
ation of hop-coordinates with Procedure 2, each
node will send a request to its neighbor nodes that
are within one(k) hop(s) to send back their hop
coordinate from some bootstrap node (x).
After each node receives the hop coordinate
from its neighbors, that node will compute short-
est paths between all pairs of nodes one (k) hop(s)
to that node, using Dijkstras algorithm or other
similar algorithms.
Then, we apply MDS to the
(|Na|+1)(|Na|+1) shortest path matrix (here
|Na| is the number of nodes that can be reached by
node A in one (k) hop(s)) and retain the first two
(or three) largest eigenvalues and eigenvectors to
construct a 2-D (or 3-D) local map.
The total cost for this step is a computational
cost ofO(|Na|3 n) and a memory cost ofO(|Na|
2)
per node, with no communication cost in this step.
4.4 Detection Procedure
Based on the local map from previous step,
here we will try to detect attacks. At first let us
have a look of the affection of wormhole attack
on computed map.
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
10/21
4.4.1 Observation of a Wormhole in a Recon-
structed Map
In order to observe a wormhole, we implemented
the probe procedure 2 and the local map compu-
tation procedure as routing agents and the boot-
strap node for the probe procedure as a protocol
agent in NS-2 version 2.29 [11] with 802.15.4
MAC layer [19] and CMU wireless extensions
[4]. The configuration parameters used for NS-2
are RF range = 15 meters, propagation = TwoRay-
Ground, and antenna = Omni Antenna.
In our first experiment, we used 2500 nodes in a
uniform placement total 2500 nodes are placed
on a grid with 0.5rrandomized placement error,
where r = 2 m is the width of a small square in
the grid. A wormhole is implemented as a wired
connection.
Fig. 2(a) and 2(b) shows the same sensor net-
work; each x represents a node, and the red cir-
cles indicate the two ends of a wormhole; in Fig.
2(a), the wormhole is siting in the center of the
network, while in Fig. 2(b), the wormhole is sit-
ing on the edges of the network.
4.4.2 New Feature to Detect Wormhole At-
tacks
With the fact that each WSN node has limited re-
sources and has no possibility to store global in-
formation, in order to detect wormholes in a dis-
tributed scheme, each node can only use local in-
formation to detect wormhole attacks.
Consider the two parts of the intruded network
with a wormhole with two ends in Figure 3, by se-
lecting two parts of the network which is close to
the ends of the wormhole in Figure 2(a). We use a
dotted circle to represent the neighbor area where
a particular node can directly reach in transmis-
sion range R, since there are two ends, we shows
two parts of the network. Then, after the cir-
cled node finished local map computation for the
nodes in its local range, it will be getting a lo-
cal map as in Figure 4. From this figure, we can
see that because wormhole shortcuts the two parts
of the network, the circled node can reach more
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
11/21
range than before (if we measure the longest dis-
tance in this local map, it will equal 49m), though
that computed local map is bended by the effect
of the wormhole.
Figure 3. Two Parts of the Network near
Wormhole Ends.Here, parameters: r = 4,R = 15, red circles represents the wormholeends.
2d =49m
Figure 4. Local Map in the Red Circled Node
in Figure 3.After probe procedure and local
map computation in that node which is red
circled.
From the above observation, we instead fo-
cus on detecting wormholes by using a different
featurethe diameter of the computed local map.
We define diameter d for Node a here:
Diameter: d = max(distance(b, c))/2,
Where b, c Na, here Na is the set of neighbor
nodes of node a, distance(a, b) will be computed
as distancde(a, b) = sqrt((x x)2 + (y y)2)
in 2D case, here (x, y),(x, y) are the coordiantes
for node a, b in the local map computed in the
previous step, respectively.
Theoretically, the diameter of the neighbor area
for a node will roughly equal or less its trans-
mission range R, since one node only can hear
from its neighbors within the transmission range
R. But because of the shortcut of wormhole, the
computed map for that neighbor area of that node
will be distorted, and so the diameter of that com-
puted local map will be larger than the physical
one, as shown in 4, we can see 2d = 49m.
