Detecting Wormhole Detecting Wormhole Attacks in Attacks in Wireless Networks Wireless Networks Using Connectivity Using Connectivity Information Information 97598039 97598039 梁梁梁 梁梁梁 97598050 97598050 梁梁梁 梁梁梁 NETLab NETLab
Detecting Detecting Wormhole Attacks Wormhole Attacks
in Wireless in Wireless Networks Using Networks Using
Connectivity Connectivity InformationInformation97598039 97598039 梁紀翔 梁紀翔 97598050 97598050 王謙志王謙志
NETLabNETLab
OutlineOutline
Wormhole Attack ?Wormhole Attack ? Some detecting methods and Some detecting methods and
limitationslimitations Using Bound distance or TimeUsing Bound distance or Time Using Graph theory and GeometricUsing Graph theory and Geometric
Using Connectivity InformationUsing Connectivity Information Unit Disk Graph modelUnit Disk Graph model Other modelsOther models Wormhole removalWormhole removal
Simulation result & ConclusionSimulation result & Conclusion
What is Wormhole ?What is Wormhole ?
http://commons.wikimedia.org/wiki/File:Worm3.jpghttp://commons.wikimedia.org/wiki/File:Worm3.jpg
Shortcut through Shortcut through spacespace and and timetime
Wormhole AttackWormhole Attack
http://http://www.wings.cs.sunysb.edu/~ritesh/wormhole.htmlwww.wings.cs.sunysb.edu/~ritesh/wormhole.html
ThreatsThreats
Dropping or modifying packetsDropping or modifying packets Generating unnecessary routing Generating unnecessary routing
activities by turning off the activities by turning off the wormhole link periodicallywormhole link periodically
Record traffic for later analysisRecord traffic for later analysis Break protocol relies on geographic Break protocol relies on geographic
proximityproximity
Bound distance or TimeBound distance or Time
Use node location info. to bound the Use node location info. to bound the distance a packet can traversedistance a packet can traverse But… hard to determine “legal” But… hard to determine “legal”
distancedistance Use global clock to bound Use global clock to bound
propagation timepropagation time Useless against physical layer attacksUseless against physical layer attacks
Besides… they all need additional Besides… they all need additional hardwarehardware
Graph theory and Graph theory and GeometricGeometric
Use combination of one-time authentiUse combination of one-time authenticated neighbor discovery and Guard ncated neighbor discovery and Guard nodes to attest the source of transmissioodes to attest the source of transmissionn What if attack begin before discovery ?What if attack begin before discovery ?
Special Guard nodes knows their “corSpecial Guard nodes knows their “correct” location and with higher RF porect” location and with higher RF power and different RF characterticswer and different RF charactertics ImpracticalImpractical
Graph theory and Graph theory and Geometric cont.Geometric cont.
Use Directional antennasUse Directional antennas Need a cooperative protocol share Need a cooperative protocol share
directional info. between nodes to detect directional info. between nodes to detect wormholewormhole
Use neighbor distance estimation and Use neighbor distance estimation and Multi-dimensional scaling to draw a Multi-dimensional scaling to draw a “network layout”“network layout” The layout should be “flat”The layout should be “flat” Centralized computationCentralized computation
Physical layer authentication in packet Physical layer authentication in packet modulation/demodulationmodulation/demodulation Special RF hardwareSpecial RF hardware
LimitationsLimitations
Additional hardware is not affordable Additional hardware is not affordable on large scale sensor networks, such ason large scale sensor networks, such as Directional antennasDirectional antennas GPSGPS UltrasoundUltrasound Guard nodes with correct locationGuard nodes with correct location Global clock synchronization or Global clock synchronization or
computationcomputation Localized algorithm is the solutionLocalized algorithm is the solution
Use info. collected by upper layerUse info. collected by upper layer
Algorithm conceptAlgorithm concept
Looks for Looks for forbidden substructureforbidden substructure that should not present in a legal that should not present in a legal connectivity graphconnectivity graph
Unit Disk Graph modelUnit Disk Graph model
Idealized model for multi-hop wireless netwIdealized model for multi-hop wireless networkork Node modeled as a disk with unit radiusNode modeled as a disk with unit radius Unit radius is the communication range with oUnit radius is the communication range with o
mni-directional antennamni-directional antenna Each node is a neighbor of all nodes within its diEach node is a neighbor of all nodes within its di
sksk
www.it.uu.se/research/group/mobility/adhocwww.it.uu.se/research/group/mobility/adhoc
HardnessHardness
NP-Hard to detect wormhole in UDGNP-Hard to detect wormhole in UDG Equivalence of finding UDG embedded in 2D Equivalence of finding UDG embedded in 2D
graphgraph Proven NP-Hard problem Proven NP-Hard problem
The algorithm looks for structures that The algorithm looks for structures that do notdo not allow UDG embedding allow UDG embedding
Due to hardness, 100% wormhole Due to hardness, 100% wormhole detection will not guaranteeddetection will not guaranteed
But provides sufficiently high detection But provides sufficiently high detection raterate
Disk packingDisk packing
In a fix region, one can not pack too mIn a fix region, one can not pack too many nodes without having edges in betany nodes without having edges in betweenween
Packing numberPacking number -- Maximum number of points inside region Maximum number of points inside region
SS such that every pair of points is strictly such that every pair of points is strictly more then distance more then distance rr away from each othe away from each otherr
rSp ,
Disk packing cont.Disk packing cont.
