
Wormhole Attack Detection Algorithms in Wireless Network Coding Systems

Shiyu Ji, Tingting Chen, and Sheng Zhong

Abstract—Network coding has been shown to be an effective approach to improve the wireless system performance. However, many security issues impede its wide deployment in practice. Besides the well-studied pollution attacks, there is another severe threat, that of wormhole attacks, which undermines the performance gain of network coding. Since the underlying characteristics of network coding systems are distinctly different from traditional wireless networks, the impact of wormhole attacks and countermeasures are generally unknown. In this paper, we quantify wormholes’ devastating harmful impact on network coding system performance through experiments. We first propose a centralized algorithm to detect wormholes and show its correctness rigorously. For the distributed wireless network, we propose DAWN, a Distributed detection Algorithm against Wormhole in wireless Network coding systems, by exploring the change of the flow directions of the innovative packets caused by wormholes. We rigorously prove that DAWN guarantees a good lower bound of successful detection rate. We perform analysis on the resistance of DAWN against collusion attacks. We find that the robustness depends on the node density in the network, and prove a necessary condition to achieve collusion-resistance. DAWN does not rely on any location information, global synchronization assumptions or special hardware/middleware. It is only based on the local information that can be obtained from regular network coding protocols, and thus the overhead of our algorithms is tolerable. Extensive experimental results have verified the effectiveness and the efficiency of DAWN.

Index Terms—Wireless networks, random linear network coding, wormhole attack, expected transmission count


1 INTRODUCTION

In the efforts to improve the system performance of wireless networks, network coding has been shown to be an effective and promising approach (e.g., [1], [2], [3], [4], [5]), and it constitutes a fundamentally different approach compared to traditional networks, where intermediate nodes store and forward packets as the original. In contrast, in wireless network coding systems, the forwarders are allowed to apply encoding schemes on what they receive, and thus they create and transmit new packets. The idea of mixing packets on each node takes good advantage of the opportunity diversity and broadcast nature of wireless communications, and significantly enhances system performance.

However, practical wireless network coding systems face new challenges and attacks, whose impact and countermeasures are still not well understood because their underlying characteristics are different from well-studied traditional wireless networks. The wormhole attack is one of these attacks. In a wormhole attack, the attacker can forward each packet using wormhole links, without modifying the packet transmission, by routing it to an unauthorized remote node. Hence, receiving the packets rebroadcast by the attackers, some nodes will have the illusion that they are close to the attacker. With the ability of changing network topologies and bypassing packets for further manipulation, wormhole attackers pose a severe threat to many functions in the network, such as routing and localization [6], [7], [8], [9], [10]. To investigate wormhole attacks in wireless network coding systems, we focus on their impact and countermeasures in a popular class of network coding schemes—the random linear network coding (RLNC) system [2]. In this system, in order to best utilize resources, before data transmissions, routing decisions (i.e., how many transmissions a forwarder should make for each novel packet) are made based on local link conditions by some test transmissions.

Since in wireless network coding systems the routing and packet forwarding procedures are different from those in traditional wireless networks, the first question that we need to answer is: Will wormhole attacks cause serious interruptions to network functions and downgrade system performance? Actually, no matter what procedures are used, wormhole attacks severely imperil network coding protocols. In particular, if wormhole attacks are launched in routing, the nodes close to attackers will receive more packets than they should and be considered as having a good capability in helping forward packets. Thus they will be assigned more responsibility in packet forwarding than what they can actually provide. Furthermore, other nodes will be correspondingly contributing less. This unfair distribution of workload will result in an inefficient resource utilization and reduce system performance. Wormhole attacks launched during the data transmission phase can also be very harmful. First, wormhole attacks can be used as the first step towards more sophisticated attacks, such as man-in-the-middle attacks and entropy attacks [11]. For example, by retransmitting the packets from the wormhole links, some victim nodes will have to process many more non-innovative packets that will waste their resources; these constitute entropy attacks. Second, the attackers can periodically turn on and off the wormhole links in data transmissions, confusing the system with fake link condition changes and making it unnecessarily rerun the routing process. To further quantify the impact of wormhole attacks in wireless network coding systems, we perform extensive experiments and investigate the results in Section 3.

• S. Ji and T. Chen are with the Oklahoma State University. E-mail: {shiyu, tingtic}@cs.okstate.edu.
• S. Zhong is with the Nanjing University. E-mail: [email protected].

Manuscript received 14 Feb. 2014; revised 7 May 2014; accepted 7 May 2014. Date of publication 15 May 2014; date of current version 29 Jan. 2015. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference the Digital Object Identifier below. Digital Object Identifier no. 10.1109/TMC.2014.2324572

IEEE TRANSACTIONS ON MOBILE COMPUTING, VOL. 14, NO. 3, MARCH 2015

1536-1233 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

The main objective of this paper is to detect and localize wormhole attacks in wireless network coding systems. The major differences in routing and packet forwarding rule out using existing countermeasures in traditional networks [6], [7], [8], [9], [10], [11], [12], [13], [14], [15], [16]. In network coding systems like MORE [5], the connectivity in the network is described using the link loss probability value between each pair of nodes, while traditional networks use connectivity graphs with a binary relation (i.e., connected or not) on the set of nodes. For this reason, prior works based on graph analysis [6], [8], [10], [14] cannot be applied. Some other existing works rely on the packet round trip time difference introduced by wormhole attacks to detect them [13], [15], [16]. Unfortunately, this type of solution cannot work with network coding either. Such solutions require either using an established route, which does not exist with network coding, or calculating the delay between every two neighboring nodes, which will introduce a huge amount of error in network coding systems.

In this paper, we first propose a centralized algorithm to detect wormholes leveraging a central node in the network. For the distributed scenarios, we propose a distributed algorithm, DAWN, to detect wormhole attacks in wireless intra-flow network coding systems. The main idea of our solutions is that we examine the order of the nodes to receive the innovative packets in the network, and explore its relation with a widely used metric, expected transmission count (ETX), associated with each node [5], [17]. Our algorithms do not rely on any location information, global synchronization assumption or special hardware/middleware. Our solutions only depend on the local information that can be obtained from regular network coding protocols, and thus the overhead that our algorithms introduce is acceptable for most applications.

Different wireless networks have different characteristics and requirements. Some wireless networks have a central controller, while others are highly distributed without any centralized authority. It is desirable to apply different solutions based on the network types. Our centralized algorithm is inspired by the fact that the wormhole link can significantly change the network topology, which can be measured by ETX. This idea is also heuristic to our distributed solution DAWN, which emphasizes the scenario where no central administration node exists. Thus, our algorithms can address different scenarios. We first present the centralized solution and then discuss the distributed one, for a clear logic flow. On the other hand, compared with our distributed algorithm DAWN, our centralized algorithm also has several advantages. The centralized algorithm concentrates the computation workload on the central node, and thus each normal node will suffer much less workload than in DAWN. Since the transmissions between each node and the central node are unicast, the communication overheads caused by the centralized algorithm are lower than those of DAWN, which broadcasts the reports. The centralized algorithm leverages the global information of the flows, and thus it can detect the wormhole link efficiently, and the resulting warnings can be delivered to each node more quickly than in DAWN.

We summarize the contributions of this paper as follows:

• We are the first to study the impact and countermeasures of wormhole attacks in wireless network coding systems.

• We investigate the harmful impact of wormholes on system performance and regional nodes’ resource utilization. We demonstrate the results via simulations on various scenarios.

• We propose a centralized algorithm to detect wormholes. In this algorithm, a central node collects the information from all the nodes in the network and analyzes whether there exists a wormhole link. The algorithm leverages the order of the nodes to receive the innovative packet, and utilizes machine learning techniques to distinguish the wormhole cases. We also give rigorous analysis of the centralized algorithm and find the condition of its effectiveness.

• For distributed networks without centralized authority, we propose DAWN, a Distributed detection Algorithm against Wormhole in wireless Network coding systems. In DAWN, during regular data transmissions, each node records the abnormal arrival of innovative packets and shares this information with its neighbors. This algorithm is efficient and practical without strong assumptions. Furthermore, we theoretically prove that DAWN guarantees a good lower bound of successful detection rate.

• We perform analysis on the resistance of DAWN against collusion attacks. We find that the robustness depends on the node density in the network, and prove a necessary condition to achieve collusion-resistance.

• We use extensive experiments in various network settings, to verify that DAWN is effective (with over 89.43 percent detection rate), and efficient.

The rest of this paper is organized as follows. Section 2 will introduce related technical preliminaries. Then we will demonstrate the detrimental influences of wormhole attack in Section 3. Section 4 will explain how to determine the ETX of each node, and Section 5 will propose a centralized algorithm to detect the wormhole attack. In Section 6, we will describe our wormhole attack detection algorithm, and we will show the effectiveness and robustness of our solutions. Our experiments and the related analysis will be discussed in Section 7. After the Related Work Section 8 we will conclude this paper in Section 9.

2 TECHNICAL PRELIMINARIES

In this section, we describe the technical preliminaries needed in this paper.

2.1 Random Linear Network Coding

Linear network coding (LNC), especially random linear network coding, has numerous applications [18], [19], [20]. Linear network coding permits each node in the network to pass on combinations of the received data, in order to optimize the information capacity. Let $r_1, r_2, \ldots, r_n$ denote the received data, and $s$ be the encoded data to be passed to another node. We can obtain $s$ as a combination $f$ of the received data, as in Equation (1):

$$s = f(r_1, r_2, \ldots, r_n). \tag{1}$$

For RLNC, $f$ in Equation (1) is a random linear combination in the field $GF(2^k)$:

$$f(r_1, r_2, \ldots, r_n) = \sum_{i=1}^{n} \alpha_i r_i. \tag{2}$$

Here, $\alpha_i$ is a randomly generated coefficient.

In network coding, every node except the recipient applies a random linear mapping from the inputs to outputs over the field $GF(2^k)$. Each packet contains a vector in the $m$-dimensional code vector space $V$. Particularly, each packet sent by the source node contains a basis of the code vector space $V$. If one intermediate node receives a packet which is linearly independent from previous packets, this packet is called an innovative packet. Essentially, an innovative packet must contain at least one basis that the node has not received, and the arrival of an innovative packet will increase the rank of the received packets by one. When the destination receives $m$ innovative packets, whose vectors are linearly independent from each other, it can restore the source information $S$ based on the received data $R$:

$$S = C^{-1} R. \tag{3}$$

Here $C$ is the matrix of the coefficients of the received packets. Since each received packet is essentially a linear combination of the original packets from the source, we can perfectly restore the original messages by multiplying by the inverse of $C$. The capacity of RLNC converges to the optimum in probability [2], and has an ideal performance on the compression of the transmitted data. However, since a packet can take various forms during the transmissions in network coding, when the wormhole attack is initiated, it is difficult to apply some traditional solutions (i.e., tracing the timestamps of a particular packet) to defend. Thus, the wide applications of network coding push us to find another way to defend against wormhole attack.
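The encoding, innovative-packet test and decoding described above can be exercised end to end. The following Python sketch is an added example, not code from the paper: it assumes $k = 8$ with the reduction polynomial 0x11B, and the names `combine`, `Node` and `demo` as well as the sample payloads are constructed for illustration. It also shows why rebroadcast packets are pure overhead for the receiver: a packet the destination already holds never increases its rank.

```python
import random

def gf_mul(a, b):
    """Multiply in GF(2^8); the reduction polynomial 0x11B is an assumption."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """Inverse via a^254, since a^255 = 1 for every nonzero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def combine(packets, rng):
    """Equation (2): random linear combination of (coeffs, payload) packets."""
    m = len(packets[0][0])
    out = [0] * (m + len(packets[0][1]))
    for coeffs, payload in packets:
        alpha = rng.randrange(256)            # randomly generated coefficient
        for i, x in enumerate(list(coeffs) + list(payload)):
            out[i] ^= gf_mul(alpha, x)        # addition in GF(2^k) is XOR
    return out[:m], out[m:]

class Node:
    """Keeps received packets as a reduced row-echelon matrix [C | R]."""
    def __init__(self, m):
        self.m = m
        self.rows = {}                        # pivot column -> augmented row

    def receive(self, coeffs, payload):
        """Return True if the packet is innovative (rank grows by one)."""
        row = list(coeffs) + list(payload)
        for col, prow in self.rows.items():   # cancel the pivots already held
            f = row[col]
            if f:
                row = [x ^ gf_mul(f, y) for x, y in zip(row, prow)]
        pivot = next((c for c in range(self.m) if row[c]), None)
        if pivot is None:
            return False                      # linearly dependent: no new rank
        inv = gf_inv(row[pivot])
        row = [gf_mul(inv, x) for x in row]
        for col, prow in list(self.rows.items()):
            f = prow[pivot]
            if f:
                self.rows[col] = [x ^ gf_mul(f, y) for x, y in zip(prow, row)]
        self.rows[pivot] = row
        return True

    def held(self):
        """Packets this node can re-encode and forward."""
        return [(r[:self.m], r[self.m:]) for r in self.rows.values()]

    def decode(self):
        """Equation (3): at rank m, C has been reduced to I and R holds S."""
        if len(self.rows) < self.m:
            return None
        return [bytes(self.rows[c][self.m:]) for c in range(self.m)]

def demo(seed=1):
    rng = random.Random(seed)
    data = [b"alpha-00", b"bravo-01", b"charlie2"]   # constructed sample data
    m = len(data)
    # Source packets carry the unit vectors, i.e. a basis of the code space.
    source = [([int(i == j) for j in range(m)], list(d)) for i, d in enumerate(data)]
    forwarder, dest = Node(m), Node(m)
    while forwarder.decode() is None:         # source -> forwarder
        forwarder.receive(*combine(source, rng))
    delivered = []
    while dest.decode() is None:              # forwarder re-encodes -> destination
        pkt = combine(forwarder.held(), rng)
        dest.receive(*pkt)
        delivered.append(pkt)
    # Rebroadcasting packets the destination already holds adds no rank.
    replay_innovative = [dest.receive(*pkt) for pkt in delivered]
    return {"decoded": dest.decode(), "source": data,
            "replay_innovative": replay_innovative}

if __name__ == "__main__":
    print(demo())
```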

2.2 Expected Transmission Count

ETX has extensive applications in network coding systems [3], [4], [5], [21]. In this paper, the ETX of a node $u$ in the network coding system denotes the expected total number of transmissions (including retransmissions) that the source node should make, in order to make the node $u$ receive one innovative packet successfully. A node of high ETX means it is difficult to make it heard from the source, usually because the node is far from the source and the links between them are very lossy. Thus, the metric of the ETXs is a good representation of the network structure.

In existing works (e.g., [5], [17]), the ETXs are calculated based on the probabilities of packet loss between each pair of the nodes in the network. Let $u$ and $v$ be two nodes, and $p(u, v)$ be the probability of successful transmission between nodes $u$ and $v$. For the simplest case, if the network only has a sender $u$ and a recipient $v$, then the ETX of the sender $u$ is 1.0, and the ETX of $v$ is given by Equation (4):

$$\mathrm{ETX}(v) = \frac{1}{p(u, v)}. \tag{4}$$

The probability $p(u, v)$ can be estimated based on the previous transmission record, using some statistical models like weighted means and window-based observation [5]. Based on (4), if the link between the nodes is very lossy, the ETX of $v$ can be very high, indicating that it is difficult to deliver messages through the link. Usually too many hops might contribute to the high link loss probability. As we will discuss, the wormhole link connects two distant nodes with one hop of very low loss probability, and thus reduces the ETXs significantly. This fact is heuristic to our algorithms.

2.3 Our System Model

In this paper, we consider a wireless network with a set of homogeneous nodes running network coding protocols (including routing protocols like [5] to calculate the number of per-packet transmissions for each node, and data transmission protocols). Nodes are connected via lossy wireless links. If the successful transmission rate between two nodes $u$ and $v$ in the network satisfies $p(u, v) > 0$, then we say $u$ and $v$ are neighbors. We assume that ETXs are calculated to describe the network topology, and are measured periodically to support routing functions. Each node knows its own ETXs and its neighbors’ ETXs.

In the wireless network systems, we consider that public key infrastructure (PKI) is in place to implement the public key cryptographic techniques. For the wireless network, we regard each node¹ as a user who has a pair of public and private keys. The identity and the public key of each user are managed by the certificate authority (CA), which is a trusted entity. If any node A wants to safely communicate with node B, A has to request B’s public key from the CA first. After the transmission, node B has to request A’s public key from the CA in order to verify the message from A. The CA is also responsible for predistributing and revoking the key pairs of the nodes. The nodes and the CA together form the PKI, which can guarantee that no node can forge reports from other nodes.

2.4 Wormhole Attack Model

In wormhole attacks, the attackers between distant locations transmit packets using an out-of-band tunnel. The transmission tunnel is called a wormhole link. The packet loss rate on the wormhole link is negligible. The kinds of wormhole links can be various, such as an Ethernet cable, an optical link, or a secured long-range wireless transmission [8]. When the wormhole attack is initiated, the attackers can capture data packets on either side, forward them through the wormhole link and rebroadcast them on the other node.

1. Here each node includes the normal nodes in the wireless network, and the central administrator, which is present in our centralized algorithm.


3 IMPACT OF THE WORMHOLE LINKS ON RLNC SYSTEMS

As we have mentioned earlier in Section 1, wormhole attacks have severe impact on wireless network coding systems. Depending on different launching time, wormhole attacks can seriously downgrade the system performance (by forging link states and thus generating inefficient routing assignment), and cause individual nodes to deal with many non-innovative packets and waste their resources. We now examine this negative impact via simulations.

We configure an RLNC network with seven nodes randomly distributed as in Fig. 1. In the network coding system, MORE [5] is running (including the routing phase). The link loss probability $p'(u, v)$ between two nodes $u$ and $v$ is calculated as $p(u, v) = P_B \cdot f(d(u, v))$, where $P_B$ is the baseline loss probability, and $f(\cdot)$ is a coefficient function based on the transmission distance $d(u, v)$. A data flow is established between node 1 (the source), and node 7 (the destination). The default data sending rate is 40 kbps.

We first examine wormholes’ impact on network throughput if launched in the routing phase. In particular, we let the wormhole link be established between node 2 and 6, in the routing procedure. The wormhole link disconnects 1 minute after the network starts to transmit the packets from the source to the destination. The simulation runs for 10 minutes, and we measure the average network throughput and compare it with the case without the wormhole attack.

Fig. 2 shows the wormhole attack brings great negative influence on the network throughput. The throughputs of the normal network are always greater than twice those with the wormhole link for the same setting. Similar results can be found in Fig. 3 when we test the network with different data sending rates and $P_B = 30\%$. The reason is that the existence of the wormhole link cheats each node in the topology sensing, making the ETXs of the surrounding nodes lower than the actual values. Thus, in the packet forwarding phase, when the wormhole link disconnects, the throughputs will decrease due to the insufficient times of packet forwarding.

We then investigate the wormhole links’ impact on local nodes’ resource consumption if launched during the data transmission phase. Fig. 4 shows the number of transmissions of node 3 in different scenarios, with and without wormhole link respectively. The result demonstrates that node 3 suffers a significant increment of transmissions and thus energy consumption for redundancy due to the wormhole link.

4 CHARACTERIZING WORMHOLE ATTACKS IN WIRELESS NETWORK CODING SYSTEMS

As we have mentioned, detecting wormhole attacks in wireless network coding systems is difficult compared with traditional networks, due to the different nature of topology description and different principle of packet transmission. In order to facilitate the design of countermeasures, in this section we investigate the unique characteristics of network coding system behavior with wormhole links.

Unlike traditional networks, packet round trip time is not a valid metric for wireless network coding to distinguish the system under attack and the normal case. The fundamental reason is that with network coding, the packets being transmitted on each hop are different, and thus it is difficult to track down packets and record their trip time. Therefore, this packet-centric idea does not work for network coding. Instead, in this paper, our method is node-centric, i.e., we focus on the metrics that can be naturally obtained by nodes in the existing network coding protocols. In particular, we explore the relationship between the innovative packet transmission direction and ETX.

Fig. 1. We show the coordinates of each node. In our simulation, the wormhole link between node 2 and 6 is valid when the topology sensing is going on. The wormhole link will disconnect one minute after the network starts to transmit the packets, giving a huge reduction in the network performance.

Fig. 2. The average throughput for different baseline link loss probabilities with or without wormhole link.

Fig. 3. The average throughput for different source sending rates with or without wormhole link.

Fig. 4. The No. of local transmissions (node 3) in RLNC network with or without wormhole attack.

General result. In wireless network coding systems, packets are transmitted from source to destination not in their original form. Actually, given fixed source and destination nodes, for a pair of intermediate neighbor nodes, it is difficult to tell whether the information flow directions are always the same. To figure out this question, we leverage one widely used metric, ETX. In wireless network coding systems, where no fixed routes exist, ETX, the expected number of the packets for the source node to transmit so that the target node (intermediate node or recipient) receives the packet, provides a way to portray the topological structure of the network and the relations among nodes. On the other hand, to describe the information flow direction, one important concept to explore is innovative packet, i.e., the packet received by a node containing new information that cannot be derived from already received packets.

In particular, for systems without wormhole links, we quantify the probability of the packet transmission directions between a pair of neighbor nodes, based on the concept of innovative packet and ETX, as shown in Theorem 1.

Theorem 1. For any two neighbor nodes $u$ and $v$ in the network satisfying $\mathrm{ETX}(u) < \mathrm{ETX}(v)$, the probability that $v$ will receive an innovative packet from $u$ is $\frac{\mathrm{ETX}(v) - 1}{\mathrm{ETX}(u) + \mathrm{ETX}(v) - 1}$.

Proof. ETX is the expected number of the sent packets to make sure the forwarding node or recipient receives the innovative packet. Let $p = 1/ETX(u)$ and $q = 1/ETX(v)$; then $p$ and $q$ are the probabilities to deliver the novel packet from the source node to $u$ and $v$, respectively. Since $ETX(u) < ETX(v)$, $p > q$. We set up two random variables $X$ and $Y$: $X = x$ is the event that it takes $x$ packets to make $u$ hear the innovative packet, and $Y = y$ is the event that $y$ packets make the novel packet arrive at $v$ successfully. In fact, $X$ and $Y$ follow geometric distributions and they are independent of each other. We calculate the probability of the event $X < Y$ as Equation (5):

$$P(X < Y) = \sum_{x=1}^{\infty} \sum_{y=x+1}^{\infty} P(X = x) P(Y = y) = \frac{p - pq}{p + q - pq} = \frac{ETX(v) - 1}{ETX(u) + ETX(v) - 1}. \tag{5}$$

□

The basic idea of this theorem is that in general information flows are more likely to be transmitted from the nodes of low ETXs to those of high ETXs.
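The steps behind Equation (5), written out here as an added derivation that is not part of the original paper. It uses only the definitions in the proof: $X$ and $Y$ are independent and geometric, so $P(X = x) = p(1-p)^{x-1}$ and $P(Y > x) = (1-q)^{x}$.

$$P(X < Y) = \sum_{x=1}^{\infty} P(X = x)\, P(Y > x) = \sum_{x=1}^{\infty} p(1-p)^{x-1}(1-q)^{x} = \frac{p(1-q)}{1 - (1-p)(1-q)} = \frac{p - pq}{p + q - pq}.$$

Substituting $p = 1/ETX(u)$ and $q = 1/ETX(v)$ and multiplying numerator and denominator by $ETX(u)\,ETX(v)$ gives $\frac{ETX(v) - 1}{ETX(u) + ETX(v) - 1}$.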

When the network contains wormhole links, they will change the overall topological structure of the network. The actual ETX metric (with wormhole links) suffers a huge change as well, and then the transmissions of the novel packets are distinguishable from the expected ones.

Algorithm to determine ETX. Since ETX is an important metric to characterize wormhole attacks, below we describe how to determine the ETX of each node based on the probability of successful transmission $P(i, j)$ between every two nodes $v_i$ and $v_j$. Each $P(i, j)$ between two nodes can be measured by sending and receiving small packets and getting the statistical result. All the probabilities of successful transmission $P(\cdot, \cdot)$ together form the network adjacency matrix $\mathbf{P}$. We assume the matrix $\mathbf{P}$ is known for the network. We propose Algorithm 1 (EDA) to calculate the ETX for each node.

Algorithm 1. ETX-Determining Algorithm (EDA)

Input: the entire network $G$ with nodes $V$ and their locations $L$, and the source node $v_s$
Output: the ETXs for all the nodes in the network $G$

1: $ETX(v_s) \leftarrow 1.0$
2: for each node $v_i$ in $V$, except $v_s$ do
3:   $ETX(v_i) \leftarrow +\infty$
4: end for
5: repeat
6:   $ETXupdated \leftarrow$ false
7:   for each node $v_i$ in the network $G$, other than $v_s$ do
8:     Let $N$ be the set of the neighbors of $v_i$ s.t. $ETX(v_k) < +\infty$ for any $v_k \in N$
9:     if $ETX(v_i) > \frac{1}{1 - \prod_{v_k \in N} \frac{1}{ETX(v_k)} (1 - P(v_k, v_i))}$ then
10:      $ETX(v_i) \leftarrow \frac{1}{1 - \prod_{v_k \in N} \frac{1}{ETX(v_k)} (1 - P(v_k, v_i))}$
11:      $ETXupdated \leftarrow$ true
12:    end if
13:  end for
14: until $ETXupdated$ = false
15: return the ETXs for all the nodes

In Algorithm 1, we make the ETXs depict the difficulty of delivering the innovative packet to each node. For each transmission of an innovative packet, any node can receive it as long as at least one of its neighbors has received the packet and successfully transmits it to the node. That gives rise to lines 9 to 11 in Algorithm 1. Another important observation is that any node can derive its own ETX given the ETXs of its neighbors and the relevant loss probabilities. That is, it is not necessary for each node to know the global ETXs or any location information of other nodes. Thus, our algorithms are independent of location information. In Theorem 2, we show that Algorithm 1 determines the ETXs with a unique answer.

Theorem 2. The returned solution of Algorithm 1 is unique.

Proof. We first study the scenario of a connected network. The outer loop from line 5 to 14 keeps decreasing the ETXs based on the successful transmission probabilities between each pair of nodes. Note that if the ETX of any node decreases, the ETXs of all its neighbor nodes will remain the same according to the conditional branch at line 9. That is, if $ETX(v_i)$ decreases, and let $v_j$ be any one of $v_i$’s neighbors and let $N$ be the set of $v_j$’s neighbors, we have the value $T = \frac{1}{1 - \prod_{v_k \in N} \frac{1}{ETX(v_k)} (1 - P(v_k, v_i))}$ increases and thus $ETX(v_j) < T$. Then the value of $ETX(v_j)$ cannot change. Thus, there is no pair of nodes whose ETX values are directly dependent on each other. Algorithm 1 can halt in a finite number of steps and output a unique solution. If the network is not connected, all the ETXs of the nodes that are not connected with the source node will be infinite, and the solution is also unique. Proof completes. □

Since our wormhole detection algorithm will rely on the values of ETXs, it is important to ensure that the system has appropriate defense against possible attacks on ETXs. In practice, link loss probabilities used in ETX calculation are measured and reported using small control packets sent among nodes, and these packets are transmitted under conventional protocols instead of network coding. To protect these protocols from wormhole attacks, existing countermeasures against wormholes in conventional wireless networks can be leveraged, such as [13], [15], [16]. To defend against other cheating and malicious behavior in measuring link loss probabilities, e.g., submitting untruthful reports, both cryptographic and incentive-mechanism approaches can be used [22].

5 THE CENTRALIZED ALGORITHM

In this section, we propose the centralized algorithm, which utilizes the ETX metric and the order of rank increment to detect wormhole attacks. In order to protect the validity of our method, we also introduce the public cryptographic scheme for the network. For the proposed algorithm, we not only perform the analysis of its correctness, but also discuss its technical details in this section.

5.1 Algorithm Design

As presented in Section 2.1, for each forwarding node in an RLNC network, receiving an innovative packet causes the rank of the previously received packets to increase by one. We also find that the nodes with lower ETXs are more likely to receive innovative packets (i.e., increase the rank) earlier than other nodes. On the other hand, wormhole links make some nodes receive innovative packets (i.e., increase the rank) much earlier than they should. Thus, in the proposed centralized algorithm, we explore the order of rank increments in order to detect the wormhole links.

Basically, in RLNC, when an innovative packet is sent from the source node, the nodes near the source node are more likely to receive the innovative packets earlier than the nodes that are far from the source node. In Section 4, we have demonstrated that ETX is a proper metric to measure the distances between each node and the source node. Thus, the nodes with low ETXs can probably receive the innovative packets earlier. However, the existence of a wormhole link changes the normal network topology, since the innovative packets can be transmitted through the wormhole link directly and safely, and thus the nodes around the remote side of the wormhole link can receive the novel packets earlier than expected. With a wormhole link, the order of the rank increments among the nodes will be significantly changed.

To illustrate the significant changes, we run an RLNC simulation, and Figs. 5 and 6 demonstrate the orders of rank increments with and without a wormhole link. Here we have 100 nodes in the network, and we run Algorithm 1 to calculate the ETXs. In the figures, the red curve denotes the ascending ETXs of the nodes. Then we start the network coding transmission. The source node sends out an innovative packet, and for each node, receiving the innovative packet will result in a rank increment from 0 to 1. We collect the time stamps of rank increments on the nodes during the whole transmission, and find out the time order of rank increments. That is the blue line, which denotes the ETXs of the nodes based on the ascending time order of rank increments. We find that the blue line deviates from the red line when the wormhole link exists. That is, the wormhole link truly changes the network topology as well as the transmission flows. Therefore, we can observe the time order of rank increments, and release alerts when the deviation of the order exceeds the bound, which is set by the administrator. We can even determine the range of the nodes that may be involved in the wormhole attack. For example, in Fig. 6, the nodes whose ETXs are from 6.0 to 10.0 may be involved in the wormhole attack, since they contribute most to the deviation of the blue curve.

For the centralized algorithm, we set up a central node, which owns the authority to gather information from all the nodes in the network, and we run a wormhole detection algorithm based on the rank increasing information on the central node. Each node is responsible for recording the time when the rank of the received packets increases and then generates a report, which includes details such as the time, the node address, and the rank. Each node delivers the reports to the central node via common unicast.

Fig. 5. Node rank increment order of normal RLNC network.

Fig. 6. Node rank increment order of network under wormhole attack.

Based on the intuitions above, we propose Algorithm 2, the centralized algorithm to detect wormhole attacks on the central node. In Algorithm 2, the central node chooses an event of rank change, i.e., the rank increment from $i$ to $i + 1$, and then searches the received reports to find all the related ones. Then we compare the time order of ETXs with the ascending ETX sequence and calculate the distance between them. If the distance exceeds the threshold, we decide there exists a wormhole attack, and release the warning. At last, we update the bound of the distance for the next detection, in order to make our algorithm adaptive. We apply k-means [23] to determine the bound, since k-means is powerful to learn the bound distinguishing two opposite samples.²

Algorithm 2. The Centralized Algorithm

Input: $T$: the reports from all the nodes $V$ in the network $G$; $D$: the number of dimensions of the code vector space; $Normal$: the normal distance; $Threshold$: the threshold of alert
Output: whether there exists a wormhole attack in the network $G$; the updated $Normal$

1: Randomly select a rank $r$ s.t. $r \ge 1$ and $r$ should be small enough, i.e., $1 \le r \le 5$.
2: Let $T_r$ be the set of the reports whose rank increments are from $r - 1$ to $r$.
3: Sort $T_r$ into a sequence $T_r^e$ s.t. the values of ETX in $T_r^e$ are ascending.
4: Let $L_e$ be the sequence of ascending ETXs in $T_r^e$.
5: Sort $T_r$ into a sequence $T_r^t$ s.t. the values of time in $T_r^t$ are ascending.
6: Let $L_t$ be the sequence of ETXs in $T_r^t$ while preserving the order.
7: $Distance \leftarrow$ Calculate-Distance($L_e$, $L_t$, $|V|$)
8: if $Distance - Normal > Threshold$ then
9:   Find out the addresses of the nodes with the most aberrant ETXs.
10:  Release a warning of wormhole attack.
11: end if
12: Update the value of $Normal$ using k-means.

In Algorithm 2, each report $t$ is a tuple as Equation (6):

$$t = (time, addr, ETX, rank, K_{pub}, sig) \tag{6}$$

Here, $time$ denotes the time stamp of the rank increment; $addr$ denotes the address of the node that sends the report; $ETX$ is the ETX of the reporting node; the value $rank$ means the rank increased from $rank - 1$ to $rank$. $K_{pub}$ is the public key of the reporting node. $sig$ is the digital signature of the report. The signature can be calculated by Equation (16). In Equation (16), we adopt a hashing function to obtain the abstract of the plain data $P = (time, addr, ETX, rank, K_{pub})$, and then encrypt the abstract using the secret key $K_{sec}$ of the local node. The result is the signature $sig$. In Algorithm 2, $T_r$ denotes the set of the reports of rank increment from $r - 1$ to $r$.

Algorithm 3. Calculate-Distance

Input: $L_1$, $L_2$: two lists; $n$: the number of nodes
Output: the distance between $L_1$ and $L_2$

1: Set up two $n$-dimensional vectors $X$ and $Y$.
2: $d \leftarrow 0$
3: for $i$ from 1 to $n$ do
4:   $d \leftarrow d + (L_1[i] - L_2[i])^2$
5: end for
6: return $\sqrt{d}$
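Lines 2 to 10 of Algorithm 2 together with Algorithm 3, as an added Python example that is not the authors' simulator code. The node addresses, ETX values, time stamps, `Normal` and `Threshold` are constructed for illustration, the signature fields of Equation (6) and the k-means update are omitted, and reading "most aberrant" as the largest per-position gap is an assumption.

```python
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Report:
    time: float  # time stamp of the rank increment
    addr: int    # address of the reporting node
    etx: float   # ETX of the reporting node
    rank: int    # rank reached by the increment (rank-1 -> rank)


def calculate_distance(l1, l2):
    """Algorithm 3: Euclidean distance between two ETX sequences."""
    if len(l1) != len(l2):
        raise ValueError("both sequences must cover the same reports")
    return sqrt(sum((a - b) ** 2 for a, b in zip(l1, l2)))


def centralized_check(reports, r, normal, threshold, top=2):
    """Lines 2-10 of Algorithm 2 for one rank r (no k-means update)."""
    t_r = [t for t in reports if t.rank == r]          # line 2
    by_etx = sorted(t_r, key=lambda t: t.etx)          # line 3
    by_time = sorted(t_r, key=lambda t: t.time)        # line 5
    l_e = [t.etx for t in by_etx]                      # line 4
    l_t = [t.etx for t in by_time]                     # line 6
    distance = calculate_distance(l_e, l_t)            # line 7
    alarm = distance - normal > threshold              # line 8
    suspects = []
    if alarm:
        # Assumption: a node is "aberrant" when its ETX differs most from
        # the ETX expected at the position where its report arrived.
        gaps = sorted(zip(by_time, l_e),
                      key=lambda pair: abs(pair[0].etx - pair[1]),
                      reverse=True)
        suspects = [t.addr for t, _ in gaps[:top]]     # line 9
    return distance, alarm, suspects


# Constructed sample data: eight nodes, ETX keyed by address.
ETX = {1: 1.0, 2: 1.5, 3: 2.0, 4: 3.0, 5: 4.5, 6: 6.0, 7: 8.0, 8: 9.5}
# Without a wormhole, arrival times roughly follow ETX (nodes 7 and 8 swap).
NORMAL_TIMES = {1: 0.0, 2: 1.1, 3: 2.3, 4: 3.0, 5: 4.8, 6: 6.1, 7: 9.2, 8: 8.9}
# With a wormhole ending near node 8, nodes 8 and 7 hear the packet early.
WORMHOLE_TIMES = {1: 0.0, 2: 1.1, 3: 2.3, 4: 3.0, 5: 4.8, 6: 6.1, 7: 2.0, 8: 1.3}


def make_reports(times, rank=1):
    return [Report(times[a], a, ETX[a], rank) for a in ETX]


if __name__ == "__main__":
    for name, times in (("normal", NORMAL_TIMES), ("wormhole", WORMHOLE_TIMES)):
        print(name, centralized_check(make_reports(times), 1, 2.0, 5.0))
```

In the constructed wormhole case the two early reporters dominate the distance, which is why the per-position gap points back at them.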

5.2 Analysis

We now analyze the correctness of Algorithm 2. That is, the wormhole link can remarkably increase the Distance in Algorithm 2, so that we can leverage some learning mechanisms to distinguish whether wormhole links exist with high accuracy. The Distance is essentially the Euclidean distance between the two ETX orders. One order has ascending ETXs, and the other follows the order of rank increments. We now analyze the Distance in a quantitative way. We denote by $d(l)$ the set of the ETX differences between two nodes whose location distance is $l$. For instance, in the network there is a node $a$ with ETX 2.0, and there is a node $b$ with ETX 5.0. The location distance between $a$ and $b$ is 10 units. Thus, the ETX difference $5.0 - 2.0 = 3.0$ is in the set $d(10)$. We denote by $\max_{l \le r} d(l)$ the maximum ETX difference when the location distance is no longer than $r$, and $\min_{l \ge r} d(l)$ denotes the minimum ETX difference when the location distance is no shorter than $r$. Let $R$ be the radius of neighborhood, and let $L$ be the length of the wormhole link, if any. Then we have the lower bound of Distance.

Theorem 3. If there exists a wormhole link with length $L$ in the connected RLNC network, we have

$$Distance \ge \min_{l \ge L} d(l) - \max_{l \le R} d(l). \tag{7}$$

Proof. Let the wormhole link connect the nodes $a$ and $b$. Without loss of generality, we assume $ETX(a) < ETX(b)$. The order of the nodes with ascending ETXs should be

$$\ldots, a, c_1, c_2, \ldots, c_k, b, \ldots \tag{8}$$

The ETX difference between $a$ and $c_1$ has to be no larger than $\max_{l \le R} d(l)$. Otherwise, in (8) no node before $a$ (including $a$) can be a neighbor of any node after $a$. Thus the RLNC network is not connected, with at least two separated components. The wormhole link can directly deliver the innovative packet from $a$ to $b$. Thus, with the wormhole link, the order will be

$$\ldots, a, b, \ldots \tag{9}$$

2. Here the scenario is unsupervised learning since we do not know whether there exists a wormhole link temporarily after each transmission. If we have the knowledge of some historic wormhole attacks, we can utilize supervised learning algorithms, such as support vector machine [24].


We next estimate the lower bound of Distance based on (8) and (9). That is

$$\begin{aligned} Distance &\ge ETX(b) - ETX(c_1) \\ &= ETX(b) - ETX(a) - (ETX(c_1) - ETX(a)) \\ &\ge ETX(b) - ETX(a) - \max_{l \le R} d(l) \\ &\ge \min_{l \ge L} d(l) - \max_{l \le R} d(l). \end{aligned} \tag{10}$$

Here to obtain the first inequality, we consider the minimal difference between (8) and (9). That is, the change from (8) to (9) is only the swap between $b$ and $c_1$. The above inequality finishes the proof. □

Since the length of the wormhole link $L$ is much longer than the neighborhood radius $R$, for most cases the ETX difference for $L$ is much larger than that for $R$, and thus $\min_{l \ge L} d(l)$ is much larger than $\max_{l \le R} d(l)$.³ That is, we can guarantee a sufficiently large lower bound for the Distance given a long enough wormhole link. Since the estimation of the lower bound in the proof of Theorem 3 is quite rough, the actual Distance is much larger than the lower bound here. Thus, the wormhole link can guarantee a large enough Distance to make it recognizable.

5.3 Discussions

We now discuss the technical details in Algorithm 2. We first explain why we have the bounds ($Normal$ and $Threshold$) on Distance, a value describing the deviation of ETX order, at line 8 of Algorithm 2. The main reason is that the Distance is uncertain in nature. In order to study the uncertainty in Distance, we need to analyze the transmissions of each innovative packet. Let $p$ be the successful transmission probability over one hop. From the source node to the destined node, the number of the sent packets until the transmission succeeds is a random variable $X$ which conforms to a geometric distribution. Denote by $T_X$ the ETX value of the destined node; then $T_X$ is the expected value of $X$.⁴ Thus, we have

$$T_X = E[X] = \sum_{k=1}^{\infty} k p (1 - p)^{k-1} = \frac{1}{p}. \tag{11}$$

In RLNC, since the transmissions over the hops are independent from each other, the successful transmission probability $p$ between two nodes is the product of all the probabilities of the hops that together connect both nodes:

$$p = \prod_{h_k \in H} p_k, \tag{12}$$

where $H$ denotes the set of the hops that connect the source and destination, and $p_k$ denotes the successful transmission probability over the hop $h_k$. In RLNC, each innovative packet can be transmitted through different sequences of hops $H$. Among the hop-sequences, there exists one that can transmit the packets in the shortest time. To make sure that the packets through the fastest hop-sequence arrive earlier than others with a high probability, the variance of $X$ over the fastest hop-sequence should be as low as possible. We calculate the variance as follows:

$$Var(X) = E[X^2] - E^2[X] = \frac{1 - p}{p^2}. \tag{13}$$

Applying Equation (11), we obtain Equation (14):

$$Var(X) = E[X](E[X] - 1) = T_X(T_X - 1). \tag{14}$$

As the ETX value $T_X$ increases, the variance $Var(X)$ becomes even larger and it increases much faster than ETX. That means if the ETX of the target node is high (that is, the target node is far from the source node), it is difficult to predict the time when the innovative packet arrives at the target node. In Fig. 5, there are obvious deviations on the nodes of high ETXs (around 8.0 to 12.0), even though there is no wormhole link. Thus we have to give tolerance to such deviations. We define a deviation $Normal$ for the normal case at line 8 of Algorithm 2, and we leverage some unsupervised learning techniques to obtain the bounds $Normal$ and $Threshold$. Since wormhole links contribute more deviation by redirecting innovative packet flows, the centralized algorithm can correctly detect the wormhole links with proper learning algorithms.

We next explain why we choose a relatively small rank at line 1 of Algorithm 2. The essential reason is about the correspondence between the order of rank increments and the innovative packet sent by the source node. In RLNC, each innovative packet sent by the source contains a basis of the code vector space. For each forwarding node, an innovative packet must have at least one basis that the node has not received. Thus, the order of rank increments is essentially the order of receiving the basis from the source. However, if there are pervading undelivered innovative packets in the network, it is difficult to guarantee that the rank increment of each node is due to the latest basis sent by the source. Thus, it is desirable to observe the rank increments when there are relatively a small number of innovative packets pervading the whole network. In other words, the rank of the sent innovative packets should be small enough. Thus, we choose a relatively small rank at line 1 of Algorithm 2. A small enough rank can guarantee the correspondence between the order of rank increments and the basis, and thus the centralized algorithm can effectively distinguish whether there exists a wormhole link based on the order of rank increments.

6 THE DISTRIBUTED DETECTION ALGORITHM

In this section, we consider a practical scenario where a centralized authority cannot be found. We propose DAWN, a distributed algorithm to detect wormhole attacks in wireless network coding systems. We will perform rigorous analysis on the detection rate of our algorithm and its resistance against collusions.

6.1 Algorithm Design

The basic idea of DAWN is based on the result of Theorem 1. For any two nodes in the neighborhood, the one with lower ETX is supposed to receive novel packets earlier than the other one with high probability. In other words, innovative packets are transmitted from low ETX nodes to high ETX nodes with high probability. In order to monitor the innovative packet transmission direction, nodes will work collaboratively. In particular, DAWN has two phases on each node: 1) Report packet direction observation results to its neighbors (Algorithm 4) and 2) Detect whether any attackers exist (Algorithm 5). The Detect phase is based on the results received from neighbors during the Report phase. Both algorithms run on every node in the network. Algorithm 4 runs simultaneously while passing on the packets, and Algorithm 5 should be asynchronous for different nodes and run at random time slots.

3. There are some cases where the ETX difference is very small even if $L$ is much longer than $R$. To circumvent such scenarios, we may choose another pair of source and destination, and recalculate the ETXs to make the ETXs distinguishable.

4. According to [17], ETX denotes the expected number of packets to send until one packet successfully arrives at the destination.

Algorithm 4. ReportFunction

Input: $N(u)$: the set of $u$’s neighbors; the number of the novel packets $u$ received from each neighbor in the last batch; $d$: the threshold on ETX difference.
Output: $s_v$: the local observation result for each neighbor $v \in N(u)$; Report messages if any.

1: for $v \in N(u)$ do
2:   Denote $p_v$ the number of novel packets that $u$ received from $v$ during the last batch
3:   if $ETX(v) - ETX(u) > d$ AND $p_v > 0$ then
4:     $u$ broadcasts the report $r(u, v, 0)$;
5:     Note: $r(u, v, 0)$ represents the report sent from $u$ about suspicious wormhole behavior of $v$, with hop count 0.
6:     $s_v = 1$;
7:   else
8:     $s_v = 0$;
9:   end if
10: end for

Report phase. As shown in Algorithm 4, each node will suspect that one neighbor is an attacker if it receives novel packets from the neighbor but the ETX of this neighbor is much higher than that of itself (i.e., the distance between the ETXs is greater than the threshold $d$). It sends its judgment as a report to its neighbors (lines 3-5). A node is called a judge node of a neighbor if the distance between their ETXs is greater than the threshold. Each report $r$ is a tuple as Equation (15):

$$r = (time, A_{suspect}, A_{self}, K_{pub}, S_{novel}, sig). \tag{15}$$

Here, $time$ is when the reporting node discovers the abnormal transmission. $A_{suspect}$ is the address of the suspected node, which sends out a novel packet and owns a higher ETX than the recipient’s. $A_{self}$ is the address of the reporting local node. Since any node can modify the report when forwarding it, we need to apply cryptographic techniques to protect the integrity of the reports. We use digital signatures of the reports to defend against malicious modification, and the abstract of the novel packet for administrative verification. Thus, we introduce symmetric cryptographic scheme into our system to make it more robust against attacks. In Equation (15), $K_{pub}$ is the public key of the reporting node. $S_{novel}$ is the set of the signatures of the received novel packets. $sig$ is the signature of the report. The signatures are produced as Equation (16):

$$sig = Encrypt(K_{sec}, Hash(P)). \tag{16}$$

Here $K_{sec}$ is the secret key of the reporting node. $P$ is the novel packet that was received from the target.

Algorithm 5. The Distributed Detection Algorithm for Wormholes in Wireless Network Coding Systems (DAWN) on Node $u$

Input: $R$: the set of reports received in the last batch; $N(u)$: the set of $u$’s neighbors; $s_j$: the local observation result of each neighbor $j \in N(u)$; $d$: the threshold.
Output: Detected wormhole attackers in $N(u)$, if any.

1: for each report $r(i, j, k) \in R$ do
2:   if $ETX(j) - ETX(i) \le d$ OR $i \notin N(j)$ then
3:     Discard this report;
4:   else
5:     if $j \in N(u)$ then
6:       $s_j \leftarrow s_j + 1$;
7:     end if
8:     if $k < 2$ then
9:       Forward this report $r(i, j, k + 1)$;
10:    end if
11:  end if
12: end for
13: for each $v \in N(u)$ do
14:   Let $C(v) = \{ i \mid i \in N(v) \text{ s.t. } ETX(v) - ETX(i) > d \}$
15:   if $s_v \ge \lceil \frac{|C(v)| + 1}{2} \rceil$ then
16:     Mark $v$ as a detected wormhole attacker, and block any traffic from or to node $v$ in future batches.
17:   end if
18: end for

Detect phase. Algorithm 5 presents the pseudocode of the Detect phase of DAWN. Each node in the Detect phase receives reports from the judge nodes of any potential attackers. It first examines whether a report is from a valid judge node. If so, it will forward the report unless it has already been forwarded twice. Three hops of the reports make sure that more (reachable) neighbors of the potential attacker will hear this report (line 8). Fig. 7 illustrates an example in which a report is forwarded twice to make sure more neighbors receive it.

Fig. 7. An illustration of report forwarding.

The detection algorithm on each node accumulates and calculates the number of its judge nodes who send reports about the reported potential attacker in the current batch. If the judge nodes compose the majority (line 15), the node will make the decision that the attacker is involved in a wormhole attack and block it from future communications.
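The Report and Detect phases (Algorithms 4 and 5) run over one batch on a small network, as an added Python example that is not the authors' simulator code. The node names, ETX values, topology, packet counts and threshold are constructed; the signature fields of Equation (15) are omitted, and two behaviors are assumptions: each node counts a given report once, and a suspect ignores reports about itself.

```python
from collections import deque
from math import ceil


def report_phase(etx, nbrs, novel, d):
    """Algorithm 4 on every node u; novel[(u, v)] = novel packets u got from v."""
    s = {u: {v: 0 for v in nbrs[u]} for u in etx}
    reports = []
    for u in etx:
        for v in nbrs[u]:
            if etx[v] - etx[u] > d and novel.get((u, v), 0) > 0:   # line 3
                s[u][v] = 1
                reports.append((u, v))       # r(u, v, 0): judge u suspects v
    return s, reports


def detect_phase(etx, nbrs, s, reports, d):
    """Algorithm 5 on every node, reports travelling at most three hops."""
    seen = {u: set() for u in etx}           # assumption: count each report once
    queue = deque((i, (i, j), 0) for i, j in reports)
    while queue:
        sender, (i, j), k = queue.popleft()
        for u in nbrs[sender]:
            # Assumption: judge i and suspect j do not process this report.
            if u in (i, j) or (i, j) in seen[u]:
                continue
            seen[u].add((i, j))
            if etx[j] - etx[i] <= d or i not in nbrs[j]:
                continue                     # lines 2-3: not a valid judge of j
            if j in nbrs[u]:
                s[u][j] += 1                 # lines 5-6
            if k < 2:
                queue.append((u, (i, j), k + 1))   # lines 8-9
    detected = {}
    for u in etx:
        detected[u] = set()
        for v in nbrs[u]:                    # lines 13-17
            judges = [i for i in nbrs[v] if etx[v] - etx[i] > d]   # C(v)
            if s[u][v] >= ceil((len(judges) + 1) / 2):
                detected[u].add(v)
    return detected


def run_dawn(etx, nbrs, novel, d, injected=()):
    """One batch; `injected` holds extra (i, j) reports sent by node i."""
    s, reports = report_phase(etx, nbrs, novel, d)
    return detect_phase(etx, nbrs, s, reports + list(injected), d)


# Constructed scenario: S is the source, W is the remote end of a wormhole.
ETX = {"S": 1.0, "A": 2.0, "B": 3.5, "C": 5.0, "D": 6.5, "E": 7.5, "W": 8.0}
NBRS = {"S": ["A"], "A": ["S", "B", "C"], "B": ["A", "C"],
        "C": ["A", "B", "D", "W"], "D": ["C", "E", "W"],
        "E": ["D", "W"], "W": ["C", "D", "E"]}
NOVEL = {("A", "S"): 5, ("B", "A"): 4, ("C", "A"): 1, ("C", "B"): 3,
         ("D", "C"): 2, ("E", "D"): 1,
         ("C", "W"): 3, ("D", "W"): 4, ("E", "W"): 2,  # W rebroadcasts tunnelled packets
         ("B", "C"): 1}                                 # one honest reverse delivery
D_THRESHOLD = 1.2

if __name__ == "__main__":
    # ("E", "C") is a report from a node that is not a judge of C.
    print(run_dawn(ETX, NBRS, NOVEL, D_THRESHOLD, injected=[("E", "C")]))
```

All three neighbors of W reach the majority of its two judge nodes, while the single report against the honest node C stays below C's threshold and the report from the non-judge E is discarded.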

6.2 Lower Bound of Detection Rate

In this section, we show that our proposed distributed algorithm DAWN performs well, with a high lower bound on the detection rate. In particular, we obtain the result in Theorem 4.

Theorem 4. For an individual node $v$ to be detected, let $N(v)$ denote the set of the neighbors of $v$, and let $S(v)$ be the subset of $N(v)$ s.t.

$$\forall w \in S(v),\ ETX(w) - ETX(v) > d. \tag{17}$$

Here $d$ is the threshold. Let $n = |S(v)|$; then the lower bound of the success rate of the algorithm is

$$B = 1 - \exp\left( -\frac{2 \left( np - \lfloor \frac{n}{2} \rfloor \right)^2}{n} \right). \tag{18}$$

Here $p$ is specified as Equation (19):

$$p = \frac{ETX(v) + d - 1}{2 ETX(v) + d - 1}. \tag{19}$$

Proof. Based on Theorem 1, one lower bound of the probability that one node in $S(v)$ will receive the novel packet earlier than $v$ equals $p$ in Equation (19), by introducing the threshold $d$. Thus, the success rate $R$ satisfies

$$R \ge \sum_{k = \lceil \frac{n+1}{2} \rceil}^{n} \binom{n}{k} p^k (1 - p)^{n-k}. \tag{20}$$

The lower bound $B$ can be determined by applying Hoeffding’s inequality [25]:

$$R \ge 1 - \sum_{k=0}^{\lfloor \frac{n}{2} \rfloor} \binom{n}{k} p^k (1 - p)^{n-k} \tag{21}$$

$$\ge 1 - \exp\left( -\frac{2 \left( np - \lfloor \frac{n}{2} \rfloor \right)^2}{n} \right) = B. \tag{22}$$

□

To illustrate the lower bound more clearly, we now show some numerical results with different settings. Fig. 8 demonstrates the lower bound of the detection rate of DAWN with various numbers of judge nodes and thresholds (i.e., $n$ and $d$ in Equations (18) and (19), respectively). We may set proper $n$ and $d$ for each node (i.e., $n = 41$, $d = 10.0$, $ETX = 5.0$) in order to address the attackers successfully with a high probability near 1, as Table 1 indicates. As the simulations in Section 7 show, the real detection rate is much higher than the lower bound.
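Equations (18) to (20) evaluated side by side, as an added Python example that is not code from the paper. It reproduces the three rows of Table 1, compares the Hoeffding bound $B$ with the exact binomial majority probability of Equation (20), and returns 0.0 where the bound is uninformative; the function names and the `min_judges` search are assumptions introduced here.

```python
from math import ceil, comb, exp


def judge_success_probability(etx_v, d):
    """Equation (19): p for a node with ETX(v) and threshold d."""
    return (etx_v + d - 1) / (2 * etx_v + d - 1)


def hoeffding_lower_bound(etx_v, d, n):
    """Equation (18). Returns 0.0 when np <= floor(n/2), where Hoeffding's
    inequality gives no information about the majority vote."""
    p = judge_success_probability(etx_v, d)
    margin = n * p - n // 2
    if n == 0 or margin <= 0:
        return 0.0
    return 1 - exp(-2 * margin ** 2 / n)


def exact_majority_probability(etx_v, d, n):
    """Right-hand side of Equation (20): at least ceil((n+1)/2) of n judges."""
    p = judge_success_probability(etx_v, d)
    first = ceil((n + 1) / 2)
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(first, n + 1))


def min_judges(etx_v, d, target, max_n=500):
    """Smallest n whose bound B reaches `target`, or None within max_n."""
    for n in range(1, max_n + 1):
        if hoeffding_lower_bound(etx_v, d, n) >= target:
            return n
    return None


# Rows of Table 1 as (ETX(v), d, n, B in percent).
TABLE_1 = [(5.0, 9.0, 39, 98.66), (5.0, 8.0, 49, 98.97), (5.0, 10.0, 41, 99.38)]

if __name__ == "__main__":
    for etx_v, d, n, b in TABLE_1:
        bound = 100 * hoeffding_lower_bound(etx_v, d, n)
        exact = 100 * exact_majority_probability(etx_v, d, n)
        print(f"ETX={etx_v} d={d} n={n}: B={bound:.2f}% (table {b}), exact={exact:.4f}%")
    # Thresholds in the range used in Section 7.2 give a much weaker bound.
    print(hoeffding_lower_bound(5.0, 1.5, 41))
    print(min_judges(5.0, 10.0, 0.99))
```

Since $p > 1/2$ only when $d > 1$, the bound needs a threshold above 1 to grow with $n$; for small $d$ it stays close to 0 however many judge nodes there are.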

6.3 Collusion Resistance of DAWN

The distributed detection algorithm DAWN requires the collaboration of the wormhole attackers’ neighbor nodes, i.e., monitoring attackers’ behavior, sending, forwarding and analyzing reports. It is possible that although these nodes do not participate in wormhole links, they collude with wormhole attackers by making false reports against honest nodes or by other misbehavior in the report procedure to make the detection algorithm malfunction.

In this section, we analyze the resistance of DAWN against collusions in the report procedure. In particular, we obtain a condition on the number of colluding nodes, under which DAWN is resistant against colluding attacks, as stated in Theorem 5.

Theorem 5. Let $M$ be the set of the colluding nodes in the whole network. Then a necessary condition for DAWN to be resistant against colluding attacks is that Equation (23) holds for any node $v$:

$$|M \cap S(v)| < \left\lceil \frac{|S(v)| + 1}{2} \right\rceil. \tag{23}$$

Here $S(v)$ is the same as in Theorem 4.

Proof. Sketch: We prove by contrapositive, i.e., if Equation (23) does not hold, the decision error rate is not bounded. Suppose that DAWN is making a decision whether any node $v$ is a wormhole attacker. If $v$ is innocent, all the malicious nodes in $S(v)$ can send false reports claiming $v$ is involved in the wormhole attack. However, the number of the good nodes in $S(v)$ who can send reports indicating $v$ is innocent is specified as Equation (24):

$$|S(v) \setminus M| < \left\lceil \frac{|S(v)| - 1}{2} \right\rceil \le |M \cap S(v)|. \tag{24}$$

Because it is the same with the scenario that most nodes of $S(v)$ are honest while $v$ is malicious, it is impossible to judge whether $v$ is malicious. For the case where $v$ is a wormhole attacker and Equation (23) does not hold, a similar conclusion can be drawn. □

Fig. 8. The lower bound of the success probability of the proposed distributed algorithm, with variables $n$ and $d$. The ETX of the node to be detected is 5.

TABLE 1. Lower Bounds B for Different Scenarios

ETX(v)   d      n    B (%)
5.0      9.0    39   98.66
5.0      8.0    49   98.97
5.0      10.0   41   99.38

For other scenarios where the colluding nodes dominate the neighborhood of wormhole attackers, since they fall out of the main scope of this paper, we omit the detailed solutions here and leave them to future work.

6.4 Attackers Can Be Smarter

The above discussions have covered the ordinary wormhole attack and the collusion attack. However, the attacker can manipulate the wormhole link more intelligently. For example, the attacker may cheat its neighbors about its ETX by misreporting the link loss probabilities. The attacker can also initiate the wormhole link opportunistically. The ultimate objective of the attacker is to avoid being detected by the judge nodes. In this section, we discuss the defending solutions against these intelligent strategies.

The attacker can successfully forge its ETX only by misreporting the distances between its neighbors and itself. Otherwise, its neighbors, which are good nodes and can share correct information with each other, can find that the attacker’s claimed ETX is incorrect. Moreover, we can eliminate such misreporting behaviors by letting at least three of its neighbors work collaboratively to discover that the attacker’s claimed position (based on its claimed distances) does not exist. Thus, we can make it impractical for the attacker to forge its ETX given the threshold and others’ ETXs.

It is still possible for the attacker to apply an opportunistic policy on initiating the wormhole link, in order to avoid being detected. That is, the attacker only initiates the wormhole link when there is no judge node in its neighborhood, assuming the wireless network is dynamic (i.e., some mesh networks or sensor networks). For this scenario, we can assign some trusted nodes along the network boundary⁵ to ensure that there are always enough judge nodes for each node. Even though this solution is a little expensive, we believe it is efficient when the network is deployed within a not too large area.

7 EVALUATIONS

To evaluate the effectiveness and efficiency of our Centralized Algorithm and DAWN, we have developed a C-based discrete event simulator for network coding systems and implemented our algorithms in the simulator.

7.1 Simulation Setup

We run our simulations on a Linux workstation (2.0 GHz CPU and 32 GB memory). We use the cryptography library Beecrypt [26] to implement the encryption and signature algorithms. We adopt RSA [27] and MD5 [28] algorithms with 4,096-bit key size. We also simulate a certificate authority, which manages the public keys and identities of the nodes. That is, a public key infrastructure is applied in our simulations. When we calculate the time cost and communication overhead, we also include the contribution of PKI.

Performance metrics. The main performance metrics in our evaluations include true positive rate (TPR), false positive rate (FPR), extra computation time and the ratio of extra communication over the total data transmissions. We define TPR and FPR as follows:

1) TPR, the true positives out of the positives, is defined as Equation (25):

$$TPR = \frac{TP}{\sum_{u \in M} |N(u)|}. \tag{25}$$

Here $TP$ denotes the number of the attackers’ neighbors who correctly detect the attack. $\sum_{u \in M} |N(u)|$ is the total number of attackers’ neighbors.

2) FPR is the false positives out of the negatives, as Equation (26):

$$FPR = \frac{FP}{\sum_{u \notin M} |N(u)|}. \tag{26}$$

Here $FP$ denotes the total number of the false detection alarms initiated by any node.

7.2 True Positive Rate versus False Positive Rate

To take a closer look at the effectiveness of our algorithms, our first simulation is on the network with a fixed topology. One hundred nodes are distributed uniformly within the area of 1,000 × 1,000 length units, as Fig. 9 illustrates. Two nodes, whose addresses are 21 and 22, are involved in the wormhole link. The attackers can initiate the wormhole link at any time during the simulation. We consider the unicast and broadcast. For the unicast case, the source node’s address is 1 and the destination node’s is 31. When node 31 receives each innovative packet, it sends an ACK message to node 1 in unicast. For broadcast, the destination node is not specified. We will test random topologies later, when we will choose the source and destined nodes randomly as well. For unicast, if the source and destination are not connected by the network, we eliminate this trial when we calculate the measurements.

Fig. 9. Deployment of the 100 nodes. Malicious nodes 21 and 22 are connected by a wormhole link. The attackers can enable or disable the wormhole link at any time.

5. There are very few nodes near the network boundary, indicating some nodes may have insufficient judge nodes.

Fig. 10 presents the ROC diagram of Centralized Algorithm and DAWN with the fixed deployment of Fig. 9. The points in the ROC diagram are drawn using the pairs of TPR and FPR with different thresholds, i.e., Threshold in Algorithm 2 and d in Algorithm 5. Too low a threshold (i.e., Threshold < 10 or d < 0.5) will make both TPR and FPR near 100 percent. That is, the system is oversensitive and always gives false alarms. Conversely, too high a threshold (i.e., Threshold > 100 or d > 2.0) will make both TPR and FPR near 0 percent. That is, the system seldom releases warnings about attacks, because the Centralized Algorithm is too tolerant, and for DAWN there will be few judge nodes of the target due to the strict requirement brought by the high threshold. If we choose a proper threshold (i.e., Threshold around 50 and d ∈ (1.4, 1.6)), for Centralized Algorithm the TPR is over 92.00 percent and the FPR is less than 11.50 percent, and for DAWN the TPR is over 91.10 percent and the FPR is less than 12.01 percent. This verifies that both Centralized Algorithm and DAWN can detect the attackers accurately.
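The following is an added example, not the authors' simulator code: it evaluates Equations (25) and (26) on a constructed six-node topology and sweeps a threshold to produce ROC points. The suspicion scores, the alarm rule (score above threshold, which matches the statement that low thresholds push both rates toward 100 percent) and all identifiers are assumptions made for illustration.

```c
#include <stdio.h>

#define N_NODES 6

/* Constructed topology (not from the paper): undirected radio links. */
static const int edges[][2] = {
    {0, 1}, {0, 2}, {1, 2}, {2, 3}, {3, 4}, {3, 5}, {4, 5}
};

/* Constructed attacker set M: nodes 1 and 4 are the wormhole endpoints. */
static const int is_attacker[N_NODES] = {0, 1, 0, 0, 1, 0};

/* Hypothetical suspicion score that an observer holds about a neighbor. */
struct report { int observer; int target; double score; };
static const struct report reports[] = {
    {0, 1, 80}, {2, 1, 65}, {3, 4, 90}, {5, 4, 40},   /* targets in M */
    {1, 0, 55}, {2, 0, 12}, {0, 2, 20}, {1, 2, 30},   /* honest targets */
    {3, 2,  8}, {2, 3, 45}, {4, 3, 60}, {5, 3, 15},
    {3, 5,  5}, {4, 5, 25}
};

struct rates { int tp, fp, pos, neg; double tpr, fpr; };

/* Evaluate Equations (25) and (26) for one threshold value. */
struct rates evaluate(double threshold)
{
    int adj[N_NODES][N_NODES] = {{0}};
    struct rates r = {0, 0, 0, 0, 0.0, 0.0};
    size_t i;
    int u, v;

    for (i = 0; i < sizeof edges / sizeof edges[0]; i++) {
        adj[edges[i][0]][edges[i][1]] = 1;
        adj[edges[i][1]][edges[i][0]] = 1;
    }
    /* Denominators: sum of |N(u)| over u in M (pos) and over u not in M (neg). */
    for (u = 0; u < N_NODES; u++)
        for (v = 0; v < N_NODES; v++)
            if (adj[v][u]) {
                if (is_attacker[u]) r.pos++; else r.neg++;
            }
    /* Numerators: assumed alarm rule is score > threshold, neighbors only. */
    for (i = 0; i < sizeof reports / sizeof reports[0]; i++) {
        const struct report *p = &reports[i];
        if (!adj[p->observer][p->target] || p->score <= threshold)
            continue;
        if (is_attacker[p->target]) r.tp++; else r.fp++;
    }
    r.tpr = r.pos ? (double)r.tp / r.pos : 0.0;
    r.fpr = r.neg ? (double)r.fp / r.neg : 0.0;
    return r;
}

int main(void)
{
    const double thresholds[] = {10, 50, 100};   /* one ROC point each */
    size_t i;

    for (i = 0; i < sizeof thresholds / sizeof thresholds[0]; i++) {
        struct rates r = evaluate(thresholds[i]);
        printf("threshold=%5.1f  TPR=%d/%d=%.2f  FPR=%d/%d=%.2f\n",
               thresholds[i], r.tp, r.pos, r.tpr, r.fp, r.neg, r.fpr);
    }
    return 0;
}
```

Note that both denominators count (observer, target) neighbor pairs rather than nodes, so a well-connected honest node contributes more potential false alarms than a node at the network boundary.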

The second set of simulations is on multiple networks with various topologies. We deploy 100 different topologies, and calculate the average TPR and FPR. For each topology, we run 100 instances. The TPR and FPR for each topology are averaged over the 100 instances. Fig. 11 presents the ROC diagram of Centralized Algorithm and DAWN on networks with different topologies. The TPRs of both the algorithms still remain over 89.43 percent for multiple topologies and the FPRs can be less than 11.10 percent. The performance is a little worse than that in Section 7.2 as there are some scenarios where the wormhole link connected two nodes whose ETXs are close. It verifies that Centralized Algorithm and DAWN can detect the malicious nodes accurately for different scenarios.

7.3 Impact of the Amount of Judge Nodes on DAWN

To investigate the influence of the number of judge nodes on the performance of DAWN, we conduct the following experiments. We vary the node density in the network to change the number of judge nodes around the wormhole attackers. For different scenarios with different judge nodes, we calculate the actual TPR in the network as well as the theoretical lower bound (as described in Section 6.2).

Fig. 12 demonstrates the TPR with different numbers of judge nodes in the unicast networks. Basically, we can see that both the actual TPR and the theoretical lower bound increase when the number of the judge nodes increases from 2 to 7. Even in the scenario where there are only two judge nodes around the wormhole attackers, the TPR can still be over 92.32 percent. Moreover, the actual TPR is always greater than the theoretical lower bound. It verifies the TPR can be sufficiently high if the number of the judge nodes is big enough.

7.4 Evaluation on Collusion Resistance of DAWN

In order to examine the capability of DAWN in resisting collusions among judge nodes, we test our algorithm in the scenarios with different numbers of colluding judge nodes. We perform experiments in the setting where there are seven judge nodes in total. We observe the TPRs with different numbers of colluding nodes.

Fig. 13 shows that the TPR decreases as the number of the colluding judge nodes increases. There is an abrupt reduction of the TPR when the number of colluding nodes changes from 3 to 4. In the cases with 1, 2 and 3 colluding nodes, all the TPRs are over 87.41 percent. It verifies that DAWN has strong resistance against the colluding attacks.

Fig. 10. The ROC diagram of Centralized Algorithm and DAWN based on the deployment of Fig. 9.

Fig. 11. The ROC diagram of Centralized Algorithm and DAWN on networks with various topologies.

Fig. 12. The TPR increases as the number of the judge nodes surrounding the attacker increases.

Fig. 13. The ROC diagram of colluded attacks for different scenarios. The performance reduces as the number of attackers in the judge nodes increases. There were seven judge nodes of the attacker in total.

7.5 Overhead

We investigate the overheads of Centralized Algorithm and DAWN using two metrics: the computation time and communication overhead in percentage.

7.5.1 Computation Cost

We measure the average computation time of the central node in the Centralized Algorithm, as well as the average time cost per node in the network for DAWN. The simulation takes one batch of the data transmission.

For Centralized Algorithm, Fig. 14 shows the average computation time cost of the central node, when we set different node densities of the network (with different numbers of nodes in the 1,000 × 1,000 sized area). The computation time grows linearly with the total number of the nodes, since more nodes can generate more reports for the central node to process. For both unicast and broadcast, the total time cost is several milliseconds, which is tolerable for most RLNC systems.

For DAWN, Fig. 15 shows the average computation time cost per node and per batch with various node densities. We can observe that our algorithm costs more time when there are more nodes in the network and correspondingly more events to monitor and report. Overall it shows the computation time cost of DAWN is tolerable for most RLNC applications, with a few milliseconds at most.

7.5.2 Communication Overhead

For communication overhead, the metric we use is the ratio of the number of the extra packets generated by the wormhole attack defending algorithm to the number of the original total data packets transmitted. Tables 2 and 3 show the communication overheads for Centralized Algorithm and DAWN in unicast and broadcast respectively. It demonstrates that both the communication overheads are tolerable if the node density in the network is not too high.

8 RELATED WORKS

RLNC has extensive applications in the wireless network field as it greatly improves the throughput and utilization of the information capacity [1], [2], such as ExOR [3], COPE [4] and MORE [5]. It is challenging to bring these solutions to reality due to the complexity of implementation or the lack of research on the related security problems. The naive RLNC is vulnerable to several types of attack, such as pollution attack [29], Byzantine attack [30] and wormhole attack [9]. In this paper, we focus on the wormhole attack in RLNC networks.

For traditional networks, researchers offered several solutions to detect and avoid such attacks [8], [9], [10], [12], [13], [14], [15], [31], [32], [33], and [34]. These solutions can be divided into two major groups: utilizing temporal and spatial information, and detecting network topology change based on graph analysis. For example, Hu et al. use packet leashes to detect wormhole attacks [13], by appending in each packet the location information of the senders, and they accordingly detect the physically impossible transmissions. Both [16] and [15] are based on the round-trip travel time of packets to detect wormhole links. Khalil et al. introduced the guard node to help the local node detect the malicious attackers, assuming the network had a static topology [32]. There were two limitations for the methods dependent on time and space: the nodes in the network have to be tightly synchronous and the node location information has to be available [32]. In the second group [6], [8], [10], [14], among others, Wang and Bhargava use visualization methods to detect wormhole links in sensor networks, revealing the intrinsic change of network topological structure under attacks [14]. In [6], Dong et al. detect and locate various wormholes and rely on observing inevitable topology deviations introduced in the network by wormholes. As we mentioned earlier, in wireless network coding systems, the connectivity in the network is described in different ways than in traditional networks. Unfortunately, there are no solutions for wormhole attack detection in wireless network coding systems.

Fig. 14. Centralized Algorithm: the average time cost of the central node in different scenarios.

Fig. 15. DAWN: the average time cost per node in different scenarios.

TABLE 2. The Communication Overhead Statistics for Unicast

| # nodes | Centralized Alg. overhead (%) | DAWN overhead (%) |
|---|---|---|
| 30 | 1.32 | 3.54 |
| 40 | 1.44 | 3.64 |
| 50 | 3.01 | 8.22 |
| 60 | 3.53 | 10.49 |
| 70 | 4.11 | 12.72 |

TABLE 3. The Communication Overhead Statistics for Broadcast

| # nodes | Centralized Alg. overhead (%) | DAWN overhead (%) |
|---|---|---|
| 30 | 1.45 | 4.34 |
| 40 | 1.65 | 3.71 |
| 50 | 3.41 | 9.43 |
| 60 | 3.94 | 12.44 |
| 70 | 4.32 | 15.90 |

9 CONCLUSION

In this paper, we have investigated the negative impacts of wormhole attacks on wireless network coding systems. We have proposed two algorithms that utilize the metric ETX to defend against wormhole attacks. We have proposed a Centralized Algorithm that assigns a central node to collect and analyze the forwarding behaviors of each node in the network, in order to react in time when a wormhole attack is initiated. We have proven the correctness of the Centralized Algorithm by deriving a lower bound of the deviation in the algorithm. We have also proposed a Distributed detection Algorithm against Wormhole in wireless Network coding systems, DAWN. DAWN is totally distributed for the nodes in the network, eliminating the limitation of tightly synchronized clocks. DAWN is efficient and thus it is suitable for wireless sensor networks. For both centralized and distributed algorithms, we have utilized digital signatures to ensure every report is undeniable and cannot be forged by any attackers. The simulations have shown that the proposed algorithms can detect the malicious nodes participating in a wormhole attack with a high success rate and that the algorithms are efficient in terms of computation and communication overhead.

ACKNOWLEDGMENTS

Some results in this paper will be in the proceedings of IEEE INFOCOM 2014. Sheng Zhong was supported in part by RPGE, NSFC-61321491, and NSFC-61300235. Part of the work was done while supported in part by US NSF-0845149.

REFERENCES

[1] S. Li, R. Yeung, and N. Cai, “Linear network coding,” IEEE Trans. Inf. Theory, vol. 49, no. 2, pp. 371–381, Feb. 2003.

[2] T. Ho, M. Medard, R. Koetter, D. R. Karger, M. Effros, J. Shi, and B. Leong, “A random linear network coding approach to multicast,” IEEE Trans. Inf. Theory, vol. 52, no. 10, pp. 4413–4430, Oct. 2006.

[3] S. Biswas and R. Morris, “Opportunistic routing in multihop wireless networks,” ACM SIGCOMM Comput. Commun. Rev., vol. 34, pp. 69–74, Sep. 2004.

[4] S. Katti, H. Rahul, W. Hu, D. Katabi, M. Medard, and J. Crowcroft, “XORs in the air: Practical wireless network coding,” in Proc. Conf. Appl., Technol., Archit. Protocols Comput. Commun., 2006, pp. 243–254.

[5] S. Chachulski, M. Jennings, S. Katti, and D. Katabi, “Trading structure for randomness in wireless opportunistic routing,” in Proc. Conf. Appl., Technol., Archit. Protocols Comput. Commun., Aug. 2007, pp. 169–180.

[6] D. Dong, Y. Liu, X. Li, and X. Liao, “Topological detection on wormholes in wireless ad hoc and sensor networks,” IEEE Trans. Netw., vol. 19, no. 6, pp. 1787–1796, Dec. 2011.

[7] J. Kim, D. Sterne, R. Hardy, R. K. Thomas, and L. Tong, “Timing-based localization of in-band wormhole tunnels in MANETs,” in Proc. 3rd ACM Conf. Wireless Netw. Security, 2010, pp. 1–12.

[8] S. R. D. R. Maheshwari, J. Gao, “Detecting wormhole attacks in wireless networks using connectivity information,” in Proc. IEEE 26th Int. Conf. Commun., 2007, pp. 107–115.

[9] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Wormhole attacks in wireless networks,” IEEE J. Sel. Areas Commun., vol. 24, no. 2, pp. 370–380, Feb. 2006.

[10] R. Poovendran and L. Lazos, “A graph theoretic framework for preventing the wormhole attack in wireless ad hoc networks,” Wireless Netw., vol. 13, no. 1, pp. 27–59, 2007.

[11] A. J. Newell, R. Curtmola, and C. Nita-Rotaru, “Entropy attacks and countermeasures in wireless network coding,” in Proc. 5th ACM Conf. Security Privacy Wireless Mobile Netw., 2012, pp. 185–196.

[12] W. Wang, B. Bhargava, Y. Lu, and X. Wu, “Defending against wormhole attacks in mobile ad hoc networks: Research articles,” Wireless Commun. Mobile Comput., vol. 6, no. 4, pp. 483–503, Jun. 2006.

[13] Y.-C. Hu, A. Perrig, and D. B. Johnson, “Packet leashes: A defense against wormhole attacks in wireless networks,” in Proc. IEEE 23rd Annu. Joint Conf. IEEE Comput. Commun., Mar. 2003, pp. 1976–1986.

[14] W. Wang and B. Bhargava, “Visualization of wormholes in sensor networks,” in Proc. 3rd ACM Workshop Wireless Security, Oct. 2004, pp. 51–60.

[15] J. Eriksson, S. Krishnamurthy, and M. Faloutsos, “Truelink: A practical countermeasure to the wormhole attack in wireless networks,” in Proc. IEEE Int. Conf. Netw. Protocols, 2006, pp. 75–84.

[16] S. Čapkun, L. Buttyán, and J.-P. Hubaux, “Sector: Secure tracking of node encounters in multi-hop wireless networks,” in Proc. 1st ACM Workshop Security Ad Hoc Sensor Netw., 2003, pp. 21–32.

[17] D. S. J. D. Couto, D. Aguayo, J. Bicket, and R. Morris, “A high-throughput path metric for multi-hop wireless routing,” Wireless Netw., vol. 11, no. 4, pp. 419–434, 2005.

[18] A. G. Dimakis, P. B. Godfrey, Y. Wu, M. J. Wainwright, and K. Ramchandran, “Network coding for distributed storage systems,” IEEE Trans. Inf. Theory, vol. 56, no. 9, pp. 4539–4551, Sep. 2010.

[19] A. S. Avestimehr, S. N. Diggavi, and D. N. Tse, “Wireless network information flow: A deterministic approach,” IEEE Trans. Inf. Theory, vol. 57, no. 4, pp. 1872–1905, Apr. 2011.

[20] B. Nazer and M. Gastpar, “Compute-and-forward: Harnessing interference through structured codes,” IEEE Trans. Inf. Theory, vol. 57, no. 10, pp. 6463–6486, Oct. 2011.

[21] P. Santi, “Topology control in wireless ad hoc and sensor networks,” ACM Comput. Surv., vol. 37, no. 2, pp. 164–194, 2005.

[22] F. Wu, T. Chen, S. Zhong, L. E. Li, and Y. R. Yang, “Incentive-compatible opportunistic routing for wireless networks,” in Proc. 14th ACM Int. Conf. Mobile Comput. Netw., 2008, pp. 303–314.

[23] S. Lloyd, “Least squares quantization in PCM,” IEEE Trans. Inf. Theory, vol. IT-28, no. 2, pp. 129–137, Mar. 1982.

[24] C. Cortes and V. Vapnik, “Support vector machine,” Mach. Learn., vol. 20, no. 3, pp. 273–297, 1995.

[25] W. Hoeffding, “Probability inequalities for sums of bounded random variables,” J. Amer. Statist. Assoc., vol. 58, no. 301, pp. 13–30, 1963.

[26] Beecrypt [Online]. Available: http://sourceforge.net/projects/beecrypt/

[27] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Commun. ACM, vol. 21, no. 2, pp. 120–126, 1978.

[28] R. Rivest, “The md5 message-digest algorithm,” RFC 1321, 1992.

[29] J. Dong, R. Curtmola, and C. Nita-Rotaru, “Practical defenses against pollution attacks in intra-flow network coding for wireless mesh networks,” in Proc. ACM Conf. Security Privacy Wireless Mobile Netw., Mar. 2009, pp. 111–122.

[30] T. Ho, B. Leong, R. Koetter, M. Medard, M. Effros, and D. Karger, “Byzantine modification detection in multicast networks using randomized network coding,” in Proc. IEEE Int. Symp. Inf. Theory, Jan. 2004, p. 143.

[31] Z. Li, D. Pu, W. Wang, and A. Wyglinski, “Forced collision: Detecting wormhole attacks with physical layer network coding,” Tsinghua Sci. Technol., vol. 16, no. 5, pp. 505–519, 2011.

[32] I. Khalil, S. Bagchi, and N. B. Shroff, “Liteworp: A lightweight countermeasure for the wormhole attack in multihop wireless networks,” in Proc. Int. Conf. Dependable Syst. Netw., Jul. 2005, pp. 612–621.

[33] L. Qian, N. Song, and X. Li, “Detection of wormhole attacks in multi-path routed wireless ad hoc network: A statistical analysis approach,” J. Netw. Comput. Appl., vol. 30, no. 1, 2007.

[34] L. Buttyan, L. Dora, and I. Vajda, “Statistical wormhole detection in sensor networks,” in Proc. Eur. Workshop Security Privacy Ad-Hoc Sensor Netw., Jul. 2005, pp. 128–141.


Shiyu Ji is a graduate student in the Computer Science Department at Oklahoma State University. He received the BE degree in 2012 from Harbin Institute of Technology in computer science. He is interested in crowdsourcing, incentives, security, and privacy.

Tingting Chen received the BS and MS degrees in computer science from the Department of Computer Science and Technology, Harbin Institute of Technology, China, in 2004 and 2006, respectively, and the PhD degree from the Computer Science and Engineering Department, State University of New York at Buffalo, in 2011. She is an assistant professor with the Computer Science Department at Oklahoma State University. Her research interests include data privacy and economic incentives in wireless networks.

Sheng Zhong received the BS and MS degrees in 1996 and 1999, respectively, from Nanjing University, and the PhD degree in 2004 from Yale University, all in computer science. He is interested in incentives, security, and privacy issues.
