Blackhole Attacks Mitigation with Multiple Base ... - Semantic Scholar

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2011 proceedings

BAMBi: Blackhole Attacks Mitigation with Multiple Base Stations in Wireless Sensor Networks Satyajayant Misra† , Kabi Bhattarai† , and Guoliang Xue‡

Black Hole Region

Abstract—Black hole attacks occur when an adversary captures and re-programs a set of nodes in the network to block/drop the packets they receive/generate instead of forwarding them towards the base station. As a result any information that enters the black hole region is captured. Black hole attacks are easy to constitute, and they are capable of undermining network effectiveness by partitioning the network, such that important event information do not reach the base stations. Several techniques based on secret sharing and multi-path routing have been proposed in the literature to overcome black hole attacks in the network. However, these techniques are not very effective, and as we demonstrate in this paper, they may even end up making black hole attacks more effective. We propose an efficient technique that uses multiple base stations deployed in the network to counter the impact of black holes on data transmission. Our simulation results demonstrate that our technique can achieve more than 99% packet delivery success. We prove that our scheme can identify 100% of the black hole nodes and demonstrate by simulation results that the technique suffers from very little false positives. Keywords: Wireless sensor networks, black hole, multiple base stations, security.

I. I NTRODUCTION Large scale distributed wireless sensor networks (WSNs) have become popular in both the military and civilian domains [1]. However, several fundamental problems need to be addressed in these networks, especially in the area of security [8]. Black hole attacks are one such attacks in WSNs. A black hole attack is an attack that is mounted by an external adversary on a subset of the sensor nodes (SNs) in the network. The adversary captures these nodes and re-programs them so that they do not transmit any data packets, namely the packets they generate and the packets from other SNs that they are supposed to forward. In this paper, we term these re-programmed nodes as black hole nodes and the region containing the black hole nodes as a black hole region. We use Fig. 1 to illustrate these terms. In the figure, the small circles filled in black are black hole nodes and the black hole region is represented by the dashed red circle. The techniques proposed in the literature for black hole attacks either use neighborhood interactions and message overhearing [7], [18] or secret sharing and path diversity [13], [12], [19]. Techniques based on neighborhood message interactions and overhearing work under the assumption that the SNs in the neighborhood of a black hole node are not compromised and hence can monitor and report the black hole node. However, if several SNs that are in close proximity are compromised and collude among themselves, then they can easily make neighborhood overhearing-based techniques ineffective. The † Misra and Bhattarai are with the Department of Computer Science, New Mexico State University, Las Cruces, NM 88011. Email: {misra, kbhattar}@cs.nmsu.edu. ‡ Xue is with the School of Computing, Information, and Decision Systems Engineering, Arizona State University, Tempe, AZ 85287. Email: [email protected]. This research was supported in part by ARO grant W911NF-09-1-0467 and NSF grants 0830739 and 0901451. The information reported here does not reflect the position or the policy of the federal government.

u

Fig. 1.

Base Station

Compromised SN

Non−compromised SN

Source SN

Success in data delivery may be very low with one BS.

path diversity and secret sharing based techniques, although better, are still not very effective. For instance in Fig. 1, SN u transmits data to the BS using four node disjoint paths. We note that the best path-diverse routing is based on node disjoint paths. However, despite the path diversity, because of the strategic positioning of the black hole region, none of the packets traversing the four paths reach the BS. This demonstrates that multi-path based routing can perform arbitrarily bad in the presence of black hole attacks. Motivation: The important question is, “What can we do to counteract black hole attacks?” From Fig. 1, it is easy to motivate the idea that if more than one BSs were deployed far apart in the network, then the impact of the black hole region can be reduced. We note that although packet capture by blackhole nodes is a concern, it can be countered with available cryptographic techniques, which ensure that the contents of a captured packet cannot be deciphered by an adversary. Consequently, successful delivery of data to the base station is a more important objective than data capture by the adversary, and thus is the motivation for this study. Our Contributions: In this paper, a) we demonstrate that the secret sharing multi-path based routing techniques proposed in the literature are ineffective against black hole attacks. b) We propose a novel technique BAMBi, which is based on the deployment of spatially diverse base stations in the network to mitigate black hole attacks, and prove its effectiveness. c) We show how BAMBi can be used to identify 100% of the the black hole nodes in the network, with negligible false positives. d) We demonstrate by simulation results that BAMBi can achieve greater than 99% successful packet delivery rate on an average. In Section II, we present the related work. In Section III, we present the system and threat models. Section IV presents our proposed technique, while Section V presents the simulation results. We conclude our paper in Section VI. II. R ELATED W ORK Black hole attacks have been studied in the wired networks [2], [11], agent based networks [3], [6], mobile ad hoc networks (MANETs) [4], [17], and wireless sensor networks [7], [12], [19]. Most of the techniques proposed in non-WSNs do not apply to the black hole problem in WSNs, because of the high computation and storage requirements. In this paper, due to lack of space, we only provide a detailed survey of the related work in WSNs.

