Distributed Wormhole Attack Detection in Wireless Sensor

Networks

Yurong Xu1 Guanling Chen2 James Ford1,3 Fillia Makedon1,3

1
Computer Science Department, Dartmouth College

{yurong, jford, makedon}@cs.dartmouth.edu

2
Computer Science Department, UMass Lowell

{glchen}@cs.uml.edu

3
Univ. of Texas at Arlington, Dept. of Computer Science and Eng.

{Makedon,jford}@cse.uta.edu

Abstract ployed in some hostile environment, attacks (espe-

cially those like wormhole attacks that don’t need

This paper proposes a distributed wormhole
to capture the keys used in the network) may affect
detection algorithm for wireless sensor networks,
current sensor networks and may even disable
a potential technology for infrastructures of many
their functions. This paper proposes a distributed
applications. Currently, most sensor networks
wormhole detection algorithm called Wormhole
assume they will be deployed in a benign envi-
Geographic Distributed Detection (WGDD), that
ronment; however, when a sensor network is de-
is based on detecting disorder of the networks capabilities. This technology has the potential

which is caused by the existence of a wormhole to provide infrastructures for numerous applica-

inside the network. Since wormhole attacks are tions, such as surveillance, healthcare, industry

passive, this algorithm uses a hop-counting tech- automation, and military uses.

nique as a probe procedure to detect wormhole at-

Currently, most applications in WSNs assume
tacks, then reconstructs local maps in each node,
that they are deployed in a trusted environment,
and after that, uses a feature called “diameter” to
but it is possible that a WSN is to be deployed
detect abnormalities caused by wormholes. The
in an untrusted environments, and so dealing with
main advantage of using a distributed wormhole
security issues will become a central requirement.
detection algorithm is that such an algorithm can
In this situation, an adversary can disable the
provide the approximate location of a wormhole,
functionality of a WSN by interfering with packet
which may be useful information for further de-
transmissions inside the networks with different
fense mechanisms. Simulations show that the pro-
attacks such as wormhole attacks, sybil attacks
posed detection method has both a low False Tol-
[12], jamming, and packet injection attacks [17].
eration Rate (FTR) and a low False Detection
This paper focuses on wormhole attack detec-
Rate (FDR) in detecting wormhole attacks.
tion [2, 7, 13]. A wormhole attack doesn’t re-

quire knowing the cryptographic infrastructure of

1. Introduction
the sensor network, and thus it puts an attacker in

Wireless Sensor Networks (WSNs) [1, 15] are a very powerful position relative to other nodes

an emerging technology consisting of small, low- in the network, compared to other attacks such

power, and low-cost devices that integrate limited as sybil and packet injection attacks, which usu-

computation, sensing, and radio communication ally utilize vulnerabilities in the infrastructure of
wireless sensor networks. An attacker can per- when a network is deployed.

form a wormhole attack on a sensor network even

In comparison with the above methods, in
if the network communication infrastructure pro-
this paper we describe a distributed method
vides confidentiality and authenticity, and the at-
called Wormhole Geographic Distributed Detec-
tacker does not have any cryptographic keys.
tion (WGDD) to detect a wormhole attack with-

out using anchor nodes or any additional hard-

Currently, there are many methods that have
ware. Since a wormhole attack is passive, this
been proposed for detecting wormhole attacks in-
algorithm uses a simple hop-counting technique
side of ad hoc networks and wireless sensor net-
as a probe procedure to detect wormhole attack,
works, and encouraging results have been ob-
then reconstructs local maps by MDS (Multidi-
tained. However, these methods usually require
mensional Scaling) in each node, and after that
that some nodes in the network be equipped with
uses a feature introduced in this papce called “di-
special hardware. Solutions such as SECTOR [2]
ameter” to detect distortions caused by a worm-
and “Packet Leashes” [7] need time synchroniza-
hole. The main advantage of using a distributed
tion or highly accurate clocks to detect worm-
wormhole detection algorithm is that such an al-
holes; the method of Hu and Evans [5] requires
gorithm can provide the approximate location of a
that a directional antenna is deployed in each
wormhole, which can assist further defense mech-
node; and LAD [3], SerLoc [9], and the ap-
anisms. Simulation shows that the proposed de-
proach in [6] concentrate on detecting/defending
tection method has both a low False Toleration
against wormholes in localization in WSNs, but
Rate(FTR) and a low False Detection Rate(FDR)
these methods also need the help of anchor nodes
in detecting wormhole attacks.
(which are special nodes that already know their

location exactly), which requires manual setup In this paper, we make the following contribu-
tions. (i.) We propose a new feature which can be 2. Related Work

used to detect wormholes in a distributed scheme.

