A Lightweight Sybil Attack Detection Framework for ...

A Lightweight Sybil Attack Detection Framework for Wireless Sensor Networks

P. Raghu Vamsi and Krishna Kant
Department of Computer Science and Engineering, Jaypee Institute of Information Technology, Noida, India. [email protected], [email protected]

Abstract—In the field of Wireless Sensor Networks (WSNs), the problem of Sybil attacks has been widely considered by researchers. However, among the existing solutions, lightweight models are very limited. To accomplish this, the authors suggest a lightweight Sybil attack detection framework (LSDF) in this paper. This framework has two components: first, evidence collection; second, evidence validation. Every node in the network collects the evidences by observing the activities of neighboring nodes. These evidences are validated by running sequential hypothesis test to decide whether neighboring node is a benign node or Sybil node. With extensive simulations, it was revealed that the LSDF can detect Sybil activity accurately with few evidences.

Keywords—Wireless Sensor Networks, Sybil attacks, Lightweight frameworks, Sequential hypothesis testing.

I. INTRODUCTION

Wireless Sensor Networks (WSNs) are often deployed in hostile and unattended environments to monitor and report events associated with an object or a process of interest. These networks are composed of low-cost, tiny sensor nodes (SNs) with limited resources in terms of processing, energy and memory. To reduce the commercial cost, SNs are built without tamper-proof bodies [1]. In general, every node in the network takes advantage of the broadcast medium to report events. Specific features of SNs in WSNs, such as the use of the broadcast medium, the lack of tamper-proof bodies, and unattended and hostile deployment, often lead to physical capture, vulnerabilities and security attacks [2]. Among possible attacks in WSNs, the node replication attack is a severe attack in which a compromised node projects itself as a part of many places in the network to disrupt the network activities. The Sybil attack [9] is a variant of the node replication attack, in which a malicious node attempts to falsify node identity, location information and secret key material. In addition, a malicious node tries to send the information with high signal strength to claim its existence within the transmission range of benign nodes. It is very difficult to uncover such malicious nodes when varying signal strengths are used. The term clone attack is also used in the literature in place of node replication and Sybil attacks. The Sybil attack was first addressed in peer-to-peer networks as subversion of the reputation system by duplicating the network identities. An adversary can launch a Sybil attack in any or all of the following cases [3-8]:

1) During direct or indirect communication with a Sybil node. In indirect communication, a Sybil node passively listens to the ongoing packets and attempts to capture the secret key and identity information.
2) The attack can be initiated in the network incrementally or simultaneously in many places.
3) The attack can be launched with stolen or fabricated identities and secret key information.
4) Along with the above possibilities, an attack can be initiated with variation in signal strength.

978-1-4799-5173-4/14/$31.00 ©2014 IEEE

Numerous solutions have been proposed by researchers to address Sybil attacks. However, among the existing solutions, lightweight models are very limited. To accomplish this, the authors suggest a lightweight Sybil attack detection framework (LSDF) in this paper. This framework has two components: first, evidence collection; second, evidence validation using the sequential probability ratio test (SPRT). Every node in the network collects the evidences by observing the activities of neighboring nodes. The final computed values of the collected evidences are given as inputs to SPRT to identify a Sybil attack. With SPRT, a node can accept one of two competing hypotheses ($H_0$ (null): neighboring node is a benign node; $H_1$ (alternate): neighboring node is a Sybil node). Having observed the activities carried out by neighboring nodes, a node computes a test statistic $T(x)$ and compares it against two thresholds $t_1$ and $t_2$ to decide among three alternatives. First, acceptance of the null hypothesis if $T(x) < t_1$. Second, acceptance of the alternate hypothesis if $T(x) > t_2$. Finally, computing the test statistic one more time if $t_1 < T(x) < t_2$. In addition, the test is carried out using user configured false positive and false negative values.

The rest of the paper is organized as follows: After presenting related work in Section II, Section III describes preliminaries for LSDF. Section IV presents the LSD framework. An evaluation of the LSDF with a simulation study is presented in Section V. Finally, Section VI concludes the paper.

II. RELATED WORK

Physical tampering of sensor nodes by an adversary is the entry point for launching Sybil attacks. The tampered sensor node is placed back in the network so that it attempts to convert its neighboring nodes into malicious nodes. In this way, a single tampered node attempts to replicate the conversion of benign nodes into malicious nodes as the network operations progress. The purpose of a Sybil attack is to falsify node identities, location information and secure key information. In addition, a compromised node can initiate an attack by varying signal strength. Finally, at a given time of network operation there could be several malicious nodes which can attempt a Sybil attack to disturb network activities. In the literature, there are various methods to identify Sybil attacks [11]. Nevertheless, most of these schemes assume a costly setup such as the use of relay nodes or the use of expensive devices and encryption methods to ascertain the location information. Installing relay nodes in a hostile and unattended environment is not feasible, and most of these schemes assume that the relay nodes cannot be attacked. However, such assumptions cannot hold in real scenarios. In [10], the authors have proposed several techniques to defend against the Sybil attack using conventional random key distribution schemes and public keys generated from polynomials. Along with these techniques, the authors have shown that the Sybil attack is exceedingly detrimental for sensor network operations. The experimental results reported in [24] show that conventional cryptography techniques require a huge number of multiplication and addition operations to compute a single security operation. Hence, the cryptographic operations are expensive for resource limited SNs. The most commonly used methods for detecting Sybil attacks are distance measurement, location verification, identity verification, and the use of received signal strength [12][13]. Several techniques have been used in the literature to calculate the distance between two nodes. Angle of Arrival (AOA), Time Difference of Arrival (TDOA), Time of Arrival (TOA) and Received Signal Strength (RSS) are the commonly used techniques for distance measurement. However, except for RSS based methods, the remaining methods require special hardware. So, among the available methods, RSSI based methods are more appropriate for WSNs. Mingxi et al. [14] have proposed a regional statistics detection scheme against Sybil attacks. In this method, a node collects statistics of RSS values from its neighboring nodes in its region and records them in its regional statistics table. Defending against the Sybil attack is done using this table.
The collected RSS values are validated by comparing them with the regional statistics tables obtained from three trusted neighbors. However, as the number of malicious nodes in the network increases, it is often difficult to find trusted neighbors. Jun et al. [17] have proposed an interesting method called ZoneTrust. In this method, the entire network is divided into a set of zones. A statistical technique called the sequential probability ratio test (SPRT) is used to detect suspected regions. ZoneTrust detects even a small fraction of compromised nodes while reducing false positive and false negative rates. This detection technique is modeled using game theoretic analysis. Optimal strategies are defined for the attacker and defender. ZoneTrust proves that node compromise is greatly limited by the defender if the attacker and defender follow optimal strategies. An approach for detecting replica clusters in WSNs using SPRT has been proposed in [18]. This method takes advantage of SPRT to detect and isolate replica clusters using user configured false positives and false negatives. Yawen et al. [16] have proposed lightweight location verification algorithms that are free from costly hardware setup such as relay nodes. These algorithms are classified as on-spot and in-region verification methods. In on-spot verification, a validation is carried out between the claimed and true position of the neighboring nodes. In in-region verification, location claims are validated to check whether the nodes are inside the application area or not. These algorithms organize all the observations related to on-spot and in-region verification in a matrix and identify the discrepancy in location claims. However, the number of matrices and their computational complexity increase as node density and node degree increase in the network.

Motivated by the works [16-18], in this paper a framework is proposed to detect and isolate Sybil attacks with SPRT using user configured false positives and false negatives. Lightweight means that the Sybil attack detection procedure does not create communication, memory and processing overhead. This framework detects Sybil attacks by incorporating the evidences related to location, distance and received signal strength. The framework has been designed to suit large scale WSNs with the advantage of statistical testing.

III. PRELIMINARIES

A. Network Model

Let $S$ be a set of $n$ sensor nodes $S = \{s_1, s_2, \ldots, s_n\}$ deployed in a geographical region $(X_i, Y_i)$. These nodes interact directly with each other to forward the packets. In this model, it is assumed that each node has a unique identity and is aware of its own location. Generally, location information is obtained by using any localization scheme [15]. Each node in the network has a communication range $R$ and communicates using bidirectional transceivers. Basically, WSNs are static, that is, they are immobile. However, a node may be replaced or relocated manually in case of node failure or running out of battery power. Each node in the network uses a symmetric key for encrypting the data and generating a hash code for maintaining packet integrity. Each node makes use of the promiscuous mode of the network interface. In promiscuous mode, a node can observe all packets passing through its radio range.

B. Problem Statement

Consider a set of sensor nodes deployed in a geographical region such that an adversary can capture and tamper with a benign node for the purpose of converting it into a malicious node that can launch Sybil attacks. In this connection, the problem can be defined as follows: a lightweight framework is required that detects Sybil attacks with localized decisions and that is scalable to large scale WSNs. This detection is with respect to a known deviation in the distance $\sigma_d$ and in the RSS values $\sigma_r$. This means that whenever nodes are deployed in a network, due to localization errors and signal fading there will be a deviation in the distance measured from location information and in the computed RSS value.

C. Adversary Model

Every node in the network maintains a neighbor table to store information associated with its neighbors. Once the network is deployed and bootstrapped, a node $S_i$ can receive a message from node $S_j$ only if $S_i$ exists in the transmission range of $S_j$.
If the message consists of node identity and location information, then the receiving node can compute the distance between the nodes and the RSS, and store them in the neighbor table. It is assumed that, after a certain time of network operation, an adversary captures and tampers with one or more benign nodes and places them back in the network. These tampered nodes will attempt to convert their neighboring nodes into malicious nodes. This scenario is illustrated in Figure 1. Let $S_j$ be a malicious node; it exhibits behavior that deviates from regular network operations, such as

• $S_j$ attempts to send false location information.
• $S_j$ can monitor and analyze all ongoing packets.
• $S_j$ can broadcast stolen or fabricated network identities.
• $S_j$ can broadcast false identity and location information with variation in signal strength.

Fig. 1: Sybil attack scenario

Fig. 2: Computing confidence interval around mean

IV. LIGHTWEIGHT SYBIL ATTACK DETECTION FRAMEWORK

This framework consists of two components: first, evidence collection; second, evidence validation. During evidence collection, observations related to location information, distance and RSS values are recorded. In evidence validation, the computed evidences are submitted as inputs to sequential hypothesis testing to decide between two alternatives: the neighboring node is a benign node, or the neighboring node is a Sybil node.

A. Evidence Collection

Let $S_i$ be the sensor node which observes all outgoing messages from its neighboring nodes within its transmission range $R$. Assume that the time domain of each sensor node is divided into non-overlapping time intervals ($\Delta t_n$). During these time intervals, $S_i$ observes the outgoing messages originated from $S_j$. Each node maintains a table to store evidences. In the table, neighboring node identities, corresponding locations, relative distances and RSS values of messages received from neighboring nodes are stored. The observation of a non-distinct message is considered a success, and a message distinct from the previous observation is considered a failure. This distinction is in terms of node identity and location information, distance and RSS value. All the evidences are modeled in terms of binary values to simplify further computations.

1) Evidence from direct observation: In a homogeneous network, a node can observe all nodes located within its transmission range. Whenever a packet is received, the receiving node checks whether it can observe the sending node or not. Let $S_i$ and $S_j$ be two nodes; the evidence from direct observation $E_{direct}(i, j)$ is given as

$$E_{direct}(i, j) = \begin{cases} 1 & \text{if } O_i \rightarrow O_j \\ 0 & \text{otherwise} \end{cases} \qquad (1)$$

This means that $E_{direct}(i, j)$ becomes 1 if node $S_i$ can observe $S_j$; otherwise it becomes 0.

2) Evidence from distance measurement: After receiving a message from any node, the receiving node verifies the first step and then computes the Euclidean distance ($d_{ij}$) between its own location and the location information received in the message. The evidence from distance measurement $E_{distance}(i, j)$ is given as

$$E_{distance}(i, j) = \begin{cases} 1 & \text{if } d_{ij} \leq R \\ 0 & \text{otherwise} \end{cases} \qquad (2)$$

This means that $E_{distance}(i, j)$ becomes 1 if $d_{ij}$ is less than or equal to the transmission range; otherwise it becomes 0. If the node distribution in the network follows a certain distribution with known mean and deviation, then Eq. (2) cannot be applied directly. Let the node distribution in a network follow a Gaussian distribution with mean distance value $\mu_d$ and deviation $\sigma_d$; then the evidence from the distance measurement is given as

$$E_{distance}(i, j) = \begin{cases} 1 & \text{if } d_{ij} \in \mu_d \pm Z_{99} \cdot \sigma_d \\ 0 & \text{otherwise} \end{cases} \qquad (3)$$

This means that $E_{distance}(i, j)$ becomes 1 if $d_{ij}$ remains within the 99% confidence interval around the mean value. The $Z_{99}$ value is the 99% confidence interval value, which can be obtained from the normal distribution table [26]. In a similar way, $E_{distance}(i, j)$ can be computed when the noise in the distance measure is known in advance. For example, let $n_f$ be the noise factor with $n_f \in [-0.01, 0.01]$; then $d_{ij}$ is verified as $d^*_{ij} \in d_{ij} \pm n_f \cdot d_{ij}$. It is clear from the formulation of $E_{distance}$ that it is flexible in fixing the thresholds for the measured distance in the presence of noise with known deviation and Euclidean distance measurement.

3) Evidence from Received Signal Strength: A malicious node can attempt to send false location information with variation in transmission power. Since the transmission power and the distance up to which a node can transmit are directly proportional, when a node receives such a message it assumes that the transmitting node is very near to it due to the good RSS value. In this way a malicious node launches a Sybil attack by falsifying location information and node identities and by varying signal strength. Let a node $S_i$ estimate the RSS value of messages received from another node $S_j$, and let these estimations follow a Gaussian distribution with mean RSS value $\mu_r$ and deviation $\sigma_r$; then the evidence from the received signal strength is given as

$$E_{rss}(i, j) = \begin{cases} 1 & \text{if } rss_{ij} \in \mu_r \pm Z_{99} \cdot \sigma_r \\ 0 & \text{otherwise} \end{cases} \qquad (4)$$

This means that $E_{rss}(i, j)$ becomes 1 if $rss_{ij}$ remains within the 99% confidence interval around the mean value. In general, the deviation in signal strength occurs due to signal fading in real environmental conditions. So, with the known deviation $\sigma_r$, the mean value of RSS will be unknown, since the RSS varies from message to message. This problem turns out to be one of computing an unknown mean with known deviation. For example, suppose an average RSS value $\mu_r$ is to be estimated from the sample mean of RSS values $R_1, R_2, \ldots, R_N$ estimated by a node, such that the error of estimation is less than $\delta$ with a probability of 99%; then the interval centered at the sample mean with 99% confidence will be $\mu_R - \delta \leq \mu_r \leq \mu_R + \delta$. If the RSS deviation $\sigma_r$ is known, then $\delta$ can be estimated as $\delta = \frac{\sigma_r}{\sqrt{N}} \cdot Z_{1-\alpha/2}$, where $\alpha$ is the risk of rejecting a correct RSS estimation. With the estimation $\delta$, the number of samples required is obtained as

$$N \geq \left( \frac{Z_{1-\alpha/2}}{\delta} \right)^2 \sigma_r^2 \qquad (5)$$

In addition to $\alpha$, if the risk of accepting a false RSS estimation $\beta$ is included, then the number of samples required is

$$N = (Z_{1-\alpha/2} + Z_{1-\beta})^2 \cdot (\sigma_r / \delta)^2 \qquad (6)$$

$Z_{(\cdot)}$ is the critical value obtained from the normal distribution table [26]. For example, let $\sigma_r = 4.0$, $\delta = 2.58$, $\alpha = 0.05$ and $\beta = 0.05$; then the number of samples required to achieve the 99% confidence interval around the mean is $\cong 32$. So, with the desired confidence interval around the mean, every node in the network needs to be trained with the required number of samples during the early stages of network operations. Once the training has been completed with a sufficient number of samples, accuracy can be achieved in computing the evidence using Eq. (3). Figure 2 illustrates this entire procedure.

4) Finalizing evidences: It is clear that a node obtains the evidences from direct observations by computing the distance and RSS values. These obtained evidences are finalized to identify Sybil attacks. The finalized evidences with $E_{direct}$, $E_{distance}$, and $E_{rss}$ are as follows:

$$F_{distance} = E_{direct} \oplus E_{distance} \qquad (7)$$

$$F_{rss} = E_{direct} \oplus E_{rss} \qquad (8)$$

where $\oplus$ is the XOR operation between two evidences. With the values of $F_{distance}$ and $F_{rss}$, malicious activity can be identified. For example, if $E_{direct} = 1$ and $E_{distance} = 0$ then $F_{distance} = 1$; this means that node $S_i$ can observe node $S_j$ but $S_j$ has claimed a wrong location. In the other case, if $E_{direct} = 1$ and $E_{rss} = 0$ then $F_{rss} = 1$; this means that node $S_i$ can observe node $S_j$ but $S_j$ has used a different transmission power. In the same way, the claimed location can be verified against the RSS as $F_{dr} = E_{distance} \oplus E_{rss}$.

B. Evidence Validation

Since the finalized evidences result in binary values, let us define a Bernoulli random variable $X_i$ such that

$$X_i = \begin{cases} 1 & \text{if } F_{distance} \text{ OR } F_{rss} \\ 0 & \text{otherwise} \end{cases} \qquad (9)$$

where OR is the basic logical OR operation. This means that whenever $F_{distance}$ or $F_{rss}$ is true, the Bernoulli random variable holds the value 1 (true/success in identifying a Sybil attack); otherwise it holds the value 0 (false/fail). The success probability ($p$) of the Bernoulli distribution is defined as $p = Pr(X_i = 1) = 1 - Pr(X_i = 0)$. A node observes the non-distinct messages as $X \sim f(x|\theta)$, where $f(x|\theta)$ represents the conditional density over the data vector $X$ given the parameter $\theta \in \Theta$, and $\Theta$ denotes the parameter space $\Theta = \{\Theta_0 = \text{Benign node}, \Theta_1 = \text{Sybil node}\}$ with prior density $\pi(\theta)$ for $\theta$ on $\Theta$. The prior $\pi_i(\theta)$ with support on $\Theta_i$ for $i = 0, 1$ is given as

$$\pi_i(\theta) = \frac{I(\theta \in \Theta_i)\,\pi(\theta)}{\int_{\Theta_i} \pi(\theta)\,d\theta}$$

where $I(\cdot)$ takes the value 1 if the given condition is satisfied and 0 otherwise.

1) Formulating Hypothesis: With the prior, the problem of comparing two competing hypotheses can be considered as

$H_0$: Neighboring node $S_j$ is a benign node.
$H_1$: Neighboring node $S_j$ is a Sybil node.

where $H_0$ and $H_1$ are the null and the alternative hypotheses respectively. During the hypothesis testing, the false positives ($\alpha$) and false negatives ($\beta$) are defined as follows:

$\alpha$: false positive error that the decision leads to acceptance of $H_1$ when $H_0$ is true.
$\beta$: false negative error that the decision leads to acceptance of $H_0$ when $H_1$ is true.

In hypothesis testing, it is good to achieve $\alpha = \beta = 0$; however, $\alpha$ and $\beta$ are opposite to each other, which means that as $\alpha$ decreases $\beta$ increases. To minimize the $\alpha$ and $\beta$ values, we require a large number of samples. However, with sequential hypothesis testing a decision can be achieved with few samples while maintaining the desired $\alpha$ and $\beta$ values. The Sequential Probability Ratio Test (SPRT) is a statistical decision process that was developed by Wald [19]. Unlike conventional hypothesis testing methods, SPRT reaches the decision without a fixed sample size and with only limited samples of evidence. Researchers have modeled SPRT as a random walk with a lower and an upper bound. In this random walk model, the process of making a decision starts from a point between the two bounds and moves towards the upper bound or the lower bound with respect to incoming input evidence. When the random walk reaches or exceeds the lower bound, SPRT accepts the null hypothesis. On the other hand, if the random walk reaches or exceeds the upper bound, SPRT rejects the null hypothesis and accepts the alternate hypothesis. Since $\beta$ is the probability of false negatives, $1 - \beta$ is the probability of detecting a Sybil attack. The lower bound on detecting a Sybil attack is given by the inequality $(1 - \beta) \geq \frac{1 - \alpha^* - \beta^*}{1 - \alpha^*}$ [17], where $\alpha^*$ and $\beta^*$ are the user configured false positives and false negatives.

2) Test statistic: Among $n$ observations, let $\gamma_n$ be the number of observations with $X_i = 1$; then the test statistic $T(X)$ can be defined as [18]

$$T(X) = \gamma_n \ln \frac{P_1}{P_0} + (n - \gamma_n) \ln \frac{1 - P_1}{1 - P_0} \qquad (10)$$

where $P_0 = Pr(X_i = 1 | \Theta_0)$, $P_1 = Pr(X_i = 1 | \Theta_1)$, and $P_0 < P_1$. Configuring a small value for $P_0$ and a large value for $P_1$ helps the test in detecting Sybil attacks accurately.

3) Stopping criteria: The test involves comparing $T(X)$ to two thresholds $t_0$ and $t_1$, and the hypothesis test is carried out as follows:

• $T(X) \leq t_0$: accept $H_0$ and terminate the test.
• $T(X) \geq t_1$: accept $H_1$ and terminate the test.
• $t_0 \leq T(X) \leq t_1$: continue the process with another observation.

In this, $t_0 = \ln\left(\frac{\beta^*}{1 - \alpha^*}\right)$ and $t_1 = \ln\left(\frac{1 - \beta^*}{\alpha^*}\right)$, where $\alpha^*$ and $\beta^*$ respectively are the user configured false positive and false negative values [18]. Every node computes the test with new observations whenever the test statistic remains between the lower and upper thresholds. Figure 3 illustrates the entire procedure of evidence collection and validation.

Fig. 3: Evidence collection and validation

TABLE I: Simulation Parameters

| Parameter | Value |
|---|---|
| Simulator | ns-2.35 |
| Examined Protocol | GPSR with LSDF |
| Mac | 802.15.4 |
| Simulation Time | 1000 seconds |
| Area | 100 x 100 meters |
| Nodes | 100 |
| Propagation model | Shadowing |
| Transmission range | 10 meters |
| Transmission power | 0.0522 mW |
| Receive power | 0.0522 mW |
| Pt | 0.001 |
| Traffic type | CBR over UDP |
| Bandwidth | 200 kbps |
| Maximum connections | 25 |
| Packet size | 64 bytes |
| Security attack | Sybil attack |
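The evidence finalization of Eqs. (1), (3), (4) and (7) to (9), the training sample size of Eq. (6), and the SPRT of Eq. (10) with its stopping thresholds, worked through in Python. This is an added example, not code from the paper: the NeighborProfile fields, the message format and the sample messages are constructed, and Z99 is assumed to be the two-sided 99% normal critical value.

```python
import math
from dataclasses import dataclass
from statistics import NormalDist

_Z = NormalDist().inv_cdf
Z99 = _Z(0.995)  # assumption: Z99 read as the two-sided 99% critical value (~2.576)


def samples_needed(sigma_r, delta, alpha, beta):
    """Eq. (6): RSS training samples needed to estimate the mean within +/- delta."""
    return math.ceil((_Z(1 - alpha / 2) + _Z(1 - beta)) ** 2 * (sigma_r / delta) ** 2)


@dataclass
class NeighborProfile:
    """What the observing node S_i learned about one neighbor during training."""
    own_pos: tuple   # location of S_i (metres)
    mu_d: float      # mean distance to the neighbor
    sigma_d: float   # known distance deviation
    mu_r: float      # mean RSS (dBm)
    sigma_r: float   # known RSS deviation


def finalized_evidence(profile, msg):
    """Return (F_distance, F_rss, X) for one overheard message."""
    e_direct = 1 if msg["observable"] else 0                              # Eq. (1)
    d_ij = math.dist(profile.own_pos, msg["pos"])
    in_d = abs(d_ij - profile.mu_d) <= Z99 * profile.sigma_d
    in_r = abs(msg["rss"] - profile.mu_r) <= Z99 * profile.sigma_r
    e_distance = 1 if in_d else 0                                         # Eq. (3)
    e_rss = 1 if in_r else 0                                              # Eq. (4)
    f_distance = e_direct ^ e_distance                                    # Eq. (7)
    f_rss = e_direct ^ e_rss                                              # Eq. (8)
    return f_distance, f_rss, f_distance | f_rss                          # Eq. (9)


class Sprt:
    """Wald's SPRT over Bernoulli observations, thresholds as in the text."""

    def __init__(self, p0=0.1, p1=0.9, alpha=0.01, beta=0.01):
        self.step_one = math.log(p1 / p0)               # added to T(X) when X = 1
        self.step_zero = math.log((1 - p1) / (1 - p0))  # added to T(X) when X = 0
        self.t0 = math.log(beta / (1 - alpha))          # lower threshold
        self.t1 = math.log((1 - beta) / alpha)          # upper threshold
        self.t = 0.0                                    # running T(X) of Eq. (10)
        self.n = 0

    def update(self, x):
        """Feed one observation; return 'benign', 'sybil' or None (keep sampling)."""
        self.n += 1
        self.t += self.step_one if x else self.step_zero
        if self.t <= self.t0:
            return "benign"   # accept H0
        if self.t >= self.t1:
            return "sybil"    # accept H1
        return None


def validate_neighbor(profile, messages):
    """Run the SPRT over a message stream; return (verdict, samples used)."""
    sprt = Sprt()
    for msg in messages:
        x = finalized_evidence(profile, msg)[2]
        verdict = sprt.update(x)
        if verdict:
            return verdict, sprt.n
    return "undecided", sprt.n


# Constructed sample data: neighbor trained at about 5 m and -70 dBm.
PROFILE = NeighborProfile(own_pos=(0.0, 0.0), mu_d=5.0, sigma_d=1.0,
                          mu_r=-70.0, sigma_r=4.0)
BENIGN = [
    {"pos": (3.0, 4.0), "rss": -71.0, "observable": True},
    {"pos": (3.1, 4.0), "rss": -68.5, "observable": True},
    {"pos": (2.9, 4.1), "rss": -73.0, "observable": True},
]
SYBIL = [
    {"pos": (3.0, 4.0), "rss": -52.0, "observable": True},    # power variation only
    {"pos": (30.0, 40.0), "rss": -71.0, "observable": True},  # false location only
    {"pos": (30.0, 40.0), "rss": -50.0, "observable": True},  # both
]
MIXED = [BENIGN[0]] + SYBIL + [SYBIL[0]]  # one clean message, then deviations

if __name__ == "__main__":
    print("training samples:", samples_needed(4.0, 2.58, 0.05, 0.05))
    for name, stream in (("benign", BENIGN), ("sybil", SYBIL), ("mixed", MIXED)):
        print(name, validate_neighbor(PROFILE, stream))
```

With P0 = 0.1 and P1 = 0.9 each observation moves T(X) by about ±2.197 against thresholds of about ±4.595, so three consistent observations are the minimum for a decision and every contradicting observation costs two more.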

V. SIMULATION STUDY

A. Simulation Setup

The proposed LSD framework was examined with the network simulator ns-2.35 [21]. It has been incorporated into the well known Greedy Perimeter Stateless Routing (GPSR) [20] protocol. This does not imply that the LSD framework is hard coded into the GPSR protocol; it can be used with any ad hoc routing protocol. Since the GPSR protocol makes routing decisions based on location information, it is a suitable candidate to test the LSD framework. In an area of 100 × 100 m², 100 nodes are arranged in a grid topology with an average of 5 meters between each node. Each node in the network was configured according to the CC2420 specification [22]. This chip follows the IEEE 802.15.4 specification and operates at 2.4 GHz frequency. In general, to obtain location information, the CC2431 [23] system-on-chip solution for the IEEE 802.15.4 specification has been popular in the research community. This chip has the advantage of the CC2420 transceiver and a location detection hardware module. The shadowing radio propagation model has been used for simulation. Unlike the two-ray ground and free space models, the shadowing model is suitable for modeling the signal fading and antenna radiation patterns that occur in real environments [25]. Each node is configured with 10 meters of transmission range and a shadowing deviation of 1.0 meter. Details of other simulation parameters are provided in Table I. Among 100 nodes, 25 nodes send their data to various destinations in the network. Different random seeds generated from the system clock have been used to select source and destination nodes. The communication pattern used for simulation in [18] has been used to transmit data by source nodes in this framework. It models communication between two distinct nodes as a homogeneous Poisson process with rate parameter $\lambda$. With this, the inter-occurrence time between two communications of a node is modeled as $-(\ln(U)/\lambda)$, where $U$ is a uniform random variate generated between 0 and 1.
The value of $\lambda$ for benign nodes is configured between 0.02 and 0.09, whereas in the malicious case it is configured between 0.2 and 0.4. To model the asymmetric distance between two nodes, the simulation setup used in [16] has been used. Let $d_{ij}$ be the distance between two nodes $i$ and $j$; with a noise factor $n_f$, $n_f \in [-0.01, 0.01]$, the distance is measured as $d^*_{ij} = d_{ij} + n_f \cdot d_{ij}$. In a similar way, $d_{ji}$ between nodes $j$ and $i$ is modeled. As a result, this procedure models the asymmetric links between two nodes. In general, while the network operations are going on, an adversary captures a node and tampers with it to obtain the information related to identity, location, and secret key material. The tampered node is placed back in the network so that it slowly captures the neighboring nodes for the purpose of converting them into malicious nodes. In this connection, the simulation has been done with an incremental appearance of Sybil attacks. It is configured so that the first Sybil attack starts with 3 nodes 15 seconds after the beginning of the simulation time, and the number of attacking nodes is doubled every 15 seconds. This growth continues until 50 percent of the nodes in the network become malicious. The SPRT parameters are configured as follows: $\alpha^* = 0.01$, $\beta^* = 0.01$, $P_0 = 0.1$ and $P_1 = 0.9$.

B. Result Analysis

The following performance metrics are considered to validate our model.

• Average number of samples: It is the average number of samples required by a node to accept a hypothesis among two competitive hypotheses.
• False positive: It is the probability that a non-Sybil node is misidentified as a Sybil node.
• False negative: It is the probability that a Sybil node is misidentified as a benign node.

Fig. 4: Performance metrics. (a) Average Number of Packets Vs. False Positives; (b) Average Number of Packets Vs. False Negatives

The simulation results presented here are the average of 100 simulation runs. To analyze the results, the terms false positives and false negatives, respectively, are used to represent identifying a benign node as a benign node and identifying a Sybil node as a Sybil node. Every node conducts the SPRT for each and every observation (also called a sample). Since every node in the network operates in promiscuous mode, each node observes and records all ongoing activities carried out by its neighboring nodes. Note that SPRT is repeated with new observations when the computed test statistic remains between the lower and upper bounds. It is observed from the simulation results that the accuracy in detecting benign and Sybil nodes is 99.9%. It means that out of 100 simulation runs for every combination of $\lambda$, 3 to 4 readings are recorded with mis-detection, as 99.4%. This fraction can be considered negligible because every node requires proper training to identify the accurate confidence interval around the mean. Increasing the number of communications in the former levels of network operation, and continuing to record RSS values if neighboring nodes are not malicious, will also assist in improving the accuracy of the detection rate. The simulation results with the SPRT model in [18] have shown that there is no impact of false positives and false negatives. That model considers direct observations. However, in LSDF, SPRT is conducted with the final evidences made from observations of location information, distance measurement and RSS values. With the known deviation in signal propagation, knowing the confidence interval around the mean requires a larger number of samples to attain accuracy. In any case, with the selection of the 99% confidence interval for RSS value and distance measurement, and user configured false positive and negative rates $\alpha^* = 0.01$ and $\beta^* = 0.01$, the LSD framework has achieved above 99.9% detection accuracy in identifying benign and Sybil nodes.
An advantage of this framework in addition to Sybil attack detection is that, with known noise factor and by distance measurement, the localization errors can be predicted. Figure 4 (a) plots the average number of samples needed to detect a benign node. This average is the mean of the maximum number of samples taken by a node to accept the null hypothesis. The simulations have been conducted for all combinations of λ in a benign case with all combinations of the malicious case. It is noted from the simulation results that the average number of samples required to accept the null hypothesis has steadily decreased. This sample size is varied

between 5.13 and 5.31. This implies that in all cases the average samples required to validate a node as benign node are with a minimum of 5 samples. Figure 4 (b) plots the average number of samples required to detect a Sybil node. The results presented are the mean of the maximum number of samples taken by a node to accept the alternate hypothesis. In all combinations of malicious case λ, it is observed that the average number of samples required are varied between 8.08 to 8.34. This implies that in all cases a node requires at most 8 to 9 samples to accept the alternate hypothesis. Training nodes to predict correct RSS value can be achieved by allowing them to record RSS values from the neighboring nodes during the early stages of the network. However, it is not recommended for high confidence interval in the early stages because as the number of communications are high then more energy can be depleted and there by nodes can die early. To overcome this problem, LSDF suggests that nodes are trained with samples required to achieve minimum confidence interval around the mean first and then the training can be continued if the neighboring nodes are not malicious. In order to train further special messages are not required, however, data packets sent by the neighboring nodes will be sufficient. In this way, starting with minimum number of communications, better confidence interval around the mean RSS value can be achieved while saving node energy. VI.

VI. CONCLUSIONS

In this paper, a Lightweight Sybil Attack Detection Framework (LSDF) has been proposed to detect Sybil attacks. The proposed framework works with general observations carried out by every node in the network. In addition, the LSDF detection accuracy in identifying malicious nodes was found to be above 99.9%. With LSDF, a node reaches a decision about a Sybil attack using direct observations related to location, distance measurement, and received signal strength values. These observations are given as inputs to a sequential probability ratio test that validates them. The distributed nature of the LSDF makes it suitable for networks deployed over a large network dimension. Finally, the simulation results show that LSDF is robust against Sybil attacks.

REFERENCES

[1] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci, “Wireless sensor networks: a survey,” Computer networks, vol. 38, no. 4, pp. 393–422, 2002.
[2] K. Xing, S. S. R. Srinivasan, M. Jose, J. Li, X. Cheng, et al., “Attacks and countermeasures in sensor networks: A survey,” in Network Security, pp. 251–272, Springer, 2010.
[3] T. Bonaci, P. Lee, L. Bushnell, and R. Poovendran, “Distributed clone detection in wireless sensor networks: An optimization approach,” in World of Wireless, Mobile and Multimedia Networks (WoWMoM), 2011 IEEE International Symposium on a, pp. 1–6, IEEE, 2011.
[4] M. Conti, R. Di Pietro, L. V. Mancini, and A. Mei, “Distributed detection of clone attacks in wireless sensor networks,” Dependable and Secure Computing, IEEE Transactions on, vol. 8, no. 5, pp. 685–698, 2011.
[5] B. Zhu, V. G. K. Addada, S. Setia, S. Jajodia, and S. Roy, “Efficient distributed detection of node replication attacks in sensor networks,” in Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual, pp. 257–267, IEEE, 2007.
[6] W. Z. Khan, M. Y. Aalsalem, M. N. B. M. Saad, and Y. Xiang, “Detection and mitigation of node replication attacks in wireless sensor networks: A survey,” International Journal of Distributed Sensor Networks, vol. 2013, 2013.
[7] S. Ubeda, “Hierarchical node replication attacks detection in wireless sensor networks,” International Journal of Distributed Sensor Networks, vol. 2013, 2013.
[8] C. Karlof and D. Wagner, “Secure routing in wireless sensor networks: Attacks and countermeasures,” Ad hoc networks, vol. 1, no. 2, pp. 293–315, 2003.
[9] J. R. Douceur, “The sybil attack,” in Peer-to-peer Systems, pp. 251–260, Springer, 2002.
[10] J. Newsome, E. Shi, D. Song, and A. Perrig, “The sybil attack in sensor networks: analysis & defenses,” in Proceedings of the 3rd international symposium on Information processing in sensor networks, pp. 259–268, ACM, 2004.
[11] Q. Zhang, P. Wang, D. S. Reeves, and P. Ning, “Defending against sybil attacks in sensor networks,” in Distributed Computing Systems Workshops, 2005. 25th IEEE International Conference on, pp. 185–191, IEEE, 2005.
[12] J. Wang, G. Yang, Y. Sun, and S. Chen, “Sybil attack detection based on rssi for wireless sensor network,” in Wireless Communications, Networking and Mobile Computing, 2007. WiCom 2007. International Conference on, pp. 2684–2687, IEEE, 2007.
[13] M. Demirbas and Y. Song, “An rssi-based scheme for sybil attack detection in wireless sensor networks,” in Proceedings of the 2006 International Symposium on World of Wireless, Mobile and Multimedia Networks, pp. 564–570, IEEE Computer Society, 2006.
[14] M. Li, Y. Xiong, X. Wu, X. Zhou, Y. Sun, S. Chen, and X. Zhu, “A regional statistics detection scheme against sybil attacks in wsns,” in Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on, pp. 285–291, IEEE, 2013.
[15] H. Wymeersch, J. Lien, and M. Z. Win, “Cooperative localization in wireless networks,” Proceedings of the IEEE, vol. 97, no. 2, pp. 427–450, 2009.
[16] Y. Wei and Y. Guan, “Lightweight location verification algorithms for wireless sensor networks,” Parallel and Distributed Systems, IEEE Transactions on, vol. 24, no. 5, pp. 938–950, 2013.
[17] J.-W. Ho, M. Wright, and S. K. Das, “Zonetrust: fast zone-based node compromise detection and revocation in wireless sensor networks using sequential hypothesis testing,” Dependable and Secure Computing, IEEE Transactions on, vol. 9, no. 4, pp. 494–511, 2012.
[18] J.-W. Ho, “Sequential hypothesis testing based approach for replica cluster detection in wireless sensor networks,” Journal of Sensor and Actuator Networks, vol. 1, no. 2, pp. 153–165, 2012.
[19] A. Wald, Sequential analysis. Courier Corporation, 1973.
[20] B. Karp and H.-T. Kung, “Gpsr: Greedy perimeter stateless routing for wireless networks,” in Proceedings of the 6th annual international conference on Mobile computing and networking, pp. 243–254, ACM, 2000.
[21] “Network simulator ns-2.35.” http://www.isi.edu/nsnam/ns. Accessed: 2014-05-10.
[22] “Cc2420 data sheet.” http://www.ti.com/product/cc2420. Accessed: 2014-05-10.
[23] “Cc2431 data sheet.” www.ti.com/cn/lit/gpn/cc2431. Accessed: 2014-05-10.
[24] Y. Wang, G. Attebury, and B. Ramamurthy, “A survey of security issues in wireless sensor networks,” 2006.
[25] J. Xu, W. Liu, F. Lang, Y. Zhang, and C. Wang, “Distance measurement model based on rssi in wsn.,” Wireless Sensor Network, vol. 2, no. 8, 2010.
[26] R. E. Walpole, R. H. Myers, S. L. Myers, and K. Ye, Probability and statistics for engineers and scientists, vol. 5. Macmillan New York, 1993.
