Similar literature
 Found 20 similar documents; search took 15 ms
1.
《Computer Communications》2007,30(11-12):2365-2374
When sensor networks are deployed in unattended and hostile environments, secret keys must be established between sensors to secure their communication. Many key establishment schemes have been proposed for large-scale sensor networks. In these schemes, each sensor shares a secret key with its neighbors via preinstalled keys. Two end nodes that do not share a key with each other can use a secure path to share a secret key between them. However, during the transmission of the secret key, the key is revealed to each node along the secure path. Several researchers have proposed multi-path key establishment to prevent a few compromised sensors from learning the secret key, but it is vulnerable to stop-forwarding or Byzantine attacks. To counter these attacks, we propose a hop-by-hop authentication scheme for path key establishment to prevent Byzantine attacks. Compared to conventional protocols, our proposed scheme can mitigate the impact of malicious nodes mounting a Byzantine attack, and sensor nodes can identify the malicious nodes. In addition, our scheme can save energy since it detects and filters false data within no more than two hops.

2.
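To address selective forwarding attacks in wireless sensor networks, a selective forwarding attack detection method based on multi-hop acknowledgment and trust evaluation (MHA-TE) is proposed. MHA-TE uses a source-node-based multi-hop acknowledgment scheme in request-response form: the source node sends request packets and intermediate nodes reply with response packets, which identifies the nodes on the path that maliciously drop packets. The reported malicious nodes are then used as the criterion for updating the parameters of trust evaluation. A trust evaluation model built on the Beta distribution analyzes the interactions of each node, determines the trust value of each node on the path, and compares the updated trust value with the corresponding trust threshold to decide whether a node is malicious. By combining the advantages of multi-hop acknowledgment and trust evaluation, the method addresses the high false alarm rate when a path contains multiple malicious nodes, the poor adaptability of static trust thresholds, and the low detection rate. Simulation results show that, compared with the Two-hops, MLCM and ITEM methods, MHA-TE not only detects malicious nodes effectively, with a higher detection rate and a lower false alarm rate, but also greatly reduces network overhead.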

3.
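For range-free localization in wireless sensor networks, a spoofing attack model in which ordinary nodes are captured during DV-Hop localization is proposed, the impact of this attack model on the DV-Hop localization process is analyzed, and a secure DV-Hop localization algorithm that resists the spoofing attack is then proposed. First, at the ordinary nodes, a detection mechanism based on the consistency of sent and forwarded information is proposed to detect malicious nodes. Second, at the sink node, a detection mechanism based on evidence from the message forwarding chain is proposed to identify malicious nodes. Finally, once the sink node detects that malicious nodes have carried out tampering attacks, it notifies the whole network to discard data packets forwarded by the malicious nodes and restarts localization. Simulation results show that the proposed secure localization algorithm effectively filters out malicious nodes, and that its localization performance is essentially the same as that of DV-Hop without attack, so it effectively resolves the impact of spoofing attacks on the DV-Hop localization process.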

4.
《Computer Communications》2007,30(1):153-165
This paper presents a secure alternate path routing scheme for sensor networks. Our alternate path scheme makes the routing protocol resilient in the presence of malicious nodes that launch selective forwarding attacks. SeRINS (a Secure alternate path Routing IN Sensor networks) uses a neighbor report system to detect compromised nodes that try to inject inconsistent routing information and to isolate them from the network. In the neighbor report system, a node’s route advertisement is verified by its surrounding neighbor nodes so that a suspect node is reported to the base station and excluded from the network. Simulation experiments show that SeRINS is resilient in the presence of several compromised nodes that launch selective forwarding attacks, and robust in excluding from the network the compromised nodes that inject inconsistent routing information.

5.
Various routing attacks on single-path routing have been identified for wireless ad hoc networks, and corresponding countermeasures have been proposed in the literature. However, the effects of routing attacks on multi-path routing have not been addressed. In this paper, the performance of multi-path routing under wormhole attack is studied in detail. The results show that multi-path routing is vulnerable to wormhole attacks. A simple scheme based on statistical analysis of multi-path (called SAM) is proposed to detect such attacks and to identify malicious nodes. Compared to previous approaches (for example, using packet leashes), the proposed scheme has no special requirements (such as time synchronization or GPS). Simulation results demonstrate that SAM successfully detects wormhole attacks and locates the malicious nodes in networks with different topologies and different node transmission ranges. Moreover, SAM may act as a module in local detection agents in an intrusion detection system (IDS) for wireless ad hoc networks.

6.
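To effectively detect the various malicious attacks facing wireless sensor networks, a lightweight, efficient and flexible group-based intrusion detection scheme is proposed. In this scheme, the whole sensor network is partitioned into groups of physically nearby nodes with similar observations, and the sensor nodes within a group simultaneously observe multiple attributes of the other nodes so that attack behavior can be detected accurately. Experimental results show that, compared with existing intrusion detection schemes for sensor networks, this scheme has a lower false alarm rate and higher detection accuracy, while consuming less energy.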

7.
《Computer Communications》2007,30(11-12):2401-2412
A Wireless Sensor Network (WSN) is a collection of wireless sensor nodes forming a temporary network without the aid of any established infrastructure or centralized administration. In such an environment, due to the limited range of each node’s wireless transmissions, it may be necessary for one sensor node to ask for the aid of other sensor nodes in forwarding a packet to its destination, usually the base station. One important issue when designing a wireless sensor network is a routing protocol that makes the best use of the severely limited resources of a WSN, especially its limited energy. Another important factor requiring attention from researchers is providing as much security to the application as possible. The routing protocols proposed in the literature focus either only on increasing the lifetime of the network or only on addressing security issues while consuming much power. None of them combines solutions to the two challenges. In this paper, we propose a new routing protocol called SEEM: Secure and Energy-Efficient multipath Routing protocol. SEEM alternates among multiple paths for communication between two nodes and thus prolongs the lifetime of the network. In addition, SEEM is effectively resistant to some specific attacks that pull all traffic through the malicious nodes by advertising an attractive route to the destination. The performance of our protocol is compared to the Directed Diffusion protocol. Simulation results show that our protocol surpasses the Directed Diffusion protocol in terms of throughput, control overhead and network lifetime.

8.
By exploiting the unattended nature of wireless sensor networks, an attacker can physically capture and compromise sensor nodes and then launch a variety of attacks. The attacker can additionally create many replicas of a few compromised nodes and spread these replicas over the network, thus launching further attacks with their help. In order to minimize the damage incurred by compromised and replicated nodes, it is very important to detect such malicious nodes as quickly as possible. In this review article, we synthesize our previous work on node compromise detection in sensor networks while providing an extended analysis in terms of performance comparison to the related work. More specifically, we use the methodology of sequential analysis to detect static and mobile compromised nodes, as well as mobile replicated nodes in sensor networks. With the help of analytical and simulation results, we also demonstrate that our schemes provide robust and efficient node compromise detection capability.

9.
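To improve the security and energy efficiency of wireless sensor networks, a trust-based secure routing protocol, TSRP, is proposed. The comprehensive trust value of a neighbor node is computed from a new direct trust value, indirect trust value, volatilization factor and residual energy in order to evaluate the node's security, and to quickly identify and exclude malicious nodes that launch black hole, selective forwarding, Hello flood and sinkhole attacks. For wormhole attacks, which are hard to detect, the sink computes the optimal path from the link quality, transmission distance and hop count of multiple links to ensure that the selected route is secure and energy-efficient. Simulation results show that, compared with AODV and TBSRP, the optimal route selected by TSRP effectively reduces the load on each node and lowers network delay and packet loss rate.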

10.
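False data injection attacks are a serious threat to wireless sensor networks. Because most false data filtering schemes do not consider node identity attacks or intermediate nodes captured by the attacker, a false data filtering scheme resistant to node identity attacks is proposed. The scheme not only verifies and filters forwarded data during data forwarding, but also verifies the identities of the nodes that cooperatively generate the sensed data. Security analysis and performance evaluation show that the scheme not only resists various attacks but also has a clear advantage over other schemes in storage overhead, and that as the number of hops over which a data packet is forwarded increases, the scheme's false data filtering capability and energy savings also increase significantly.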

11.
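Mobile ad hoc networks (MANETs) are typical distributed networks with no centralized management node, a dynamically changing topology, and limited bandwidth. Their lack of network infrastructure makes them susceptible to various denial of service (DoS) attacks. The gray hole attack is one type of DoS attack in which the attacker, while the network is in good condition, first participates honestly in the route discovery process and then, in a way that goes unnoticed, drops some or all of the data packets it should forward. The paper first introduces related work, the DSR algorithm, the aggregate signature algorithm and the network model. Then, based on the aggregate signature algorithm, it gives three related algorithms for detecting packet-dropping nodes: an evidence generation algorithm, an audit algorithm and a diagnosis algorithm. The evidence generation algorithm is used by nodes to produce forwarding evidence; the audit algorithm audits the nodes on the source route; the diagnosis algorithm identifies the packet-dropping node. Finally, the efficiency of the algorithms is analyzed. ns-2 simulation results show that, in networks with moderate mobility speed, the proposed algorithms detect most packet-dropping nodes with low routing packet overhead. After routes containing packet-dropping nodes are discarded, the data delivery rate improves accordingly.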

12.
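To improve the trustworthiness of data transmission for fault detection in power distribution networks, a trusted WSN routing algorithm for distribution network fault detection is proposed. The algorithm introduces a lightweight trust value calculation method that guards against attacks on the trust model, and brings trust values into cluster head election and inter-cluster multi-hop routing so that malicious nodes cannot degrade network security. In the inter-cluster multi-hop stage, parameters of neighbor nodes such as position factor, distance factor, trust value and residual energy are fused into a single decision to build the optimal data transmission path. Simulation results show that the proposed algorithm adaptively removes malicious nodes from the network, guards against malicious attacks, and maximizes network lifetime.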

13.
In a mobile ad hoc network (MANET), the lack of a trusted infrastructure makes secure and reliable packet forwarding very challenging, especially for providing QoS guarantees for multimedia applications. In this paper, we first introduce the concept of trust and QoS metric estimation to establish a trust-based QoS model. In this model, we estimate the trust degree between nodes from direct trust computed from direct observation and indirect trust computed from neighbors’ recommendations. On the other hand, due to the NP-completeness of the multi-QoS constraints problem, we only take into account link delay as the QoS constraint requirement. Then, we design a trust-based QoS routing algorithm (called TQR) from the trade-off between trust degree and link delay. Finally, using NS2, we implement this algorithm based on AODV (Ad hoc On-demand Distance Vector). We compare its performance with AODV, Watchdog-DSR and QAODV. The simulation results show that the TQR scheme can prevent attacks from malicious nodes and improve the security performance of the whole network, especially in terms of packet delivery ratio, average end-to-end delay, routing packet overhead and detection ratio of malicious nodes.

14.
Vehicle cloud is a new idea that uses the benefits of wireless sensor networks (WSNs) and the concept of cloud computing to provide better services to the community. It is important to secure a sensor network to achieve better performance of the vehicle cloud. In their present configuration, wireless sensor networks are a soft target for intruders or adversaries to launch lethal attacks. In this paper, a novel intrusion detection framework is proposed for securing wireless sensor networks from routing attacks. The proposed system works in a distributed environment to detect intrusions by collaborating with the neighboring nodes. It works in two modes: online prevention safeguards against abnormal nodes that have already been declared malicious, while offline detection finds nodes that are compromised by an adversary during the next epoch of time. Simulation results show that the proposed specification-based detection scheme performs extremely well and achieves a high intrusion detection rate and a low false positive rate.

15.
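Based on an analysis of existing packet dropping attack detection algorithms, a global awareness scheme for packet dropping attacks based on cluster head cooperation is proposed. It uses IDS cluster heads to cooperatively monitor the packet sending and receiving state of nodes, improving on the monitoring approach and the node state decision algorithm of existing algorithms. Simulation results show that the algorithm has a good detection rate and false detection rate, and performs well in avoiding malicious nodes in the network and in maintaining normal network throughput.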

16.
This work focuses on: (1) understanding the impact of selective forwarding attacks on tree-based routing topologies in wireless sensor networks (WSNs), and (2) investigating cryptography-based strategies to limit network degradation caused by sinkhole attacks. The main motivation of our research stems from the following observations. First, WSN protocols that construct a fixed routing topology may be significantly affected by malicious attacks. Second, for networks deployed in a difficult-to-access geographical region, building up resilience against such attacks rather than detection is expected to be more beneficial. We thus first provide a simulation study on the impact of malicious attacks based on a diverse set of parameters, such as the network scale and the position and number of malicious nodes. Based on this study, we propose a single but very representative metric for describing this impact. Second, we present the novel design and evaluation of two simple and resilient topology-based reconfiguration protocols that broadcast cryptographic values. The results of our simulation study together with a detailed analysis of the cryptographic overhead (communication, memory, and computational costs) show that our reconfiguration protocols are practical and effective in improving resilience against sinkhole attacks, even in the presence of collusion.

17.
付翔燕  李平  吴佳英 《计算机应用》2012,32(10):2711-2715
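For selective forwarding attacks in wireless sensor networks, with the aim of improving the malicious node detection rate and the defensive capability of the system, a detection and defense method is proposed that combines a random routing algorithm based on an optimal forwarding strategy with monitoring by trusted neighbor nodes. The method builds forwarding paths using parameters such as distance and trust degree and, during route discovery and selection, uses a node monitoring mechanism to detect and defend against malicious nodes. The mechanism was simulated in Matlab, and its performance was compared with that of other methods. Experimental results show that the method effectively detects selective forwarding attacks while consuming relatively little energy, maintains a high event packet success rate, and defends against and handles malicious nodes effectively.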

18.
Malicious attacks, when launched by the adversary class against sensor nodes of a wireless sensor network, can disrupt routine operations of the network. The mission-critical nature of these networks signifies the need to protect sensory resources against all such attacks. Distributed node exhaustion attacks are attacks that may be launched by the adversary class from multiple ends of a wireless sensor network against a set of target sensor nodes. The intention of such attacks is the exhaustion of the victim’s limited energy resources. As a result of the attack, the incapacitated data-generating legitimate sensor nodes are replaced with malicious nodes that will engage in further malicious activity against sensory resources. One such activity is the generation of fictitious sensory data to misguide emergency response systems into mobilizing unwanted contingency activity. In this paper, a model is proposed for such an attack based on network traffic flow. In addition, a distributed mechanism for detecting such attacks is also defined. Specific network topology-based patterns are defined to model normal network traffic flow, and to facilitate differentiation between legitimate traffic packets and anomalous attack traffic packets. The performance of the proposed attack detection scheme is evaluated through simulation experiments, in terms of the size of the sensor resource set required for participation in the detection process for achieving a desired level of attack detection accuracy. The results signify the need for distributed pattern recognition for detecting distributed node exhaustion attacks in a timely and accurate manner.

19.
Mobile ad hoc networks (MANETs) are vulnerable to active attacks, such as dropping attacks, replay attacks, collusion attacks, and tampering attacks. Many studies have been proposed to provide secure transmission. However, they cannot effectively and efficiently resist colluding attacks. Therefore, we propose a collaborative routing protocol (CRP) to detect and isolate colluding attackers via a monitoring mechanism. Monitor nodes observe and record the behavior of intermediate nodes. Based on the records of intermediate nodes, the source node can distinguish malicious nodes and isolate them. Finally, security analyses and simulation verify that CRP can effectively and efficiently resist black hole attacks, gray hole attacks, modified and fake packet attacks, rushing attacks, and collusion attacks.

20.
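Because of the limited capabilities of their nodes, wireless sensor networks usually exchange messages between nodes in a multi-hop manner, and such multi-hop routing protocols make selective forwarding attacks easy. On this basis, a multi-hop acknowledgment scheme based on random checkpoints is proposed to detect selective forwarding attacks in wireless sensor networks, introducing IBE encryption and the LEACH routing protocol to improve the detection method for selective forwarding attacks. The overall framework of the detection and defense scheme is given, and its operation is described in detail. In the NS2 environment, the improved scheme is simulated in terms of the number of checkpoints, computation speed and energy consumption, storage requirements and robustness, in order to verify its improvement of wireless sensor network security.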