The wormhole attack detection in wireless ad-
(ii.) We propose a distributed wormhole detection
hoc networks was introduced in [2, 6, 7]. Both
algorithm which needs only local connectivity in-
solutions are referred to as “Packet Leashes” [7],
formation. Since the detection of wormholes is
and SECTOR [2]. They detect wormhole attacks
completed under a distributed scheme, it is pos-
based upon the notion of geographical or tempo-
sible that our algorithm can provide the approxi-
ral leashes. Briefly, suppose every node in the net-
mate locations of the ends of wormholes, which
work already knows its exact location and each
will be helpful in further defense against worm-
node embeds its location and a timestamp into
hole attacks. (iii) We provide extensive simula-
each packet it sends. If the network is synchro-
tion for (i-ii) in NS-2, which shows that our meth-
nized, then other nodes receiving that packet can
ods are effective at detecting wormhole attacks on
detect a wormhole by detecting the mismatch be-
different network placements.
tween the timestamp difference they calculate and

The remainder of the paper is organized as fol- the location difference they observe. Such a solu-

lows. Section 2 discusses related work. Sec- tion requires a synchronized clock and preknown

tion 3 describes some basic concepts related to location for each node. The method we propose

wormhole attacks. Section 4 discusses the fea- here does not have these requirements.

ture which detects wormholes inside of a network In [8], Kong et al. study Denial of Service

and the details of the WGDD algorithm. Section (DoS) attacks, including wormhole attacks, in

5 evaluates the algorithm in an NS-2 simulation UWSN (Under Water Sensor Networking). Be-

environment. And finally Section 6 gives our con- cause UWSN typically uses acoustical methods

clusions. to propagate messages under water, the methods

in UWSN can’t be directly applied into wireless anchor nodes that are close to a end of a worm-

sensor networks. hole, SeRLoc will still have difficulty in detect-

ing/defending against wormhole attacks.

In [5], Hu and Evans utilize directional anten-
In more recent papers [3, 10], D. Liu et al. pro-
nas to prevent wormhole links by assuming every
posed an anchor-based scheme which is resistant
node of the network will be equipped with direc-
to several attacks, including wormhole attacks.
tional antennas that all have the same orientation.
By using a hop-counting technique, the scheme
Lazos and Poovendran apply a similar idea in de-
estimates the distance between a node and an an-
signing a secure localization scheme called SeR-
chor node (or “location reference” in the authors’
Loc [9] that protects against wormhole attacks in
terminology). If there is a wormhole inside the
localization. In SeRLoc, there are about 400 an-
network, then it is possible that the distance from
chor nodes (designated as “beacon nodes” in the
a node to some anchor node will be changed, and
paper) deployed in a 5000-node network. Each
a simple threshold method is used to determine
anchor node has a directional antenna and already
whether such a distance difference is caused by
knows its physical location. Other nodes in the
a wormhole attack or by localization error. The
network use these anchor nodes to locate them-
main difference between our method and those of
selves. When there is a wormhole attack in the
[3] and [10] is that the latter methods rely on an-
network, since a wormhole will shortcut the net-
chor nodes, which need manual setup in advance,
work, directional antennas deployed in the an-
while our method does not require any anchor
chor nodes will help in detecting the attack, and
nodes to detect wormholes.
the nodes can then defend against it by discard-

ing incorrect localization messages. However, if Additional work by [14] presents a useful graph

anchor nodes are compromised, especially those theoretic framework for modeling of wormhole
attacks, but this theoretic framework is based on which is identified in [14], is that such a visual-

the assumption that there are “guard nodes” know ization cannot be applied to networks with irreg-

their locations exactly. Thus, these nodes actu- ular shapes, such as a string topology (nodes con-

ally work as anchor nodes as described in this pa- nected in one line).

per. Since in this work we assume that none of the

3. The Wormhole Attack
nodes in the network knows its physical location,

our proposed solution is for a case not covered by

this framework.