978-1-61284-231-8/11/$26.00 ©2011 IEEE

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2011 proceedings

Several algorithms have been proposed to solve the sinkhole attacks and selective forwarding attacks in WSNs. We note here that in some ways the black hole attack is similar to the sinkhole and selective forwarding attacks. However, to differentiate these attacks, black hole nodes do not advertise a better route to the BSs like the sink hole nodes in sink hole attacks. In addition, the black hole nodes drop all the packets that are received by them; unlike the nodes in selective forwarding attack they do not drop packets selectively. We do not consider these attacks in this paper and point interested readers to relevant works in the literature [9], [15], [16], [20]. In [7], Karakehayov proposed a technique in which a transmitting SN performs power control to transmit a packet to more than one SNs in the direction of the BS. If an SN that is on the forwarding path does not forward a packet, then its next hop neighbor on the forwarding path will identify this event and report the SN as a black hole. This scheme is very expensive – for a network with n black hole nodes, for each original message, O(n) extra messages are required, which is very expensive. In [13], Lou et al. proposed an algorithm for MANETs that splits a message into several shared secrets and transmits the shares on multiple independent (node-disjoint) paths to the intended receiver. In [12], the same authors proposed an extension for WSNs, which addressed the combined objectives of security and reliability. In [19], Shu et al. proposed enhanced techniques based on the multi-path routing design proposed by Lou et al. in [12] and [13] to mitigate black hole attacks in the network. They consider the black hole region as illustrated by us in Section I. The best technique was called the Multicast Tree Assisted Random Propagation (MTRP). In MTRP, instead of using deterministic multi-path routes to the BS to transmit data from the SNs, Shu et al. proposed the use of randomized routes. A share is routed in the direction of the BS on a randomized path until it traverses a pre-specified number of hops to a forwarding node. Subsequently, the share is routed deterministically to the BS from the forwarding node. We compare our technique with this algorithm as it is the best in the literature. We note that schemes based on secret-sharing and (nodedisjoint) multi-path routing suffer from a couple of serious problems. Firstly, the schemes cannot handle the scenario in which a black hole region is close to the BS as illustrated in Fig. 1. Given only one BS, eventually the node-disjoint paths have to converge towards the BS. Consequently, a black hole region close (may also hold if it is far) to the BS can capture all packets with high probability. Secondly, if the black hole captures more than N − T + 1 shares, then it is impossible for the BS to reconstruct the packet. The black hole may be able to capture T or more of the N shares and hence capture the packet even as the BS is unable to reconstruct the packet. Our simulation results show that this event is highly likely. In a WSN, the requirement of successful packet delivery to the BS is more essential than the requirement of prevention of data capture by an adversary. With the use of efficient data encryption algorithms, such as AES [5], and data anonymity techniques [14], the information that an adversary can derive from captured packet(s) can be made inconsequential. Consequently, we concentrate on the objective of delivering the