In order to verify whether such diameter feature
is working in detecting wormhole in the whole
network, we compute the diameter for each node
in the same 2500-node network with and without
wormhole. The results are shown in Figure 5(a),
if we examine nodes that are very near to a worm-
hole, such as the area near the red circles in Fig-
ure 5(b), the diameters of the local maps for these
nodes will be noticeably increased by proximity
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
12/21
Diameter
0
20
40
60
80
1000
20
40
60
80
100
13
14
15
16
17
(a) Diameter Measurement in the 2500-node
WSN in Figure 2.(a) without Wormhole
0204060801000204060
80100
12
14
16
18
20
22
24
26
X Y
Diameter
(b) Diameter Measurement in the 2500-node
WSN in Figure 2.(a) with a Wormhole
Figure 5. Diameter Measurement without and with Wormhole in a 2500-node WSN. In Figure 5(b),
the diameter of a local map will roughly be R (from 14 to 18, while R = 15 meters) unless thereis a wormhole attack, in which case the diameter of a local map will become longer as the position
draws closer and closer to the wormhole.
to the wormhole, comparing the diameters in the
same nodes in the network without wormhole in
Figure 5(a). But if the nodes are a little farther
away, or in a distant part of the network, such as
the middle area in Figure 5(b), the diameters of
the local maps for these nodes, will be almost as
normal as these in the same area in Figure 5(a),
which is without wormhole.
In Figure 5(b), the diameter of a local map will
roughly be R (from 14 to 18, while R = 15 me-
ters) unless there is a wormhole attack, in which
case the diameter of a local map will become
longer as the position draws closer and closer to
the wormhole. The diameter reaches the highest
(about 25 m) at the nodes at about 7 m to the ends
of wormhole, then the diameter is decreased, be-
cause the nodes are approaching to the edges of
the network, but still above 22 m.
The diameter feature is also good at de-
tect wormhole attack in networks with irregular
shapes, and in networks with multiple wormholes
inside them. We did some experiments of diam-
eter in a network with string topology, and a net-
work with two wormholes inside it.
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
13/21
0 20 40 60 80 100
15.2
15.4
15.6
15.8
16
16.2
16.4
16.6
16.8
X
diameter
(a) Diameter Measurement in the 50-
node WSN in String Placement with-
out a Wormhole
0 20 40 60 80 100
12
14
16
18
20
22
24
26
X
Diameter
(b) Diameter Measurement in the 50-
node WSN in String Placement with a
Wormhole
Figure 6. Diameter Measurement in the 50-node WSN in String Placement without/with a Wormhole
In a string topology experiment, we tested a
50-node network, inside of which, each node are
uniformally distributed in a 100 meter string in
one dimension. First we measure the diameter for
each node without any wormhole in the network,
the result is in Figure 6(a). The diameter is at most
16.8 m in Figure 6(a). Then, we add a wormhole
into the network with the two ends of that worm-
hole at the two ends of the string. We can see that
right now, the diameters of nodes which are close
to the ends of the wormhole are larger than 22 m,
shown in Figure 6(b).
In order to test the feature of diameter in de-
tecting multiple wormholes in a network, we de-
ployed two wormholes in the network of Figure
2.a. The measurement of diameter for all nodes
as shown in Figure 7. The locations of the ends
of these two wormholes are represented as red
circles in the same figure. From the figure, we
can see that even two wormholes are very close
to each other, the peaks of diameter are still ap-
peared in the nodes which are close to the ends of
the wormholes, from our measurement, four peak
values are 24.8, 25.2, 22.2, 22.6 m respectively.
So, by computing the diameter d for local map,
such detection algorithm can runs independently
in each node, in conjunction with the computation
of a local map for the neighboring area. Since
all nodes in this area are within one(k) hop(s) of
the calculating node, the detection algorithm can
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
14/21
Figure 7. Diameter Measurement in the 2500-
node WSN in Figure 2.(a) with Two Worm-
holes.Here, red cycles are the ends of worm-holes, the dashed lines are the tunnels of the
wormholes. A X is represented as a node.
The 50X50 mesh is only for visualization
purpose. Color bar represents the value of
diameter.
compute the diameter of each local map after de-
termining each neighbor nodes location.