Origin end Wormhole tunnel Destination

end
MDS-VOW [16] allows visualization of a net-
Figure 1. A Wormhole Attack in a WSN
work to allow detection of wormholes by find-

ing bending distortions caused by a wormhole in In a typical wormhole attack, an attacker re-

computed maps. The main difference between ceives packets at one point in the network, for-

our approach and MDS-VOW is that MDS-VOW wards them through a wireless or wired link with

can only work in a centralized scheme, so MDS- much less latency than the default links used by

VOW needs to have a central computer to finish the network and relays those packets at another

its computation. In our paper, we extract a new position in the network. In this paper we as-

feature which can efficiently indicate the ends of sume that a wormhole is bidirectional, and when

a wormhole based only on local bending distor- considering a wormhole attack, we refer to the

tions caused by the ends of the wormhole. The end of that wormhole receiving a message as the

algorithm described in this paper is computed by “origin end” of the wormhole and the end that

a distributed scheme and requires no centralized transmits the message as the “destination end” of

computation. A general limitation of MDS-VOW, that wormhole (thus which end is which is en-
tirely context dependent). Figure 1 shows a typ-
ical wormhole attack. In this work we assume
wormholes with two endpoints, although in the-
ory multi-end wormholes are possible.
We also assume that each wormhole in a net-
work is (1) passive, and thus does not send out
any message without any inbound message, (2)
static, which means that such wormhole will not
move around.
4 Detecting Wormhole Attacks
In this section, at first, we will describe our al-
gorithm in brief, then, by observing the network
with a wormhole inside it, we discuss a feature
which can be used to detect wormhole attacks in
distributed scheme, at last, based on the previous
feature we propose how to detect wormhole at-
tacks.
4.1 Overview of WGDD Algorithm
Our distributed algorithm called Wormhole Ge-
ographic Distributed Detection (WGDD) uses a
similar hop-counting technique as a probe proce-
dure (Section 4.2) to detect wormhole attack. Af-
ter the running of the probe procedure, each node
will collect the set of hop-count from its neigh-
bor nodes which are in one(k) hop(s) distance to
it, then that node will run Dijkstra’s algorithm to
get the shortest path for each pair of the nodes,
after that, it will reconstruct a local map by MDS
(Multidimensional Scaling) (Section 4.3). After
we discuss a feature called as “diameter” to de-
tect distortions caused by a wormhole in local
maps in Section 4.4, we will introduce the detec-
tion procedure in Section 4.5. The overview of
this Wormhole Geographic Distributed Detection
(WGDD) algorithm can be seen in Procedure 1.
Procedure 1 Wormhole Geographic Distributed
Detection (WGDD)
1: Probe Procedure
2: Local Map Computation Procedure
3: Detection Procedure
4.2 Probe Procedure
Since a wormhole attack is passive, which
means that such an attack can only happen when
there is some message being transmitted near the procedure [18] for node a is shown in Procedure

wormhole area. In order to detect whether there 2.

is a wormhole attack inside a network, we de-

sign a probe procedure to flood an message from

Procedure 2 Probe Procedure in node a
some bootstrap node to the whole networks to let 1: INPUT: message (hopb ) from node b ∈ Na
2: for message (hopb ) from any B ∈ Na and not
all other nodes in the network to count the hop TIMEOUT do
3: if hopb < hopa then
distance from itself to that bootstrap node. Such 4: hopa = hopb + 1
5: forward (message(hopa ) ) to MAC
probe procedure is based on hop-coordinates [18] 6: else
7: drop (message(hopb ) )
technique to measure the hop distance from each 8: end if
9: end for
node to some bootstrap node, which shares the 10: if |Na | == 0 then
11: offseta = 0
same idea as hop-counting, but has more accurate 12: else P
(hop −(hopa −1))+1
13: offseta = b∈Na 2(|Nb a |+1)
measurement. 14: end if
15: return hopa and offseta

(i)In bootstrap node: A bootstrap node x cre-

ates a probe message with (i = idx ) to flood

the network. After that, the bootstrap node will

Here, a is a node, hopa is the minimum num-
drop any probe message that was originated by it-
ber of hops to reach node a counting from some
self. The bootstrap node has the hop-coordinate:
bootstrap node (x), the initial value of it will be
hopx = 0 and offsetx = 0.
the largest positive value in practice. the combi-

(ii) In all other nodes in the WSN: Suppose that nation of hopa and offseta is the hop coordinate for

a node a is calculating its hop distance, and node node a, Na is a set of nodes which can be reached

b is one of the neighbors of node a. Then the basic by node a in one hop, and |Na | is the number of

probe procedure 2 is as same as hop-coordinates nodes in Na .