packet(s) to the BS in the presence of black hole nodes. We propose a novel solution that uses the placement of multiple BSs to improve the likelihood of packets from the SNs reaching at least one BS in the network, thus ensuring high packet delivery success. Given that in a WSN a BS is a laptop class device, the idea of deploying multiple BSs is inexpensive. Use of multiple base stations have been proposed in the literature to handle the flow of large amounts of heterogeneous data from the network and several optimization techniques have been designed for query allocation and base station placement [10], [20]. However, we are the first to propose the use of multiple BSs for improving data delivery in the presence of black hole attacks. Our solution BAMBi, despite being simple, outperforms the state of the art algorithms by more than 90%. Theoretical and simulation results reinforce the effectiveness of BAMBi. III. S YSTEM AND T HREAT M ODEL The system model and assumptions for our technique are as follows. The network consists of a set of randomly deployed SNs, N = {1, . . . , n}. The network consists of a set of BSs, B = {B1 , . . . , Bm }, which are more powerful than SNs and are connected to a replenishable power source. The density of the WSN is high enough to ensure adequate connectivity so that each SN can route data packets to all the BSs in the network. The BSs are assumed to be connected to each other over a wired network. The Euclidean distance between two nodes i and j is given by dij . The maximum transmission range of the SNs is r, which corresponds to their maximum power output Pmax . To ensure symmetric communication, the BSs are assumed to have a transmission range of r when communicating with the SNs. The base stations use the TinyOS beaconing to set up routes from/to the SNs [8]. The threat model for the network is as follows. We assume that the SNs in the network can be compromised by an external adversary and programmed to analyze the packets they receive and drop them instead of forwarding them to the BSs. We refer to a compromised SN as a black hole node. The adversary is capable of compromising more than one SNs in the network, thus creating one or more black hole regions. In addition, the compromised nodes are capable of colluding with other compromised nodes in their neighborhood or in other black hole regions to analyze the captured packets. The black hole nodes follow the route set up protocol, based on TinyOS beaconing diligently, as they want to be a part of the routing trees, obtained from the TinyOS beacons, rooted at the BSs. This allows them to capture packets traveling towards the BSs and analyze them. We assume that the SNs in the black hole region do not perform their environment sensing tasks as they are compromised. An SN u shares a unique key Kui with each BS Bi ∈ B. Since the data is encrypted, analysis of the content of the data by the malicious nodes in the black hole is not possible. The malicious nodes can only perform traffic analysis of the packets they receive. Traffic analysis can be prevented by the SNs with the use of pseudonyms, generated using schemes proposed in the literature [14]. We do not address the sybil and selective forwarding attacks in this paper. We are interested in active black hole attacks

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2011 proceedings

Black Hole Region

broadcasts the beacon in its own neighborhood. This beaconing process creates a routing tree in the network rooted at Bi . As a result each SN will be part of |B| routing trees.

u

Fig. 2.

Base Station

Compromised SN

Non−compromised SN

Source SN

Data delivery success improves with multiple BSs.

where the malicious SNs in the black hole capture the packets and stop their transmission towards the BS(s). This kind of attack is more potent because a strategically positioned black hole region can effectively partition the whole network preventing a large number of SNs from reaching the BS(s). Our technique BAMBi performs resilient routing of packets in the network and helps attain a high data delivery percentage in the presence of more than one black hole regions. IV. T ECHNICAL D ESCRIPTION OF BAMB I In this section, we present the details of our technique which uses multiple BSs placed in the network to help mitigate the effect of black holes on data delivery in a WSN. We have discussed in the last section how the black hole nodes that form a part of the routing tree can severely undermine successful data delivery. We have also noted in Section II that the proposed secret splitting and multi-path routing based solutions [12], [13], [19] cannot provide adequate data delivery guarantees in the presence of black hole nodes. Under these circumstances, one of the most effective mechanisms to ensure that data still reaches the BS is to have several BSs deployed in the network. We use Fig. 2 to illustrate the effectiveness of multiple BSs. This figure is similar to Fig. 1, but instead of only one BS at the top right corner of the network, four BSs are deployed at the four corners. This is one of the many possible ways of placing a set of BSs. As can be seen from the illustration, the packets from the SN u to the BS on the top right hand corner are captured by the black hole region. However, since u can route to the other BSs, its packets can still reach the remaining three BSs. We use this concept to provide a robust solution, with very little extra computation and message exchange overheads on the SNs in the WSN. Our technique requires transmission of redundant copies of a packet from each SN, but we note that this is no different from transmitting several shares. In fact, we use much fewer redundant communications. Our technique assumes that we can place a set B of BSs in the network. The network is connected such that every SN can reach each Bi ∈ B. The SNs transmit copies of their data packet to each BS Bi ∈ B. Since the BSs are connected, if the packet from an SN reaches at least one of the BSs, then we assume that the packet is delivered successfully. To ensure that every SN has a route to it, each BS Bi uses TinyOS beaconing [8]. The beacon packet from any BS consists of: the ID of the sender of the packet, the ID of the BS from which it originated, and the hop count of the sender from the BS. BS Bi broadcasts the beacon packet with its ID as the sender ID as well as the BS ID, and hop count value of 0. Each neighbor that receives the beacon from Bi , puts its own ID as the source in the packet, increments the hop count, and

