Networks
1 Computer Science Department, Dartmouth College
2 Computer Science Department, UMass Lowell, {glchen}@cs.uml.edu
3 Univ. of Texas at Arlington, Dept. of Computer Science and Eng., {Makedon,jford}@cse.uta.edu
which is caused by the existence of a wormhole inside the network. Since wormhole attacks are passive, this algorithm uses a hop-counting tech-
Wireless Sensor Networks (WSNs) [1, 15] are an emerging technology consisting of small, low-power, and low-cost devices that integrate limited computation, sensing, and radio communication to provide infrastructures for numerous applications, such as surveillance, healthcare, industry automation, and military uses.
a very powerful position relative to other nodes in the network, compared to other attacks such as sybil and packet injection attacks, which usually utilize vulnerabilities in the infrastructure of wireless sensor networks. An attacker can per-
location exactly), which requires manual setup when a network is deployed.
In this paper, we make the following contributions. (i.) We propose a new feature which can be
The remainder of the paper is organized as follows. Section 2 discusses related work. Section 3 describes some basic concepts related to wormhole attacks. Section 4 discusses the feature which detects wormholes inside of a network and the details of the WGDD algorithm. Section 5 evaluates the algorithm in an NS-2 simulation environment. And finally Section 6 gives our con-
2. Related Work
the location difference they observe. Such a solution requires a synchronized clock and preknown location for each node. The method we propose here does not have these requirements.
In [8], Kong et al. study Denial of Service (DoS) attacks, including wormhole attacks, in UWSN (Under Water Sensor Networking). Because UWSN typically uses acoustical methods
ing incorrect localization messages. However, if anchor nodes are compromised, especially those
Additional work by [14] presents a useful graph theoretic framework for modeling of wormhole attacks, but this theoretic framework is based on the assumption that there are “guard nodes” that know their locations exactly. Thus, these nodes actually work as anchor nodes as described in this pa-
this framework.
ing bending distortions caused by a wormhole in computed maps. The main difference between our approach and MDS-VOW is that MDS-VOW can only work in a centralized scheme, so MDS-VOW needs to have a central computer to finish its computation. In our paper, we extract a new feature which can efficiently indicate the ends of a wormhole based only on local bending distortions caused by the ends of the wormhole. The algorithm described in this paper is computed by a distributed scheme and requires no centralized computation. A general limitation of MDS-VOW, which is identified in [14], is that such a visualization cannot be applied to networks with irregular shapes, such as a string topology (nodes connected in one line).
In a typical wormhole attack, an attacker receives packets at one point in the network, forwards them through a wireless or wired link with much less latency than the default links used by the network and relays those packets at another position in the network. In this paper we assume that a wormhole is bidirectional, and when considering a wormhole attack, we refer to the end of that wormhole receiving a message as the “origin end” of the wormhole and the end that transmits the message as the “destination end” of that wormhole (thus which end is which is entirely context dependent). Figure 1 shows a typical wormhole attack. In this work we assume wormholes with two endpoints, although in theory multi-end wormholes are possible.
We also assume that each wormhole in a network is (1) passive, and thus does not send out any message without any inbound message, (2) static, which means that such wormhole will not
Our distributed algorithm called Wormhole Geographic Distributed Detection (WGDD) uses a similar hop-counting technique as a probe procedure (Section 4.2) to detect wormhole attack. After the running of the probe procedure, each node will collect the set of hop-count from its neighbor nodes which are in one(k) hop(s) distance to it, then that node will run Dijkstra’s algorithm to get the shortest path for each pair of the nodes, after that, it will reconstruct a local map by MDS
Since a wormhole attack is passive, which means that such an attack can only happen when there is some message being transmitted near the
(ii) In all other nodes in the WSN: Suppose that a node a is calculating its hop distance, and node b is one of the neighbors of node a. Then the basic procedure [18] for node a is shown in Procedure
nation of $hop_a$ and $offset_a$ is the hop coordinate for node a, $N_a$ is a set of nodes which can be reached by node a in one hop, and $|N_a|$ is the number of
[Figure: (a) The original location of a 2500-node WSN with one wormhole; (b) the same 2500-node WSN with one wormhole sitting on the edges of the WSN]
4.3 Local Map Computation
est paths between all pairs of nodes one (k) hop(s) to that node, using Dijkstra’s algorithm or other
$(|N_a|+1) \times (|N_a|+1)$ shortest path matrix (here
Based on the local map from previous step, here we will try to detect attacks. At first let us
structed Map
tation procedure as routing agents and the bootstrap node for the probe procedure as a protocol agent in NS-2 version 2.29 [11] with 802.15.4 MAC layer [19] and CMU wireless extensions [4]. The configuration parameters used for NS-2
With the fact that each WSN node has limited resources and has no possibility to store global information, in order to detect wormholes in a distributed scheme, each node can only use local information to detect wormhole attacks.
In our first experiment, we used 2500 nodes in a uniform placement: a total of 2500 nodes are placed on a grid with ±0.5r randomized placement error, where r = 2 m is the width of a small square in the grid. A wormhole is implemented as a wired
Fig. 2(a) and 2(b) show the same sensor network; each ‘x’ represents a node, and the red circles indicate the two ends of a wormhole; in Fig. 2(a), the wormhole is sitting in the center of the network, while in Fig. 2(b), the wormhole is sit-
lecting two parts of the network which is close to the ends of the wormhole in Figure 2(a). We use a dotted circle to represent the neighbor area where a particular node can directly reach in transmission range R, since there are two ends, we show
cled node finished local map computation for the nodes in its local range, it will be getting a local map as in Figure 4. From this figure, we can see that because wormhole shortcuts the two parts of the network, the circled node can reach more range than before (if we measure the longest distance in this local map, it will equal 49m), though that computed local map is bent by the effect
Figure 4. Local Map in the Red Circled Node in Figure 3. After probe procedure and local map computation in that node which is red circled.
From the above observation, we instead focus on detecting wormholes by using a different feature: the diameter of the computed local map. We define diameter d for Node a here:
Diameter: $d = \max(\mathrm{distance}(b, c))/2$,
where $b, c \in N_a$; here $N_a$ is the set of neighbor nodes of node a, and distance(a, b) will be computed as $\mathrm{distance}(a, b) = \sqrt{(x - x')^2 + (y - y')^2}$ in 2D case, here $(x, y)$, $(x', y')$ are the coordinates for node a, b in the local map computed in the
one, as shown in 4, we can see 2d = 49m.
In order to verify whether such diameter feature
network, we compute the diameter for each node in the same 2500-node network with and without wormhole. The results are shown in Figure 5(a), if we examine nodes that are very near to a wormhole, such as the area near the red circles in Figure 5(b), the diameters of the local maps for these nodes will be noticeably increased by proximity
[Figure 5 panels, axes X, Y and Diameter: (a) Diameter Measurement in the 2500-node WSN in Figure 2.(a) without Wormhole; (b) Diameter Measurement in the 2500-node WSN in Figure 2.(a) with a Wormhole]
Figure 5. Diameter Measurement without and with Wormhole in a 2500-node WSN. In Figure 5(b),
the diameter of a local map will roughly be R (from 14 to 18, while R = 15 meters) unless there
is a wormhole attack, in which case the diameter of a local map will become longer as the position
draws closer and closer to the wormhole.
to the wormhole, comparing the diameters in the same nodes in the network without wormhole in Figure 5(a). But if the nodes are a little farther away, or in a distant part of the network, such as the middle area in Figure 5(b), the diameters of the local maps for these nodes, will be almost as
In Figure 5(b), the diameter of a local map will roughly be R (from 14 to 18, while R = 15 meters) unless there is a wormhole attack, in which case the diameter of a local map will become longer as the position draws closer and closer to the wormhole. The diameter reaches the highest (about 25 m) at the nodes at about 7 m to the ends of wormhole, then the diameter is decreased, because the nodes are approaching to the edges of the network, but still above 22 m.
shapes, and in networks with multiple wormholes inside them. We did some experiments of ‘diameter’ in a network with string topology, and a network with two wormholes inside it.
[Figure 6 panels, axes X and Diameter: (a) Diameter Measurement in the 50-node WSN in String Placement without a Wormhole; (b) Diameter Measurement in the 50-node WSN in String Placement with a Wormhole]
Figure 6. Diameter Measurement in the 50-node WSN in String Placement without/with a Wormhole
In a string topology experiment, we tested a 50-node network, inside of which each node is uniformly distributed in a 100 meter string in one dimension. First we measure the diameter for each node without any wormhole in the network, the result is in Figure 6(a). The diameter is at most 16.8 m in Figure 6(a). Then, we add a wormhole into the network with the two ends of that wormhole at the two ends of the string. We can see that
In order to test the feature of ‘diameter’ in detecting multiple wormholes in a network, we deployed two wormholes in the network of Figure 2.a. The measurement of diameter for all nodes is shown in Figure 7. The locations of the ends of these two wormholes are represented as red circles in the same figure. From the figure, we can see that even when two wormholes are very close to each other, the peaks of diameter still appear in the nodes which are close to the ends of the wormholes; from our measurement, the four peak values are 24.8, 25.2, 22.2, 22.6 m respectively.
of a local map for the neighboring area. Since all nodes in this area are within one(k) hop(s) of the calculating node, the detection algorithm can compute the diameter of each local map after determining each neighbor node’s location.
cal maps will be around R, but if there is a wormhole in the network, then the diameters of the local maps which are computed by the nodes close to the ends of the wormhole will be higher to over
λ:
Suppose the diameter of a local relative map is d; if $d > (1+\lambda) \times 1.4R$ (here λ is a constant parameter which is less than 1 and larger than 0), then we
4.4.3 Detection Procedure
Suppose node a is an arbitrary node in the WSN. At first, we propose a distributed detection Procedure 3, which is used to compute the diameter after running the probe procedure 2 and local map computation in Section 4.3, and detect whether there is a wormhole in the network.
[11] with 802.15.4 MAC layer [19] and CMU wireless [4] extensions. The configuration used for NS-2 is RF range = 15 meters, propagation =
8: end for
9: end for
10: if d > (1 + λ) × 1.4R then
node.
12: end if
step.
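The diameter definition d = max(distance(b, c))/2 and the test d > (1 + λ) × 1.4R can be tried on a small constructed network. The Python below is an added example, not code from the paper: it uses a 1-D string of nodes and takes distances straight from the local shortest-path matrix instead of MDS coordinates. The wormhole model (each end relays everything within R over a zero-length tunnel) and the names links, diameter and found_wormhole are assumptions of this example.

```python
import heapq
from itertools import combinations

R = 15.0       # radio range in metres, the value used on the page
LAMBDA = 0.0   # the page's threshold parameter; 0 as in its Figure 10

def links(nodes, wormhole=None):
    """Adjacency {u: {v: apparent length}} for nodes on a 1-D string."""
    ends = (wormhole, wormhole[::-1]) if wormhole else ()
    adj = {u: {} for u in nodes}
    for u, v in combinations(nodes, 2):
        w = abs(u - v) if abs(u - v) <= R else None
        for e1, e2 in ends:
            # Assumed model: each end relays whatever it hears within R,
            # and the tunnel between the two ends has zero length.
            if abs(u - e1) <= R and abs(v - e2) <= R:
                relayed = abs(u - e1) + abs(v - e2)
                w = relayed if w is None else min(w, relayed)
        if w is not None:
            adj[u][v] = adj[v][u] = w
    return adj

def diameter(adj, a):
    """Half the longest shortest path between members of N_a plus a itself."""
    local = set(adj[a]) | {a}
    longest = 0.0
    for src in local:                    # Dijkstra restricted to the local set
        dist, heap = {src: 0.0}, [(0.0, src)]
        while heap:
            d, u = heapq.heappop(heap)
            if d > dist[u]:
                continue
            for v, w in adj[u].items():
                if v in local and d + w < dist.get(v, float("inf")):
                    dist[v] = d + w
                    heapq.heappush(heap, (d + w, v))
        longest = max(longest, max(dist.values()))
    return longest / 2

def found_wormhole(adj, a, lam=LAMBDA):
    """The page's test: flag node a when d > (1 + lambda) * 1.4 * R."""
    return diameter(adj, a) > (1 + lam) * 1.4 * R

NODES = list(range(101))                     # constructed: 101 nodes, 1 m apart
CLEAN = links(NODES)                         # no wormhole
ATTACKED = links(NODES, wormhole=(20, 80))   # constructed wormhole ends

if __name__ == "__main__":
    for a in (20, 35, 50, 65):
        print(a, diameter(CLEAN, a), diameter(ATTACKED, a), found_wormhole(ATTACKED, a))
```

With these constructed inputs, node 35 has d = 15 m without the wormhole and d = 22.5 m with it, so only the attacked case crosses the 21 m threshold; node 50, far from both ends, stays at 15 m.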
In all our experiments, we used uniform
Same as to the experiment setup in the previous section, we implemented our whole detection algorithm as a routing agent in NS-2 version 2.29
structed a total of 60 placements with n = 400, 900, 1600 and 2500, and with r = 2, 4, 6, 8, 10 and 12 meters, respectively. The reason we use uniform placement with ±0.5r error is that usually such placement produces both node holes and islands in one placement, as demonstrated in Figure 8. The place of the wormhole is totally randomized inside of the network.
In practice, we count the number of the nodes, which send out “FOUND WORMHOLE” messages but are far away from the ends of a wormhole (We define that if a node is R = 15m away from all ends of a wormhole, then this node ob-
with which the detection system falsely recog-
thus failing to tolerate, for example, a normal lo-
FDR = (number of normal localization errors flagged as detected wormholes) / (total number of
FTR = (number of wormhole attacks not de-
If there is a wormhole in an experiment, but there
messages, we will count this as “wormhole attacks not detected”. So, if FTR = 0, it means that
[Figure: FDR(%) and FTR(%) versus r (m), two panels]
wormholes in all experiments.
5.2.2 Simulation Result
We use the same experimental setup as in section 5.1, with one wormhole in each placement, again implemented in NS-2 as a wired connection with a latency far less than the latency of the wireless
Figure 10. FTR/FDR vs Hop Distance Between Two Ends of a Wormhole (λ = 0) [axes: Hop Distance Between Two Ends of a Wormhole; FTR(%), FDR(%)]
are shown in Figure 9. Our detection algorithm has a low FTR with FDR=0 when λ = 0.0 as in Figure 9.a; when λ = 0.1 as in Figure 9.b, our detection algorithm can achieve a low FDR with
In order to consider the performance of our algorithm to detect smaller wormholes (such as two to three hops long), we plot all the FTR and FDR experiment data (when λ = 0) on Figure 10 based on the number of hops between two ends of
if it is a long wormhole such as ≥ 3 hops long, our detection algorithm achieves almost 100% detection rate (shown as FTR = 0). Even when facing shorter wormholes which are less than 3 hops
if there is a wormhole in the network, it causes some distortions in some local maps of the nodes which are close to the ends of the wormhole, so we find a feature called “diameter” to detect such distortion in distributed scheme, with the help of that feature, “diameter”, we propose a wormhole detection procedure.
Since our algorithm is running under distributed scheme, it means that if there is a wormhole, then some nodes close to the wormhole will detect the wormhole attacks, so such advantage of our algorithm may help in defending against wormholes. We may propose the idea of freez-
their vicinity, along with their neighbor nodes, in order to isolate and negate the effect of a worm-
Suppose that the wireless range for a wormhole attack equals k times the transmission range R of
From a node (or nodes), which detects wormhole attack, a special message will flood out to freeze neighboring nodes. If the bootstrap node (x) receives this message, it will restart the wormhole detection algorithm again, while other nodes that receive such a message will clean the hop-coordinate inside themselves. Such process will end when no node detects any wormhole
Right now, we rely on experiments to decide the threshold and λ in deciding whether a diame-
One future work that may be needed to improve our algorithm is how to decide such threshold and λ auto-
TOR: secure tracking of node encounters in multi-hop wireless networks. Proceedings of the 1st ACM workshop on Security of ad hoc and sensor networks, pages 21–32, 2003.
[3] W. Du, L. Fang, and N. Peng. LAD: Localization anomaly detection for wireless sensor networks. Journal of Parallel and Distributed Computing,
[7] Y. Hu, A. Perrig, and D. Johnson. Packet
[8] J. Kong, Z. Ji, W. Wang, M. Gerla, R. Bagrodia, and B. Bhargava. Low-cost attacks against packet delivery, localization and time synchro-
works. Proceedings of the 4th ACM workshop on Wireless security, pages 87–96, 2005.
[9] L. Lazos and R. Poovendran. SeRLoc: secure
fenses. Proceedings of the third international
for mobile ad hoc networks. SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002),
[14] R. Poovendran and L. Lazos. A Graph Theoretic Framework for Preventing the Wormhole Attack in Wireless Ad Hoc Networks. ACM Wireless Networks (WINET).
2002.
ee.ccny.cuny.edu/zheng/pub.