 144

10
0
140 144
140

90
80
70
120
120

60
50
100

40
100

30
20
80

10
80

0 0
60

10
60

20

30
40

40
40

50

60
20 20

70

80

90
0 0

10
0 20 40 60 80 100 120 140
144X

0
0 20 40 60 80 100 120 140
144

(a) The original location of a 2500node (b) the same 2500-node WSN with one
WSN with one wormhole wormhole siting on the edges of the
WSN

Figure 2. a 2500-node WSN (r = 2m) with one wormhole

4.3 Local Map Computation (|N a |+1)×(|N a |+1) shortest path matrix (here

|N a | is the number of nodes that can be reached by

In this step, each node will compute a local map
node A in one (k) hop(s)) and retain the first two
for it’s neighbors based on the hop-coordinate
(or three) largest eigenvalues and eigenvectors to
computed in the previous step. After the gener-
construct a 2-D (or 3-D) local map.
ation of hop-coordinates with Procedure 2, each
The total cost for this step is a computational
node will send a request to its neighbor nodes that
cost of O(|Na |3 n) and a memory cost of O(|Na |2 )
are within one(k) hop(s) to send back their hop
per node, with no communication cost in this step.
coordinate from some bootstrap node (x).

After each node receives the hop coordinate

4.4 Detection Procedure

from its neighbors, that node will compute short-

est paths between all pairs of nodes one (k) hop(s) Based on the local map from previous step,

to that node, using Dijkstra’s algorithm or other here we will try to detect attacks. At first let us

similar algorithms. have a look of the affection of wormhole attack

Then, we apply MDS to the on computed map.

4.4.1 Observation of a Wormhole in a Recon- ing on the edges of the network.

structed Map

4.4.2 New Feature to Detect Wormhole At-

In order to observe a wormhole, we implemented
tacks
the probe procedure 2 and the local map compu-

tation procedure as routing agents and the boot- With the fact that each WSN node has limited re-

strap node for the probe procedure as a protocol sources and has no possibility to store global in-

agent in NS-2 version 2.29 [11] with 802.15.4 formation, in order to detect wormholes in a dis-

MAC layer [19] and CMU wireless extensions tributed scheme, each node can only use local in-

[4]. The configuration parameters used for NS-2 formation to detect wormhole attacks.

are RF range = 15 meters, propagation = TwoRay-

Consider the two parts of the intruded network
Ground, and antenna = Omni Antenna.
with a wormhole with two ends in Figure 3, by se-

In our first experiment, we used 2500 nodes in a lecting two parts of the network which is close to

uniform placement— total 2500 nodes are placed the ends of the wormhole in Figure 2(a). We use a

on a grid with ±0.5r randomized placement error, dotted circle to represent the neighbor area where

where r = 2 m is the width of a small square in a particular node can directly reach in transmis-

the grid. A wormhole is implemented as a wired sion range R, since there are two ends, we shows

connection. two parts of the network. Then, after the cir-

Fig. 2(a) and 2(b) shows the same sensor net- cled node finished local map computation for the

work; each ‘x’ represents a node, and the red cir- nodes in its local range, it will be getting a lo-

cles indicate the two ends of a wormhole; in Fig. cal map as in Figure 4. From this figure, we can

2(a), the wormhole is siting in the center of the see that because wormhole shortcuts the two parts

network, while in Fig. 2(b), the wormhole is sit- of the network, the circled node can reach more
range than before (if we measure the longest dis-
tance in this local map, it will equal 49m), though
that computed local map is bended by the effect
of the wormhole.
Figure 3. Two Parts of the Network near
Wormhole Ends.Here, parameters: r = 4,
R = 15, red circles represents the wormhole
ends.
2d =49m
Figure 4. Local Map in the Red Circled Node
in Figure 3.After probe procedure and local
map computation in that node which is red
circled.
From the above observation, we instead fo-
cus on detecting wormholes by using a different
feature—the diameter of the computed local map.
We define diameter d for Node a here:
Diameter: d = max(distance(b, c))/2,
Where b, c ∈ Na , here Na is the set of neighbor
nodes of node a, distance(a, b) will be computed
as distancde(a, b) = sqrt((x − x0 )2 + (y − y 0 )2 )
in 2D case, here (x, y),(x0 , y 0 ) are the coordiantes
for node a, b in the local map computed in the
previous step, respectively.
Theoretically, the diameter of the neighbor area
for a node will roughly equal or less its trans-
mission range R, since one node only can hear
from its neighbors within the transmission range
R. But because of the shortcut of wormhole, the
computed map for that neighbor area of that node
will be distorted, and so the diameter of that com-
puted local map will be larger than the physical
one, as shown in 4, we can see 2d = 49m.
In order to verify whether such diameter feature
is working in detecting wormhole in the whole
network, we compute the diameter for each node
in the same 2500-node network with and without
wormhole. The results are shown in Figure 5(a),
if we examine nodes that are very near to a worm-
hole, such as the area near the red circles in Fig-
ure 5(b), the diameters of the local maps for these
nodes will be noticeably increased by proximity
 26