Protocol 1 Parents Identification at SN u 1: u receives beacons of the BSs in B through its neighbors. 2: for all Ni such that u receives beacon of Bi ∈ B through Ni do 3: u sets Ni as its parent to reach BS Bi . 4: end for 5: if u receives the beacons from all Bi ∈ B then 6: Create the PINFO packet, which contains the tuples (Ni , Bi ) for each Bi . 7: end if 8: Encrypt the PINFO packet using key Kui for each BS Bi ∈ B. 9: Transmit the encrypted PINFO to each corresponding Bi ∈ B. Protocol 1 presents the protocol followed by an SN u to identify its parent in each of the routing trees using the beacon messages. After receiving the beacon messages and identifying the corresponding parents, u creates the PINFO packet. The PINFO packet contains the set of tuples (Ni , Bi ) where {Bi ∈ B} and Ni is the parent of u in the routing tree rooted at Bi . The encrypted PINFO packet is transmitted to all the BSs in the network so that the chance of reaching at least one of the BSs increases. Each SN u transmits a copy of its data packet to the parent in the path to each of the BSs. The data packet to a BS Bi is encrypted with the shared key Kui . Since in the worst case, each packet from u can potentially travel through all the nodes in the network, the message complexity of the protocol is bounded by O(n2 ), which is the same for any packet transmission in the network. A. Analysis of Improvement in Data Delivery With an SN transmitting copies of a data packet to several BSs, even in the presence of black hole nodes more than one copy can reach the BSs. In fact, even if a single copy reaches one of the BSs that implies successful delivery of the packet. For this to happen, at least one of the paths from an SN to the BSs should not pass through the black hole region. Let’s calculate the probability of this event. We assume that the WSN is deployed in a square region of area A m2 , the radius of a black hole region is Rb . Given that the deployment of the n SNs is uniform and random, then the number of SNs in the black hole is nb = n · π · Rb2 /A. If we approximate the average hop count (number of intermediate SNs) of the path Pui taken by the packet from an SN u to a BS Bi as ha , then Corollary 1 gives the probability that the path from u to Bi will not contain any black hole nodes. Corollary 1: Given the uniformly random deployment of n SNs in a square region of area A, if the network contains a black hole of radius Rb , then a) the probability that the path Pui from an SN u to one of the BSs Bi does not contain any black hole node is given by 1 − pbui = 1 − n−nb b +...+ (min{nnbb ,ha })·(ha −min{n ) (n1b )·(n−n ha −1 ) b ,ha } , and b) the proban (ha ) bility that at least one path Pui from an SN u to a Bi ∈ B does

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2011 proceedings

 not contain any black hole node is given by 1 − Bi ∈B pbui , where pbui is the probability that at least one SN in the path  from SN u to the BS Bi is a black hole node. Proof: a) If the path Pui contains only one SN from the black hole, nb then this SN can be chosen from the black hole bechosen nodes in  1 ways. The remaining ha −1 nodes nb  can n−n  b b ways; the choice can be made in · in n−n ha −1 1 ha −1 ways. Similarly, we can obtain the expressions for the path containing exactly two, exactly three, . . ., and exactly min{nb , ha } SNs from the black hole. In addition, ha number of SNs can be chosen from n SNs in hna ways. Thus the probability that the path Pui contains at least one SN from the black hole is, n−nb b +...+ (n1b )·(n−n (min{nnbb ,ha })·(ha −min{n ) ha −1 ) b ,ha } pbui = . Hence the (n ) ha

