On the Intruder Detection for Sinkhole Attack in Wireless Sensor Networks - PowerPoint PPT Presentation

Description:

Edith C. H. Ngai¹, Jiangchuan Liu², and Michael R. Lyu¹; ¹Department of Computer Science and Engineering, The Chinese University of Hong Kong; ²School of Computing Science

1
On the Intruder Detection for Sinkhole Attack in
Wireless Sensor Networks
  • Edith C. H. Ngai¹, Jiangchuan Liu², and Michael R. Lyu¹
  • ¹Department of Computer Science and Engineering, The Chinese University of Hong Kong
  • ²School of Computing Science, Simon Fraser University
  • 12 Jun 2006
  • IEEE International Conference on Communications
    (ICC 2006)

2
Outline
  • Introduction
  • Related Work
  • Sinkhole Attack Detection
  • Enhancements Against Multiple Malicious Nodes
  • Performance Evaluation
  • Conclusion and Future Work

3
Wireless Sensor Networks
  • Increasingly popular to solve challenging
    real-world problems
  • Industrial sensing
  • Environmental monitoring
  • Set of sensor nodes
  • Many-to-one communication
  • Vulnerable to the sinkhole attack

4
Sinkhole Attack
  • Prevent the base station from obtaining complete
    and correct sensing data
  • Particularly severe for wireless sensor networks
  • Some secure or geographic-based routing protocols
    resist sinkhole attacks to a certain degree
  • Many current routing protocols in sensor networks
    are susceptible to the sinkhole attack

5
Sinkhole Attack
  • Left: using an artificial high-quality route
  • Right: using a wormhole

6
Related Work
  • Intrusion detection has been an extensively studied
    research topic for the Internet
  • Sensor network that we are considering
  • asymmetric many-to-one communication pattern
  • power of the sensor nodes is rather weak
  • Protocols based on route advertisement are
    vulnerable to sinkhole attacks

7
Related Work
  • Wood et al.
  • mechanism for detecting and mapping jammed
    regions
  • Ding et al.
  • algorithm for the identification of faulty
    sensors and detection of the reach of events
  • Staddon et al.
  • trace the identities of the failed nodes with the
    topology conveyed to the base station
  • Ye et al.
  • a Statistical En-route Filtering (SEF) mechanism
    that can detect and drop false reports
  • Perrig et al.
  • a packet leash mechanism for detecting and
    defending against wormhole attacks

8
Our Work
  • Propose an algorithm for detecting sinkhole
    attacks and identifying the intruder in an attack
  • The base station collects the network flow
    information in a distributed fashion in the
    attack area
  • An efficient identification algorithm that
    analyzes the collected network flow information
    and locates the intruder
  • Consider the scenario in which a set of colluding
    nodes cheat the base station about the location
    of the intruder

9
Estimate the Attacked Area
  • Consider a monitoring application in which sensor
    nodes submit sensing data to the BS periodically
  • By observing consistent data missing from an
    area, the BS may suspect there is an attack with
    selective forwarding
  • BS can detect the data inconsistency using the
    following statistical method
  • Let X1, ..., Xn be the sensing data collected in
    a sliding window, and be their mean. Define
    f(Xj) as

10
Estimate the Attacked Area
  • Identify a suspected node if f(Xj) is greater
    than a certain threshold
  • The BS can estimate where the sinkhole is located
  • It can circle a potentially attacked area, which
    contains all the suspected nodes

11
Identifying the Intruder
  • Each sensor stores the ID of next-hop to the BS
    and the cost in its routing table
  • The BS sends a request message to all the
    affected nodes
  • The sensors reply with <ID, ID_next-hop, cost>
  • Since the next-hop and the cost could already be
    affected by the attack, the reply message should
    be sent along the reverse path of the flooding,
    which corresponds to the original route with no
    intruder

12
Identifying the Intruder
  • Network flow information can be represented by a
    directed edge
  • The BS realizes the routing pattern by constructing
    a tree using the next-hop information collected
  • An invaded area possesses a special routing pattern
  • All network traffic flows toward the same
    destination, which is compromised by the intruder
    SH

13
Enhancement on Network Flow Information Collection
  • Multiple malicious nodes may prevent the BS from
    obtaining correct and complete flow information
    for intruder detection
  • They may cooperate with the intruder to perform
    the following misbehaviors
  • Modify the packets passing through
  • Forward the packets selectively
  • Provide wrong network flow information about themselves
  • We address these issues through encryption and
    path redundancy

14
Multiple Malicious Nodes
  • Drop some of the reply packets
  • Provide incorrect flow information

Their objective is to hide the real intruder SH
and put the blame on a victim node SH

15
Dealing with Malicious Nodes
  • Maintain an array Count
  • Entry Count[i] stores the total number of nodes
    having hop count difference i
  • Index i can be negative (a node's hop count is
    smaller than its actual distance from the current root)
  • If Count[0] is not the dominant entry in the
    array, the current root is unlikely to be the
    real intruder

16
Dealing with Malicious Nodes
  • By analyzing the array Count, we may estimate the
    hop counts from SH to SH
  • The BS can make root correction and re-calculate
    the array Count among the nodes within two hops
    from SH
  • Concludes the intruder based on the most
    consistent result
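
The tree construction on slide 12 and the Count-array root correction on slides 15 and 16, as an added Python example that is not code from the presentation or its authors. It assumes the cost in each reply is a hop count and that the BS knows which nodes are neighbours, so it can compute a node's actual distance to a candidate root; the grid, the node roles and all function names are constructed for illustration.

```python
from collections import Counter, deque

def bfs_hops(adj, root):
    """Hop distance from root to every reachable node."""
    dist, queue = {root: 0}, deque([root])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def tree_root(replies):
    """Follow next-hop edges from every node; the root is where most flows end."""
    ends = Counter()
    for node in replies:
        seen = set()
        while node in replies and node not in seen:
            seen.add(node)
            node = replies[node][0]
        ends[node] += 1
    return ends.most_common(1)[0][0]

def count_array(adj, replies, root):
    """Count[i]: nodes whose reported hop count minus distance to root equals i."""
    dist = bfs_hops(adj, root)
    return Counter(cost - dist[n] for n, (_, cost) in replies.items() if n in dist)

def identify_intruder(adj, replies):
    """Root correction: re-check candidates within two hops, keep the best Count[0]."""
    root = tree_root(replies)
    near = [n for n, d in bfs_hops(adj, root).items() if d <= 2]
    return max(near, key=lambda c: count_array(adj, replies, c)[0])

def constructed_case(n=5, sh=(2, 2), victim=(3, 2), colluders=((4, 2), (3, 3))):
    """Constructed sample: n x n grid; SH and colluders report routes to the victim."""
    cells = [(x, y) for x in range(n) for y in range(n)]
    adj = {c: [d for d in cells if abs(c[0]-d[0]) + abs(c[1]-d[1]) == 1] for c in cells}
    replies = {}
    for node in cells:
        if node == victim:
            continue  # the victim's own reply is dropped on the way to the BS
        dist = bfs_hops(adj, victim if node == sh or node in colluders else sh)
        nxt = min(adj[node], key=dist.get)
        replies[node] = (nxt, dist[nxt] + 1)  # <ID, ID_next-hop, cost>
    return adj, replies

if __name__ == "__main__":
    adj, replies = constructed_case()
    root = tree_root(replies)
    print("tree root:", root, dict(count_array(adj, replies, root)))
    print("after root correction:", identify_intruder(adj, replies))
```

In the constructed case the forged next-hop information makes the victim the initial tree root, but only the three dishonest replies agree with it, so Count[0] is not the largest entry and the correction step moves the root to the real sinkhole.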

17
Example
  • The array Count of the following figure is

18
Example
  • Eventually, node SH becomes the new root

19
Performance Evaluation
  • Accuracy of Intruder Identification
  • Success Rate
  • False-positive Rate
  • False-negative Rate
  • Communication Cost
  • Energy Consumption

  Parameter                                              Value
  No. of nodes in network                                400
  Size of network                                        200m x 200m
  Transmission range                                     10m
  Location of BS                                         (100,100)
  Location of sinkhole                                   (50, 50)
  Percentage of colluding nodes (m)                      0 to 50
  Message drop rate (d)                                  0 to 80
  No. of neighbors which a message is forwarded to (k)   1 to 2
  Packet size                                            100bytes
  Max. number of reply messages per packet               5

20
Success Rate

21
False-positive and False-negative Rate

22
Communication Cost and Energy Consumption

23
Conclusion and Future Work
  • An effective method for identifying sinkhole
    attacks in wireless sensor networks
  • It locates a list of suspected nodes by checking
    data consistency, and then identifies the
    intruder in the list through analyzing the
    network flow information
  • A series of enhancements to deal with cooperative
    malicious nodes that attempt to hide the real
    intruder
  • Numerical analysis and simulation results are
    provided to demonstrate the effectiveness and
    accuracy of the algorithm
  • We are interested in more effective statistical
    algorithms for identifying data inconsistency