24

17 22

16
20

Diameter
Diameter

15

18
14

13 16
0 100

20 80 14
40 60

60 40 12
80 20 100 80 20 0
60 40 60 40
X 20 100
0 80 Y
0100

(a) Diameter Measurement in the 2500-node (b) Diameter Measurement in the 2500-node
WSN in Figure 2.(a) without Wormhole WSN in Figure 2.(a) with a Wormhole

Figure 5. Diameter Measurement without and with Wormhole in a 2500-node WSN. In Figure 5(b),
the diameter of a local map will roughly be R (from 14 to 18, while R = 15 meters) unless there
is a wormhole attack, in which case the diameter of a local map will become longer as the position
draws closer and closer to the wormhole.

to the wormhole, comparing the diameters in the longer as the position draws closer and closer to

same nodes in the network without wormhole in the wormhole. The diameter reaches the highest

Figure 5(a). But if the nodes are a little farther (about 25 m) at the nodes at about 7 m to the ends

away, or in a distant part of the network, such as of wormhole, then the diameter is decreased, be-

the middle area in Figure 5(b), the diameters of cause the nodes are approaching to the edges of

the local maps for these nodes, will be almost as the network, but still above 22 m.

normal as these in the same area in Figure 5(a),

The ‘diameter’ feature is also good at de-
which is without wormhole.
tect wormhole attack in networks with irregular

In Figure 5(b), the diameter of a local map will shapes, and in networks with multiple wormholes

roughly be R (from 14 to 18, while R = 15 me- inside them. We did some experiments of ‘diam-

ters) unless there is a wormhole attack, in which eter’ in a network with string topology, and a net-

case the diameter of a local map will become work with two wormholes inside it.
 16.8 26

16.6 24

16.4
22
16.2

diameter

Diameter
20
16
18
15.8
16
15.6

15.4 14

15.2 12
0 20 40 60 80 100 0 20 40 60 80 100
X X

(a) Diameter Measurement in the 50- (b) Diameter Measurement in the 50-
node WSN in String Placement with- node WSN in String Placement with a
out a Wormhole Wormhole

Figure 6. Diameter Measurement in the 50-node WSN in String Placement without/with a Wormhole

In a string topology experiment, we tested a 2.a. The measurement of diameter for all nodes

50-node network, inside of which, each node are as shown in Figure 7. The locations of the ends

uniformally distributed in a 100 meter string in of these two wormholes are represented as red

one dimension. First we measure the diameter for circles in the same figure. From the figure, we

each node without any wormhole in the network, can see that even two wormholes are very close

the result is in Figure 6(a). The diameter is at most to each other, the peaks of diameter are still ap-

16.8 m in Figure 6(a). Then, we add a wormhole peared in the nodes which are close to the ends of

into the network with the two ends of that worm- the wormholes, from our measurement, four peak

hole at the two ends of the string. We can see that values are 24.8, 25.2, 22.2, 22.6 m respectively.

right now, the diameters of nodes which are close

So, by computing the diameter d for local map,
to the ends of the wormhole are larger than 22 m,
such detection algorithm can runs independently
shown in Figure 6(b).
in each node, in conjunction with the computation

In order to test the feature of ‘diameter’ in de- of a local map for the neighboring area. Since

tecting multiple wormholes in a network, we de- all nodes in this area are within one(k) hop(s) of

ployed two wormholes in the network of Figure the calculating node, the detection algorithm can
 to the ends of the wormhole will be higher to over

22m. So, we can define a threshold for the diame-

ter to detect wormholes in the network. Since, the

lower the value we assign to such threshold, the

higher possibility it is that nodes send the error

alarms of wormhole. So, based on the above ex-

periments, we define a threshold as 1.4R (in our

Figure 7. Diameter Measurement in the 2500-
node WSN in Figure 2.(a) with Two Worm- configuration 1.4R = 1.4 ∗ 15 = 21 m) to deter-
holes.Here, red cycles are the ends of worm-
holes, the dashed lines are the tunnels of the mine whether there is a wormhole attack present
wormholes. A ’X’ is represented as a node.
The 50X50 mesh is only for visualization or not. In order to adjust the sensitivity of detec-
purpose. Color bar represents the value of
diameter. tion procedure we introduce a constant parameter