probability that Pui contains no black hole nodes is 1 − pbui . b) Since each path Pui from the SN u to Bi ∈ B is independent of all the other paths, the event of each path Pui , {i|Bi ∈ B} having at least one SN from the black hole is independent of the same event for another path Puk , {k|Bk ∈ B \ Bi }. Hence the combined probability of each path having at least one black hole node is Bi ∈B pbui . Consequently, the probability that at least one of the paths Pui , where {i|B  i ∈ B} does not contain a black hole node is given by 1 − Bi ∈B pbui . To illustrate, if n = 20, nb = 5, and ha = 5, then the probability of one path from an SN to a BS not containing a black hole node is 0.2. If |B| = 4, then the probability of at least one of the four paths from an SN not containing a black hole node is 0.59. This demonstrates the advantage of transmitting copies of packets to multiple BSs in the network. We note that our probability estimate is a pessimistic one, we show in the next section that on an average the probability is very close to 1.0, when the locations of the BSs are spatially diverse. B. Identification of the Black Hole Nodes BAMBi can also be used to identify all the black hole nodes in the network. We use the PINFO message sent by each SN to the BSs for this task. Without loss of generality, let the path taken by a packet from SN u, in the routing tree rooted at Bi be given by (u, v, w, x, y, z, Bi ). Since each SN sends a PINFO packet to Bi , consequently, Bi has information about the parent of each node on the path. In fact, as the PINFO packet is sent by each SN in the network (black hole node or not) to every BS in B, each BS Bi can obtain the information about the parent of an SN along the shortest path from the SN to it. Note that since the paths from an SN to each BS are different it is highly likely that the parent of an SN along the route to each BS may be different. Using the information about the parents of the SNs in the network, when a BS Bi receives a data packet from any SN u, it can compute the route taken by the packet to reach it. For all SNs, this can be done with a one time calculation which has a worst case running time of O(n2 ), where n is the number of SNs. We use Si to denote the set of SNs identified by Bi as black hole nodes. For the black hole nodes identification procedure, initially all SNs in the network are added to the set Si . If Bi receives a data packet from SN u, then all the SNs in the path from u to Bi are removed from the set Si . This is because these SNs are involved in data forwarding and obviously cannot be black hole nodes. Each BS monitors the received packets for

Tmonitor seconds, which is a system parameter chosen based on the data frequency in the network. Even if an SN does not have any sensed data to send or forward, it periodically sends a blank data packet to the BSs to help in black hole identification. After Tmonitor seconds, all the BSs in B get |B|  together and create the global black hole set as S = Si , i=1

which are the SNs from whom none of the BSs got any data packets. This procedure is performed in the network at regular intervals of time to identify the presence of a black hole region. The protocol can be made more efficient, with the SNs sending duplicate packets to all BSs at certain time intervals, instead of all the time, which we will explore in the future. We do not deal with revocation in detail, but note that revocation of the black hole nodes can be performed by having the BSs broadcast a revocation list. We note that it is easy to prove that this procedure can identify all the black hole nodes in the network. This is because a black hole node does not transmit/forward any packet to the BSs. As a result, no black hole node is going to be a part of the path from any nonblack hole SN to a BS. Consequently, these nodes will not be removed from the set Si , where {i|Bi ∈ B}. So all the black hole nodes will be present in the set S. This proves that our scheme will be able to identify all the black hole nodes. However, our technique may result in some false positives, that is, non-black hole nodes identified as black hole nodes. This may happen when the BSs do not receive any messages from an SN which is obstructed by the black hole region(s). However, as we show in the next section, with as few as two BSs, the false positives are on an average less than 5%. V. P ERFORMANCE E VALUATION For evaluation, we perform simulation of our protocol in a realistic setting. The WSN is deployed in a square field of dimensions 100 × 100 m2 . The SNs are deployed randomly in the network, with the number of SNs being 200. The transmission range of the SNs was chosen to be 20m. For our simulation, the number of BSs deployed in the network were one, two, three, or four, with the positions being at the four corners of the square field, namely (0, 0), (100, 100), (0, 100), and (100, 0) respectively. To simulate different black hole sizes (hence number of black hole nodes), we chose 3 different radii for the black hole region, namely 20m, 30m, and 40m. To make the simulation more realistic, we considered two randomly placed black hole regions in the network. We averaged our results over 100 topologies. For a network topology, we ran our result for two different sets of random placement of the two black hole regions. For each topology, we considered 50 transmitting SNs, chosen randomly from the 200 randomly placed SNs. We compared BAMBi with the MTRP technique proposed in [19]. For the MTRP technique, we chose N = 10 and T = 6. Among other analyses, we compared the results on the basis of percentage of packets successfully delivered to the BS(s) and also the percentage of packets captured by the black hole nodes. We also study other performance aspects for our technique. Fig. 3 presents the simulation results. Fig. 3(a) illustrates the super-linear increase in the percentage of black hole nodes with an increase in the radius of the black hole region. When