4.4.3 Detection Procedure
Thus, we propose to use the diameter to deter-
mine whether there is a wormhole attack present
or not. From the experiment in Figure 5(a) and
5(b), we can see that usually the diameters for lo-
cal maps will be around R, but if there is a worm-
hole in the network, then the diameters of the lo-
cal maps which are computed by the nodes close
to the ends of the wormhole will be higher to over
22m. So, we can define a threshold for the diame-
ter to detect wormholes in the network. Since, the
lower the value we assign to such threshold, the
higher possibility it is that nodes send the error
alarms of wormhole. So, based on the above ex-
periments, we define a threshold as 1.4R (in our
configuration 1.4R = 1.4 15 = 21 m) to deter-
mine whether there is a wormhole attack present
or not. In order to adjust the sensitivity of detec-
tion procedure we introduce a constant parameter
:
Suppose the diameter of a local relative map is
d; ifd > (1+)1.4R (here is a constant parame-
ter which is less than 1 and larger than 0), then we
can say there is a wormhole in the network, and
if not, we can say that the error probably comes
from localization error. The details of the detec-
tion algorithm follow.
Suppose node a is an arbitrary node in the
WSN. At first, we propose a distributed detec-
tion Procedure 3, which is used to compute the
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
15/21
diameter after running the probe procedure 2 and
local map computation in Section 4.3, and detect
whether there is a wormhole in the network.
Procedure 3 Wormhole Detection Procedure in
node a1: INPUT: local map G in node a for Na {a}2: diameter d = 03: for each b Na {a} do4: for each node c Na {a} {b} do5: if 2d < distance(b, c) in local map G
then
6: 2d = distance(a, b) in local map G7: end if
8: end for9: end for
10: ifd > (1 + ) 1.4R then11: return FOUND WORMHOLE to sink
node.
12: end if
The total cost for this step is a computational
cost ofO(|Na|2
n) and a memory cost ofO(|Na|)
per node, with no communication cost in this
step.
5. Simulations Results
5.1 Simulation Environment Setup
Same as to the experiment setup in the previous
section, we implemented our whole detection al-
gorithm as a routing agent in NS-2 version 2.29
[11] with 802.15.4 MAC layer [19] and CMU
wireless [4] extensions. The configuration used
for NS-2 is RF range = 15 meters, propagation =
TwoRayGround, antenna = Omni Antenna. We
implemented a wormhole as a wired connection
with smaller latency that forwards packets from
one node to another node.
0 20 40 60 80 100 1200
20
40
60
80
100
120
Figure 8. A typical placement for simulation
(Constructed with n = 400, r = 4. greendashed ovals are holes and small blue circles
are islands.)
In our all experiments, we used uniform
placementn nodes are placed on a grid with
0.5r randomized placement error. Here r is the
width of a small square in the grid. We con-
structed a total of 60 placements with n = 400,
900, 1600 and 2500, and with r = 2, 4,6, 8, 10
and 12 meters, respectively. The reason we use
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
16/21
uniform placement with 0.5r error is that usu-
ally such placement produces both node holes and
islands in one placement, as demonstrated in Fig-
ure 8. The place of the wormhole is totally ran-
domized inside of the network.
5.2 Detection Simulation Result
5.2.1 Metrics
As we decrease the value of , we can increase
the accuracy of detecting wormhole attack, but
the possibility of fault alarm will be increased. In
order to evaluate the accuracy of our wormhole
attack detection under different values, we in-
troduce the following concepts:
False Detection Rate (FDR): the frequency
with which the detection system falsely recog-
nizes identical characteristics as being different,
thus failing to tolerate, for example, a normal lo-
calization error.
FDR = (number of normal localization errors
flagged as detected wormholes) / (total number of
trials).
In practice, we count the number of the nodes,
which send out FOUND WORMHOLE mes-
sages but are far away from the ends of a worm-
hole (We define that if a node is R = 15m away
from all ends of a wormhole, then this node ob-
viously has few impact of wormhole, and so we
say that such node is far away from the worm-
hole.), into the number of normal localization er-
rors flagged as detected wormholes. When FDR
= 0, it means that there is no wrong alarm in de-
tecting wormholes.
False Toleration Rate (FTR): the frequency
with which the detection system falsely recog-
nizes different characteristics as identical, thus
failing to detect a wormhole attack.
FTR = (number of wormhole attacks not de-
tected) / (total number of trials).