λ:
compute the diameter of each local map after de-
Suppose the diameter of a local relative map is
termining each neighbor node’s location.
d; if d > (1+λ)1.4R (here λ is a constant parame-

4.4.3 Detection Procedure ter which is less than 1 and larger than 0), then we

can say there is a wormhole in the network, and

Thus, we propose to use the diameter to deter-
if not, we can say that the error probably comes
mine whether there is a wormhole attack present
from localization error. The details of the detec-
or not. From the experiment in Figure 5(a) and
tion algorithm follow.
5(b), we can see that usually the diameters for lo-

cal maps will be around R, but if there is a worm- Suppose node a is an arbitrary node in the

hole in the network, then the diameters of the lo- WSN. At first, we propose a distributed detec-

cal maps which are computed by the nodes close tion Procedure 3, which is used to compute the
diameter after running the probe procedure 2 and [11] with 802.15.4 MAC layer [19] and CMU

local map computation in Section 4.3, and detect wireless [4] extensions. The configuration used

whether there is a wormhole in the network. for NS-2 is RF range = 15 meters, propagation =

Procedure 3 Wormhole Detection Procedure in TwoRayGround, antenna = Omni Antenna. We

node a
1: INPUT: local map G in node a for Na ∪ {a} implemented a wormhole as a wired connection
2: diameter d = 0
3: for each b ∈ Na ∪ {a} do with smaller latency that forwards packets from
4: for each node c ∈ Na ∪ {a} − {b} do
5: if 2d < distance(b, c) in local map G one node to another node.
then 120

6: 2d = distance(a, b) in local map G

7: end if 100

8: end for
80

9: end for
10: if d > (1 + λ) × 1.4R then 60

11: return “FOUND WORMHOLE” to sink

40

node.
12: end if 20

0
0 20 40 60 80 100 120

The total cost for this step is a computational

Figure 8. A typical placement for simulation
(Constructed with n = 400, r = 4. green
cost of O(|Na |2 n) and a memory cost of O(|Na |)
dashed ovals are holes and small blue circles
are islands.)
per node, with no communication cost in this

step.
In our all experiments, we used uniform

5. Simulations Results placement—n nodes are placed on a grid with

±0.5r randomized placement error. Here r is the

5.1 Simulation Environment Setup
width of a small square in the grid. We con-

Same as to the experiment setup in the previous structed a total of 60 placements with n = 400,

section, we implemented our whole detection al- 900, 1600 and 2500, and with r = 2, 4,6, 8, 10

gorithm as a routing agent in NS-2 version 2.29 and 12 meters, respectively. The reason we use
uniform placement with ±0.5r error is that usu- In practice, we count the number of the nodes,

ally such placement produces both node holes and which send out “FOUND WORMHOLE” mes-

islands in one placement, as demonstrated in Fig- sages but are far away from the ends of a worm-

ure 8. The place of the wormhole is totally ran- hole (We define that if a node is R = 15m away

domized inside of the network. from all ends of a wormhole, then this node ob-

viously has few impact of wormhole, and so we

5.2 Detection Simulation Result
say that such node is far away from the worm-

hole.), into the “number of normal localization er-

5.2.1 Metrics
rors flagged as detected wormholes”. When FDR
As we decrease the value of λ, we can increase
= 0, it means that there is no wrong alarm in de-
the accuracy of detecting wormhole attack, but
tecting wormholes.
the possibility of fault alarm will be increased. In
False Toleration Rate (FTR): the frequency
order to evaluate the accuracy of our wormhole
with which the detection system falsely recog-
attack detection under different λ values, we in-
nizes different characteristics as identical, thus
troduce the following concepts:
failing to detect a wormhole attack.
False Detection Rate (FDR): the frequency

with which the detection system falsely recog- FTR = (number of wormhole attacks not de-

nizes identical characteristics as being different, tected) / (total number of trials).

thus failing to tolerate, for example, a normal lo- If there is a wormhole in a experiment, but there

calization error. is no node to send out “FOUND WORMHOLE”