This full text paper was peer reviewed at the direction of IEEE Communications Society subject matter experts for publication in the IEEE ICC 2011 proceedings

40 30 20 10 0

20

30 Black hole radius (in m)

40

80

100 80 60 MTRP 1 BS 2 BSs 3 BSs 4 BSs

40 20 0

20

30 Black hole radius (in m)

40

MTRP 1 BS 2 BSs 3 BSs 4 BSs

60 40 20 0

30

Avg. false positives %

% of total nodes

Avg. % of black hole nodes 50

Avg. failure %

Avg. successful delivery %

60

1 BS 2 BSs 3 BSs 4 BSs

25 20 15 10 5 0

20

30 Black hole radius (in m)

40

20

30 Black hole radius (in m)

40

(a) Black hole nodes % (b) Packet Delivery Success % (c) Packet delivery Failure % (d) False Positives % Fig. 3. Results: #SNs = 200, |B| = {1, 2, 3, 4}; 2 black hole regions with radius chosen from ∈ {20m, 30m, 40m}; and r = 20m.

the radius of the black hole region was 20m, the percentage of nodes in black hole region was around 20% of the total nodes, when the radius was 30m it was around 35%, and when the radius was 40m it was around 50%. This implies that a linear increase in the black hole region radius may result in a disproportionate decrease in the probability of successful packet delivery. Fig. 3(b) illustrates the percentage of packets successfully delivered in the network for our technique with one, two, three, or four BSs and MTRP. The MTRP technique performs worse than our technique with one BS. This can be attributed to the capture of at least N − T + 1 shares of a data packet by the black hole nodes, belonging to the two black hole regions, resulting in the failure of data delivery. As expected, the success rate falls, in general, with an increase in the radius of the black hole region. Despite the presence of two large black holes in the network, with four BSs greater than 99% of the data is delivered successfully by our technique. Fig. 3(c) illustrates the failure percentage of the transmitted packets, with the same set-up as above for BAMBi and MTRP. As expected, with an increase in the radius of the black hole region, the failure percentage for MTRP increases. Note that the failure in MTRP, implies that the BS is unable to receive 6 or more shares corresponding to a packet. And in our technique, if a packet does not reach any BS we count it as a failure. With three or more BSs, the failure percentage in our technique is always lower than 7%, whereas, with MTRP the failure percentage could be more than 60%. Results showed that BAMBi identifies all the black hole nodes in the network without fail. This is expected as per the discussion in Section IV-B. So, BAMBi can be used to identify the black hole nodes and these nodes can be revoked or replaced. An important aspect of the study is percentage of false positives. Fig. 3(d) illustrates the false positives in our technique. With one BS the false positive values are high, because a large number of non-black hole nodes that are unable to reach the BS, due to disruption by the black hole nodes, are in turn identified as black hole nodes. The false positives value reduces drastically with two or more BSs, to the point where it is less than 0.5% for the case with 4 BSs. The results demonstrate the effectiveness of our technique in both delivering data to the BSs with high probability as well identifying all the black hole nodes with very little false positives. VI. C ONCLUSIONS AND F UTURE W ORK In this paper, we propose BAMBi, a technique to effectively mitigate the adverse effects of black hole attacks on WSNs. BAMBi is based on the deployment of multiple base stations in the network and routing of copies of data packets to these base stations. Our solution is highly effective and requires very little computation and message exchanges in the network, thus saving the energy of the SNs. In the future, we wish to identify

