Outlier detection and countermeasure for hierarchical wireless sensor networks

Y.-Y. Zhang 1, H.-C. Chao 2, M. Chen 3, L. Shu 4,*, C.-H. Park 5, M.-S. Park 5

1 Department of Information and Engineering, Shenyang Institute of Engineering, Shenyang, China
2 College of Electrical Engineering and Computer Science for National Ilan University, I-Lan, Taiwan, Republic of China
3 Computer Science and Engineering at Seoul National University, Seoul, Korea
4 Digital Enterprise Research Institute, National University of Ireland, Galway, Ireland
5 Department of Computer Science and Engineering, Korea University, Seoul 136-701, Korea
* Department of Multimedia Engineering, Osaka University, Japan
E-mail: [email protected]

Published in IET Information Security. Received on 30th September 2009. Revised on 19th January 2010. doi: 10.1049/iet-ifs.2009.0192
Special Issue on Multi-Agent & Distributed Information Security
ISSN 1751-8709
IET Inf. Secur., 2010, Vol. 4, Iss. 4, pp. 361–373. © The Institution of Engineering and Technology 2010. www.ietdl.org

Abstract: Outliers in wireless sensor networks (WSNs) are sensor nodes that issue attacks by abnormal behaviours and fake message dissemination. However, existing cryptographic techniques can hardly detect these inside attacks, which makes outlier recognition a critical and challenging issue for reliable and secure data dissemination in WSNs. To efficiently identify and isolate outliers, this study presents a novel outlier detection and countermeasure scheme (ODCS), which consists of three mechanisms: (i) an abnormal event observation mechanism for network surveillance; (ii) an exceptional message supervision mechanism for distinguishing fake messages by exploiting spatiotemporal correlation and consistency and (iii) an abnormal behaviour supervision mechanism for the evaluation of node behaviour. The ODCS provides a heuristic methodology and does not need knowledge about normal or malicious sensors in advance. This property allows the ODCS not only to distinguish and deal with various dynamic attacks automatically without advance learning, but also to reduce the capability required of constrained nodes. In the ODCS, communication is limited to a local range, such as one hop or a cluster, which can reduce the communication frequency and circumscribe the session range further. Moreover, the ODCS provides countermeasures for different types of attacks, such as the rerouting scheme and the rekey security scheme, which can separate outliers from normal sensors and enhance the robustness of the network, even when some nodes are compromised by an adversary. Simulation results indicate that our approach can effectively detect and defend against the outlier attack.

1 Introduction

Wireless sensor networks (WSNs) can effectively support different applications by collecting sensory information in hostile environments, such as enemy detection in battle fields or fire monitoring in urban areas [1]. However, sensor nodes are highly constrained in transmission power, on-board energy, processing capacity and storage, which requires careful resource management. Owing to the limited resources and operation in hostile environments, WSNs are subjected to numerous threats and are vulnerable to attacks from outside, for example, eavesdropping, or inside, for example, outliers.

Outliers (also called inside attackers) in WSNs are sensor nodes that do not perform tasks as normal nodes but exhibit different types of abnormal behaviours, for example, dropping messages received from their neighbours, forwarding messages to the enemy, broadcasting redundant messages and disseminating fake messages [2, 3]. Outliers also attack WSNs by tampering with messages transferred in WSNs or generating bogus messages and forwarding them to critical nodes (e.g. aggregation nodes or sink node), which typically reduces network performance in terms of reliability and security because of the following consequences: (i) wasting network bandwidth, (ii) increasing energy


consumption, (iii) interfusing illegal messages into sensory data streaming and (iv) causing communication obstruction or dynamic holes [4].

In this paper, outliers are typically those sensors compromised and controlled by an adversary. The adversary manipulates outliers to eavesdrop on network information or to attack the network through misbehaviour. However, since these attacks come from inside the network, they are difficult to distinguish with traditional cryptographic techniques [3]. Thus, it is critical to establish an efficient, secure and reliable scheme to detect and prevent outliers. To address this challenging issue, we propose a novel outlier detection and countermeasure scheme (ODCS) to detect and handle outliers in a hierarchical WSN (e.g. a clustered WSN [5]).

First, in ODCS, we design an abnormal event observation mechanism (AEOM), which is used to detect abnormal events such as tampering attacks and denial of service (DoS) attacks. By observing the data converging on the cluster head, AEOM can monitor both exceptional messages and abnormal behaviours. Once AEOM detects an abnormal event, it invokes two other mechanisms to determine the authenticity of the event, respectively. AEOM will further invoke an exceptional message supervision mechanism (EMSM) to evaluate disparate messages based on statistical similarity [6] and the spatiotemporal correlation of the WSN. EMSM confirms inside attackers by utilising the correlations among one-hop neighbours, which have similar communication and computation workloads in a typical WSN with collaborative in-network processing (e.g. data aggregation). In EMSM, the cluster head maintains a ring-list to store the history messages sent by its member nodes, and identifies outliers by computing the 'message deviation'.

Furthermore, an abnormal behaviour supervision mechanism (ABSM) will be triggered by AEOM to conclude the misbehaviours of outliers (e.g. sending overloading/insufficient messages or forwarding messages to a doubtful target), by a k-means algorithm [7] based on an authentication scheme. ABSM also provides a one-hop neighbour authentication mechanism to determine further whether the node is an outlier by evaluating the frequency or target ID of the sent message.

Finally, ODCS gives several strategies for defending against outliers according to the different attacks they launch. Once an outlier is detected, ODCS provides a reroute rule to avoid the misbehaviour attack as well as a rekey mechanism to protect the network from the exceptional message attack. The reroute mechanism establishes a new path with creditable nodes to the cluster head and bypasses outliers, which separates outliers from the network effectively; the rekey mechanism focuses on providing new keys and filtering outliers with a special function, and at the same time, the cluster head can authenticate member nodes, and then deploy a new key to the legitimate nodes.

Compared with the previous works [2, 8–15] for outlier detection in WSNs, the proposed ODCS makes the following scientific research contributions:

• ODCS utilises the spatiotemporal correlation in neighbourhood activities as well as the statistical similarity, which provides a heuristic methodology and does not need knowledge about normal or malicious sensors in advance. This property allows the ODCS not only to distinguish and deal with various dynamic attacks automatically without advance learning, but also to reduce the capability required of constrained nodes.

• In ODCS, there are two major points that can reduce the energy consumption and improve the reliability efficiently: (i) the communication is limited to a local range, for example, one-hop neighbour communication; (ii) the cluster head can authenticate and manage member nodes based on the cluster architecture, which not only reduces the communication frequency but also circumscribes the session range further.

• ODCS handles not only exceptional messages but also abnormal behaviours.

• ODCS provides a rerouting scheme and a rekey security scheme, respectively, for different types of attacks, which can separate outliers from normal sensors and enhance the robustness of the network, even when some nodes are compromised by an adversary.

The rest of this paper is organised as follows: Section 2 presents related works; Section 3 gives the attacks model; Section 4 describes the system model and the security foundation; Section 5 describes the problem formulation, and ODCS is described in Section 6, including (i) two supervision mechanisms and (ii) the corresponding countermeasures. Sections 7 and 8 evaluate ODCS through security analysis and simulation, respectively. Finally, this paper is concluded in Section 9 with a summary of main ideas.

2 Related works

Outlier detection is usually a research issue in data management [13, 16–21]. Hawkins [13] defines an outlier as an observation that deviates a lot from other observations and can be generated from a different mechanism. Most of the previous works focus on the following three aspects [3]: (i) detection of exceptional messages, (ii) detection of abnormal behaviour in routing and (iii) detection of intrusion in wireless networks.

Detection of exceptional messages focuses on the messages that are remarkably different from other messages transferred in the WSN [2, 8, 10]. In [2], the authors develop a solution that (i) allows flexibility in a heuristic to detect outliers; (ii) works in-network and balances the proportional outcome in communication and (iii) is robust with respect to data and network change. However, it does not work well for fine-granularity events with limited samples. In [8], the authors identify the faulty sensor(s) using the aggregation tree, including the maximum (max) and minimum (min) values of the sensed attribute and their locations. Therefore, if any sensor reports a data value outside the [min, max] range, it can be identified as a faulty sensor. In [10], the authors compute a running average and compare it with a threshold, which can be adjusted by a false alarm rate. In contrast, our solution improves the immunity of the network against abnormal behaviours.

Detection of abnormal behaviour aims to defend against attacks such as spoofing and sink-hole. Some related works [3, 11, 13] have been conducted for WSNs. In [11], the authors propose an in-network outlier cleaning approach that is accomplished during the multi-hop data forwarding process and uses the neighbouring relation. This approach guarantees that outliers can be either corrected or removed from further transmission. In [13], the naïve Bayesian classification technique is utilised to detect outliers' misbehaviours in WSNs and also uses the spatiotemporal correlations, which are very important for detecting outliers with high accuracy. In [3], the authors proposed an insider attacker detection scheme (IADS) in WSNs. IADS is purely localised and fits large-scale WSNs. By exploiting the spatial correlation among the networking behaviours of sensors in close proximity, IADS can achieve a certain detection accuracy and a low false alarm rate, as indicated by the extensive simulation study. But in IADS, some situations caused by the outlier (called inside attacker in [3]), such as the tampered message attack and the provocateur attack, are not considered.

Detection of intrusion in wireless networks is studied in [14, 15]. In [14], Zhang et al. proposed a scheme which is the first work on intrusion detection in wireless ad hoc networks. A new architecture is investigated for collaborative statistical anomaly detection, which provides protection from attacks. In [15], an intrusion alarm is raised when the number of failures exceeds a pre-defined threshold. In this work, multiple rules are defined, and a decision is made based on a simple summation of the rule application results. Compared with [14, 15], our countermeasures can defend against various attacks much better, and require no prior knowledge of normal/malicious sensor activities.

In short, most existing related works are for ad hoc networks and focus only on incomplete protection, which makes them insufficient for defending against the various attacks from outliers. Therefore our solution provides a more complete scheme, which can detect attacks and defend the network from outliers in these three aspects.

3 Attacks model

Outliers can attack WSNs in various ways [22–25]. In this section, we survey some attacks on WSNs as follows.

1. Provocateur attack: A provocateur is a node compromised by an adversary. Different from the eavesdropping attack, the provocateur aims to spread fake messages through the network or to eavesdrop on aggregated data for the adversary. The outlier usually launches a provocateur attack by tampering with messages, generating fake messages or eavesdropping on messages.

2. Sink-hole attacks: Sink-hole attacks are based on the idea that a node controlled by the adversary attracts the surrounding nodes with unfaithful routing information, and then alters the data passing through it.

3. Hello flood attack: Nodes broadcast hello messages to inform one-hop neighbours of their presence, which allows an adversary to mount a hello flood by sending such messages from an outlier. These replayed hello packets reach nodes that the originating node cannot communicate with directly. Any node that uses the originating node as the next hop in a route but is not within that node's radio range would not be able to reliably forward traffic.

4. DoS attack: In a DoS attack, outliers overwhelm sensor nodes with either replayed packets or injected spurious packets and attempt to disrupt, subvert or destroy a network, which affects both the functionality and the overall performance of the WSN.

5. Selective forwarding attack: WSNs are usually multi-hop networks and assume that the participating nodes forward messages faithfully. Outliers, however, can refuse to route certain messages and drop them. If they drop all the packets passing through them, it is called a black hole attack [26]. If they selectively forward the packets, it is called selective forwarding.

In summary, there are two typical types of attacks by outliers. The first type is the exceptional message attack, which attacks the network by tampering with message content or generating fake messages, such as the provocateur attack. The second is the abnormal behaviour attack, which mainly attacks the network by dropping messages, forwarding messages to the adversary or broadcasting redundant messages to waste energy and cause communication traffic, such as attacks (2), (3), (4) and (5) given above. Hence, detecting these attacks and taking the necessary countermeasures is helpful in maintaining or improving the performance of the application.

4 System model

4.1 Network model

In this paper, we consider a WSN consisting of a base station (BS) and large numbers of sensor nodes that can self-organise into clusters [4, 22, 27–29], as shown in Fig. 1. The considered WSN can be represented as a graph $G(V, E)$, where $V = \{v_1, \dots, v_{|V|}\}$ is a finite set of sensor nodes (vertices) and $E = \{e_1, \dots, e_{|E|}\}$ is a finite set of links (edges). Here, $v_i$ denotes a sensor node and an edge $e_{ij}$ indicates a communication link between the two given sensors $v_i$ and $v_j$. We assume that outliers have abilities similar to normal nodes in terms of energy capacity and computation capability. Given $\forall v_i, v_j \in V$ ($i \neq j$), if $\exists e_{ij} \in E$, we call $v_j$ a direct neighbour node (one-hop node) of $v_i$. Let $N(v_i)$ represent the set of all of $v_i$'s direct neighbour nodes.

Each sensor $x$ has a unique id $ID_x$ and can send/receive messages to/from $N(ID_x)$. Let $C_i$ and $CH_i$ represent a cluster and a cluster head, respectively, where $V = C_1 \cup C_2 \cup \dots \cup C_n$ and $C_i \cap C_j = \emptyset$. All nodes in a cluster are reachable by the cluster head through either direct communication or multi-hop relaying, which only uses short distance radio for transmission [2]. In each cluster, the selection of the cluster head is randomised among all nodes in the cluster to avoid draining of the energy. Since wireless communications use a broadcast transmission medium, we assume that an adversary can eavesdrop on all traffic, inject packets and replay obsolete messages. If a node is compromised by the adversary, all the information that it holds becomes known to the attacker.

4.2 Security foundation

4.2.1 Establishing pair-wise key: For WSN security, it is very important to establish a secure communication infrastructure. In our solution, the security foundation is that each sensor node $x$ can establish pair-wise keys with $N(ID_x)$, which is also used as the security foundation for the research work in [30–33]. We assume there exists a lower bound on the time interval $T_{min}$ that is necessary for an adversary to compromise a sensor node, and the time interval $T_{est}$ for a newly deployed sensor node to discover its immediate neighbours is smaller than $T_{min}$ ($T_{min} > T_{est}$), especially in the initial phase of deployment.

Figure 1 Considered WSN

Definition 1: One-way cryptographic hash function $f_K(x)$: $f_K(x)$ is a one-way cryptographic hash function, which utilises node $x$'s identification $ID_x$ and the previous key $K$ as parameters to generate a new key via a deterministic procedure, which can take an arbitrary block of data and returns a fixed-size bit string.

The BS generates an initial key $K_I$ and loads each node with this key in time interval $T_{est}$. As shown in Fig. 2, when sensor nodes are deployed in the WSN, each node $u$ can use $K_I$ and hash function $f$ to generate its master key $K_u = f_{K_I}(ID_u)$. Once they have obtained their master keys, nodes erase $K_I$. Note that this processing is finished within $T_{est}$, so the adversary cannot eavesdrop on the network and obtain $K_I$. After $T_{est}$, although the adversary could compromise a node, it obtains only the key material of the compromised node, but not $K_I$ or information about other nodes. Afterwards, node $u$ broadcasts an advertisement message ($ID_u$, $Nonce_u$) containing a nonce $Nonce_u$, and waits for $v$ ($v \in N(u)$) to respond with $ID_v$.

Definition 2: $MAC(key, msg)$ is a cryptographic message authentication code (MAC) of message $msg$ which uses a symmetric key '$key$'. A MAC algorithm accepts a secret key and an arbitrary-length message to be authenticated as input, and outputs a MAC.

Once node $v$ accepts the advertisement message, it responds to node $u$ with ($ID_v$, $MAC(K_v, ID_v|Nonce_u)$) as follows.

$u \to N(u)$: $ID_u$, $Nonce_u$

$v \to u$: $ID_v$, $MAC(K_v, ID_v|Nonce_u)$

At the same time, $v$ can also generate the master key $K_v = f_{K_I}(ID_v)$. Node $u$ computes its pair-wise key with $v$, $K_{uv}$, as $K_{uv} = f_{K_v}(ID_u)$; likewise, for node $v$, $K_{vu} = f_{K_u}(ID_v)$.

Figure 2 Security foundation based on random key pre-distribution

Thus, each node can use its neighbour nodes' IDs and pair-wise keys to decrypt the messages encrypted by its neighbours, which means that every node can be authenticated by its immediate node.

4.2.2 Establishing cluster key: The cluster key establishes a secure link between member nodes and the cluster head. Similar to pair-wise keys, the cluster key is generated based on the master key and pair-wise key. Member node $u$ and its cluster head $CH$ can generate an initial cluster key $K_u^{CH} = f_{K_u}(CH)$. Using $K_u^{CH}$, $u$ encrypts and sends messages to the cluster head via a secure channel. Then the cluster head can decrypt them. However, some exceptional events will trigger the rekey mechanism (described as follows). The security foundation provides an initial secure environment for the network and will be utilised by other mechanisms.
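The key establishment of Sections 4.2.1 and 4.2.2, written out as an added example (not code from the paper): master key derivation, the advertisement and MAC reply, the pair-wise key and the initial cluster key. Assumptions: $f$ and $MAC$ are both instantiated with HMAC-SHA256, node $u$ rebuilds $K_v$ from $K_I$ before erasing it, and the `Node` class, node IDs and keys are constructed for illustration.

```python
import hashlib
import hmac
import os


def f(key: bytes, data: bytes) -> bytes:
    """f_K(x) of Definition 1. Assumption: instantiated as HMAC-SHA256."""
    return hmac.new(key, b"kdf|" + data, hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    """MAC(key, msg) of Definition 2. Assumption: HMAC-SHA256, separate label."""
    return hmac.new(key, b"mac|" + msg, hashlib.sha256).digest()


class Node:
    """Hypothetical sensor node; IDs are fixed-length byte strings (constructed)."""

    def __init__(self, node_id: bytes, initial_key: bytes):
        self.node_id = node_id
        self._k_i = initial_key                 # K_I, held only during T_est
        self.master = f(initial_key, node_id)   # K_u = f_{K_I}(ID_u)
        self.pairwise = {}                      # neighbour ID -> pair-wise key
        self._nonce = None

    def advertise(self):
        """u -> N(u): ID_u, Nonce_u (a fresh nonce per advertisement)."""
        self._nonce = os.urandom(8)
        return self.node_id, self._nonce

    def respond(self, adv_id: bytes, nonce: bytes):
        """v -> u: ID_v, MAC(K_v, ID_v | Nonce_u). v keeps K_uv = f_{K_v}(ID_u)."""
        self.pairwise[adv_id] = f(self.master, adv_id)
        return self.node_id, mac(self.master, self.node_id + nonce)

    def accept(self, resp_id: bytes, tag: bytes) -> bool:
        """u checks v's reply. Assumption: u rebuilds K_v from K_I, so this
        only works before K_I is erased (inside T_est)."""
        if self._k_i is None or self._nonce is None:
            return False
        k_v = f(self._k_i, resp_id)
        expected = mac(k_v, resp_id + self._nonce)
        if not hmac.compare_digest(expected, tag):
            return False
        self.pairwise[resp_id] = f(k_v, self.node_id)   # K_uv = f_{K_v}(ID_u)
        return True

    def erase_initial_key(self):
        """After neighbour discovery a captured node no longer yields K_I."""
        self._k_i = None

    def cluster_key(self, ch_id: bytes) -> bytes:
        """Initial cluster key K_u^CH = f_{K_u}(CH)."""
        return f(self.master, ch_id)


def run_handshake(k_i: bytes):
    """Run one advertisement/reply exchange and three checks a defender cares about."""
    u, v = Node(b"u001", k_i), Node(b"v002", k_i)
    _, nonce = u.advertise()
    resp_id, tag = v.respond(u.node_id, nonce)
    genuine = u.accept(resp_id, tag)
    # A responder that never held K_I has no valid master key for its claimed ID.
    rogue_tag = mac(os.urandom(32), b"x999" + nonce)
    rogue = u.accept(b"x999", rogue_tag)
    # A recorded reply is useless against a later advertisement (new nonce).
    u.advertise()
    replayed = u.accept(resp_id, tag)
    # Once K_I is erased, no further neighbour can be admitted this way.
    u.erase_initial_key()
    v.erase_initial_key()
    late = u.accept(resp_id, tag)
    same_key = u.pairwise[b"v002"] == v.pairwise[b"u001"]
    return genuine, rogue, replayed, late, same_key


if __name__ == "__main__":
    print(run_handshake(os.urandom(32)))   # constructed K_I for the demo
```
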

5 Problem formulation

We assume there are $m$ clusters, $C_1, C_2, \dots, C_m$, in a WSN. Suppose $\forall v_j \in C_i$ ($1 \le j \le |C_i|$), let $d_j$ represent the message from $v_j$ and $f_j$ represent the message sending frequency of $v_j$. We now formally define the outlier problem addressed in this paper. As mentioned earlier, an outlier represents a node whose observation is behaviourally distant from the rest of the nodes in either the content of messages or the number of messages in the WSN. We define two types of outliers as follows:

Definition 3: Given the frequency list $f_1, f_2, \dots, f_n$ ($n > 0$), let $\bar{f} = \frac{1}{n}\sum_{i=1}^{n} f_i$ and $F(f) = |f - \bar{f}|$. A node is called an $F(t)$ outlier if $F(f) > t$, where $t$ is a threshold which defines the deviation toleration of frequency.

Definition 4: Suppose the data list is $d_1, d_2, \dots, d_k, \dots$. Let $G_k(d) = |d_k - d|$ represent the distance between data $d$ and its $k$th nearest neighbour (k-NN) [34]. A node is called a $G(d, th)$ outlier if $\forall k$ ($1 \le k \le m$), $G_k(d) > th$, where $th$ is a threshold that represents the deviation between two messages.

In defiance of the cryptological protection, outliers try to launch attacks by tampering with packets or sending an abnormal amount of packets, which disseminates untruthful messages or causes abnormal traffic. Owing to the resource-constrained sensors and the loose infrastructure of the network, detection of outliers is not trivial. We establish a hierarchical architecture for the WSN, which can collect and analyse messages at cluster heads. Based on this architecture and the detection of outliers, we propose corresponding algorithms for detection of outliers with parameters $t$ and $th$ for Definitions 3 and 4, respectively. Considering the variety of applications in WSNs, we adopt a heuristic method to generate these parameters.

6 ODCS scheme

In this section, we introduce the strategy to detect outliers and provide the corresponding countermeasures. The proposed ODCS scheme consists of four mechanisms: AEOM, EMSM, ABSM and countermeasures. Fig. 3 shows the architecture of ODCS. When a new message arrives at the cluster head, AEOM will authenticate it. Afterwards, AEOM uses a trigger mechanism that can discover abnormal events and trigger the relevant mechanisms. Once AEOM has detected an abnormal event, it will trigger EMSM or ABSM. EMSM and ABSM are responsible for abnormal behaviour and exceptional message, respectively. Once EMSM and ABSM have confirmed the event, the countermeasure mechanism supports some efficient solutions. In Fig. 3, $M$, $T$ and $w(ID_x)$ are assistant data sources and are described later.

6.1 Abnormal event observation mechanism

For perceiving abnormal events and invoking the corresponding mechanisms, we design AEOM, which is sensitive to abnormal events. An adversary can attack the network by launching an abnormal event, such as sending excessive messages to cause a DoS attack, hello flood attack, and so on, or dropping normal messages to achieve a sink-hole attack, selective forwarding attack, and so on. AEOM monitors the nodes' actions in the cluster and discovers the outlier that behaves abnormally.

Figure 3 Framework of ODCS

Considering the limited storage of a sensor, we design a storage architecture, a ring named $M$ as shown in Fig. 4, to store the latest history messages as the data frame of reference. Here history messages indicate those representative and recently accepted messages.

$M$ stores records circularly, which is convenient to implement. Let $M = \{m_i \mid m_1, m_2, \dots, m_{|M|}\}$, which is a dynamic set and can be flushed by new messages. Here $m_i$, a tuple with the format $\langle msg, freq, tstamp\rangle$, is the property of a message type; $msg$ denotes the content of the representative message; for example, if there are five types of messages, $M$ would store five representative messages ($M = \{m_1, m_2, \dots, m_5\}$); $freq$ indicates the frequency of $m_i$ ($1 \le i \le |M|$), which indicates how many types of messages have been sent; and $tstamp$ is the timestamp of the most recently sent message. $P_{rear}$ denotes the point that traverses the ring along a one-way direction, for example, the counter-clockwise direction.

6.1.1 Outlier detection for $G(d, th)$: When a new message $m_{new}$ coming from a cluster member arrives at the cluster head, it can be authenticated by a similarity function with $M$. According to Definition 4 and [5], we have a set as follows

$$G(m_{new}) = \{G_i(m_{new}) \mid G_1(m_{new}), G_2(m_{new}), \dots, G_{|M|}(m_{new})\} = \{|m_i - m_{new}| \mid |m_1 - m_{new}|, |m_2 - m_{new}|, \dots, |m_{|M|} - m_{new}|\} \quad (1)$$

In (1), $G_i(m_{new})$ denotes the divergence between the new message and normal messages [35], for example, the difference between the detected temperature and the average temperature. According to (1), this distance measurement is appropriate in cases where messages are defined as 'different' if they differ from others in content. Suppose we have a certain threshold $th$. Given $\forall i$ ($1 \le i \le |M|$), $m_{new}$ should be an exceptional message, that is, a fake or new message, if $G_i(m_{new}) > th$. For further authentication, we need to invoke EMSM to distinguish the message correctly. Otherwise, if $G_i(m_{new}) \le th$, it indicates $m_{new} \in M$. The cluster head just updates the relative information in $M$.

6.1.2 Outlier detection for $F(t)$: Outliers launch attacks with an abnormal transmission frequency, for example, too high or too low. To detect this type of attack, we can use the k-means algorithm. In Euclidean space, the mean of transmission in a cluster can be computed by (2) as follows

$$t = \frac{1}{|M|}\sum_{m_i \in M} m_i^{freq} \quad (2)$$

Here $t$ denotes the mean of the history message frequency. Given a cluster $C_k$, $v_i \in C_k$, the threshold, the differentia between a node message and the cluster mean (centroid) in frequency, can be computed by (3) as follows

$$diff(C_k, t) = \sqrt{\sum_{i=1}^{|C_k|} (w_{v_i} - t)^2} \quad (3)$$

Figure 4 Ring-architecture storage list

Here $w_{v_i}$ denotes the frequency of one type of message from node $ID_i$. In other words, it indicates how many messages node $v_i$ has sent, and it differs from $freq$, which denotes the frequency of one type of message for a cluster. If $diff(C_k, t)$ is greater than the threshold value, it means that the node has sent too many or too few messages and is considered as an outlier candidate. The cluster head then invokes the ABSM mechanism to identify it further. AEOM is shown in Fig. 5.
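A sketch of the two AEOM checks of Sections 6.1.1 and 6.1.2, added here as an example and not the paper's own pseudo-code: a fixed-size ring $M$ of $\langle msg, freq, tstamp\rangle$ records, the deviation set (1) tested against $th$, and the frequency test of Definition 3 together with the root-sum-square of (3). Assumptions: readings are scalars, the centroid is the mean of the per-node message counts, and the class names, thresholds and traffic are constructed.

```python
import math
from collections import deque
from dataclasses import dataclass

NODES = ["n1", "n2", "n3", "n4", "n5"]   # constructed cluster members


@dataclass
class Record:
    msg: float      # representative content of one message type (e.g. temperature)
    freq: int       # how many accepted messages matched this type
    tstamp: float   # time of the most recent matching message


class AEOM:
    """Hypothetical cluster-head monitor; names and thresholds are assumptions."""

    def __init__(self, ring_size: int, th: float, t: float):
        self.M = deque(maxlen=ring_size)   # ring M: when full, the oldest record is overwritten
        self.th = th                       # content threshold th (Definition 4)
        self.t = t                         # frequency threshold t (Definition 3)
        self.w = {}                        # w_{v_i}: messages received per member node

    def admit(self, msg: float, now: float):
        """Store a message type that was confirmed as genuine (EMSM's verdict)."""
        self.M.append(Record(msg, 1, now))

    def deviations(self, m_new: float):
        """Set (1): G_i(m_new) = |m_i - m_new| for every record in M."""
        return [abs(r.msg - m_new) for r in self.M]

    def observe(self, node_id: str, m_new: float, now: float) -> str:
        """Classify one arriving message and update the bookkeeping."""
        self.w[node_id] = self.w.get(node_id, 0) + 1
        g = self.deviations(m_new)
        if not g or min(g) > self.th:      # G_i(m_new) > th for every i
            return "exceptional"           # to be examined by EMSM
        rec = self.M[g.index(min(g))]      # m_new belongs to a known type
        rec.freq += 1
        rec.tstamp = now
        return "known"

    def centroid(self) -> float:
        """Mean of the per-node counts (f-bar of Definition 3)."""
        return sum(self.w.values()) / len(self.w)

    def diff(self) -> float:
        """Equation (3): root of the summed squared deviations from the centroid."""
        c = self.centroid()
        return math.sqrt(sum((w - c) ** 2 for w in self.w.values()))

    def frequency_candidates(self):
        """Definition 3: nodes with |f - f-bar| > t, to be examined by ABSM."""
        c = self.centroid()
        return sorted(n for n, w in self.w.items() if abs(w - c) > self.t)


def run_demo():
    aeom = AEOM(ring_size=4, th=1.5, t=15)
    aeom.admit(21.0, now=0.0)                       # constructed baseline reading
    # Constructed traffic: ten rounds of normal readings between 21.0 and 21.4.
    traffic = [(r, n, 21.0 + 0.1 * i) for r in range(1, 11) for i, n in enumerate(NODES)]
    traffic.append((11, "n3", 85.0))                # one tampered reading
    traffic += [(12 + 0.01 * k, "n5", 21.2) for k in range(50)]   # message flood
    exceptional = [(n, m) for ts, n, m in traffic
                   if aeom.observe(n, m, ts) == "exceptional"]
    return exceptional, aeom.frequency_candidates(), aeom.diff()


if __name__ == "__main__":
    print(run_demo())
```

A single heavy sender pulls the mean towards itself, so honest nodes in the constructed traffic already sit about 10 messages from the centroid; $t$ has to be chosen with that shift in mind.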

6.2 Exceptional message supervision mechanism

Having detected the exceptional message, AEOM invokes the EMSM to further identify whether the messages are fake or not. The EMSM mechanism is responsible for distinguishing false or fake messages to identify outliers. Based on the fact that nodes in WSNs are often in spatiotemporal correlation [8], EMSM can utilise this characteristic to classify messages and distinguish suspicious messages.

Figure 5 Pseudo-code of AEOM

Considering the constrained resources, we design a temporal buffer named T for accumulating several coming messages as the frame of reference. Let $T = \{(t_i, w_i) \mid (t_1, w_1), (t_2, w_2), \ldots, (t_{|T|}, w_{|T|})\}$. Here, $t_i$ indicates a fresh message and $w_i$ is the frequency of $t_i$. According to the cosine similarity [36], we can compute the similarity between $m_{new}$ and $t_i$, and then identify the attribute of $m_{new}$. The cosine similarity can effectively differentiate $m_{new}$ and $t_i$ according to the spatiotemporal correlation at a fine granularity

$$\mathrm{cosine}(m_{new}^{freq}, T) = \frac{\langle m_{new} \cdot T \rangle}{\|m_{new}\| \times \|T\|} = \frac{\sum_{i=1}^{|T|} m_{new}^{freq} \times w_i}{\sqrt{\sum_{i=1}^{|T|} (m_{new}^{freq})^2} \times \sqrt{\sum_{i=1}^{|T|} w_i^2}} \qquad (4)$$

If similar messages come from different nodes, $m_{new}$ will be considered as a new type message and added to M; otherwise, it will be considered as a fake message and the node will be marked as an outlier. At the same time, the cluster head will inform its members and the BS. The process is shown in Fig. 6.
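The EMSM decision described above, as an added example that is not the authors' code: the cluster head keeps the temporal buffer T and accepts an exceptional message as a new type only when enough other nodes reported something similar. Representing each message as a numeric vector of readings, the similarity threshold, the witness count and the sample reports are assumptions made for the illustration.

```python
import math
from collections import deque


def cosine(a, b):
    """Cosine similarity of two equal-length numeric vectors, as in (4)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0   # an all-zero vector matches nothing


class EMSM:
    """Cluster-head side check of exceptional messages (hypothetical class)."""

    def __init__(self, buffer_size=8, sim_threshold=0.99, min_witnesses=2):
        self.buffer = deque(maxlen=buffer_size)  # temporal buffer T
        self.sim_threshold = sim_threshold       # assumed threshold
        self.min_witnesses = min_witnesses       # assumed witness count
        self.new_types = []                      # messages to be added to M
        self.outliers = set()                    # nodes marked as outliers

    def observe(self, src, vec):
        """Store a recent exceptional message in T without judging it."""
        self.buffer.append((src, tuple(vec)))

    def witnesses(self, src, vec):
        """Other nodes whose buffered message is similar to vec.
        A node never counts as a witness for its own message."""
        return {s for s, v in self.buffer
                if s != src and cosine(vec, v) >= self.sim_threshold}

    def classify(self, src, vec):
        """Return ('new_type' | 'fake', witnesses) and update the state."""
        seen = self.witnesses(src, vec)
        if len(seen) >= self.min_witnesses:
            self.new_types.append(tuple(vec))
            verdict = "new_type"
        else:
            self.outliers.add(src)
            verdict = "fake"
        self.observe(src, vec)
        return verdict, seen


def demo():
    """Constructed reports: (temperature in °C, relative humidity in %)."""
    emsm = EMSM()
    emsm.observe(3, (47, 22))   # nodes 3 and 5 both see a hot, dry event
    emsm.observe(5, (49, 19))
    emsm.observe(8, (5, 95))    # node 8 reported something nobody else saw
    verdicts = [
        emsm.classify(4, (48, 20)),   # corroborated by nodes 3 and 5
        emsm.classify(9, (90, 90)),   # no similar report in T
        emsm.classify(8, (5, 95)),    # only node 8's own earlier report matches
    ]
    return verdicts, emsm


if __name__ == "__main__":
    results, state = demo()
    for verdict, seen in results:
        print(verdict, sorted(seen))
    print("outliers:", sorted(state.outliers))
```

Cosine similarity ignores magnitude, so a report scaled proportionally still counts as similar; the distance check of (1) covers that case.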

6.3 Abnormal behaviour supervision mechanism

According to the discussion, the outliers often behave abnormally, such as (i) tampering messages from other members; (ii) dropping the messages that need to be forwarded to cluster head or other members, such as sink-hole attack and selective forwarding attack; (iii) broadcasting redundant messages to waste energy and cause communication traffics, for example, DoS attack and (iv) eavesdropping messages and leaking them to adversary. ABSM focuses on detecting these types of attacks.

Subsequently, for authenticating an outlier candidate, we propose a one-hop neighbour authentication mechanism. According to Definition 1, each node $ID_x$, which keeps its $N(ID_x)$, can obtain $w_{ID_i}$ that indicates the frequency of node $ID_j \in N(ID_x)$ and store them in a queue. Let $w(ID_x) = \{(ID_j, w_{ID_j}) \mid (ID_1, w_{ID_1}), (ID_2, w_{ID_2}), \ldots, (ID_m, w_{ID_m})\}$; here $w$ denotes a queue of the outlier candidate $ID_x$'s neighbour nodes and $m$ is the number of $ID_x$'s neighbour nodes. According to z-score theory [37], the z-score method transforms an attribute value based on the mean and the standard deviation of the attribute. That is, the z-score of the value indicates how far and in which direction the value deviates from the mean value of the attribute, expressed in units of the standard deviation of the attribute. Therefore we can provide correct judgment based on the z-score method as follows

$$\mu_{ID_x} = \frac{1}{m} \sum_{j=1}^{m} w_{ID_j} \qquad (5)$$

$$\sigma_{ID_x} = \sqrt{\frac{1}{m-1} \sum_{j=1}^{m} (w_{ID_j} - \mu_{ID_x})^2} \qquad (6)$$

$$w_{ID_x} = \left| \frac{w_{ID_x} - \mu_{ID_x}}{\sigma_{ID_x}} \right| \qquad (7)$$

where $\mu_{ID_x}$ and $\sigma_{ID_x}$ denote the mean and standard deviation of the neighbours of $ID_x$, respectively, and $w_{ID_x}$ represents the distance between the outlier and the population mean of $w(ID_x)$ in units of the standard deviation. If $w(ID_x)$ is negative, that is, when $w_{ID_x}$ is below the mean, the node will be reported to the cluster head as a real outlier. Otherwise, the neighbours suggest that the cluster head cancel the identification of the outlier candidate.
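The two frequency checks, chained as an added example that is not the authors' code: AEOM flags members whose message count deviates from the cluster mean of (2), and the candidate's one-hop neighbours then confirm or cancel with the z-score of (5)–(7). The node IDs, counts, neighbour lists and both thresholds are constructed; reading (3) per node and thresholding |z| are assumptions.

```python
import math
from statistics import mean, stdev

# Constructed sample: messages sent per node in one observation window.
# Nodes 1-6 are quiet, 7-9 sit next to a real event, 10 floods, 11 drops.
FREQS = {1: 20, 2: 21, 3: 19, 4: 20, 5: 22, 6: 18,
         7: 52, 8: 50, 9: 48, 10: 90, 11: 2}

# Constructed one-hop neighbour lists N(ID_x) of the nodes AEOM may flag.
NEIGHBOURS = {7: [8, 9, 6], 8: [7, 9, 5], 10: [1, 2, 3, 4], 11: [4, 5, 6]}


def cluster_mean(freqs):
    """Equation (2): mean transmission frequency t of the cluster."""
    return sum(freqs.values()) / len(freqs)


def cluster_diff(freqs):
    """Equation (3): root of the summed squared deviations from t."""
    t = cluster_mean(freqs)
    return math.sqrt(sum((w - t) ** 2 for w in freqs.values()))


def aeom_candidates(freqs, node_threshold):
    """Nodes whose own deviation |w_vi - t| exceeds the threshold
    (a per-node reading of (3), which is an assumption)."""
    t = cluster_mean(freqs)
    return sorted(n for n, w in freqs.items() if abs(w - t) > node_threshold)


def absm_zscore(candidate, freqs, neighbours):
    """Equations (5)-(7) without the absolute value, so the sign tells
    whether the candidate sends more (+) or fewer (-) messages than its
    neighbours. Returns None when fewer than two neighbours are known."""
    ws = [freqs[n] for n in neighbours.get(candidate, [])]
    if len(ws) < 2:
        return None                      # (6) divides by m - 1
    mu, sigma = mean(ws), stdev(ws)      # stdev() uses m - 1, as in (6)
    diff = freqs[candidate] - mu
    if sigma == 0:                       # all neighbours identical
        return 0.0 if diff == 0 else math.copysign(math.inf, diff)
    return diff / sigma


def absm_confirm(candidates, freqs, neighbours, z_threshold):
    """Candidates the one-hop neighbours report as real outliers."""
    confirmed = []
    for node in candidates:
        z = absm_zscore(node, freqs, neighbours)
        if z is not None and abs(z) > z_threshold:
            confirmed.append(node)
    return confirmed


if __name__ == "__main__":
    cands = aeom_candidates(FREQS, 16.0)
    print("AEOM candidates:", cands)
    for node in cands:
        print(node, round(absm_zscore(node, FREQS, NEIGHBOURS), 2))
    print("confirmed:", absm_confirm(cands, FREQS, NEIGHBOURS, 3.0))
```

Nodes 7 and 8 are flagged by the cluster-wide mean but cancelled by their neighbours, who see the same event. A neighbour list that itself contains an attacker inflates the standard deviation and can mask the candidate.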

Furthermore, if $w_{ID_i}$ is high enough for collection, it means that the cluster head has gotten sufficient messages and then informs its members to pause or delay transmission. In this situation, if a member node still transfers messages out of control, it should be considered as an outlier. For attack (iv), the main task of eavesdropping is to forward messages to the adversary's receivers, which means the target ID is different from that of other nodes, especially its neighbours. For each node, its neighbour nodes in the same cluster have the ability to authenticate the node's messages. Once the neighbour nodes parse the message and find that its target ID is different from theirs, the neighbour nodes will report the candidate outlier ID to the cluster head.

Figure 6 Pseudo-code of EMSM

Figure 7 To defend DoS attack
a Outlier launches DoS attack
b Reject outlier and establish new path

6.4 Countermeasures

Since the inside attacks are not detectable and many of them attack the network without decryption of messages [3], it is insufficient to defend against the outlier only by cryptography-based techniques. Having detected the outliers, the cluster head informs its members to refuse service to them and filter their messages simultaneously. In this subsection, we present a series of mechanisms for defending against diversified outlier attacks.

6.4.1 Defend against the tampering attack and deviant frequency attack: For the tampering attack and deviant frequency attack, for example, DoS and sink-hole, we adopt a rejection rule. First, identified by the above approaches and authenticated by the cluster head, the outlier's ID will be announced in the cluster. Then the normal nodes will deliver messages via a new route and evade the outlier as well as refuse its messages, as shown in Fig. 7. In Fig. 8, to defend against the sink-hole attack, the nodes in the set of $w(ID_{outlier})$ would exchange the old route information for establishing the new path. We design a reroute approach to prevent the attack.

Let $ID_i, ID_j \in w(ID_{outlier})$, then $ID_i$, $ID_j$, $N(ID_i)$ and $N(ID_j)$ know the outlier $ID_{outlier}$. There were two ideal paths originally

$$P_1: ID_i \rightarrow ID_{outlier} \rightarrow \cdots \rightarrow CH$$

$$P_2: ID_j \rightarrow \cdots \rightarrow CH$$

As shown in Fig. 8, to avoid the outlier, $ID_i$ in $P_1$ will rejoin the new path $P_2$ as $ID_i \rightarrow ID_j \rightarrow \cdots \rightarrow CH$.

Figure 8 To defend sink-hole attack
a Outlier launches Sinkhole attack
b Bypass outlier and establish new path

Considering that the relationships among neighbours and cluster members are typically hierarchical, we choose the breadth-first traversal (BFT) algorithm to establish the new route. Since communication in a WSN has a broadcasting characteristic and the cluster has very limited member nodes, BFT is very easily deployed. First, node $ID_i$ sends a reroute message to $N(ID_i)$; each node in $N(ID_i)$ replies to the message with its path information (e.g. the strong path of the node). $ID_i$ chooses the most suitable node as the next-hop node (e.g. the nearest node). We repeat this process until a new route to the cluster head is established. The process for finding the next-hop node is shown in Fig. 9.
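The rerouting step as an added example, not the authors' code and not the pseudo-code of Fig. 9: a breadth-first traversal from $ID_i$ to the cluster head that never enters an announced outlier, together with the rejection rule. It computes the route in one place instead of through the reroute message exchange; the topology and node IDs are constructed.

```python
from collections import deque

# Constructed cluster topology (one-hop links); "CH" is the cluster head.
LINKS = [(1, 3), (3, "CH"), (1, 2), (2, 4), (4, "CH"), (1, 5), (5, 6), (3, 7)]


def build_neighbours(links):
    """N(ID) for every node, built from an undirected link list."""
    table = {}
    for a, b in links:
        table.setdefault(a, []).append(b)
        table.setdefault(b, []).append(a)
    return table


def reroute(neighbours, src, cluster_head, outliers):
    """Breadth-first traversal from src to the cluster head that skips
    every announced outlier. Returns the hop list, or None when src is
    itself an outlier or is cut off from the cluster head."""
    if src in outliers or cluster_head in outliers:
        return None
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == cluster_head:
            path = []
            while node is not None:      # walk the parents back to src
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in neighbours.get(node, ()):
            if nxt not in outliers and nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def accept(message_src, outliers):
    """Rejection rule: refuse messages from an announced outlier."""
    return message_src not in outliers


if __name__ == "__main__":
    table = build_neighbours(LINKS)
    print("P1 before detection:", reroute(table, 1, "CH", set()))
    print("new path, outlier 3:", reroute(table, 1, "CH", {3}))
    print("node 7, outlier 3  :", reroute(table, 7, "CH", {3}))
```

Node 7 shows the failure case: its only neighbour is the outlier, so no route exists and the cluster head has to be told that the node is cut off.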

6.4.2 Defend against the provocateur attack: To defend against the provocateur attack, we present a rekey mechanism that can support dynamic keys to protect the network and filter the outliers [38]. Once the cluster head detects an outlier, it will inform all member nodes to rekey. Then the newly generated cluster key replaces the obsolete one.

For rekeying normal nodes as well as filtering the outlier, CH sends a control message ctl to inform its members to rekey as follows

$$CH \rightarrow S_i:\ ID_{outlier};\ ctl;\ MAC(K_{new}, K_{CHS_j} \mid Nonce_{CH})$$

$$S_i \rightarrow CH:\ ID_{S_i};\ ID_{CH};\ MAC(K_{S_i}, ID_{S_i})$$

The control message includes the ID of the outlier. In order to avoid the outlier, we design a new function C(.) as follows

$$C(ID_x) = \prod_{i=1}^{m} (ID_x - ID_i) \qquad (8)$$

$ID_{outlier}$ cannot recover the new key because $C(ID_{outlier}) = 0$, and it does not have the ability to decrypt ctl and cannot rekey. Thus, the network becomes secure by eliminating the outliers and retains the normal nodes. In addition, the rekey happens locally within a cluster, which improves the energy efficiency.

Figure 9 Pseudo-code for finding next-hop node

7 Security analysis

Compared with the previous works, we focus on outlier detection and present corresponding countermeasures to defend against the exceptional message attack and the abnormal behaviour attack. First, we establish a secure environment by a random key pre-distribution, which lets nodes secure the link among immediate neighbours as well as supports the friendly relations among them in the initial phase. Every node shares pair-wise keys with its direct neighbours and also establishes the relationship among nodes. The pair-wise keys are used for securing communications that require privacy or source authentication. For example, a node can use its pair-wise key to secure the transmission of its sensor readings to an aggregation node. Note that the use of pair-wise keys precludes passive participation.

Secondly, in ODCS, EMSM uses a similarity approach as well as spatiotemporal correlation to prevent tampered messages or fake messages from malicious nodes. Based on the k-NN distance and the cosine similarity formula, EMSM can efficiently detect the outlier through the bogus messages it distinguishes. By adjusting the threshold value, EMSM can distinguish the messages at different granularities. By comparing with the history messages and the current messages, respectively, EMSM can avoid new messages being considered as exceptional messages, which improves the reliability. The EMSM effectively defends against the tampering message attack.

Finally, ABSM focuses on detecting the abnormal behaviour of a node. Essentially, abnormal behaviours often cause unconventional traffic in a WSN by dropping or bursting messages or forwarding messages to discrediting targets. By computing the deviant frequency, ABSM can locate the outlier and invoke the rekey mechanism. For rekeying the cluster, ABSM sends the control messages with a filter function that can bypass the indicated sensors. ABSM can defend against the hello flood attack, the sink-hole attack, the provocateur attack, and so on. Table 1 compares the performances of LEACH, IADS and ODCS in immunity.

Table 1 Analysis on immunity

| Attack types | LEACH | IADS | ODCS |
|---|---|---|---|
| selective-forwarding | × | × | √ |
| sink-hole attack | × | √ | √ |
| sybil attack | × | √ | √ |
| worm-hole | × | √ | √ |
| hello flood | √ | √ | √ |
| provocateur attack | × | × | √ |


8 Simulation

In this section, we evaluate the performance of the supervision mechanisms. According to the requirements of LEACH, we designed a sensor network simulation incorporating a hierarchical sensor network as the foundational environment by using C++ and MATLAB. We simulate a temperature monitoring system. In our simulation, we establish a 100 m × 100 m network; 100 nodes are set to detect the temperature in the region from 8:00 AM to 4:00 PM. Detailed parameters of the simulations are shown in Table 2 [5].

In Table 2, $E_{elec}$ is for running the transmitter or receiver circuitry; $\varepsilon_{amp}$ is for the transmit amplifier. We assume that the outliers are distributed uniformly in the network. The outliers' misbehaviours are mainly expressed by tampering messages.

Table 2 Simulation parameters

| Parameters | Values |
|---|---|
| region area | (0, 0) to (100, 100) |
| quantity of sensor | 100 |
| base station | (75, 120) |
| initial energy | 2 J |
| cluster radius | 40 m |
| packet size | 500 bytes |
| $E_{elec}$ | 50 nJ/bit |
| $\varepsilon_{fs}$ | 10 pJ/bit/m² |
| $\varepsilon_{amp}$ | 0.0013 pJ/bit/m⁴ |
| $E_{DA}$ | 5 nJ/bit/signal |

Figure 10 Mixed-data model


First, we establish and observe the attack model. We assume that outliers are so intelligent that they can send bogus messages mixed with normal messages. Fig. 10 shows a mixed-data model where outliers send about 80% fake messages (higher or lower than the normal value). With the increase of the amount of outliers, the data-lines deviate increasingly from the normal curve. If outliers exceed 15%, the deviation is almost 0.5 °C, which indicates that the outliers seriously impact the results.

Furthermore, we employ ODCS and IADS on the attack model to evaluate them. Figs. 11 and 12 show the results of ODCS against IADS under attacks of different degrees. Although the two mechanisms have similar functions, the results show that ODCS has higher performance. In Fig. 11, there are ten outliers in the network. Both ODCS and IADS can effectively detect and avoid the outliers. In Fig. 11, the ODCS curve is closer to the normal curve than the IADS curve, which indicates that ODCS has higher precision than IADS. Meanwhile, the ODCS curve almost coincides with the normal curve after 13 o'clock, whereas the IADS curve does so after 15 o'clock, which indicates that our solution has higher performance than IADS, that is, ODCS can distinguish outliers faster. The delay is mainly because the authentication of IADS needs more multi-hop (e.g. two-hop) nodes to attend; in contrast, in ODCS, CH and one-hop nodes can collaborate on the same work. A comparison of Figs. 11 and 12 also indicates that both algorithms take more time to detect the outliers if there are more outliers, for example, 25 outliers.

Figure 11 ODCS against IADS (with ten outliers)

Figure 12 ODCS against IADS (with 25 outliers)

Fig. 13 shows that our approach can efficiently detect the inside attackers. When the outliers are below 30% in the network, the amount of detected outliers is almost 95% by ODCS and 90% by IADS. Typically, ODCS limits the communication range to the one-hop locality, but IADS generally employs multi-hop (e.g. two-hop) sensors, which sometimes entangles more different events simultaneously and leads to erroneous judgment.

Figure 13 Results of detection

Figure 14 To detect outliers by abnormal behaviours of ABSM

In Fig. 14, the error detection of ODCS is about 5%, and there are two main reasons for the error rate. First, when nodes are faulty or are interfered with by outside disturbance, the detection will be affected. In this situation, some sensors will emit interfered messages, which easily cause erroneous judgment; sometimes the quantity of detections is more than the quantity of actual outliers. Secondly, if there are more than two outliers in a cluster and they send fake messages at the same time, the supervision work becomes more difficult. In that situation, the spatiotemporal correlation cannot work well, especially when the outliers send similar messages. However, if the outliers are not neighbours or send different messages, we can distinguish them well by using the supervision mechanism.

For studying the performance further, we can adjust the distance parameter as the threshold in both EMSM and ABSM, as shown in Figs. 14 and 15. According to Definition 3 and ABSM, we adjust t as the parameter to detect outliers. When t is small, such as t = 1, the strict condition makes the cluster head mistakenly catch some nodes whose messages differ a little because of outside influence, which increases the number of wrong outliers. On the contrary, if t is very big, ABSM cannot obtain detailed information about outliers, and some outliers will be ignored under the loose conditions. Therefore we can choose a suitable parameter according to a statistical method. In Fig. 15, EMSM is similar to ABSM. However, it is more difficult to provide a semantic criterion for the judgment of exceptional messages.

Figure 15 To detect outliers by exceptional message of EMSM

9 Conclusion and future works

In this paper, an outlier detection approach, ODCS, is proposed to identify malicious nodes and consequently defend against outlier attacks by using corresponding countermeasures. Compared with other existing LEACH-based (cluster-based WSNs) security solutions, the significant research contribution of this work is that the proposed ODCS can address outlier attack issues via interoperable mechanisms.

We propose to use AEOM to observe the network. AEOM can distinguish the abnormal event and identify the potential outliers. Furthermore, triggered by AEOM, EMSM can distinguish the exceptional message by using distance measurement based on spatiotemporal correlation and consistency in some spatial granularity, for example, in one cluster. Similar to EMSM, ABSM can also be activated by AEOM to evaluate node behaviour via a frequency mechanism or the target ID of a message. The corresponding countermeasures can support effective approaches to defend against outliers. ODCS provides a local and efficient outlier detection scheme. Simulation results show that our approach can efficiently detect and defend against the outlier. Despite these benefits, several aspects of this approach need to be improved. Besides the aforementioned open issues, future research needs to consider new nodes joining, to improve the extension of the WSN securely. Moreover, in the future, we will apply our approach to practical applications.

10 Acknowledgments

Professor Myong-Soon Park is the corresponding author. Lei Shu's work in this paper was supported by (in part) the Lion project supported by Science Foundation Ireland under grant no. SFI/08/CE/I1380 (Lion-2), (in part) by the European project CONET (Cooperating Objects NETwork of excellence) under grant no. 224053 and (in part) by Grant-in-Aid for Scientific Research (S)(21220002) of the Ministry of Education, Culture, Sports, Science and Technology, Japan.

11 References

[1] AKYILDIZ L.F., SU W.L., SANKARASUBRAMANIAM Y., CAYIRCI E.: ‘A survey on sensor networks’, IEEE Commun. Mag., 2002, 40, (8), pp. 102–114

[2] BRANCH J.W., SZYMANSKI B.K., GIANNELLA C., WOLFF R., KARGUPTA H.: ‘In-network outlier detection in wireless sensor networks’. IEEE ICDCS’06, Lisboa, Portugal, July 2006, pp. 51–58

[3] LIU F., CHENG X.Z., CHEN D.C.: ‘Insider attacker detection in wireless sensor networks’. INFOCOM 2007. 26th IEEE Int. Conf. on Computer Communications, Anchorage, Alaska, USA, May 2007, pp. 1937–1945

[4] SHU L., ZHANG Y., ZHOU Z., HAUSWIRTH M., YU Z., HYNES G.: ‘Transmitting and gathering streaming data in wireless multimedia sensor networks within expected network lifetime’. Fifth Int. Conf. on Ubiquitous Intelligence and Computing (UIC 2008), Oslo, Norway, 23–25 June 2008, pp. 306–322

[5] BANDYOPADHYAY S., COYLE E.J.: ‘An energy efficient hierarchical clustering algorithm for wireless sensor networks’. Proc. IEEE INFOCOM’03, San Francisco, USA, April 2003

[6] DAVID M., TAX J., ROBERT D., RIDDER D.D.: ‘Classification, parameter estimation and state estimation: an engineering approach using MATLAB’ (Wiley, 2004)

[7] MACQUEEN J.B.: ‘Some methods for classification and analysis of multivariate observations’. Proc. Fifth Berkeley Symp. on Mathematical Statistics and Probability, University of California Press, 1967, vol. 1, pp. 281–297

[8] BANERJEEA T., XIEA B., AGRAWAL D.P.: ‘Fault tolerant multiple event detection in a wireless sensor network’, J. Parallel Distrib. Comput., 2008, 68, (9), pp. 1222–1234

[9] DENG J., HAN R., MISHRA S.: ‘INSENS: intrusion-tolerant routing for wireless sensor networks’, Elsevier J. Comput. Commun., 2006, 29, (2), pp. 216–230

[10] LI D., WONG K.D., HU Y.H., SAYEED A.M.: ‘Detection, classification, and tracking of targets’, IEEE Signal Process. Mag., 2002, 19, pp. 17–29

[11] ZHUANG Y., CHEN L.: ‘In-network outlier cleaning for data collection in sensor networks’. Proc. 1st Int. VLDB Workshop on Clean Databases (CleanDB’06), Seoul, Korea, September 2006, pp. 41–48

[12] JANAKIRAM D., REDDY V.A., KUMAR A.V.U.P.: ‘Outlier detection in wireless sensor networks using Bayesian belief networks’. First Int. Conf. on Communication System Software and Middleware, New Delhi, India, 2006, pp. 1–6

[13] HAWKINS D.: ‘Identification of outliers’ (Chapman and Hall, 1980)

[14] ZHANG Y., LEE W.: ‘Intrusion detection in wireless ad-hoc networks’. ACM MOBICOM 2000, Boston, Massachusetts, USA, August 2000, pp. 275–283

[15] SILVA A.P., MARTINS M.H., ROCHA B.P., LOUREIRO A.A., RUIZ L.B., WONG H.C.: ‘Decentralized intrusion detection in wireless sensor networks’. ACM Q2SWinet’05, Montreal, Quebec, Canada, 2005, pp. 16–23

[16] AGGARWAL C.C., YU P.S.: ‘Outlier detection for high dimensional data’. SIGMOD’01, New York, NY, USA, 2001, pp. 37–46

[17] BAY S.D., SCHWABACHER M.: ‘Mining distance-based outliers in near linear time with randomization and a simple pruning rule’. KDD’03, New York, NY, USA, 2003, pp. 29–38

[18] BREUNIG M.M., KRIEGEL H.P., NG R.T., SANDER J.: ‘LOF: identifying density-based local outliers’. SIGMOD’00, New York, NY, USA, 2000, pp. 93–104

[19] KNORR E.M., NG R.T.: ‘Finding intensional knowledge of distance-based outliers’. VLDB’99, San Francisco, CA, USA, 1999, pp. 211–222

[20] LAZAREVIC A., KUMAR V.: ‘Feature bagging for outlier detection’. KDD’05, New York, NY, USA, 2005, pp. 157–166

[21] RAMASWAMY S., RASTOGI R., SHIM K.: ‘Efficient algorithms for mining outliers from large data sets’. SIGMOD’00, New York, NY, USA, 2000, pp. 427–438

[22] ABDALLA M., BELLARE M.: ‘Increasing the lifetime of a key: a comparative analysis of the security of re-keying techniques’. Proc. Asiacrypt 2000, Kyoto, Japan, December 2000, (LNCS, 1976), pp. 546–559

[23] JAMIESON K., BALAKRISHNAN H., TAY Y.C.: ‘Sift: a MAC protocol for event-driven wireless sensor networks’. Proc. Third European Workshop on Wireless Sensor Networks (EWSN), ETH Zurich, Switzerland, February 2006, pp. 260–275

[24] CAGALJ M., CAPKUN S., HUBAUX J.P.: ‘Wormhole-based anti-jamming techniques in sensor networks’, IEEE Trans. Mobile Comput., 2007, 6, (1), pp. 100–114

[25] COSKUN V., CAYIRCI E., LEVI A., SANCAK S.: ‘Quarantine region scheme to mitigate spam attacks in wireless-sensor networks’, IEEE Trans. Mobile Comput., 2006, 5, (8), pp. 1074–1086

[26] SANJAY R., HUIRONG F., MANOHAR S., JOHN D., KENDALL N.: ‘Prevention of cooperative black hole attack in wireless ad hoc networks’. Proc. 2003 Int. Conf. on Wireless Networks (ICWN’03), Las Vegas, Nevada, USA, pp. 570–575

[27] FERREIRA A.C., VILAC M.A., OLIVEIRA L.B., HABIB E., WONG H.C., LOUREIRO A.A.F.: ‘On the security of cluster based communication protocols for wireless sensor networks’. 4th IEEE Int. Conf. on Networking (ICN’05), Reunion Island, April 2005, (LNCS, 3420), pp. 449–458

[28] MANJESHWAR A., GRAWAL D.P.: ‘TEEN: a protocol for enhanced efficiency in wireless sensor networks’. Proc. 15th Parallel and Distributed Processing Symp. on IEEE Computer Society, San Francisco, 2001, pp. 2009–2015

[29] CHANG R.S., KUO C.J.: ‘An energy-efficient routing mechanism for wireless sensor networks’. Advanced Information Networking and Applications (AINA’06), IEEE, 18–20 April 2006, vol. 2, p. 5

[30] ZHU S., SETIA S., JAJODIA S.: ‘LEAP: efficient security mechanisms for large-scale distributed sensor networks’. Proc. 10th ACM Conf. on Computer and Communications Security, New York, 2003, pp. 62–72

[31] LEONARDO B., OLIVEIRA HAO C., WONG M.: ‘SecLEACH: a random key distribution solution for securing clustered sensor networks’. Fifth IEEE Int. Symp. on Network Computing and Applications, Washington, DC, USA, 2006, pp. 145–154

[32] CHAN H., PERRIG A., SONG D.: ‘Random key predistribution schemes for sensor networks’. Proc. IEEE Symp. on Security and Privacy, Berkeley, CA, USA, May 2003, pp. 197–213

[33] LUK M., MEZZOUR G., PERRIG A., GLIGOR V.: ‘MiniSec: a secure sensor network communication architecture’. Proc. Sixth Int. Conf. on Information Processing in Sensor Networks (IPSN 2007), Cambridge, Massachusetts, April 2007, pp. 479–488

[34] SHAKHNAROVISH G., DARRELL T., INDYK P.: ‘Nearest-neighbor methods in learning and vision’ (MIT Press, 2005)

[35] LIU M.J.: ‘Studies on knowledge discovery methods (in Chinese)’. PhD Dissertation of Nankai University, 2001

[36] STREHL J.G., MOONEY R.: ‘Impact of similarity measures on web-page clustering’. Proc. 7th Natl. Conf. on Artificial Intelligence: Workshop of Artificial Intelligence for Web Search, Austin, Texas, 2000, pp. 58–64

[37] RICHARD J.L., MORRIS L.: ‘Marx: an introduction to mathematical statistics and its applications’, 2000, 3rd edn., p. 282

[38] ZHANG Y.Y., YANG W.C., KIM K.B., CUI M.Y., PARK M.S.: ‘A Rekey-boosted security protocol in hierarchical wireless sensor network’. 2008 Int. Conf. on Multimedia and Ubiquitous Engineering (MUE), Busan, Korea, 2008, pp. 57–61