FDR = (number of normal localization errors messages, we will count this as “wormhole at-

flagged as detected wormholes) / (total number of tacks not detects”. So, if FTR = 0, it means that

trials). our detection algorithm is successful in detecting

 0.1 0.1 0.1 0.1

0.09 0.09 0.09 0.09

FDR
0.08 0.08 0.08 0.08
FTR
0.07 0.07 0.07 0.07

0.06 0.06 0.06 0.06

FDR(%)
FDR(%)

FTR(%)
FTR(%)
0.05 0.05 0.05 0.05

0.04 0.04 0.04 0.04

0.03 0.03 0.03 0.03

0.02 0.02 0.02 FDR 0.02

FTR
0.01 0.01 0.01 0.01

0 0 0 0
0 2 4 6 8 10 12 15 0 2 4 6 8 10 12 15
r (m) r (m)

(a) when λ = 0 (b) when λ = 0.1

Figure 9. False Detection Rate (FDR) and False Toleration Rate (FTR) for various node spacings.

1 1
wormholes in all experiments. 0.9 0.9
FDR
0.8 FTR 0.8

0.7 0.7

FTR(%)
FDR(%)

0.6 0.6

0.5 0.5
5.2.2 Simulation Result 0.4 0.4

0.3 0.3

0.2 0.2

0.1 0.1
We use the same experimental setup as in section 0 0
2 7 12 17 22 27 32 37
Hop Distance Between Two Ends of a
5.1, with one wormhole in each placement, again Wormhole

implemented in NS-2 as a wired connection with Figure 10. FTR/FDR vs Hop Distance Be-
tween Two Ends of a Wormhole (λ = 0)
a latency far less than the latency of the wireless

connections. Results in terms of FTR and FDR

are shown in Figure 9. Our detection algorithm our algorithm to detect smaller wormholes (such

has a low FTR with FDR=0 when λ = 0.0as in as two to three hops long), we plot the all FTR and

Figure 9.a; when λ = 0.1as in Figure 9.b, our FDR experiment data( when λ = 0) on Figure 10

detection algorithm can achieve a low FDR with based on the number of hops between two ends of

FTR=0. a wormhole in one experiment. We can see that

In order to consider about the performance of if it is a long wormhole such as ≥ 3 hops long,
our detection algorithm archives almost 100% de- distortion in distributed scheme, with the help of

tection rate (shown as FTR = 0). Even when fac- that feature– “diameter”, we propose a wormhole

ing shorter wormhols which are less than 3 hops detection procedure.

long, our algorithm can still make more than 80%

We test our Wormhole Geographic Distributed
detection rate (shown as FTR < 20%).
Detection (WGDD) algorithm in simulation envi-

ronment under different placements of networks.

6. Summary and Discussion
The extensive simulation result shows that our de-

tection algorithm can archive almost 100% over-

In this paper, we discuss how to detect worm-
all detection rate (shown as FTR is around zero,
hole attacks in distributed scheme. By assuming
when λ = 0 in Figure 10.a). Even consider-
that wormhole attacks are passive, we provide a
ing about the cases of shorter wormholes which
probe procedure to let some bootstrap node flood
are less than 3 hops long, our algorithm can still
a probe message to detect some possible worm-
make more than 80% detection rate (shown as
holes in the network, the probe procedure pro-
FTR < 20% in Figure 10). We can run our de-
duces a hop-coordinates to each node which rep-
tection algorithm in stricter model by setuping
resents the hop distance from that node to the
λ = 0.1, it this case, we can archive almost zero
bootstrap node. Then each node will compute a
wrong alarm rate (shown as FDR = 0 in Figure
local map for its neighbors and itself with the hop-
10.b).
coordinates collected in the previous step. Since

if there is a wormhole in the network, it causes Since our algorithm is running under dis-

some distortions in some local maps of the nodes tributed scheme, it means that if there is a worm-

which are close to the ends of the wormhole, so hole, then some nodes close to the wormhole will

we find a feature called “diameter” to detect such detect the wormhole attacks, so such advantage
of our algorithm may help in defending against coordinate inside itself. Such process will be

wormholes. We may propose the idea of freez- ended until there is no node detects any wormhole

ing nodes that have detected wormhole attacks in attack.

their vicinity, along with their neighbor nodes, in Right now, we are basing experiment to decide

order to isolate and negate the effect of a worm- the threshold and λ in deciding whether a diame-

hole. ter measurement triggers an alarm for wormhole.

