
Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information 97598039 梁紀翔 97598050 王謙志 NETLab.

Dec 19, 2015

Page 1: Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information

97598039 梁紀翔, 97598050 王謙志
NETLab

Page 2: Outline

Wormhole attack?
Some detection methods and their limitations: using bounded distance or time; using graph theory and geometry
Using connectivity information: unit disk graph model; other models; wormhole removal
Simulation results and conclusion

Page 3: What is a wormhole?

(Image: http://commons.wikimedia.org/wiki/File:Worm3.jpg)
A shortcut through space and time.

Page 4: Wormhole attack

(Figure: http://www.wings.cs.sunysb.edu/~ritesh/wormhole.html)

Page 5: Threats

Dropping or modifying packets
Generating unnecessary routing activity by turning the wormhole link off periodically
Recording traffic for later analysis
Breaking protocols that rely on geographic proximity

Page 6: Bounded distance or time

Use node location information to bound the distance a packet can traverse. But it is hard to determine a "legal" distance.
Use a global clock to bound propagation time. Useless against physical-layer attacks.
Besides, they all need additional hardware.

Page 7: Graph theory and geometry

Use a combination of one-time authenticated neighbor discovery and guard nodes to attest the source of a transmission. What if the attack begins before discovery?
Special guard nodes know their "correct" location and have higher RF power and different RF characteristics. Impractical.

Page 8: Graph theory and geometry cont.

Use directional antennas. Needs a cooperative protocol that shares directional information between nodes to detect the wormhole.
Use neighbor distance estimation and multi-dimensional scaling to draw a "network layout"; the layout should be "flat". Centralized computation.
Physical-layer authentication in packet modulation/demodulation. Special RF hardware.

Page 9: Limitations

Additional hardware is not affordable in large-scale sensor networks, such as directional antennas, GPS, ultrasound, guard nodes with a correct location, global clock synchronization or centralized computation.
A localized algorithm is the solution: use information collected by the upper layer.

Page 10: Algorithm concept

Look for a forbidden substructure that should not be present in a legal connectivity graph.

Page 11: Unit disk graph model

Idealized model for multi-hop wireless networks.
A node is modeled as a disk with unit radius; the unit radius is the communication range with an omni-directional antenna.
Each node is a neighbor of all nodes within its disk.
(Figure: www.it.uu.se/research/group/mobility/adhoc)

Page 12: Hardness

Detecting a wormhole in a UDG is NP-hard: it is equivalent to finding a UDG embedding of a graph in 2D, a proven NP-hard problem.
The algorithm looks for structures that do not allow a UDG embedding.
Because of the hardness, 100% wormhole detection is not guaranteed, but the method provides a sufficiently high detection rate.

Page 13: Disk packing

In a fixed region one cannot pack too many nodes without having edges between them.
Packing number $p(S, r)$: the maximum number of points inside region $S$ such that every pair of points is strictly more than distance $r$ away from each other.

Page 14: Disk packing cont.

$D_R(u)$: a disk of radius $R$ centered at $u$; $p(D_R(u), R) = 5$.
Lune $L(R, r) = D_R(u) \cap D_R(v)$: the intersection of two disks of radius $R$ centered at $u$ and $v$, with $u$ and $v$ at distance $r$ from each other.

Page 15: Disk packing cont.

Lemma 1: when $R = r = 1$, $p(L(1, 1), 1) = 2$.
Lemma 2: for general $R$ and $r$ (the two disks must overlap, so $r < 2R$), $p(L(R, r), r)$ is bounded above by an expression in $R$ and $r$; the instance used later is $p(L(2, 1), 1) \le 18$.

Page 16: Forbidden substructure

$a$ and $b$ (non-neighbors) have three common independent neighbors $c$, $d$, $e$.
By Lemma 1, this cannot happen in a UDG.
If only $c$ and $d$ lie in the lune (region B in the figure), the check fails: two independent common neighbors are allowed.

Page 17: Forbidden substructure cont.

For the low-density case: look among $k$-hop neighbors, and find common independent $k$-hop neighbors of two non-neighbor nodes.
Forbidden substructures used in the algorithm: 3 independent common 1-hop neighbors; $f_k$ independent common $k$-hop neighbors.
$f_k$ is the forbidden parameter.

Page 18: Forbidden substructure cont.

$f_k$ must be more than the packing number for unit distance inside the lune of two disks of radius $k$ placed at distance 1:
$f_k = p(L(k, 1), 1) + 1$
Radius $k$ models the $k$-hop neighborhood; distance 1 models the lower bound on the distance between non-neighbors.

Page 19: Forbidden substructure cont.

If a network contains the forbidden substructure, there must be a wormhole.
For a given node density with a wormhole present: the higher $k$, the higher the detection probability, because a larger neighborhood provides more nodes to work with.

Page 20: Algorithm

1. Find the forbidden parameter $f_k$.
2. Each node $u$ determines its $2k$-hop neighbor list $N_{2k}(u)$ and executes the following steps for each non-neighboring node $v$ in $N_{2k}(u)$.

Page 21: Algorithm cont.

3. $u$ determines the set of common $k$-hop neighbors with $v$ from their $k$-hop neighbor lists: $C_k(u, v) = N_k(u) \cap N_k(v)$. $N_k(v)$ can be obtained by simply exchanging lists.
4. $u$ determines a maximal independent set of $C_k(u, v)$. Finding a maximum independent set is NP-hard, so a greedy algorithm is used.

Page 22: Algorithm cont.

5. If the size of the maximal independent set is equal to or larger than $f_k$, $u$ declares the presence of a wormhole.
For most cases $k = 1$ is sufficient, with $f_1 = 3$: $O(d^2)$ to check the non-neighbor nodes in the 2-hop neighborhood and $O(d^3)$ to find the maximal independent sets, where $d$ is the average node degree.
$k = 2$ for fairly low-density cases.
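The five-step check above, as an added Python example that is not part of the slides or of the paper: it builds the UDG connectivity graph of a constructed, lightly perturbed 6×6 grid, injects a wormhole whose two endpoints tunnel traffic between two regions of the grid, and runs the $k = 1$ detector with $f_1 = 3$ on both the clean and the attacked graph. The node numbering, positions, radio range, endpoint coordinates and the minimum-degree greedy used for the maximal independent set are assumptions of this example.

```python
import math
from itertools import combinations
# Constructed sample deployment (not from the paper): 6x6 grid, unit spacing,
# tiny deterministic perturbation, radio range R = 1.6 (king's-move adjacency).
GRID, R = 6, 1.6

def make_positions():
    pos = {}
    for i in range(GRID):
        for j in range(GRID):
            dx = 0.025 * (((i * 7 + j * 3) % 5) - 2)   # |dx| <= 0.05
            dy = 0.025 * (((i * 3 + j * 5) % 5) - 2)
            pos[i * GRID + j] = (i + dx, j + dy)
    return pos

def unit_disk_graph(pos, r=R):
    # UDG connectivity: u and v are neighbours iff |uv| <= r
    adj = {u: set() for u in pos}
    for u, v in combinations(pos, 2):
        if math.dist(pos[u], pos[v]) <= r:
            adj[u].add(v); adj[v].add(u)
    return adj

def add_wormhole(adj, pos, end_a, end_b, r=R):
    # Tunnel: every node within r of endpoint A hears every node within r of B
    side_a = {u for u in pos if math.dist(pos[u], end_a) <= r}
    side_b = {u for u in pos if math.dist(pos[u], end_b) <= r}
    for u in side_a:
        for v in side_b - {u}:
            adj[u].add(v); adj[v].add(u)
    return side_a, side_b

def k_hop(adj, u, k):
    # N_k(u): nodes reachable within k hops, excluding u itself
    seen, frontier = {u}, {u}
    for _ in range(k):
        frontier = {w for x in frontier for w in adj[x]} - seen
        seen |= frontier
    return seen - {u}

def greedy_mis(adj, nodes):
    # Maximal independent set by minimum-degree greedy (maximum is NP-hard)
    cand, chosen = set(nodes), []
    while cand:
        x = min(cand, key=lambda n: (len(adj[n] & cand), n))
        chosen.append(x)
        cand -= adj[x] | {x}
    return chosen

def detect(adj, k, f_k):
    # Steps 2-5: u checks each non-neighbour v in N_2k(u); if C_k(u, v) =
    # N_k(u) & N_k(v) holds >= f_k independent nodes, u reports a wormhole.
    reporters = set()
    for u in adj:
        n_k_u = k_hop(adj, u, k)
        for v in k_hop(adj, u, 2 * k):
            if v in adj[u]:
                continue
            if len(greedy_mis(adj, n_k_u & k_hop(adj, v, k))) >= f_k:
                reporters.add(u)
                break
    return reporters

def run_demo(k=1, f_k=3):
    # f_1 = p(L(1, 1), 1) + 1 = 3 is the UDG forbidden parameter for k = 1
    pos = make_positions()
    false_alarms = detect(unit_disk_graph(pos), k, f_k)
    attacked = unit_disk_graph(pos)
    side_a, side_b = add_wormhole(attacked, pos, (1.0, 1.0), (4.0, 4.0))
    return false_alarms, detect(attacked, k, f_k), side_a, side_b
```

On the clean graph no node reports, as Lemma 1 predicts, while with the tunnel in place nodes on both sides of it (for example node 0 and node 35) and nodes just outside the endpoint regions (such as node 19) find three independent common neighbours and report the wormhole.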

Page 23: Node distribution

$f_k = p(L(k, 1), 1) + 1$ is the theoretical worst case. With a known distribution, $f_k$ can be much smaller.
A smaller $f_k$ gives a higher detection rate, but too small an $f_k$ produces false positives.
Unless the node density is very high, it is unlikely to find that many common independent 2-hop neighbors: $f_2 = p(L(2, 1), 1) + 1 \le 18 + 1 = 19$.

Page 24: Communication models

UDG is overly simplified: the packet reception range is not a perfect disk.
For other communication models the same algorithm applies, but $f_k$ is found by mathematical or geometrical means.

Page 25: Known models

Quasi-UDG: distance within $\alpha \le 1$ means a link; distance larger than 1 means no link.
Run a simulation with the target distribution to obtain a connectivity graph, then estimate the forbidden parameter $f_k$ from it instead of using the UDG bound $p(L(k, 1), 1) + 1$.

Page 26: Known models cont.

For any pair of non-neighboring nodes, find the maximal independent set among their common $k$-hop neighbors; take the maximum over all pairs as $f_k - 1$.
Used in the simulation results to obtain a tight bound.
If the model is probabilistic, $f_k - 1$ is also probabilistic. Notice that false positives are still possible.

Page 27: Unknown model

Parametric search for an unknown $f_k$: run the algorithm with a large initial value; if there is no detection, halve the value and rerun, until a very small fraction of nodes report a wormhole, or the minimum number of tolerable false positives is reached.
Run this search in a safe part of the network.

Page 28: Unknown model cont.

If there is no safe place, assume a "threat level": guidance for what fraction of nodes must report a wormhole, so that $f_k$ is not reduced any further.

Page 29: Wormhole removal

Manually isolate the affected links.
Process for 1-hop, UDG: corrupted nodes verify their neighbor lists with uncorrupted nodes, and ignore transmissions from suspicious nodes.

Page 30: Simulation environment

Models: UDG; quasi-UDG; the model used in the TOSSIM simulator.
Distributions: perturbed grid (a planned sensor deployment); random.
144 nodes, a single wormhole, $k \le 2$, repeated 10,000 times.

Page 31: Quasi-UDG

Transmission radius $R$; quasi-UDG factor $\alpha$, $0 \le \alpha \le 1$.
Link: distance $d \le \alpha R$. No link: $d > R$. For $d$ in $[\alpha R, R]$: a link exists with a probability that depends on $d$ and $R$.
$\alpha = 0.75$ is used in the simulation.
TOSSIM model: the link probability is derived from $1 - P_b$, where $P_b$ is the bit error probability.

Page 32: Distributions

Perturbed 12×12 grid: each node is displaced from its grid point $(x, y)$ to a position in $[x - px, x + px] \times [y - py, y + py]$; perturbation parameter $0.0 \le p \le 0.5$.
Random: randomly chosen $x$, $y$ coordinates.
Node density: change $R$ for (quasi-)UDG; change the geographic area for TOSSIM.

Page 33: Experiments

Create the topology.
Check connectivity: the network is disconnected if any two nodes have no route between them.
Run the algorithm to measure false positives.
Apply a wormhole and run the algorithm to detect it.

Page 34: Results

Perturbed grid, $p = 0.2$ (plots: UDG, Quasi-UDG, TOSSIM)

Page 35: Results cont.

Random distribution (plots: TOSSIM, UDG, Quasi-UDG)

Page 36: Results cont.

100% detection and no false alarms when the network is connected.
90% detection when there is a 50% chance of disconnection.
Detection drops for low-density cases, but network disconnection also increases.
Detection performance gets worse as randomness increases; the estimate of $f_k$ is more accurate with less randomness.

Page 37: Results cont.

1-hop does not perform well in non-UDG cases.
Quasi-UDG, random distribution: 1-hop detection rate as $f_1$ increases.

Page 38: Parametric search

Parametric search for $k = 1$, quasi-UDG, perturbed grid with $p = 0.2$, average degree 6.
A suitable $f_k$ can be estimated by observing the false positive probability: detections show up first, before false positives.
The critical value of $f_1$ is 4.

Page 39: Conclusion

Pros: simple and localized; universal with respect to node distribution and communication model.
Cons: not suitable for frequent connectivity changes (VANET, MANET); cannot detect short wormhole links.

Page 40: References

R. Maheshwari, J. Gao and S. R. Das, "Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information," in INFOCOM 2007. 26th IEEE International Conference on Computer Communications, IEEE, 2007, pp. 107-115.
Wikipedia (http://en.wikipedia.org/)
Wormhole Attack Detection in Wireless Network (http://www.wings.cs.sunysb.edu/~ritesh/wormhole.html)

Page 41: Any questions?

And thanks!!