Distributed monitoring for misbehaviour detection in ...

SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks (2012) Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.624

SPECIAL ISSUE PAPER

Distributed monitoring for misbehaviour detection in wireless sensor networks

Khelifa Benahmed1*, Madjid Merabti1 and Hafid Haffaf2

1 School of Computing & Mathematical Sciences, Liverpool John Moores University, Liverpool, U.K.
2 University of Es-Sénia Oran, Oran, Algeria

ABSTRACT

Wireless sensor networks (WSNs) often consist of tiny devices and offer a variety of potential means to monitor the environment. However, WSNs are vulnerable to several types of attack because of their use in critical applications, their deployment in open and unprotected environments and their limited system resources. Therefore, security design is an important aspect of WSNs. In this work, we focus on detecting misbehaving nodes in WSNs. To the best of our knowledge, we are the first to present a complete and formal study on finding optimised monitor nodes and combining the organisation of the network with monitoring for misbehaviour detection in WSNs. The main idea of this work is to propose a simple and efficient distributed monitoring algorithm capable of detecting misbehaviours based on a clustered architecture, where the cluster head is elected according to a new set of metrics. These new election metrics are based on a multiple-criteria decision approach in order to monitor the health status of cluster members and detect misbehaviour. Our proposed strategy ensures a good selection of the nodes responsible for monitoring, reduces energy consumption during the monitoring process—effectively reducing the amount of security information that flows through the network—and reduces latency. The efficiency of our method is evaluated through simulation experiments. Copyright © 2012 John Wiley & Sons, Ltd.

KEYWORDS
misbehaviour anomaly detection; wireless sensor network; security attacks; distributed monitoring

*Correspondence
Khelifa Benahmed, School of Computing & Mathematical Sciences, Liverpool John Moores University, Liverpool, U.K. E-mail: [email protected]

1. INTRODUCTION

Wireless sensor networks (WSNs) are dense in nature, typically composed of small, low-cost sensor nodes with limited resources (battery, bandwidth, processor and memory), which collect and disseminate environmental data. The characteristics of such networks, such as fault tolerance, self-organisation, high-fidelity detection and rapid deployment, have created many new applications for these networks in a variety of fields such as environmental monitoring, military purposes, industrial quality control and intelligent buildings [1]. However, the open nature of wireless communication, the lack of infrastructure, deployment in hostile environments where nodes are highly exposed to physical vandalism and the reliance on cooperation for the transmission of data make them highly vulnerable to a wide range of attacks [2–4]. Conventional techniques for providing security, such as encryption mechanisms, cannot prevent these attacks because many of them, such as wormhole and rushing attacks, can be launched without violating any cryptographic mechanisms.

To address these attacks, many researchers have used the concept of centralised monitoring, where a control centre is responsible for monitoring all network nodes (such as a base station, central controller or manager and sink) [5]. Other researchers have used a decentralised approach to monitor network nodes, with fault detection through the coordination of neighbouring nodes [6–9] or the use of watchdogs to detect misbehaviour in neighbours [10]. Other research uses local monitoring between neighbouring nodes [11,12].

In the literature, no research has thought to use a monitoring mechanism using a cluster-based architecture. We use an optimisation technique to improve the cluster head (CH) selection process, then each cluster member node (ME) performs a periodic calculation of the metrics necessary for making local decisions at the CH level. At each change of its state, an ME sends its report to the CH. Then, the base station aggregates the results received from different CHs and begins global and centralised monitoring of network statuses, which can detect abnormalities that require global information.

The main goal of our work consists of proposing a mechanism that assures the distributed monitoring of a WSN for security reasons. This mechanism uses a cluster-based architecture, as well as a new set of metrics and rules for diagnosing the state of the sensors. The advantages of this solution are that it reduces the flow of communication and provides a stable surveillance environment.

Designing monitoring mechanisms for sensor networks poses further challenges. The most important challenge is that sensors need to self-organise themselves into a distributed monitoring architecture. Therefore, distributed monitoring is a challenging issue, and we are faced with an NP-complete problem [13] that will become unmanageable as the network grows. We further propose two distributed polynomial algorithms with a provable approximation ratio to address this issue. Through comprehensive simulations, we evaluate the effectiveness of our strategy.

The remainder of this paper is organised as follows. Section 2 summarises security in sensor networks. In Section 3, the related work on the security problem is discussed. The details of our approach are described in Section 4. In Section 5, we evaluate our distributed approach, and in Section 6, we present conclusions and potential future areas of research.

2. SECURITY IN WIRELESS SENSOR NETWORK

The wireless nature and inherent features of WSNs make them vulnerable to a wide variety of attacks by misbehaving nodes. For securing WSNs, it is necessary to address the potential attacks on such networks, which can be classified as either passive attacks or active attacks [14–21]. Figure 1 shows a classification of attacks on WSNs.

Passive attackers do not disrupt service; in these attacks, the attacker only listens to traffic that it can intercept and attempts to be as ‘invisible’ as possible. The attacker does not do anything active in the sense of attracting traffic to itself through the network. Eavesdropping and monitoring of transmissions are good examples of passive attacks.

In contrast, active attackers alter data, obscuring the operation or cutting off nodes from their neighbours. An active attacker must be able to inject packets into the network. Good examples of active attacks include injecting false routing information into the communications in order to partition the network, routing interesting traffic through the attacker, jamming the transmissions of wireless signals, destroying the hardware at certain nodes, injecting false routing information or injecting false monitoring information into the network. In essence, WSNs need protection in order to make attacks more difficult to carry out [14].

In our current work, we focus only on the misbehaviour of malicious nodes and not on the nature of the attacks. Two types of misbehaving nodes, namely selfish and malicious nodes, participate in WSNs [4]. These two types can cause real security threats such as the loss of certain critical packets. For example, a selfish node may conduct a packet-dropping attack: it does not participate in the routing process and does not forward other nodes' traffic, in order to save energy, whereas a malicious node might cause a denial-of-service attack.

Most of the solutions presented later as related work are based on a monitoring mechanism and a system for intrusion detection. There are, generally, two types of intrusion detection techniques [22]: misuse detection and anomaly detection. Misuse detection works by using traces or patterns of known attacks. The disadvantage of this technique is its inability to detect unknown attacks. Anomaly detection, on the other hand, uses a model of the normal behaviour of a sensor node and flags significant deviations from this model as potentially malicious. The strength of anomaly detection is its ability to detect previously unknown misbehaviours.

Figure 1. Wireless sensor network (WSN) attack classification.


The technique proposed in this paper uses anomaly detection models: the behaviour of sensor nodes is monitored, and anything that deviates significantly from normal behaviour is flagged as an anomaly.

3. RELATED WORK

We have shown that WSNs are vulnerable to various types of attacks. In recent years there have been several proposals to solve this by using cryptography, such as SPINS [23], to ensure secure communication. However, cryptography alone is not enough to prevent node compromise attacks and novel misbehaviours in WSNs [24].

Khalil et al. [25] proposed a protocol called DICAS, which uses local monitoring and mitigates the attacks against control traffic by detecting, diagnosing and isolating the malicious nodes. In LITEWORP [26], the authors proposed a countermeasure, which uses local monitoring of control traffic to detect nodes involved in the wormhole attack. Neighbour Watch [27] is used as a component to monitor neighbourhoods and collect information to build trust relationships among nodes in the network. For intrusion detection systems, local monitoring is used to build decentralised protocols [28,29]. Khalil et al. [30] proposed an on-demand sleep–wake protocol to shorten the time that a node needs to be awake for the purpose of monitoring. However, they still did not consider the optimised selection of monitoring nodes in the network.

Hsin et al. [31] proposed a self-monitoring mechanism that pays more attention to the system-level fault diagnosis of the network, especially for detecting node failures. However, they did not deal with malicious behaviours. Ramachandran et al. [32] presented DAMON, a distributed system for monitoring multihop mobile networks. Zhao et al. [33] proposed to scan the residual energy and monitor parameter aggregates, including link loss rate and packet count. This information is collected locally at each node and transmitted back to the sink for analysis. Ramanathan et al. [34] proposed the Sympathy tool to actively collect runtime statuses from sensor nodes, including routing tables and flow information, and to detect possible faults by analysing these node statuses together with observed network exceptions.

Huang and Lee [35] presented an intrusion detection system model for ad hoc networks following the behavioural paradigm. The intrusion detection system is decentralised, and detection is made by clusters. A technique to safely elect the responsible node for monitoring each cycle is also developed. Marti et al. [36] used a watchdog technique or local monitoring for ad hoc networks in order to improve the detection of mischievous nodes and used a technique called path rater to help routing protocols to avoid them. In this work, the monitor node watches its neighbours to know what each one of them does with the messages it receives from another neighbour. If the neighbour of the monitor node changes, delays, replicates or simply keeps a message that should be retransmitted, the monitor counts a failure. This technique is also used to detect other types of attack. However, it can be efficient because the watchdog needs more memory.

None of these previous works has sought to give more importance to the election criteria of nodes responsible for monitoring the network. In addition, the audit data used in monitoring and detecting abnormal behaviour in the network include the flow of traffic, but nobody has taken into account the resources consumed by a sensor node as an index for screening abnormalities.

The highlight of our work is summarised in a comprehensive strategy for monitoring the network, in order to detect and remove misbehaving nodes. Our work, therefore, focuses on a strategy of distributed resolution at the algorithmic level, that is to say, an implementation of the distributed algorithm throughout the network, in which each sensor is involved through local pretreatment.

4. OUR APPROACH

Network monitoring is an interesting approach that involves collecting the required information in order to analyse the behaviour of a network. Monitoring in WSNs can be local with respect to a node or global with respect to the network, but in sensor networks, local monitoring is insufficient for detecting some types of errors and security anomalies. For this reason, in this paper, we adopt a hybrid approach, that is, global monitoring based on distributed local monitoring.

In general, the existing failure detection approaches in WSNs are classified into two types: centralised and distributed approaches. In our case, the observers are the network nodes themselves, and they all perform a collaborative observation action. First, each node collects its security metrics (e.g. local traffic traces and resource consumption) and sends them to the local observer. We assume here that all the nodes have the collector and analyser program running in their systems.

4.1. System architecture

Our system consists of several coordinating components, namely a large number of sensing nodes, several monitoring nodes and a base station, likely connected to a wider infrastructure. The general architecture of our approach is illustrated in Figure 2.

Figure 2. System architecture.

Sensing nodes: Sensing nodes sense and relay real-life measurements toward the networks.

Monitoring nodes: Monitoring nodes (CHs) have processing and communication capabilities. Each monitoring node covers a portion of the network topology (a cluster).

Base station: The main role of the base station is to perform filtering and correlation of alerts and information sent by different monitors (the CHs).

Calculation of security metrics: This operation is carried out at each ME in the cluster. After each epoch of time, the node performs a calculation based on a set of security metrics to assess its health status. These include level of energy consumption, level of memory usage, the number of incoming and outgoing packets during a time interval and the number of dropped packets. A calculated indicator value of security is then sent to the CH for analysis.

Local monitoring: A CH manages various functions. It performs local monitoring of the results obtained from the MEs of its cluster through the reception and emission of the messages but does not manage the function of capturing events. The CH is suitable for making decisions because it has both network-level information and host-based information for all of its nodes. The CH then sends the results to the base station for more global analysis; this strategy reduces the number of alerts going up toward the base station.

Global monitoring: The global observer receives local traces collected by the local observers (the CHs) in order to analyse them. The first step toward performing this analysis is to correlate the traces and order them chronologically. The global observer then performs the following tasks:
• filtering of collected alerts and keeping only the relevant information;
• monitoring by the CHs; and
• alert correlation and the construction of a unique global trace file.

4.2. Distributed approach based clustering architecture

Clustering facilitates the distribution of control over the network, saves energy and reduces network contention by enabling locality of communication. In our case, sensor networks are divided into clusters. The reorganisation of the clusters will be made for security reasons, where each CH monitors the MEs of its cluster, which also facilitates the raising of alerts and reduces latency problems. We propose a clustering algorithm that makes decisions based on one-hop neighbourhood information. These clusters are generated automatically on demand after a reaction to topology changes because of problems such as attacks, malfunctions or redeployment of sensor nodes.

Every cluster is assigned a CH by election using a set of metrics. We opted for the election of a CH according to new metrics based on a multiple-criteria approach. The criteria are as follows: the density (the degree of connectivity of each node), the energy (the level of residual energy in each node), the distance between nodes in the cluster, the behaviour level of each node and the index of mobility. Each node first calculates its metrics locally, then evaluates a function of weight according to these metrics (each node is limited to the closest neighbours), and then diffuses the value of this function to its neighbours. The CH of each cluster is then elected on the basis of these results.

Three constraints must be respected. First, each cluster has one CH that dominates all other members in the cluster, and two CHs cannot be neighbours. Second, if a node is within range of two CHs, it must belong to the nearest cluster (by using a parameter of distance). Finally, if a node is completely isolated, it automatically becomes a CH.

4.2.1. Clustering algorithm metric

In this section, we describe the metric used in our algorithm for cluster formation. Then we present its election protocol and update policy. The update policy is called locally after mobility or the addition of new nodes to the network. To decide how suitable a node is for being a CH to offer security services, we consider the following characteristics.

The node behaviour level B(i,t): Nodes with a behaviour level less than a threshold behaviour will not be accepted as CH candidates even if they have the other interesting characteristics such as high energy, high degree of connectivity or low mobility. Initially, each node is assigned an equal static behaviour level B = 1. However, this level can be decreased by the anomaly detection algorithm if a node is misbehaving. For computing the behaviour level of each node, Figure 3 presents the classification of the behaviour values.


Figure 3. Behaviour level, B ∈ [0,1].

The details can be summarised as in formula (1).

$$
\begin{cases}
\text{Normal node}: & 0.8 \le B \le 1 \\
\text{Abnormal node}: & 0.5 \le B < 0.8 \\
\text{Suspect node}: & 0.3 \le B < 0.5 \\
\text{Malicious node}: & 0 \le B < 0.3
\end{cases} \tag{1}
$$

We have proposed the values of formula (1) on the basis of several research models of reputation and trust in WSNs, as in Shaikh et al. [37]. We have performed testing through simulation as will be seen later (see, for example, Figure 12, which confirms our tests).

The node mobility M(i,t): Mobility is one of the most important challenges for WSNs, and it is the main factor likely to cause a change in the network topology. A good candidate for CH election should have low speed, because when a CH moves fast, the nodes within its cluster are likely to move out of range and be forced to join another existing cluster, thus reducing the stability of the network. We aim to have stable clusters, so we should elect nodes with low relative mobility as CHs. To characterise the instantaneous nodal mobility, we use a simple heuristic mechanism [38,39], where each node i estimates its relative mobility index $M_i$ by implementing the following procedure: compute the running average of the speed for every node i until current time T. This gives a measure of mobility and is denoted by $M_i$, as follows:

$$M_i = \frac{1}{T}\sum_{t=1}^{T}\sqrt{(x_t - x_{t-1})^2 + (y_t - y_{t-1})^2} \tag{2}$$

where $(x_t, y_t)$ and $(x_{t-1}, y_{t-1})$ are the coordinates of the node i at time t and (t − 1), respectively.

The distance to neighbours D(i,t): It is better to elect a node with the nearest members as a CH [40,41]. This is likely to reduce node detachments and enhance cluster stability. For each node i, we compute the sum of the distances $D_i$ with all its neighbours j, as follows:

$$D_i = \sum_{j \in N(i)} \{dist(i,j)\} \tag{3}$$

The node remaining energy E(i,t): We aim to elect nodes with high remaining battery power as CHs. Therefore, the transmission cost to transfer a k-bit message to a distance d is given by Equation (4) [42]:

$$E_{Tx}(k,d) = kE_{elec} + kE_{amp}d^2 \tag{4}$$

where $E_{amp}$ is the required amplifier energy. Similarly, the receiving cost is given by Equation (5):

$$E_{Rx}(k) = kE_{elec} \tag{5}$$

The node connectivity degree C(i,t): Suppose N(i) is the set of all the neighbours of a node i, where a neighbour is a node for which its distance from node i falls within the transmission radius $tx_{range}$, given by Equation (6):

$$N(i) = \bigcup_{j \in V,\, j \ne i} \{\, j \mid dist(i,j) < tx_{range} \,\} \tag{6}$$

The set of neighbours for a node i defines the node’s degree $C_i$ [6]. This is given by Equation (7):

$$C_i = |N(i)| \tag{7}$$

Finally, we should elect nodes with very high connectivity as CHs, provided the other criteria are satisfied.

The node weight $P_i$: Each node $S_i$ computes its weight $P_i$ according to a weighted sum decision model, given by Equation (8):

$$P_i = w_1B_i + w_2Er_i + w_3M_i + w_4C_i + w_5D_i \tag{8}$$

where w1, w2, w3, w4 and w5 are the weighting factors for the corresponding system parameters. The weights considered are w1 = 4, w2 = 3, w3 = 1, w4 = 1 and w5 = 1. Note that these weighting factors reflect the relative importance of B, Er, M, C and D, respectively, such that w1 + w2 + w3 + w4 + w5 = 10. Usually, they are determined by experience. In the literature, the summation of these factors is equal to 1, but in our case, we have taken the summation equal to 10 in order to facilitate the calculation of the weight P of each sensor node. Because our goal is to monitor sensors, we have taken high coefficients for the behaviour Bi and the remaining energy Eri. This weighting focusses on creating as few CHs as possible to cover the space, with each CH running at high efficiency.

4.2.2. Proposed methodology

Our goal is to detect malicious activities in the network caused by attacks or failure of nodes. We will offer primarily an organisation of a cluster network, where the CH of each cluster is responsible for monitoring the MEs of its cluster. Subsequently, we propose a system for detecting anomalies based on a distributed approach.

4.2.3. Assumptions

A node in a WSN can be in one of two possible states: an ME or a CH. Initially, every node is in the ME state. It initiates an election and may become a CH node if it does not have a link to any other CH node; otherwise, it remains as an ME. The following assumptions are taken in order to design the proposed algorithms:
• A node interacts with its one-hop neighbours directly and with other nodes via intermediate nodes using multi-hop packet forwarding based on a routing protocol such as ad hoc on-demand distance vector [43].


• Every sensor node i has a unique identity Idi in the network.
• Nodes are randomly deployed and dynamic.
• Each cluster is monitored by only one CH.
• Each ME communicates directly with its CH for the transmission of security metrics.
• A CH communicates directly with the base station for the transmission of security information and alerts.

4.2.4. Algorithms

The cluster formation algorithm that we present next is based on ideas proposed by Elhdhili et al. [44] and Chatterjee et al. [41,44], with modifications made for our application.

Algorithm 1: Cluster Formation

Step 1:
• Each node Si broadcasts a Hello message periodically to discover its one-hop neighbours.
• Each node Si computes its metrics: C(i,t), B(i,t), M(i,t), Er(i,t) and D(i,t).
• Each node Si computes its weight according to Equation (8), stores its weight Pi in a list LPi = {Idi, Pi} and broadcasts its Idi and its weight value Pi to all its one-hop neighbours.

Step 2: For the case of normal nodes with a behaviour level B such that (0.8 ≤ B ≤ 1):
• The weight Pi of each node Si is compared with the weights in a list LPi. If it has the greatest weight Pi and its behaviour level is greater than the threshold B-min = 0.8, then it proclaims itself as a CH, broadcasts a role message CHMSG to its one-hop neighbours to confirm its role as a CH and launches a timer T. Otherwise, Si broadcasts a role message MEMSG to its one-hop neighbours to confirm its role as an ME and attaches itself to the CH that has the greatest weight.
• If the nodes have the same maximum weight, the CH is the one that has the best criteria ordered by their importance (B, Er, M, C and D). If all criteria of nodes are equal, the choice is random.
• If among the neighbours of a node Si, we have a node u that has the maximum weight and belongs to another cluster node v, we choose the node v that has the next highest weight (Pv ≤ Pu) and so on.
• If the node has no one-hop neighbour as a CH or the CHMSG messages were lost (meaning that it is either an isolated node or the messages were lost during transmission), it declares itself as a CH.

Step 3: For the case of abnormal nodes with a behaviour level B such that (0.5 ≤ B < 0.8):
• If a node Si, with a behaviour level less than the threshold B-min = 0.8 but greater than the threshold B-critical = 0.5, receives at least one declaration CHMSG before the end of the timer T, it chooses the greatest weight CH and broadcasts a role message MEMSG to its one-hop neighbours to confirm its role as an ME and attaches itself to that CH.
• If a node Si is connected to CHu and CHv, then Si belongs to the CH that has the maximum weight between CHu and CHv. If we have nodes that have the same maximum weight, the CH is the one that has the best criteria ordered by their importance (B, Er, M, C and D). If all of the criteria are equal between the nodes, the choice is random.
• If the node Si is connected to only one member, it will become a CH.
• If the node has no one-hop neighbours as a CH or the CHMSG messages were lost (meaning that it is either an isolated node or the messages were lost in transmission), it declares itself as a CH.

Step 4: Each CHi sends a message ‘Start monitoring’ to its members (meaning that the algorithm for misbehaviour detection has been started).

Update algorithm for cluster formation

There are five situations that require the maintenance of clusters.
• adding, deleting or moving a node;
• battery depletion of a node; and
• the node has a behaviour level less than or equal to 0.3.

In all of these cases, if a node Si is a CH, then the clustering will be repeated.

In the following example illustrated by Figures 4, 5 and 6, we will explain the performance of our cluster formation algorithm. The nodes in Figure 4 are represented by circles containing their identity Ids at the top and the levels of behaviour at the bottom. Table I shows the values of the different criteria for the nodes that have behaviour B > 0.8. Table II shows the weights P of neighbours for each node that have behaviour B > 0.8. According to this table, node 1 has a choice between CH9 and CH2 (they have the same weight), but the behaviour level of node 9 is greater than that of node 2 (B9 > B2), so node 1 will be attached to CH9.

Figure 4. Topology of the network.


For the other nodes, we have various conditions. Node 2 declares itself as a CH. Node 6 will be attached to CH2. Node 7 is connected to CH6, but node 6 is attached to CH2; thus, node 7 declares itself as a CH. Node 9 declares itself as a CH. Node 11 will be attached to CH2. Node 13 declares itself as a CH, because it is an isolated node. These results give us the representation shown in Figure 5. Node 3 is connected to CH2, which implies that node 3 will be attached to CH2. Node 4 is connected to CH2, and node 4 will be attached to CH2. Node 5 is not connected to any CH, so node 5 declares itself as a CH. Node 8 is connected to CH2 and CH7. Node 8 will be attached to CH2, because CH2 has the maximum weight (14317.68 > 12510). Node 10 is connected to CH9, and then node 10 will be attached to CH9. Node 12 is not connected to any CH, which implies that node 12 declares itself as a CH.
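The weight of Equation (8) and the tie-break between equal-weight candidates used in the example above can be checked in code. The following Python code is an added example, not the authors' implementation: the metric values are rows taken from Table I, while the coordinates, the reduced local view of node 1, the direction of the M and D tie-breaks (lower is better) and the lowest-id fallback in place of the random choice are assumptions.

```python
from dataclasses import dataclass
from math import dist

WEIGHTS = (4, 3, 1, 1, 1)   # w1..w5 for B, Er, M, C, D, as given in the paper
B_MIN = 0.8                 # behaviour threshold for CH candidates


def mobility_index(track):
    """Eq. (2): mean displacement per time step over (x, y) samples t = 0..T."""
    steps = [dist(a, b) for a, b in zip(track, track[1:])]
    return sum(steps) / len(steps)


def neighbours(positions, i, tx_range):
    """Eq. (6): ids of nodes j != i with dist(i, j) < tx_range."""
    return {j for j, p in positions.items()
            if j != i and dist(positions[i], p) < tx_range}


def distance_sum(positions, i, nbrs):
    """Eq. (3): sum of the distances from node i to each of its neighbours."""
    return sum(dist(positions[i], positions[j]) for j in nbrs)


@dataclass(frozen=True)
class Metrics:
    node_id: int
    B: float    # behaviour level
    Er: float   # remaining energy
    C: int      # connectivity degree, Eq. (7)
    D: float    # distance to neighbours
    M: float    # mobility index

    def weight(self):
        """Eq. (8): weighted sum P_i."""
        w1, w2, w3, w4, w5 = WEIGHTS
        return (w1 * self.B + w2 * self.Er + w3 * self.M
                + w4 * self.C + w5 * self.D)


def rank_key(m):
    # Weights are compared at the two-decimal precision used in Table I.
    # Ties fall back to the criteria in the paper's order (B, Er, M, C, D).
    # ASSUMPTION: lower M and lower D count as "better"; the final
    # lowest-id rule stands in for the paper's random choice.
    return (round(m.weight(), 2), m.B, m.Er, -m.M, m.C, -m.D, -m.node_id)


def elect(local_view):
    """Return the id of the CH a node picks from its own local view
    (itself plus the one-hop neighbours whose weights it received)."""
    eligible = [m for m in local_view if m.B >= B_MIN]
    return max(eligible, key=rank_key).node_id if eligible else None


# Rows of Table I (Sensor Id, B, Er, C, D, M).
TABLE_I = {
    1: Metrics(1, 0.88, 3661.86, 4, 1.10, 1.33),
    2: Metrics(2, 0.81, 4813.84, 6, 1.58, 0.10),
    9: Metrics(9, 0.92, 4814.52, 2, 0.70, 2.50),
}

# Constructed coordinates, used only to exercise Eq. (3), (6) and (7).
POSITIONS = {"a": (0.0, 0.0), "b": (3.0, 4.0), "c": (0.0, 6.0), "d": (20.0, 0.0)}

if __name__ == "__main__":
    for m in TABLE_I.values():
        print(m.node_id, round(m.weight(), 2))
    # Node 1 sees two candidates with equal weight; behaviour decides.
    print("node 1 attaches to CH", elect(TABLE_I.values()))
    nbrs = neighbours(POSITIONS, "a", tx_range=10.0)
    print(sorted(nbrs), len(nbrs), distance_sum(POSITIONS, "a", nbrs))
```
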

At the end of the cluster formation example, we obtain a network of six clusters (as shown in Figure 6).

Figure 5. Identification of cluster nodes.

Figure 6. The final identification of clusters.

Algorithm 2: Misbehaviour Detection Algorithm

Step 1: This step runs in each CHi: Each CHi becomes the monitor node of its cluster members and broadcasts a ‘Start monitoring’ message with its Idi to all its cluster MEs.

Step 2: Calculation of security metrics, performed by each member Sj of the cluster i. Each node Sj (i ≠ j) receives the message ‘Start monitoring’ and calculates its security metrics as follows.

Number of packets sent by node Sj at time interval Δt = [t0, t]: NpS(Sj, Δt).

Number of packets received by node j at time interval Δt = [t0, t]: NpR(Sj, Δt).

Delay between the arrival of two consecutive packets: Let $APT_i$ be the arrival time of packet number i and $APT_{i-1}$ the arrival time of packet number i − 1. The packet delay is given by the following equation:

$$DbP(S_j, t) = APT_i - APT_{i-1} \tag{9}$$

Energy consumption: The energy consumed by the node j in receiving and sending packets is measured using the following equation:

$$Ec(S_j, \Delta t) = Er(S_j, t_0) - Er(S_j, t) \tag{10}$$

where Δt is the time interval, Δt = [t0, t]; Er(Sj, t0) is the residual energy of node Sj at time t0; Er(Sj, t) is the residual energy of node Sj at time t; and Ec(Sj, Δt) is the energy consumption of node Sj at time interval Δt.

Table I. Computing of the various criteria of nodes.

| Sensor Id | B | Er | C | D | M | P |
|---|---|---|---|---|---|---|
| 1 | 0.88 | 3661.86 | 4 | 1.10 | 1.33 | 10995.52 |
| 2 | 0.81 | 4813.84 | 6 | 1.58 | 0.10 | 14452.44 |
| 6 | 0.98 | 4053.83 | 4 | 0.80 | 0.20 | 13351.92 |
| 7 | 0.86 | 4053.83 | 2 | 2.12 | 0.40 | 12169.44 |
| 9 | 0.92 | 4814.52 | 2 | 0.70 | 2.50 | 14452.44 |
| 11 | 0.97 | 4569.00 | 4 | 1.10 | 0.85 | 13716.83 |
| 12 | 0.89 | 4200.00 | 0 | 0.00 | 0.66 | 12604.22 |

Step 3: Sending all metrics to the CH.
• After each computation of the security metrics, the state of a node Sj at time t is denoted as State(Sj, ti). For economy of storage volume, each node keeps only the latest state calculation.
• In the initial deployment, each ME in cluster i sends some states (State(Sj, ti)) to the CHi for making a normal behaviour model of node Sj by using a learning mechanism. Each state contains the following information: (Idj, NpS(Sj, Δt), NpR(Sj, Δt), DbP(Sj, t), Ec(Sj, Δt)).
• If State(Sj, ti) − State(Sj, ti−1) ≠ e with e as a given threshold, then node Sj sends a message MsgMet = {Idj, NpS(Sj, Δt), NpR(Sj, Δt), DbP(Sj, t), Ec(Sj, Δt)} to its CHi for monitoring purposes. Otherwise, no information is sent to the CH.
• The message received by CHi will be stored in a table TMet for future analysis.
• If a sensor node Sj does not respond during this monitoring period, it will be considered as misbehaving. The behaviour level of sensor node Sj is computed using the following equation:


Table II. Weights of neighbours.

1 2 6 7 9 11

1

2

6

10995.52 10995.52

14452.44 14452.44 14452.44

7

9

11

12

14452.44 13351.92 13351.92 13351.92

12169.44 12169.44

10995.52

14452.44 14452.44

13716.83 12604.22

$$B(S_j) = B(S_j) - \text{rate} \qquad (11)$$

The rate is fixed on the basis of the nature of the application, for example, whether it is fault tolerant or not. In our case, we take rate = 0.1.

Step 4: Misbehaviour detection, which is performed by CHi.
• For each node Sj in the cluster i, the state in time slot t is expressed by the three-dimensional vector x = (xt1, xt2, xt3). Here, xt1 is the number of packets dropped by Sj.

$$\sum \text{Packets}_{\text{received by } S_j} = \sum \text{Packets}_{\text{sent by } S_j} + \sum \text{Packets}_{\text{destined to } S_j} + \sum \text{Packets}_{\text{lost}} \qquad (12)$$

$$x_{t1} = \sum \text{Packets}_{\text{received by } S_j} - \sum \text{Packets}_{\text{sent by } S_j} - \sum \text{Packets}_{\text{destined to } S_j} \qquad (13)$$

For a normal node, xt1 ≈ 0. xt2 is the delay between the arrival of two consecutive packets, so that xt2 = DbP(Sj, t). xt3 is the energy consumption, so that xt3 = Ec(Sj, Δt). Here, t ∈ [t0, t] = Δt; in our case, the first interval is used for the training data set of n time slots. We calculate the mean vector x̄ from x by using Equation (14).

$$\bar{x} = \frac{\sum_{t=t_0}^{t_n} x_t}{n} \qquad (14)$$

• After modelling a normal behaviour model for each sensor node, the behaviours of all nodes are sent to the base station for further analysis.
• We compute the deviation d by using Equation (15).

$$d(x) = |x - \bar{x}| \qquad (15)$$

When the distance is larger than the threshold Th (which means it is out of the range of normal behaviour), it will be judged as a misbehaving node. In this case, the level of behaviour is B(Sj) ≈ 0.

$$\begin{cases} d(x) > Th: & S_j \text{ is an abnormal node; called the punishing function} \\ d(x) \le Th: & S_j \text{ is a normal node} \end{cases} \qquad (16)$$

Punishing Function

$$B(S_j) = B(S_j) - \text{Rate}$$

• If B(Sj) ∈ [0.8–1], then the sensor node Sj is normal.
• If B(Sj) ∈ [0.5–0.8], then the sensor node Sj is abnormal. If node Sj is a CH, then repeat the clustering formation.
• If B(Sj) ∈ [0.3–0.5], then the sensor node Sj is suspect. If node Sj is a CH, then repeat the clustering formation.
• If B(Sj) ∈ [0–0.3], then sensor node Sj is malicious, so send an alert to the base station and add the node Sj to the blacklist. If node Sj is a member, then eliminate the sensor node Sj from the list of members. If node Sj is a CH, then repeat the clustering formation.

5. RESULTS AND DISCUSSION

In this section, we present our simulation model and the results of our work.

5.1. Simulation model
In the literature, some simulators have been developed or adapted for WSNs, such as TOSSIM [45]. Unfortunately, none of them are appropriate for our work. In order to evaluate the effectiveness of our work, we have developed a new discrete event simulator for WSNs. It is a node generator built in C++, specifically designed to achieve the following goals: modularity, performance and extensibility. This simulator is used to generate network instances composed of normal nodes plus malicious nodes, all deployed in a square field. No two different nodes share the same coordinates. In our simulation, the sensor nodes are randomly distributed in an 880 m × 360 m square field, and the communication range is 150 m. The simulation scenario consists of two steps: the first forms the clusters, and the second monitors the network through the different CHs and detects abnormal behaviour. For the simulation of abnormal behaviour in the network, we generated 100 nodes with seven malicious nodes. The states of the malicious nodes will move from a normal node with green colour, to an abnormal node with yellow colour, to a suspicious node with red colour, and finally, to a malicious node with black colour. All the states of the MEs are detected by their CH. Malicious CHs are detected by the base station.
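The state progression described above follows from Step 4 of Algorithm 2 and its punishing function. The Python below is an added example, not the authors' C++ simulator: it assumes the deviation in Equation (15) is the Euclidean norm, a threshold Th = 3.0, inclusive lower bounds on the behaviour bands and constructed packet counts; the starting values 0.86 and 0.92 are the B entries for sensors 7 and 9 in Table I.

```python
import math

RATE = 0.1   # punishing rate used on the page
TH = 3.0     # assumed threshold Th; the page gives no value

def state_vector(received, sent, destined, dbp, ec):
    """x = (xt1, xt2, xt3); xt1 follows Equation (13)."""
    return (received - sent - destined, dbp, ec)

def classify(b):
    """Behaviour bands; lower bounds taken as inclusive (assumption)."""
    if b >= 0.8:
        return "normal"
    if b >= 0.5:
        return "abnormal"
    if b >= 0.3:
        return "suspect"
    return "malicious"

class ClusterHead:
    def __init__(self, th=TH, rate=RATE):
        self.th, self.rate = th, rate
        self.mean = {}          # node id -> mean vector, Equation (14)
        self.behaviour = {}     # node id -> B(Sj)
        self.blacklist = set()

    def train(self, node_id, slots, b0):
        """Average the n training vectors into the normal-behaviour model."""
        n = len(slots)
        self.mean[node_id] = tuple(sum(x[k] for x in slots) / n for k in range(3))
        self.behaviour[node_id] = b0

    def deviation(self, node_id, x):
        """Equation (15), reading |x - mean| as the Euclidean norm (assumption)."""
        return math.dist(x, self.mean[node_id])

    def observe(self, node_id, x):
        """Apply Equation (16); x is None when the member did not respond."""
        if x is None or self.deviation(node_id, x) > self.th:
            b = self.behaviour[node_id] - self.rate          # punishing function
            self.behaviour[node_id] = max(0.0, round(b, 2))  # drop float drift
        state = classify(self.behaviour[node_id])
        if state == "malicious":
            self.blacklist.add(node_id)   # page: alert base station, blacklist
        return state

def run_demo():
    ch = ClusterHead()
    # Constructed training slots: (received, sent, destined, delay, energy).
    normal = [state_vector(20, 15, 5, 1.0, 2.0), state_vector(21, 15, 5, 1.2, 2.1),
              state_vector(18, 14, 4, 0.8, 1.9), state_vector(23, 17, 5, 1.0, 2.0)]
    ch.train(7, normal, b0=0.86)   # B of nodes 7 and 9 as listed in Table I
    ch.train(9, normal, b0=0.92)
    attack = state_vector(40, 15, 5, 1.0, 2.0)   # constructed: 20 packets dropped
    path = [ch.observe(7, attack) for _ in range(6)]
    steady = ch.observe(9, state_vector(20, 15, 5, 1.1, 2.0))
    return path, steady, ch

if __name__ == "__main__":
    print(run_demo()[:2])
```

Because the three components carry different units, the unscaled norm lets the largest-magnitude metric dominate d(x); the page does not specify any scaling.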

5.2. Results
All our simulation results are shown in Figures 7–12. Figure 7(b) shows the number of clusters formed according to the transmission range. In Figure 8, we have taken networks with sizes of 50, 75 and 100 nodes and transmission range Rt taking the values 100, 110, 120, 130, 140 and 150 m. We note that the number of clusters generated stabilises, independently of the network size, when the transmission range Rt increases to approximately Rt = 130 m. Figure 9 shows the average number of clusters versus the number of nodes for transmission range Rt = 150 m. We see from these results that our secure distributed clustering algorithm (SDCA) produces fewer clusters than other clustering algorithms such as the lowest-ID algorithm, the highest-degree algorithm, the weighted clustering algorithm and the enhanced weighted clustering algorithm.

Furthermore, when the transmission range increases, the average number of clusters is reduced. The possible reason for this behaviour is that CHs with a large transmission range will cover a larger area. For a small transmission range, most nodes tend to be out of transmission range. In this case, the network may become disconnected. Therefore, most of the nodes must form a cluster that consists only of themselves.

Figure 8. Number of clusters formed with varying transmission range.

Figure 7. (a) Graph connectivity of 100 nodes; (b) network after clustering formation.


Figures 10(a, b) and 11 show the simulation results for a scenario with malicious nodes. We see that these nodes will move from a normal state to the abnormal, suspicious and finally malicious states as expected.


In Figure 11, the black (malicious) sensor nodes will be placed in a blacklist and will be disconnected from the network. We note from Figure 12 that the sensor nodes 6, 7 and 19 are malicious and have a behaviour level less than 0.3.

Figure 9. Number of nodes versus average number of clusters, Rt = 150 m. EWCA, enhanced weighted clustering algorithm; WCA, weighted clustering algorithm.

Figure 10. (a) Sensors with yellow colour are abnormal but not malicious; (b) the red sensors have a suspect behaviour.

Figure 11. The sensors with black colour are compromised and are exhibiting malicious behaviour.

Figure 12. Behaviour level of some sensors before and after attacks.

6. CONCLUSION

In this paper, we have presented a decentralised approach to monitor the status and behaviour of a WSN. For this, we have developed a completely distributed monitoring mechanism for securing WSNs. It builds on an on-demand weighted clustering algorithm, which can dynamically adapt itself to the dynamic topology of a sensor network and is executed only when there is a need. A number of node parameters were taken into consideration for assigning weights to nodes during election of CHs. The proposed algorithm chooses the most robust CHs with the responsibility of monitoring the nodes in their clusters and maintaining clusters locally. Our second algorithm analyses and detects specific misbehaviour in the WSN. The algorithm ensures the update of a behaviour-level metric and isolates misbehaving nodes. The advantage of our approach is the minimisation of communication between the monitor nodes and the normal nodes, yielding a low number of clusters, maintaining cluster stability, minimising the number of invocations for the algorithm and maximising the lifetime of nodes. In our future work, we will focus on further assessment of the performance of the proposed algorithms, and on the basis of our previous work, we plan to reduce and optimise the size of our programs to take into account the resource limitations of the sensors, without affecting the effectiveness of our algorithms. We also hope to implement a routing protocol based on our clustering algorithm, for the purpose of energy saving and network security. Moreover, an implementation of a monitoring mechanism with more distributivity and collaboration among sensor nodes will be considered to provide more fault tolerance and improve availability in our system.

ACKNOWLEDGEMENT

The authors would like to thank Prof. Qi Shi, Dr David Llewellyn-Jones, Dr Bob Askwith and Dr Michael MacKay for their very helpful comments, suggestions, improvements and corrections.

REFERENCES

1. Akyildiz IF, Vuran MC. Wireless Sensor Networks. John Wiley & Sons, Ltd: Chichester, UK, 2010. ISBN: 9780470036013.
2. Kavitha T, Sridharan D. Security vulnerabilities in wireless sensor networks: a survey. Journal of Information Assurance and Security 2010; 5: 031–044.
3. Han S, Chang E, Gao L, Dillon T. Taxonomy of attacks on wireless sensor networks. Proceedings of the First European Conference on Computer Network Defence School of Computing, University of Glamorgan, Wales, UK, 2005.
4. Ang EZ. Node Misbehaviour in Mobile Ad Hoc Networks. National University of Singapore: Singapore, 2004.
5. Yu M, Mokhtar H, Merabti M. A Survey on Fault Management in Wireless Sensor Networks. School of Computing & Mathematical Science Liverpool John Moores University: UK, 2007.
6. Benahmed K, Haffaf H, Merabti M, Llewellyn-Jones D. Monitoring connectivity in wireless sensor networks. IEEE Symposium on Computers and Communications (ISCC’09), Sousse, Tunisia, 5–8 July 2009.
7. Hsin C, Liu M. A distributed monitoring mechanism for wireless sensor networks. In 3rd Workshop on Wireless Security. ACM Press, 2002.
8. Chen J, Kher S, Somani A. Distributed fault detection of wireless sensor networks. In DIWANS’06. ACM Press: Los Angeles, USA, 2006.
9. Sheth A, Hartung C, Han R. A decentralized fault diagnosis system for wireless sensor networks. In 2nd Mobile Ad Hoc and Sensor Systems. Washington, USA, 2005.
10. Marti S, Giuli TJ, Lai K, Baker M. Mitigating routing misbehaviour in mobile ad hoc networks. In 6th International Conference on Mobile Computing and Networking. Boston, Massachusetts, USA: ACM, 2000.
11. Huang Y, Lee W. A cooperative intrusion detection system for ad hoc networks. In Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, 2003; 135–147.
12. Silva A, Martins M, Rocha B, Loureiro A, Ruiz L, Wong H. Decentralized intrusion detection in wireless sensor networks. In Proceedings of the 1st ACM International Workshop on Quality of Service & Security in Wireless and Mobile Networks, 2005; 16–23.
13. Dong D, Liu Y, Liao X. Self-monitoring for sensor. MobiHoc, 2008; 431–440.
14. Ghamgin H, Akhgar MS, Jafari MT. Attacks in wireless sensor network. Australian Journal of Basic and Applied Sciences 2011; 5(N. 7): 954–960. ISSN: 1991–8178.
15. Mäkelä JP. Security in Wireless Sensor Networks. Oulu University of Applied Sciences, School of Engineering: Oulu, Finland, 2009.
16. Rehana J. Security of wireless sensor network. Helsinki University of Technology, Helsinki, Technical Report TKK-CSE-B5, 2009.
17. Chatzigiannakis I. A Decentralized Intrusion Detection System for Increasing Security of Wireless Sensor Networks. University of Patras: Greece, 2007.
18. Karlof C, Wagner D. Secure routing in wireless sensor networks: attacks and countermeasures. In Proceedings of the 1st IEEE International Workshop on Sensor Network Protocols and Applications (Anchorage, AK, May 11, 2003).
19. Pathan A-SK, Lee H-W, Hong CS. Security in wireless sensor networks: issues and challenges. Proceedings of 8th IEEE ICACT 2006, Volume II, February 20–22, Phoenix Park, Korea, 2006; 1043–1048.
20. Walters JP, Liang Z, Shi W, Chaudhary V. Wireless sensor network security: a survey. In Distributed, Grid, and Pervasive Computing, Auerbach Publications, Xiao Y (eds.). CRC Press: USA, 2006.
21. Martins D, Guyennet H. Security in wireless sensor networks: a survey of attacks and counter measures. International Journal of Space-Based and Situated Computing 2011; 1(2/3): 151–162.
22. Kumar S, Spafford EH. A Software Architecture to support Misuse Intrusion Detection. Department of Computer Sciences, Purdue University: West Lafayette, USA, 1995.
23. Perrig A. SPINS: security protocols for sensor networks. In Proc. of ACM MobiCom, 2001.
24. Ganeriwal S, Srivastava MB. Reputation-based framework for high integrity sensor networks. In Proc. of ACM SASN, 2004.
25. Khalil I, Bagchi S, Nina-Rotaru C. DICAS: detection, diagnosis and isolation of control attacks in sensor networks. In Proc. of IEEE SecureComm, 2005.
26. Khalil I, Bagchi S, Shroff N. LITEWORP: a lightweight countermeasure for the wormhole attack in multihop wireless networks. In Proc. of IEEE/IFIP DSN, 2005.
27. Lee S-B, Choi Y-H. A resilient packet-forwarding scheme against maliciously packet-dropping nodes in sensor networks. In Proc. of ACM SASN, 2006.
28. Ioannis K, Dimitriou T, Freiling FC. Towards intrusion detection in wireless sensor networks. In Proc. of the 13th European Wireless Conference, 2007.
29. Huang Y, Lee W. A cooperative intrusion detection system for ad hoc networks. In Proc. of ACM SASN, 2003.
30. Khalil I, Bagchi S, Shroff NB. SLAM: sleep-wake aware local monitoring in sensor networks. In Proc. of IEEE/IFIP DSN, 2007.
31. Hsin C, Liu M. Self-monitoring of wireless sensor networks. Elsevier Computer Communications 2006; 29: 462–476.
32. Ramachandran K, Belding-Royer EM, Almeroth KC. DAMON: a distributed architecture for monitoring multi-hop mobile networks. In Proceedings of the 1st IEEE International Conference on Sensor and Ad hoc Communications and Networks (SECON), October 2004.
33. Zhao J, Govindan R, Estrin D. Residual energy scans for monitoring wireless sensor networks. In IEEE Wireless Communications and Networking Conference (WCNC), 2002.
34. Ramanathan N, Chang K, Kapur R, Girod L, Kohler E, Estrin D. Sympathy for the sensor network debugger. In 3rd Embedded Networked Sensor Systems. ACM Press: San Diego, USA, 2005.
35. Huang Y, Lee W. A cooperative intrusion detection system for ad hoc networks. In Proc of the 1st ACM Workshop on Security of Ad hoc and Sensor Networks, 2003; 135–147.
36. Marti S, Giuli TJ, Lai K, Baker M. Mitigating routing misbehaviour in mobile ad hoc networks. In Mobile Computing and Networking, 2000; 255–265.
37. Shaikh RA, Jameel H, Lee S, Rajput S, Song YJ. Trust management problem in distributed wireless sensor networks. Proceedings of the 12th IEEE International Conference on Embedded and Real-Time Computing Systems and Applications (RTCSA’06), 2006.
38. Hussein AH, Abu Salem AO, Yousef S. A Flexible Weighted Clustering Algorithm Based on Battery Power for Mobile Ad Hoc Networks. IEEE: Cambridge UK, 2008.
39. Li C, Wang Y, Huang F, Yang D. A Novel Enhanced Weighted Clustering Algorithm for Mobile Networks. IEEE: Beijing, 2009.
40. Kadri B, M’hamed A, Feham M. Secured clustering algorithm for mobile ad hoc networks. IJCSNS 2007; 7(3): 27–34.
41. Chatterjee M, Das SK, Turgut D. WCA: a weighted clustering algorithm for mobile ad hoc networks. Cluster Computing 2002; 5: 193–204.
42. Jian-wu Z, Ying-ying J, Ji-ji Z, Cheng-lei Y. A Weighted Clustering Algorithm Based Routing Protocol in Wireless Sensor Networks. ISECS, Hangzhou Dianzi University: Hangzhou Zhejiang, China, 2008.
43. Taneja S, Kush A. A survey of routing protocols in mobile ad hoc networks. International Journal of Innovation, Management and Technology 2010; 1(3). ISSN: 2010–0248.
44. Elhdhili ME, Azzouz LB, Kamoun F. CASAN: clustering algorithm for security in ad hoc networks. Computer Communications 2008; 31: 2972–2980.
45. Levis P, Lee N, Welsh M, Culler D. TOSSIM: accurate and scalable simulation of entire TinyOS applications. In Proc of the 1st Int’l Conf on Embedded Networked Sensor Systems, 2003; 126–137.