Suppose that the wireless range for a wormhole One future work may need to improve our algo-

attack equals k times the transmission range R of rithm is how to decide such threshold and λ auto-

a normal node; if this is the case, then it is possi- matically.

ble that we can stop the transmission of a worm-

hole attack by freezing the nodes within k times References

transmission range R of one detecting location.
[1] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and
Procedure 4 Defending against wormhole attacks
Require: triggered by DetectionProcedure E. Cayirci. A survey on sensor networks. Com-
1: send message(freezing)to all neighbor nodes
in 1(k) hop(s) munications Magazine, IEEE, 40(8):102–114,
2: Broadcast message(relocalization) to the
bootstrap node and other nodes. 2002.

[2] S. Čapkun, L. Buttyán, and J. Hubaux. SEC-

From a node (or nodes), which detects worm- TOR: secure tracking of node encounters in

hole attack, a special message will flood out multi-hop wireless networks. Proceedings of the

to freeze neighboring nodes. If the bootstrap 1st ACM workshop on Security of ad hoc and

node (x) receives this message, it will restart the sensor networks, pages 21–32, 2003.

wormhole detection algorithm again, while other [3] W. Du, L. Fang, and N. Peng. LAD: Localization

nodes receive such message will clean the hop- anomaly detection for wireless sensor networks.
 Journal of Parallel and Distributed Computing, [9] L. Lazos and R. Poovendran. SeRLoc: secure

66(7):874–886, 2006. range-independent localization for wireless sen-

sor networks. Proceedings of the 2004 ACM

[4] T. C. M. Group. Wireless and Mo-
workshop on Wireless security, pages 21–30,
bility Extensions to ns-2. obtain from
2004.
http://www.monarch.cs.cmu.edu/cmu-ns.html.
[10] D. Liu, P. Ning, and W. Du. Attack-resistant lo-
[5] L. Hu and D. Evans. Using Directional Anten-
cation estimation in sensor networks. Informa-
nas to Prevent Wormhole Attacks. Proceedings
tion Processing in Sensor Networks, 2005. IPSN
of the 11th Network and Distributed System Se-
2005. Fourth International Symposium on, pages
curity Symposium, pages 131–141, 2004.
99–106, 2005.
[6] Y. Hu, A. Perrig, and D. Johnson. Wormhole de-
[11] S. McCanne and S. Floyd. ns-2 Network Simu-
tection in wireless ad hoc networks. Department
lator. Obtain via: http://www. isi. edu/nsnam/ns.
of Computer Science, Rice University, Tech. Rep.
[12] J. Newsome, E. Shi, D. Song, and A. Perrig. The
TR01-384, June, 2002.
sybil attack in sensor networks: analysis & de-

[7] Y. Hu, A. Perrig, and D. Johnson. Packet fenses. Proceedings of the third international

Leashes: A Defense against Wormhole Attacks symposium on Information processing in sensor

in Wireless Ad Hoc Networks. Proceedings of networks, pages 259–268, 2004.

INFOCOM, 2003, 2003. [13] P. Papadimitratos and Z. Haas. Secure routing

[8] J. Kong, Z. Ji, W. Wang, M. Gerla, R. Bagro- for mobile ad hoc networks. SCS Communica-

dia, and B. Bhargava. Low-cost attacks against tion Networks and Distributed Systems Model-

packet delivery, localization and time synchro- ing and Simulation Conference (CNDS 2002),

nization services in under-water sensor net- 2002.

works. Proceedings of the 4th ACM workshop [14] R. Poovendran and L. Lazos. A Graph Theoretic

on Wireless security, pages 87–96, 2005. Framework for Preventing the Wormhole Attack
 in Wireless Ad Hoc Networks. ACM Wireless

Networks (WINET).

[15] M. Vieira, C. Coelho Jr, D. da Silva Jr, and

J. da Mata. Survey on wireless sensor network

devices. IEEE Emerging Technologies and Fac-

tory Automation, pages 537–544, 2003.

[16] W. Wang and B. Bhargava. Visualization of

wormholes in sensor networks. Proceedings of

the 2004 ACM workshop on Wireless security,

pages 51–60, 2004.

[17] A. Wood and J. Stankovic. Denial of service

in sensor networks. Computer, 35(10):54–62,

2002.

[18] Y. Xu, J. Ford, and F. S. Makedon. A Varia-

tion on Hop-counting for Geographic Routing.

Embedded Networked Sensors, 2006. EmNetS-

III. The third IEEE Workshop on, 2006.

[19] J. Zheng and et.al. 802.15.4 exten-

sion to NS-2. Obtain via: http://www-

ee.ccny.cuny.edu/zheng/pub.