If there is a wormhole in a experiment, but there
is no node to send out FOUND WORMHOLE
messages, we will count this as wormhole at-
tacks not detects. So, if FTR = 0, it means that
our detection algorithm is successful in detecting
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
17/21
0
0.01
0.02
0.03
0.04
0.05
0.06
0.07
0.08
0.09
0.1
0 2 4 6 8 10 12 15r(m)
FDR
(%)
0
0.01
0.02
0.03
0.04
0.05
0.06
0.07
0.08
0.09
0.1
FTR
(%)
FDR
FTR
0
0.01
0.02
0.03
0.04
0.05
0.06
0.07
0.08
0.09
0.1
0 2 4 6 8 10 12 15r(m)
FDR
(%)
0
0.01
0.02
0.03
0.04
0.05
0.06
0.07
0.08
0.09
0.1
FTR
(%)
FDR
FTR
(a) when = 0 (b) when = 0.1
Figure 9. False Detection Rate (FDR) and False Toleration Rate (FTR) for various node spacings.
wormholes in all experiments.
5.2.2 Simulation Result
We use the same experimental setup as in section
5.1, with one wormhole in each placement, again
implemented in NS-2 as a wired connection with
a latency far less than the latency of the wireless
connections. Results in terms of FTR and FDR
are shown in Figure 9. Our detection algorithm
has a low FTR with FDR=0 when = 0.0as in
Figure 9.a; when = 0.1as in Figure 9.b, our
detection algorithm can achieve a low FDR with
FTR=0.
In order to consider about the performance of
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
2 7 12 17 22 27 32 37Hop Distance Between Two Ends of a
Wormhole
FDR(%)
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
FTR(%)
FDRFTR
Figure 10. FTR/FDR vs Hop Distance Be-
tween Two Ends of a Wormhole ( = 0)
our algorithm to detect smaller wormholes (such
as two to three hops long), we plot the all FTR and
FDR experiment data( when = 0) on Figure 10
based on the number of hops between two ends of
a wormhole in one experiment. We can see that
if it is a long wormhole such as 3 hops long,
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
18/21
our detection algorithm archives almost 100% de-
tection rate (shown as FTR = 0). Even when fac-
ing shorter wormhols which are less than 3 hops
long, our algorithm can still make more than 80%
detection rate (shown as FTR < 20%).
6. Summary and Discussion
In this paper, we discuss how to detect worm-
hole attacks in distributed scheme. By assuming
that wormhole attacks are passive, we provide a
probe procedure to let some bootstrap node flood
a probe message to detect some possible worm-
holes in the network, the probe procedure pro-
duces a hop-coordinates to each node which rep-
resents the hop distance from that node to the
bootstrap node. Then each node will compute a
local map for its neighbors and itself with the hop-
coordinates collected in the previous step. Since
if there is a wormhole in the network, it causes
some distortions in some local maps of the nodes
which are close to the ends of the wormhole, so
we find a feature called diameter to detect such
distortion in distributed scheme, with the help of
that feature diameter, we propose a wormhole
detection procedure.
We test our Wormhole Geographic Distributed
Detection (WGDD) algorithm in simulation envi-
ronment under different placements of networks.
The extensive simulation result shows that our de-
tection algorithm can archive almost 100% over-
all detection rate (shown as FTR is around zero,
when = 0 in Figure 10.a). Even consider-
ing about the cases of shorter wormholes which
are less than 3 hops long, our algorithm can still
make more than 80% detection rate (shown as
FTR < 20% in Figure 10). We can run our de-
tection algorithm in stricter model by setuping
= 0.1, it this case, we can archive almost zero
wrong alarm rate (shown as FDR = 0 in Figure
10.b).
Since our algorithm is running under dis-
tributed scheme, it means that if there is a worm-
hole, then some nodes close to the wormhole will
detect the wormhole attacks, so such advantage
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
19/21
of our algorithm may help in defending against
wormholes. We may propose the idea of freez-
ing nodes that have detected wormhole attacks in
their vicinity, along with their neighbor nodes, in
order to isolate and negate the effect of a worm-
hole.
Suppose that the wireless range for a wormhole
attack equals k times the transmission range R of
a normal node; if this is the case, then it is possi-
ble that we can stop the transmission of a worm-
hole attack by freezing the nodes within k times
transmission range R of one detecting location.
Procedure 4 Defending against wormhole attacks
Require: triggered by DetectionProcedure
1: send message(freezing)to all neighbor nodes
in 1(k) hop(s)2: Broadcast message(relocalization) to the
bootstrap node and other nodes.
From a node (or nodes), which detects worm-
hole attack, a special message will flood out
to freeze neighboring nodes. If the bootstrap
node (x) receives this message, it will restart the
wormhole detection algorithm again, while other
nodes receive such message will clean the hop-
coordinate inside itself. Such process will be
ended until there is no node detects any wormhole
attack.
