Intrusion Detection Algorithm Based on Neighbor ...

The Computer Journal Advance Access published May 13, 2014 © The British Computer Society 2014. All rights reserved. For Permissions, please email: [email protected] doi:10.1093/comjnl/bxu036

Intrusion Detection Algorithm Based on Neighbor Information Against Sinkhole Attack in Wireless Sensor Networks

Guangjie Han1,2,∗, Xun Li1, Jinfang Jiang1, Lei Shu2 and Jaime Lloret3

1 Department of Information and Communication Systems, Hohai University, Changzhou, China
2 Guangdong Petrochemical Equipment Fault Diagnosis Key Laboratory, Guangdong University of Petrochemical Technology, Maoming, China
3 Integrated Management Coastal Research Institute, Universidad Politecnica de Valencia, Valencia, Spain
∗Corresponding author: [email protected]

Recently, wireless sensor networks (WSNs) have been widely used in many applications, such as Smart Grid. However, it is generally known that WSNs are energy limited, which makes WSNs vulnerable to malicious attacks. Among these malicious attacks, a sinkhole attack is the most destructive one, since only one sinkhole node can attract surrounding nodes with unfaithful routing information, and it executes severe malicious attacks, e.g. the selective forwarding attack. In addition, a sinkhole node can cause a large amount of energy waste in surrounding nodes, which results in an abnormal energy hole in WSNs. Thus, it is necessary to design an effective mechanism to detect the sinkhole attack. In this paper, we propose a novel Intrusion Detection Algorithm based on neighbor information against Sinkhole Attack (IDASA). Different from traditional intrusion detection algorithms, IDASA takes full advantage of neighbor information of sensor nodes to detect sinkhole nodes. In addition, we evaluate IDASA in terms of malicious node detection accuracy, packet loss rate, energy consumption and network throughput in MATLAB. Simulation results show that the performance of IDASA is better than that of other related algorithms.

Keywords: WSNs; sinkhole attack; neighbor information; IDASA

Received 17 January 2014; revised 27 March 2014
Handling editor: Zhangbing Zhou

1. INTRODUCTION

Nowadays, with the gradual maturity of wireless sensor networks (WSNs), they have been widely used in many applications such as battlefield surveillance, environmental pollution monitoring, smart grid, biomedical health monitoring and habitat monitoring [1, 2]. WSNs consist of many small sensor nodes, which are distributed in open environments without any supervision. These sensor nodes have an insufficient energy supply, thus leading to limited communication range, weak processing capacity and restricted storage space on each sensor node [3, 4], which ultimately makes WSNs vulnerable to malicious attacks. The malicious attacks always waste many energy resources. Designing an efficient mechanism for malicious attack detection is essential to balance energy consumption and prolong network lifetime.

In addition, in WSNs, the commonly used communication pattern is the many-to-one communication pattern, which means many sensor nodes collect and send data to a single control center, e.g. the sink node or the base station [5]. It is generally known that this kind of many-to-one communication pattern is highly vulnerable to the sinkhole attack. The sinkhole attack can use only one malicious node to threaten the whole network traffic and prevent the base station from receiving the correct data packets. Furthermore, the design constraints on WSNs also make them easily attacked by malicious nodes. The design constraints include natural environment factors [6]. The environment factor plays a key role in the process of deployment. It directly determines the size of the network, the number of sensor nodes and the network topology. In view of the abovementioned energy constraints and the commonly used many-to-one communication pattern, WSNs face various attacks such as sinkhole attack, sybil attack, eavesdropping and denial of service attack [7, 8]. Therefore, a lot of research has been done to

Section D: Security in Computer Systems and Networks The Computer Journal, 2014

Downloaded from http://comjnl.oxfordjournals.org/ at Northeastern University Libraries on October 10, 2014


G. Han et al.

seek security support for WSNs against malicious attacks. Some related research has been introduced and analyzed in the literature [9–11].

In this paper, we focus on the sinkhole attack [12], which is one of the most destructive and representative attacks in WSNs. The purpose of the sinkhole attack is to lure as much network traffic as possible to one particular place. The malicious node which conducts the sinkhole attack is called a sinkhole node. It usually claims to have the shortest path to the base station. Only one sinkhole node can attract surrounding nodes with unfaithful routing information, and it executes severe malicious attacks, e.g. the selective forwarding attack or altering the passing data. Therefore, the sinkhole node can prevent the base station from obtaining complete and correct sensory data, and it brings serious threats to WSNs.

Although some secure mechanisms, e.g. cryptography and trust models, have been proposed to protect the security of WSNs, they often cause high computation overheads and require time synchronization among sensor nodes [13, 14]. Therefore, we propose a novel algorithm, the Intrusion Detection Algorithm based on neighbor information against Sinkhole Attack (IDASA). The IDASA algorithm is different from traditional strategies such as cryptography, which introduces high computation complexity, and the trust models, which always need the whole network information. In IDASA, only the information of neighbor nodes is needed to detect sinkhole nodes. The proposed algorithm includes the following three phases: recognizing suspicious nodes, identifying sinkhole nodes and removing sinkhole nodes. In the first phase, recognizing suspicious nodes, two kinds of routing paths are defined to recognize suspicious nodes according to the number of sensor nodes on a routing path. In the second phase, identifying sinkhole nodes, the number of interaction times and acknowledgments (ACKs) between two communicating sensor nodes are used to detect sinkhole nodes from the suspicious nodes. The last phase is to remove sinkhole nodes.

We evaluate the performance of IDASA through experimental simulations. Simulation results show that our algorithm not only can effectively detect sinkhole nodes but also has better performance in terms of packet loss rate, energy consumption and network throughput compared with the novel Agent-Based Approach to Detect sinkhole attacks (ABAD). IDASA has no restriction on hardware conditions, special information or any specific nodes, thus it is greatly suitable for WSNs. Our contribution can be summarized as follows:

(1) Different from conventional related works, the destructive effect of the sinkhole attack on the routing protocol is analyzed in detail. Based on the ad hoc on-demand distance vector (AODV) routing protocol, the process of the sinkhole attack and its direct malicious influence are presented in this paper.

(2) Based on the collaboration information of neighbor nodes, a novel algorithm, IDASA, is proposed against the sinkhole attack. IDASA is composed of three phases: recognizing suspicious nodes, identifying sinkhole nodes and removing sinkhole nodes. Simulation results demonstrate that IDASA outperforms ABAD in terms of packet loss rate, energy consumption and network throughput.

The rest of this paper is organized as follows: In Section 2, related works on the detection of the sinkhole attack are introduced. In Section 3, the network model, energy model and attack model are described. The IDASA algorithm is presented in detail in Section 4. The performance of IDASA is evaluated in Section 5. Finally, conclusions are made, and the future work is also laid out in Section 6.

2. RELATED WORK

Many studies have focused on the detection of the sinkhole attack. In [15], Ngai et al. propose a novel algorithm to detect the malicious nodes in a sinkhole attack. The proposed algorithm consists of two steps. The first step is to find suspicious nodes. The sensor nodes which are closely located are expected to have similar readings from the environment. Therefore, the base station can check the data consistency among all the sensor nodes to detect malicious nodes. If the data of a sensor node exceeds a predetermined threshold, the sensor node is considered as a suspicious one. The second step is to identify the sinkhole nodes through analyzing the network flow information. During the process of analyzing the network flow information, a message authentication code algorithm is adopted to manage and encrypt a secret key shared by each sensor node and the base station. The identified sinkhole nodes later can be isolated to protect the network. In addition, the complex scenario with colluding nodes that cooperatively cheat the base station is also taken into account. Simulation results show that the proposed algorithm is energy efficient and it can accurately detect the sinkhole nodes. In addition, it is robust to deal with multiple malicious nodes that cooperatively hide the real sinkhole node. However, this algorithm needs additional measures such as key establishment, which leads to higher computation complexity of the proposed algorithm.

Tumrongwittayapak and Varakulsiripunth [16] propose a scheme for detecting the sinkhole attack based on the received signal strength indicator (RSSI) readings of messages. This scheme firstly needs four collaborative extra monitor (EM) nodes to determine the position of all sensor nodes. EM nodes create a visual geographic map of the investigated network based on current information. When a sensor node sends messages to other nodes, the four EM nodes receive the messages and RSSI values. They calculate the position of the sender based on RSSI values and meanwhile update the visual geographic map. If the flows of the received messages do not correspond with the normal flows of the visual geographic map, there are suspicious nodes between the original node and the destination node on
the visual geographic map. Finally, all the related messages are transmitted to the base station for detecting sinkhole nodes. Simulation results show that the proposed mechanism is lightweight and does not cause additional communication overhead. However, the changes of signal strengths, which have a great influence on detection accuracy, are not taken into consideration.

Sharmila and Umamaheswari propose a sinkhole detection scheme based on one-way hash chains and the message digest algorithm in [17]. The algorithm is composed of two parts: the basic detection algorithm and the advanced algorithm. In the basic detection algorithm, when a new node claims to have a shorter route to the base station, the sink node judges whether the new advertising node is a trustable node or a sinkhole node. First, the sink node sends the message through the original route, and also through the advertised route. The two routes will intersect at a point. If the advertising node is a sinkhole node, it can modify the message. Hence, a trustable or sinkhole node can be found by comparing the two messages at the point of intersection. In the advanced algorithm, whenever a node advertises a message, the monitor node finds the digest of the message and sends it along the original path. At the same time, the monitor node also sends the message to the advertising node. If the messages are different, the advertising node is a sinkhole node. Otherwise, the advertising node is a trustable node. In the proposed algorithm, the sink node detects the sinkhole attack only when the digest obtained from the trustable forward path and the digest obtained through the trustable node to the destination are different. In this case, a large amount of energy can be saved. It also ensures the data integrity of the messages transferred through the trustable path. In addition, the proposed algorithm is robust to deal with the cooperative malicious nodes that attempt to hide the real sinkhole node. However, the main drawback of the proposed algorithm is that a large amount of information is required to be transferred, thus causing a lot of communication overhead. Furthermore, the hash function used in the proposed algorithm is a kind of cryptography which introduces additional computation complexity.

In [18], Bahekmat et al. propose another detection algorithm for sinkhole attacks. When a sensor node wants to send data to the base station, it firstly sends a control packet directly to the base station. After receiving a reply packet, the sensor node transfers a data packet to the base station through multi-hop routing. When the data packet arrives at the base station, the control fields of the data packet will be compared with the original control packet. If any change of these control fields occurs, it means that there are suspicious nodes. In order to identify the sinkhole nodes, the base station needs to check the routing paths of data transmission and record existing nodes on the paths. Once any error in packets is discovered repeatedly, the base station compares the existing nodes kept in the memory with other nodes on the new path. The similar nodes are kept in memory and the remaining data are deleted. This algorithm can effectively detect sinkhole nodes, while a restriction remains that it does not allow new nodes to join networks after the initial deployment. In addition, in the proposed algorithm, all the sensor nodes need to know their location information, which introduces additional equipment, e.g. Global Position System (GPS), or localization algorithms.

Hamedheidari and Rafeh propose a defensive mechanism against sinkhole attacks. In this paper, the authors use mobile agents to detect sinkhole nodes through a three-step negotiation [19]. We refer to this novel Agent-Based Approach to Detect sinkhole attacks as ABAD, which can effectively detect sinkhole attacks. Thus, we compare our proposed algorithm with the ABAD algorithm in terms of packet loss rate, energy consumption and network throughput. The ABAD algorithm begins with a network deployment phase. All the sensor nodes can find their neighbor nodes in this phase. When the network deployment phase is finished, a network maintenance phase starts, where a three-step negotiation is done between mobile agents and sensor nodes. Due to node mobility, the network maintenance phase is done periodically during the network lifetime. Based on the trusting procedure of a mobile agent and a sensor node, the sensor node can be detected as a trusted one or a malicious one. In order to maintain the energy level during the whole network lifetime, the agent nodes are assumed to have enough energy to finish detecting tasks. The ABAD algorithm uses mobile agents to inform sensor nodes of their valid neighbor nodes so they will not listen to the traffic generated by malicious ones. Therefore, the mobile agents can be used to greatly reduce the communication overhead. In addition, only one type of agent is used in ABAD, so there is no need to store extra fields for the agent type and its communication style. However, since the mobile agents travel the whole network only once, some malicious nodes cannot be detected by the mobile agents. Furthermore, the traveling path of the mobile agents directly affects the detection rate of malicious nodes. Therefore, the path planning of the mobile agents needs further research.

In a word, different kinds of security mechanisms, e.g. the key assignment [20], the radio resource test [21] and other methods [22, 23], have been presented to detect sinkhole attacks. In contrast, this paper emphasizes the neighbor information of sensor nodes, and the IDASA algorithm is proposed to detect sinkhole nodes.

3. SYSTEM MODEL

3.1. Network model

We assume that WSNs consist of a large number of randomly distributed sensor nodes and one sink node without mobility. All sensor nodes have the same transmission range. Each sensor node is denoted by a unique identifier ID. The communication pattern is many-to-one between sensor nodes and the sink node. That is to say, each sensor node senses and collects data, then forwards the data to the sink node in a multi-hop routing pattern [24, 25]. The multi-hop routing implies that sensor nodes
only directly communicate with their neighbor nodes which are within their communication range. At the same time, the packets communicated between two non-neighbor nodes are forwarded by several intermediate nodes, which can not only transfer the packets from source nodes to destination nodes, but also process the packets based on specific requirements.

3.2. Energy model

It is generally known that energy is one of the most important resources in WSNs. Energy is needed to transmit, receive and deal with sensory data. In this paper, our energy model of sensor nodes is based on the energy model proposed in [26]. We assume that each sensor node has the same initial available energy level. The sink node, however, has higher power and calculation capacity than the sensor nodes. In order to send a k-bit message through distance R, the energy consumed can be calculated by the following formula:

$$E(k, R) = E_{elec}\,k + E_{amp}\,k\,d^2, \tag{1}$$

where $E_{elec}$ is the energy consumption for running the transceiver circuitry to deal with a one-bit packet, $E_{amp}$ is the energy used to process a one-bit packet for the transmitter amplifier and $d$ is the communication radius of sensor nodes. In this paper, $d$ is equal to $R$ in our algorithm. When a sensor node receives a k-bit packet, the energy consumption is $E_r = E_{elec}\,k$. We also assume that the energy consumption of sending a packet is twice as much as that of receiving a packet.

3.3. The AODV routing protocol

The AODV routing protocol is an adaptation routing protocol, which enables sensor nodes to obtain routes to their destinations [27–29]. Each node possesses a routing table which lists neighbor information of next hop nodes. Whenever a sensor node wants to send packets to its destination node, it firstly checks its routing table to judge whether a route to the destination node is available. If the route is available, the sensor node uses the route to send packets. Otherwise, the sensor node initiates a route discovery process. Firstly, the sensor node broadcasts a Route REQuest packet (RREQ) to its neighbor nodes. The neighbor nodes which receive the RREQ packet first examine whether they are the destination nodes. If one of the neighbor nodes is the destination node, the neighbor node replies with a Route REPly packet (RREP). Otherwise the neighbor nodes continually relay the RREQ packet to their neighbor nodes.

In order to avoid routing loops, a sequence number of the destination node is defined and managed in each route table. The sequence number for the IP address of the destination node is a monotonically increasing number. In AODV, it is used by sensor nodes to determine the freshness of the information contained in neighbor nodes. It is updated whenever a node receives new information about the sequence number from RREP messages related to the destination node. The source node can start data transmission as soon as the first RREP is received, and later update its routing information according to the sequence number. Once the source node receives a further RREP packet, it compares the destination sequence number with that in the previous RREP packet. It propagates the RREP only if the new RREP contains either a greater destination sequence number than the previous RREP, or the same destination sequence number with a smaller hop count. The route is then marked as a fresh one. The source node immediately updates its routing table and sends the packet through the route [27]. However, there is not any security mechanism in AODV, thus AODV is vulnerable to the sinkhole attack.

3.4. Attack model

As we all know, WSNs are confronted with various attacks. One of the most popular attacks is the sinkhole attack, which seriously threatens the security of WSNs in almost every layer [30]. We assume that the sinkhole node has higher computation capacity and more communication power than a normal sensor node. The purpose of a sinkhole node is to lure nearly all traffic to a particular area, where the sinkhole node claims that it has the shortest path with unfaithful routing information to the base station and makes itself more attractive than neighbor nodes [31], as shown in Fig. 1. The sinkhole node can alter the passing data or perform the selective forwarding attack. In addition, the sinkhole node seriously disrupts the network data traffic by launching malicious attacks, such as dropping data packets, tampering with data and interfering with routing protocols. Therefore, the sinkhole attack prevents the base station from obtaining complete and correct sensory data packets. In this paper, we also assume that there are no collusion attacks. The collusion attack means some compromised nodes mutually cooperate with each other to capture a legitimate node.

FIGURE 1. An example of the sinkhole attack.

Since we use AODV as our routing protocol, how a sinkhole attack is launched in AODV will be explained. As shown in Fig. 2, normally, node A is not in the communication range of the sink node. They cannot communicate with each other directly, but can exchange packets via routing which is established by node C and node E, or by node B, node D and node F. When
node A wants to send packets to the SK, it firstly broadcasts an RREQ to its one-hop neighbor nodes, e.g. node B and node C. In this case, the sinkhole node can monitor the RREQ packets, modify the hop count from itself to the sink and fabricate a shorter route to the sink node. The modified hop count is added in the RREP packets which will be sent back to node A. When node A receives all the RREP packets from its neighbor nodes and the sinkhole node, it will find that the route through the sinkhole node is the shortest one. Then, it sends packets to the sink node through the sinkhole node.

FIGURE 2. A sinkhole attack is launched in AODV.

4. IDASA ALGORITHM

4.1. Definitions

Before introducing the details of the IDASA algorithm, we first give some related definitions.

The event node: a sensor node which senses data from the environment and sends the data to its destination node through multi-hop routing is named an event node.

The intermediate node: a sensor node is defined as an intermediate node if it exists between the event node and the destination node, and is responsible for routing message forwarding or data transmission. For example, in Fig. 3, node C and node E are intermediate nodes between the event node A and the destination node SK.

The interaction times: the interaction times is the number of times of communication between two sensor nodes.

4.2. Overview of IDASA

The IDASA algorithm consists of the following three phases, namely recognizing suspicious nodes, identifying sinkhole nodes and removing sinkhole nodes.

(1) Recognizing suspicious nodes: in this phase, two types of routing paths are considered, which are the shorter routing path and the longer routing path. As shown in Fig. 3, the shorter routing path is a simple routing path, on which there are only three sensor nodes from the event node to the sink node, such as the routing path A -> S -> SK. The longer routing path is a routing path on which there are at least four sensor nodes from the event node to the sink node, such as the two routing paths A -> C -> E -> SK and A -> B -> D -> F -> SK. On the shorter routing path, the intermediate node is considered as a suspicious one; on the longer routing path, the neighborhood information is used to recognize suspicious nodes. The details of the algorithm are presented in Section 4.3.

(2) Identifying sinkhole nodes: the number of interaction times and ACKs are used to judge whether the suspicious nodes are sinkhole nodes.

(3) Removing sinkhole nodes: the event node removes sinkhole nodes from the network. The ID information of the sinkhole nodes is removed from the routing tables.

FIGURE 3. Two types of routing paths.

4.3. Recognizing suspicious nodes

4.3.1. Algorithm 1 for the shorter routing path

In WSNs, packets are always transmitted by multi-hop routing to reach the base station or the sink node. Most sensor nodes cannot directly communicate with the network control center. However, the sinkhole nodes have more energy and higher computation capacity than ordinary sensor nodes. Usually, they claim that they have the shortest routing path to the base station or the sink node, even just one-hop distance away. Therefore, they can directly communicate with the base station or the sink node. On the shorter routing path, there are only three sensor nodes. The first one is an event node, the second one is an intermediate node and the last one is the sink node. In each round of time T, the event node broadcasts routing query packets to its neighbor nodes within one-hop communication range. The route query packet contains the ID information of next hop nodes. The neighbor nodes which receive the routing query packets immediately reply to the event node. After receiving
reply packets, the event node analyzes the reply packets. If the next hop node of the intermediate node is the sink node, the intermediate node is considered as a suspicious node. The details are presented in Algorithm 1. Node A is the event node and T is the round of time.

Algorithm 1 For the shorter routing path.
  A broadcasts routing query packets to neighbor nodes during the round of time T
  Neighbor nodes reply to A
  A analyzes the replied packets
  if the next hop node of the intermediate node is the sink node then
      the intermediate node is suspicious
  else
      the intermediate node is a normal node
  end

4.3.2. Algorithm 2 for the longer routing path

On the longer routing path, the first node is the event node and the last node is the sink node. Also, there are several intermediate nodes. In WSNs, there are always multiple routing paths between the event node and the sink node. As shown in Fig. 3, on these multiple longer routing paths, the last intermediate nodes on the paths are the neighbor nodes of the sink node. Therefore, all the last intermediate nodes are very likely to be neighbor nodes. In each round of time T, the event node sends neighbor query packets going through each routing path. The neighbor query packet contains the ID information of all the neighbor nodes within communication range. When the last intermediate node receives the neighbor query packet, it immediately replies to the event node. After receiving reply packets, the event node analyzes neighbor information and randomly chooses two longer routing paths. Then, it checks whether the last two intermediate nodes on the two chosen routing paths are neighbor nodes or not. The suspicious nodes are detected according to the following three cases:

Case 1: If the last two intermediate nodes on the two chosen routing paths are neighbor nodes, we conclude that there is no suspicious node on the two routing paths. That is to say, the last intermediate node on the first path is in the neighbor list of the last intermediate node on the second path, and vice versa. For example, in Fig. 3, if node E is in the neighbor list of node F, and node F is also in the neighbor list of E, we can say that there is no suspicious node on the two routing paths.

Case 2: If the last intermediate node on the first path is in the neighbor list of the last intermediate node on the second path, but not vice versa, then all the intermediate nodes on the second path are considered to be suspicious ones. For example, in Fig. 3, if node E is in the neighbor list of node F, but node F is not in the neighbor list of node E, then all the intermediate nodes such as B and D on the second routing path are labeled as suspicious.

Case 3: If the last two intermediate nodes are not neighbor nodes, i.e. they cannot find each other in their neighbor lists, then all the intermediate nodes on the two paths are considered to be suspicious. For example, in Fig. 3, if node E is not in the neighbor list of node F, and vice versa, then all the intermediate nodes such as node B, node C and node D on the two routing paths are labeled as suspicious.

The details are presented in Algorithm 2. Node A is the event node and T is the round of time. IDe is the ID of node E and IDf is the ID of node F.

Algorithm 2 For the longer routing path.
  A broadcasts routing query packets to neighbor nodes during the round of time T
  Neighbor nodes reply to A
  A analyzes the reply packets and randomly chooses two paths
  if two last intermediate nodes are neighbor nodes
      there is no suspicious node on the two paths
  else if IDe exists in the neighbor list of F, but IDf does not exist in the neighbor list of E
      there are some suspicious intermediate nodes on the routing path where F exists
  else if IDe does not exist in the neighbor list of F, and IDf does not exist in the neighbor list of E
      there are some suspicious intermediate nodes on the two routing paths
  end

4.4. Identifying sinkhole nodes

After recognizing suspicious nodes, we must try our best to identify the sinkhole nodes among the suspicious ones. The general idea is to detect and distinguish the suspicious nodes one by one. In this section, the algorithm of identifying sinkhole nodes consists of the following four steps:

Step 1: In each round of time T, the event node sends a neighbor query packet to the first intermediate node on the path where suspicious intermediate nodes exist. After receiving the neighbor query packet, the first intermediate node immediately replies to the event node.

Step 2: Based on the reply packets from the first intermediate node, the event node firstly checks whether it has the ID information of the intermediate node, and whether the ID of the event node is in the neighbor list of the first intermediate
7

Intrusion Detection Algorithm

Algorithm 3 Identifying sinkhole nodes. A broadcasts neighbor query packets to neighbor nodes while in the round of time T The neighbor nodes which receive the packets immediately reply to node A A analyzes replied information if the first intermediate node has IDa but A does not have IDt the first intermediate node is a sinkhole node else if A and the first intermediate node have mutual ID A broadcasts data query packets the first intermediate node replies to A A analyzes the replied interacted times IEs and ACKs if IEs and ACKs from both the first interacted node and A are consistent the first intermediate node is safe else the first intermediate node is a sinkhole node end regard the first intermediate node as the event node and follow aforementioned steps to judge whether the second intermediate node is the sinkhole node or not

4.5. Removing sinkhole nodes

After identifying the sinkhole nodes, the event node can remove the ID information of sinkhole nodes and delete related information from the route table, then broadcast the ID information of the sinkhole nodes to the whole network to inform other sensor nodes.

5. SIMULATION RESULTS

In this section, we show the performance of the IDASA algorithm using the numerical simulator MATLAB. The simulated network is a 200 × 200 m² field [32]. Sensor nodes are randomly deployed in the environment. The sink node is placed at the center of the network in order to collect data from sensor nodes. The initial energy of each sensor node is 2 J [33]. Other simulation parameters are listed in Table 1. The experiments are divided into two sets. In the first set, we vary the number of sensor nodes from 100 to 400 with a step of 50. We simulate the successful detection rate, the false negative rate and the false positive rate of sinkhole nodes. In the second set, we compare the IDASA algorithm with the ABAD algorithm in terms of packet loss rate, energy consumption and network throughput.

5.1. Performance of IDASA

5.1.1. The accuracy of sinkhole nodes detection

We assume that sensor nodes obey a 2D Gaussian distribution. The probability distribution function for sensor nodes is given in the following equation:

$$f_{s_i}(x, y) = \frac{1}{2\pi\delta^2}\, e^{-[(x - x_i)^2 + (y - y_i)^2]/2\delta^2} = f(x - x_i,\, y - y_i), \qquad (2)$$

where $\delta$ is the standard deviation and $f(x, y) = (1/2\pi\delta^2)\, e^{-(x^2 + y^2)/2\delta^2}$; thus the probability of sensor nodes in a certain area is shown in the following equation:

$$p_1 = \int_{n}^{m} dy \int_{k}^{l} f_{s_i}(x, y)\, dx, \qquad (3)$$

TABLE 1. Parameter settings.

Parameters                      Values
Network scale                   200 × 200 m²
Location of the sink node       (100,100)
Number of sensor nodes          100–400
Transmission range              15 m
Initial energy                  2 J
Communication circuit power     50 nJ/bit
Communication antenna power     10 pJ/bit/signal
Packet size                     40 bytes
Routing protocol                AODV
Number of malicious nodes       10–30
Message drop rates              0–50%


node. If the first intermediate node has the ID of the event node in its neighbor list, but the event node does not have the ID of the first intermediate node, then the first intermediate node is detected as a sinkhole node.

Step 3: If both the event node and the first intermediate node have the ID information of each other in their neighbor lists, the event node continually sends a data query packet to the first intermediate node. The data query packet includes the number of interaction times and ACKs between the event node and the first intermediate node. If the number of interaction times and ACKs recorded by the first intermediate node is not consistent with that recorded by the event node, the first intermediate node is also detected as a sinkhole node.

Step 4: If the first intermediate node is detected as a normal node, it is then labeled as the event node. Steps 1–3 are repeated in order to judge whether the second intermediate node is a normal node or a sinkhole node.

The details of identifying sinkhole nodes are presented step by step in Algorithm 3. IDa is the ID of the event node. IDt is the ID of the first intermediate node. IEs is the interaction times between the event node and the sink node.
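The neighbor-list check and the record-consistency check of Steps 2–4 and Algorithm 3, as an added Python sketch that is not code from the paper. The Node class, the (interaction times, ACKs) tuples, the "unresolved" verdict for the case the text leaves open, and the six-node sample network are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    node_id: str
    neighbors: set = field(default_factory=set)   # IDs in this node's neighbor list
    records: dict = field(default_factory=dict)   # peer ID -> (interaction times, ACKs)


def judge_hop(event, hop):
    """Event node judges its next intermediate node (Steps 2 and 3)."""
    hop_lists_event = event.node_id in hop.neighbors
    event_lists_hop = hop.node_id in event.neighbors
    if hop_lists_event and not event_lists_hop:
        return "sinkhole", "one-sided neighbor entry"
    if hop_lists_event and event_lists_hop:
        # Assumption: a missing record means no interactions, i.e. (0, 0).
        mine = event.records.get(hop.node_id, (0, 0))
        theirs = hop.records.get(event.node_id, (0, 0))
        if mine != theirs:
            return "sinkhole", "interaction/ACK records disagree"
        return "normal", "mutual neighbors, consistent records"
    # Not covered by the page: the hop does not list the event node at all.
    return "unresolved", "hop does not list the event node"


def walk_path(path):
    """Step 4: a hop judged normal becomes the event node for the next hop."""
    findings = []
    for event, hop in zip(path, path[1:]):
        verdict, reason = judge_hop(event, hop)
        findings.append((hop.node_id, verdict, reason))
        if verdict != "normal":
            break   # an untrusted node cannot act as the next event node
    return findings


def build_sample():
    """Constructed six-node network; S and D behave as sinkholes."""
    nodes = [
        Node("A", {"B", "C"}, {"B": (12, 12), "C": (9, 9)}),
        Node("B", {"A"}, {"A": (12, 12)}),
        Node("S", {"B"}, {"B": (4, 4)}),          # lists B, but B never heard S
        Node("C", {"A", "D", "E"}, {"A": (9, 9), "D": (7, 3), "E": (5, 5)}),
        Node("D", {"C"}, {"C": (7, 7)}),          # claims ACKs that C never saw
        Node("E", {"C"}, {"C": (5, 5)}),
    ]
    return {n.node_id: n for n in nodes}


if __name__ == "__main__":
    net = build_sample()
    for ids in ("ABS", "ACD", "ACE"):
        for node_id, verdict, reason in walk_path([net[i] for i in ids]):
            print(ids, node_id, verdict, reason)
```

The walk stops at the first hop that is not judged normal, since only a node already judged normal is relabeled as the event node in Step 4.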


where $k$ is an original point and $l$ is a terminal point in the X-axis of a certain area $G_i$, and $n$ is an original point and $m$ is a terminal point in the Y-axis of the area $G_i$. A neighbor node of the suspicious node is randomly chosen from the neighbor list, and the probability is given in the following equation:

$$p_2 = \sum_{k=0}^{i} \left[ c_M^{k}\, (1 - p_1)^{k}\, p_1^{M-k} \right], \qquad (4)$$

In the first set of experiments, the successful detection rate, the false negative rate and the false positive rate are simulated to evaluate the performance of IDASA. The successful detection rate is the percentage of sinkhole nodes that have been successfully identified. The false negative rate is the percentage of sinkhole nodes that exist in the WSN but have not been identified. The false positive rate is the percentage of sensor nodes that have been wrongly detected as sinkhole nodes. In this paper, the proposed algorithm can identify nearly all the sinkhole nodes. The value of the false negative rate is zero. The successful detection rate and the false positive rate are shown in Figs 4 and 5. In Fig. 4, m is the number of sinkhole nodes. As the number of sensor nodes increases, the successful detection rate of sinkhole nodes also rises gradually and steadily, because IDASA detects sinkhole nodes based on neighbor information: when the number of sensor nodes increases, much more neighbor information can be checked for sinkhole detection. At the beginning of the simulation, when the number of sensor nodes is 100 and the number of sinkhole nodes

FIGURE 4. The successful detection rate of sinkhole nodes.

FIGURE 5. The false positive rate of sinkhole nodes.

varies from 10 to 30, the successful detection rate varies from 80 to 90%. In addition, as the number of sinkhole nodes increases from 10 to 30, the successful detection rate also rises gradually and steadily. When the number of sensor nodes is 400 and the number of sinkhole nodes is 10, the successful detection rate is 90%. When the number of sinkhole nodes is 30, the successful detection rate can be up to 93.33%. The relationship between the false positive rate and the number of sensor nodes is shown in Fig. 5. As the number of sensor nodes increases, the detection accuracy of sinkhole nodes grows and the false positive rate decreases correspondingly.

5.1.2. Energy consumption

For sensor nodes in WSNs, energy is needed to sense, transmit, receive and process packets. Since energy is one of the most important resources, the energy consumed by IDASA is simulated to evaluate whether IDASA is energy efficient. Fig. 6 presents the energy consumption of sensor nodes while executing the IDASA algorithm 10 times, where the number of sensor nodes changes from 100 to 400 and the number of sinkhole nodes varies from 10 to 30. Generally, as the number of sensor nodes or sinkhole nodes increases, the energy consumption rate of IDASA also increases, because when the number of sensor nodes increases, more routing paths must be established and checked to detect the sinkhole attack, which introduces additional energy consumption. With the growth of the detection rate, the energy consumption of IDASA also increases. However, even if the number of sinkhole nodes increases to 30, IDASA still consumes limited energy to detect sinkhole nodes. As shown in Fig. 6, when the number of sensor nodes is 400 and the number of sinkhole nodes is 30, the energy consumption rate is just 0.01925%. In a word, our proposed IDASA is an energy efficient intrusion detection algorithm. For each sensor node, we also simulate its energy consumption in terms of the distance from the sink node. Here

Section D: Security in Computer Systems and Networks The Computer Journal, 2014


where $M$ is the number of sensor nodes in the area $G_i$, and $i$ is the number of neighbor nodes of the suspicious node. Thus, the detection rate of a sinkhole node is shown in the following equation:

$$p = p_1 p_2. \qquad (5)$$
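Equations (2) to (5) evaluated numerically, as an added Python example that is not from the paper: because the Gaussian of Eq. (2) is separable, Eq. (3) reduces to a product of two normal-CDF differences, which the block cross-checks against direct integration before applying Eqs. (4) and (5) as printed. The node position, δ, the area bounds, M and i used in the demo are constructed values.

```python
import math


def phi(z):
    """Standard normal CDF."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def p1_closed(xi, yi, delta, k, l, n, m):
    """Eq. (3): the Gaussian of Eq. (2) is separable, so the double
    integral over [k, l] x [n, m] is a product of two CDF differences."""
    px = phi((l - xi) / delta) - phi((k - xi) / delta)
    py = phi((m - yi) / delta) - phi((n - yi) / delta)
    return px * py


def p1_numeric(xi, yi, delta, k, l, n, m, steps=300):
    """Eq. (3) by the midpoint rule on the unfactored density of Eq. (2)."""
    hx, hy = (l - k) / steps, (m - n) / steps
    norm = 1.0 / (2.0 * math.pi * delta ** 2)
    total = 0.0
    for a in range(steps):
        x = k + (a + 0.5) * hx
        for b in range(steps):
            y = n + (b + 0.5) * hy
            r2 = (x - xi) ** 2 + (y - yi) ** 2
            total += norm * math.exp(-r2 / (2.0 * delta ** 2))
    return total * hx * hy


def p2(M, i, p1):
    """Eq. (4) as printed: sum over k = 0..i of c_M^k (1 - p1)^k p1^(M - k)."""
    return sum(math.comb(M, k) * (1.0 - p1) ** k * p1 ** (M - k)
               for k in range(i + 1))


def detection_rate(xi, yi, delta, area, M, i):
    """Eq. (5): p = p1 * p2, with area = (k, l, n, m)."""
    p1 = p1_closed(xi, yi, delta, *area)
    return p1 * p2(M, i, p1)


if __name__ == "__main__":
    # Constructed inputs: node at (100, 100), delta = 30 m,
    # area G_i = [85, 115] x [85, 115], M = 20 nodes, i = 0..20 neighbors.
    area = (85.0, 115.0, 85.0, 115.0)
    print("p1 closed :", p1_closed(100.0, 100.0, 30.0, *area))
    print("p1 numeric:", p1_numeric(100.0, 100.0, 30.0, *area))
    for i in (0, 10, 15, 20):
        print("i =", i, "p =", detection_rate(100.0, 100.0, 30.0, area, 20, i))
```

With i = M the sum in Eq. (4) is the full binomial expansion, so p2 = 1 and p equals p1.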


FIGURE 6. The energy consumption rate for 10 times in the network.

FIGURE 7. The energy consumption rate vs. the number of hops.

FIGURE 8. The packet loss rate with 100 nodes in network.

the distance is calculated by the number of hops to the sink node. As shown in Fig. 7, as the number of hops increases, the energy consumption decreases. The reason is that sensor nodes which are closer to the sink node are more likely to be chosen to transmit and process packets; therefore, they consume much more energy than the sensor nodes farther away from the sink node.

5.2. Comparison of IDASA and ABAD

In this section, IDASA is compared with ABAD, which has been described in [19]. The simulation results are compared in terms of the packet loss rate, energy consumption and network throughput.

5.2.1. The packet loss rate

It is generally known that the purpose of sinkhole attack is to lure nearly all the network traffic to one particular area, where the

FIGURE 9. The packet loss rate with 200 nodes in network.


sinkhole nodes claim that they have the shortest routing paths to the base station. However, the claimed routing paths do not actually exist. After receiving packets from other sensor nodes, the sinkhole nodes modify or drop off some packets. Usually, they completely drop all the received packets and do not forward the packets to their next hop nodes. Thus, the sinkhole attack has great impact on packet loss. When evaluating whether an intrusion algorithm is efficient or not, it is necessary to measure the number of lost packets with the designed algorithm. Because AODV routing protocol has no security mechanism, malicious nodes can easily launch any kind of malicious attack. Thus, it is inevitable to lose many packets in the process of data transmission. As shown in Figs 8–11, ABAD and IDASA have different packet loss rates.


FIGURE 12. The residual energy with 100 nodes.

FIGURE 13. The residual energy with 200 nodes.

FIGURE 11. The packet loss rate with 400 nodes in network.

Generally, as the number of sinkhole nodes increases, the packet loss rate with IDASA first grows slightly and then stays steady, since there are still several sinkhole nodes that cannot be detected. When the number of sinkhole nodes varies from 0 to 30, these undetected sinkhole nodes continue to capture sensor nodes and drop the received packets. Therefore, the packet loss rate with IDASA grows slightly. However, IDASA can efficiently detect sinkhole nodes and then choose normal nodes for data transmission, so the packet loss rate becomes steady after a short while. In addition, we can find that the packet loss rates with ABAD in Figs 8 and 11 are similar to the packet loss rates with IDASA. However, the packet loss rates with ABAD in Figs 9 and 10 have small fluctuations, because the packet loss rates with ABAD are related to many parameters such as the percentage of mobile agents, the number

FIGURE 14. The residual energy with 300 nodes.


FIGURE 10. The packet loss rate with 300 nodes in network.


FIGURE 17. The network throughput with 200 nodes in network.

FIGURE 16. The network throughput with 100 nodes in network.

FIGURE 18. The network throughput with 300 nodes in network.

of undetected sensor nodes, and the number of dead sensor nodes. It is easy to see that IDASA performs better than ABAD and results in less packet loss. The reason is that ABAD uses mobile agents to detect sinkhole nodes, and the mobile agents travel the network only once. However, all the sensor nodes in the network are randomly deployed. Thus, some sinkhole nodes cannot be detected by the mobile agents. The undetected sinkhole nodes introduce additional packet loss. IDASA, in contrast, utilizes the data consistency of neighbor nodes to detect sinkhole nodes, so the performance of the IDASA algorithm is superior to ABAD in terms of packet loss rate. In addition, the results show that when the number of sensor nodes increases from 100 to 400, the changes of the packet loss rates between ABAD and IDASA are small. Therefore, we can conclude that both ABAD and IDASA are suitable for large-scale WSNs.

5.2.2. The residual energy

In our experiments, the percentage of mobile agents is set as 15% in ABAD. The percentage of sinkhole nodes is set as 10% and they are randomly deployed in the area. As shown in Figs 12–15, the average residual energy of the network with IDASA is relatively higher than that with the ABAD algorithm. The reason is that ABAD utilizes the mobile agents to detect malicious nodes. The mobile agents traveling the whole network will inevitably consume large amounts of energy. IDASA, in contrast, takes full advantage of the neighbor nodes' information to detect sinkhole nodes, and thus consumes less energy than ABAD. In a word, IDASA is much more energy efficient than the ABAD algorithm.

5.2.3. The network throughput

Since sinkhole nodes tend to lure packets from nearby areas and then drop the data packets, the base station cannot receive


FIGURE 15. The residual energy with 400 nodes.

mixing it with other techniques. And we will continue to study the security problems in WSNs, and explore more efficient countermeasures to meet new challenges in the future.

FUNDING

enough packets from the sensor nodes. The sinkhole attack greatly affects the data transmission and causes a reduction in network throughput. As shown in Figs 16–19, as the simulation time increases from 0 to 16 s, the number of delivered packets with the IDASA and ABAD algorithms both rapidly increase. This is because the sinkhole nodes are detected and removed from the network, thus the network throughput is improved (Figs 16–19).

6. CONCLUSION AND FUTURE WORK

In this paper, malicious behaviors and severe impacts of a sinkhole attack were analyzed in WSNs. Then, a novel IDASA algorithm was proposed to detect sinkhole nodes. To evaluate the performance of our detection algorithm, we simulate IDASA on the MATLAB simulator. Simulation results show that IDASA can efficiently identify nearly all the sinkhole nodes. Without sinkhole nodes, the energy consumption of sensor nodes can be well balanced, which ultimately prolongs the network lifetime of WSNs. The advantages of IDASA can be summarized as follows.

(1) No traditional security mechanism, e.g. cryptography, is needed, so there is no extra time overhead or computation complexity to manage the public or private keys.

(2) IDASA does not use any special nodes such as mobile agents to detect sinkhole nodes, and no extra hardware equipment or other algorithms are needed. So IDASA is a very lightweight algorithm for sinkhole detection.

(3) IDASA takes full advantage of the collaboration information of neighbor nodes to detect sinkhole nodes. It is a distributed algorithm and energy efficient.

Based on performance results, we can conclude that the performance of IDASA algorithm can be further improved by

REFERENCES

[1] Yick, J., Mukherjee, B. and Ghosal, D. (2008) Wireless sensor network survey. Comput. Netw., 52, 2292–2330.
[2] Akyildiz, I., Su, W., Sankarasubramaniam, Y. and Cayirci, E. (2002) Wireless sensor networks: a survey. Comput. Netw., 38, 393–422.
[3] Karlof, C., Sastry, N. and Wagner, D. (2004) Tinysec: A Link Layer Security Architecture for Wireless Sensor Networks. Proc. 2nd Int. Conf. Embedded Networked Sensor Systems, New York, NY, USA, pp. 162–175.
[4] Werner-Allen, G., Lorincz, K., Ruiz, M., Marcillo, O., Johnson, J., Lees, J. and Walsh, M. (2006) Deploying a wireless sensor network on an active volcano. Data-Driven Appl. Sensor Netw. (Special Issue), IEEE Internet Comput., 10, 18–25.
[5] Nguyen, H.L. and Nguyen, U.T. (2008) A Study of Different Types of Attacks on Multicast in Mobile Ad Hoc Networks. Networking, Int. Conf. Systems and Int. Conf. Mobile Communications and Learning Technologies, 6, 32–46.
[6] Jiang, J., Han, G., Zhu, C., Dong, Y. and Zhang, N. (2011) Secure localization in wireless sensor networks: a survey. J. Commun., 6, 460–470.
[7] Su, Z. and Lin, C. (2006) Security Mechanisms Analysis of Wireless Sensor Networks specific Routing Attacks. Pervasive Computing and Applications, Urumqi, pp. 579–584.
[8] Ssu, K.F., Wang, W.T. and Chang, W.C. (2009) Detecting Sybil attacks in wireless sensor networks using neighboring information. Comput. Netw., 53, 3042–3056.
[9] Norman, J. and Joseph, P. (2011) Secure Neighbor Authentication in Wireless Sensor Networks. Wireless Communication, Vehicular Technology, Information Theory and Aerospace and Electronic Systems Technology (Wireless VITAE), Chennai, pp. 1–4.


FIGURE 19. The network throughput with 400 nodes in network.

The work is supported by ‘Natural Science Foundation of JiangSu Province of China, No. BK20131137’, ‘Science and Technology Pillar Program (Social development) of Changzhou Science and Technology Bureau, No. CE20135052’, ‘the Guangdong University of Petrochemical Technology’s Internal Project, No. 2012RC0106’, ‘Jiangsu Province Ordinary University Graduate Innovation Project, No. CXZZ13_02’. Jaime Lloret’s work has been partially supported by the ‘Ministerio de Ciencia e Innovacion’, through the ‘Plan Nacional de I+D+i 2008-2011’ in the ‘Subprograma de Proyectos de Investigacion Fundamental’, project TEC201127516.


[22] Stafrace, S.K. and Antonopoulos, N. (2009) Military tactics in agent-based sinkhole attack detection for wireless ad hoc networks. Comput. Commun., 38, 619–638.
[23] Sheela, D., Kumar, C.N. and Mahadevan, G. (2011) A non Cryptographic Method of Sinkhole Attack Detection in Wireless Sensor Networks. Proc. IEEE Int. Conf. Recent Trends in Information Technology (ICRTIT), Chennai, Tamil Nadu, pp. 527–532.
[24] Sutagundar, A.V. and Manvi, S.S. (2013) Location aware event driven multipath routing in wireless sensor networks: agent based approach. Egypt. Inf. J., 14, 55–65.
[25] Karlof, C. and Wagner, D. (2003) Secure routing in wireless sensor networks: attacks and countermeasures. Ad hoc Netw., 1, 293–315.
[26] Ren, F., Zhang, J., He, T. and Das, S.K. (2011) EBRP: energy-balanced routing protocol for data gathering in wireless sensor networks. IEEE Trans. Parallel Distrib. Syst., 22, 2108–2125.
[27] Perkins, C.E., Das, S.R. and Royer, E. (2000) Ad-Hoc on Demand Distance Vector routing (AODV). Mobile Computing Systems and Applications, New Orleans, LA, pp. 90–100.
[28] Chen, L. and Leneutre, J. (2009) On multipath routing in multihop wireless networks: security performance and their tradeoff. EURASIP J. Wirel. Commun. Netw., 2009, 1–13.
[29] Zhou, J., Peng, L., Deng, Y. and Lu, J. (2012) An on-demand routing protocol for improving channel use efficiency in multichannel ad hoc networks. J. Netw. Comput. Appl., 35, 1606–1614.
[30] Mohammadi, S. and Jadidoleslamy, H. (2011) A comparison of link layer attacks on wireless sensor networks. Int. J. Appl. Graph Theory Wirel. Ad Hoc Netw. Sensor Netw. (GRAPH-HOC), 3, 1–22.
[31] Challal, Y., Ouadjaout, A., Lasla, N., Bagaa, M. and Hadjidj, A. (2011) Secure and efficient disjoint multipath construction for fault tolerant routing in wireless sensor networks. J. Netw. Comput. Appl., 34, 1380–1397.
[32] Yu, W. and Ray Liu, K.J. (2005) Attack-resistant cooperation stimulation in autonomous ad hoc networks. IEEE J. Sel. Areas Commun., 23, 2260–2271.
[33] Ding, M., Chen, D., Xing, K. and Cheng, X. (2005) Localized fault-tolerant event boundary detection in sensor networks. Proc. INFOCOM, 2, 902–913.


[10] Alrajeh, N.A. and Lloret, J. (2013) Intrusion detection systems based on artificial intelligence techniques in wireless sensor networks. Int. J. Distrib. Sensor Netw., 2013, 1–7.
[11] Llewellyn, L., Hopkinson, K. and Graham, S. (2011) Distributed fault-tolerant quality of wireless networks. IEEE Trans. Mob. Comput., 10, 175–190.
[12] Shafiei, H., Khonsari, A., Derakhshi, H. and Mousavi, P. (2014) Detection and mitigation of sinkhole attacks in wireless sensor networks. J. Comput. Syst. Sci., 80, 644–653.
[13] Delgosha, F. and Fekri, F. (2005) Key Pre-Distribution on Wireless Sensor Networks Using Multivariate polynomials. Sensor and Ad Hoc Communications and Networks, 2005. IEEE SECON 2005. 2005 Second Annual IEEE Communications Society Conference, pp. 118–129.
[14] Deng, J., Han, R. and Mishra, S. (2006) INSENS: intrusion-tolerant routing for wireless sensor networks. Elsevier Comput. Commun., 29, 216–230.
[15] Ngai, E.C.H., Liu, J. and Lyu, M.R. (2007) An efficient intruder detection algorithm against sinkhole attacks in wireless sensor networks. Comput. Commun., 30, 2353–2364.
[16] Tumrongwittayapak, C. and Varakulsiripunth, R. (2009) Detecting Sinkhole Attacks in Wireless Sensor Networks. Proc. Int. Joint Conf., Fukuoka, pp. 1966–1971. IEEE.
[17] Sharmila, S. and Umamaheswari, G. (2006) Detection of sinkhole attack in wireless sensor networks using message digest algorithms. Proc. Process Autom. Control Comput. (PACC), 8, 3383–3389.
[18] Bahekmat, M., Yaghmaee, M.H., Heydari, A.S. and Sadeghi, S. (2012) A novel algorithm for detecting sinkhole attacks in wireless sensor networks. Int. J. Comput. Theory Eng., 4, 1–4.
[19] Hamedheidari, S. and Rafeh, R. (2013) A novel agent-based approach to detect sinkhole attacks in wireless sensor networks. Comput. Secur., 37, 1–14.
[20] Han, G., Jiang, J., Shu, L., Niu, J. and Chao, H.C. (2014) Managements and applications of trust in wireless sensor networks: a survey. J. Comput. Syst. Sci., 80, 602–617.
[21] Samundiswary, P., Priyadarshini, P. and Dananjayan, P. (2010) Detection of sinkhole attacks for mobile nodes in heterogeneous sensor networks with mobile sinks. Int. J. Comput. Electr. Eng. (IJCEE), 2, 127–133.