the optimal number of BSs and their positions and improve the message complexity of the protocol. R EFERENCES [1] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci. Wireless sensor networks: A survey. Computer Networks, 38(4):393–422, 2002. [2] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A distributed blackhole monitoring system. In Proceedings of the 12th ISOC Symposium on Network and Distributed Systems Security (SNDSS), pages 167–179, 2005. [3] C. Cooper, R. Klasing, and T. Radzik. Searching for black-hole faults in a network using multiple agents. Lecture Notes in Computer Science, 4305:318–330, 2006. [4] H. Deng, W. Li, and D. Agrawal. Routing security in wireless ad hoc networks. IEEE Communications Magazine, 40(10):70–75, 2002. [5] S. Didla, A. Ault, and S. Bagchi. Optimizing aes for embedded devices and wireless sensor networks. In Proceedings of the 4th International Conference on Testbeds and research infrastructures for the development of networks & communities (Trident), pages 1–10, 2008. [6] S. Dobrev, P. Flocchini, and N. Santoro. Improved bounds for optimal black hole search with a network map. Lecture notes in computer science, pages 111–122, 2004. [7] Z. Karakehayov. Using REWARD to detect team black-hole attacks in wireless sensor networks. In ACM Workshop on Real-World Wireless Sensor Networks, 2005. [8] C. Karlof and D. Wagner. Secure routing in wireless sensor networks: Attacks and countermeasures. Elsevier’s Ad Hoc Networks Journal, Special Issue on Sensor Network Applications and Protocols, 1(2– 3):293–315, September 2003. [9] I. Khalil, S. Bagchi, and C. Nina-Rotaru. DICAS: Detection, diagnosis and isolation of control attacks in sensor networks. In Proceedings of IEEE SECURECOMM, pages 89–100, 2005. [10] S. Kim, J.-G. Ko, J. Yoon, and H. Lee. Multiple-objective metric for placing multiple base stations in wireless sensor networks. In Proceedings of the International Symposium on Wireless Pervasive Computing, pages 627–631, February 2007. [11] R. Kompella, J. Yates, A. Greenberg, and A. Snoeren. Detection and localization of network black holes. In Proceedings of IEEE INFOCOM, pages 2180–2188, 2007. [12] W. Lou and Y. Kwon. H-SPREAD: A hybrid multipath scheme for secure and reliable data collection in wireless sensor networks. IEEE Transactions on Vehicular Technology, 55(4):1320–1330, 2006. [13] W. Lou, W. Liu, Y. Zhang, and Y. Fang. SPREAD: Enhancing data confidentiality in mobile ad hoc networks. In IEEE INFOCOM, volume 4, pages 2404–2413, 2004. [14] S. Misra and G. Xue. Efficient anonymity schemes for clustered wireless sensor networks. Intl. Journal of Sensor Networks, 1(1):50–63, 2006. [15] H. Al Nahas, J. Deogun, and E. Manley. Proactive mitigation of impact of wormholes and sinkholes on routing security in energy-efficient wireless sensor networks. Wireless Networks, 15(4):431–441, 2009. [16] E. Ngai, J. Liu, and M. Lyu. An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks. Computer Communications, pages 2353–2364, 2007. [17] S. Ramaswamy, H. Fu, M. Sreekantaradhya, J. Dixon, and E. Kendall. Prevention of cooperative black hole attack in wireless ad hoc networks. In Proceedings of the Intl. Conf. on Wireless Networks, 2003. [18] S. Roy, S. Singh, S. Choudhary, and N. Debnath. Countering sinkhole and black hole attacks on sensor networks using dynamic trust management. In IEEE Symposium on Computers and Communications, pages 537–542, 2008. [19] T. Shu, S. Liu, and M. Krunz. Secure data collection in wireless sensor networks using randomized dispersive routes. In IEEE INFOCOM, pages 2846–2850, 2009. [20] B. Xiao, B. Yu, and C. Gao. CHEMAS:Identify suspect nodes in selective forwarding attacks. Journal of Parallel and Distributed Computing, pages 1218–1230, 2007.