Right now, we are basing experiment to decide
the threshold and in deciding whether a diame-
ter measurement triggers an alarm for wormhole.
One future work may need to improve our algo-
rithm is how to decide such threshold and auto-
matically.
References
[1] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and
E. Cayirci. A survey on sensor networks. Com-
munications Magazine, IEEE, 40(8):102114,
2002.
[2] S. Capkun, L. Buttyan, and J. Hubaux. SEC-
TOR: secure tracking of node encounters in
multi-hop wireless networks. Proceedings of the
1st ACM workshop on Security of ad hoc and
sensor networks, pages 2132, 2003.
[3] W. Du, L. Fang, and N. Peng. LAD: Localization
anomaly detection for wireless sensor networks.
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
20/21
Journal of Parallel and Distributed Computing,
66(7):874886, 2006.
[4] T. C. M. Group. Wireless and Mo-
bility Extensions to ns-2. obtain from
http://www.monarch.cs.cmu.edu/cmu-ns.html.
[5] L. Hu and D. Evans. Using Directional Anten-
nas to Prevent Wormhole Attacks. Proceedings
of the 11th Network and Distributed System Se-
curity Symposium, pages 131141, 2004.
[6] Y. Hu, A. Perrig, and D. Johnson. Wormhole de-
tection in wireless ad hoc networks. Department
of Computer Science, Rice University, Tech. Rep.
TR01-384, June, 2002.
[7] Y. Hu, A. Perrig, and D. Johnson. Packet
Leashes: A Defense against Wormhole Attacks
in Wireless Ad Hoc Networks. Proceedings of
INFOCOM, 2003, 2003.
[8] J. Kong, Z. Ji, W. Wang, M. Gerla, R. Bagro-
dia, and B. Bhargava. Low-cost attacks against
packet delivery, localization and time synchro-
nization services in under-water sensor net-
works. Proceedings of the 4th ACM workshop
on Wireless security, pages 8796, 2005.
[9] L. Lazos and R. Poovendran. SeRLoc: secure
range-independent localization for wireless sen-
sor networks. Proceedings of the 2004 ACM
workshop on Wireless security, pages 2130,
2004.
[10] D. Liu, P. Ning, and W. Du. Attack-resistant lo-
cation estimation in sensor networks. Informa-
tion Processing in Sensor Networks, 2005. IPSN
2005. Fourth International Symposium on, pages
99106, 2005.
[11] S. McCanne and S. Floyd. ns-2 Network Simu-
lator. Obtain via: http://www. isi. edu/nsnam/ns.
[12] J. Newsome, E. Shi, D. Song, and A. Perrig. The
sybil attack in sensor networks: analysis & de-
fenses. Proceedings of the third international
symposium on Information processing in sensor
networks, pages 259268, 2004.
[13] P. Papadimitratos and Z. Haas. Secure routing
for mobile ad hoc networks. SCS Communica-
tion Networks and Distributed Systems Model-
ing and Simulation Conference (CNDS 2002),
2002.
[14] R. Poovendran and L. Lazos. A Graph Theoretic
Framework for Preventing the Wormhole Attack
-
8/14/2019 Distributed wormhole attack detection in wireless sensor networks
21/21
in Wireless Ad Hoc Networks. ACM Wireless
Networks (WINET).
[15] M. Vieira, C. Coelho Jr, D. da Silva Jr, and
J. da Mata. Survey on wireless sensor network
devices. IEEE Emerging Technologies and Fac-
tory Automation, pages 537544, 2003.
[16] W. Wang and B. Bhargava. Visualization of
wormholes in sensor networks. Proceedings of
the 2004 ACM workshop on Wireless security,
pages 5160, 2004.
[17] A. Wood and J. Stankovic. Denial of service
in sensor networks. Computer, 35(10):5462,
2002.
[18] Y. Xu, J. Ford, and F. S. Makedon. A Varia-
tion on Hop-counting for Geographic Routing.
Embedded Networked Sensors, 2006. EmNetS-
III. The third IEEE Workshop on, 2006.
[19] J. Zheng and et.al. 802.15.4 exten-
sion to NS-2. Obtain via: http://www-
ee.ccny.cuny.edu/zheng/pub.