-- A unit disk A unit disk DD of radius of radius RR center centered at ed at uu
LuneLune --
Intersection of 2 disks of radius Intersection of 2 disks of radius RR centered centered at at uu, , vv, with distance , with distance rr away away
uDR
5, RuDp R
vDuDRrL RR ,
Disk packing cont.Disk packing cont.
Lemma 1Lemma 1 When When RR = = rr = = 11
Lemma 2Lemma 2 forfor
21, Lp
123 pw
42
4
2arccos
2
18,,
22
2
2r
Rr
R
rRRrLp
Rr 2
Forbidden substructureForbidden substructure
aa and and bb (non-neighbors) have three (non-neighbors) have three common independent neighbor common independent neighbor cc, , dd, , ee
By Lemma 1, this By Lemma 1, this can notcan not happen happen If only If only cc, , dd in region B. It will in region B. It will failfail
Forbidden substructure Forbidden substructure cont.cont.
For low density caseFor low density case Look among Look among kk-hop neighbors-hop neighbors Find common independent Find common independent kk-hop neig-hop neig
hbors of two non-neighbor nodeshbors of two non-neighbor nodes Forbidden substructures used in algoriForbidden substructures used in algori
thmthm 3 independent common 3 independent common 11-hop neighbors-hop neighbors independent common independent common kk-hop neighbors-hop neighbors -- Forbidden parameterForbidden parameter
kf
kf
kf
Forbidden substructure Forbidden substructure cont.cont.
must be more than the packing nummust be more than the packing number for unit distance inside the lune of ber for unit distance inside the lune of two disks of radii two disks of radii kk placed at distance placed at distance 11 RadiusRadius k k for modeling for modeling kk-hop neighborhoo-hop neighborhoo
dd 11 for modeling the lower bound of distanc for modeling the lower bound of distanc
e between non-neighborse between non-neighbors
kf
11,,1 kLpfk
Forbidden substructure Forbidden substructure cont.cont.
If a network has forbidden If a network has forbidden substructuresubstructure There There mustmust be a wormhole be a wormhole
For a given node density with For a given node density with wormhole presentwormhole present Higher Higher kk, higher detection possibility, higher detection possibility Larger neighborhood provide more Larger neighborhood provide more
nodes to work withnodes to work with
AlgorithmAlgorithm
1.1. Find the forbidden parameterFind the forbidden parameter
2.2. Each node Each node uu determines its determines its 2k2k-hop -hop neighbor list , execute neighbor list , execute following steps for each non-following steps for each non-neighboring node neighboring node vv in in
uN k2
uN k2
Algorithm cont.Algorithm cont.
3.3. uu determines the set of common determines the set of common kk-hop -hop neighbors with neighbors with vv from their from their kk-hop neighbor -hop neighbor listlist
can be obtained by simply exchanging listscan be obtained by simply exchanging lists
4.4. uu determines the maximal independent set determines the maximal independent set of of
Find maximum independent set is NP-HardFind maximum independent set is NP-Hard Use greedy algorithmUse greedy algorithm
vNuNvuC kkk ,
vNk
vuCk ,
Algorithm cont.Algorithm cont.
5.5. If the maximal independent set size is If the maximal independent set size is equal or larger than , equal or larger than , uu declares the declares the presence of a wormholepresence of a wormhole
For most case, For most case, kk = 1 is sufficient, with = 1 is sufficient, with to check non-neighbor nodes in 2-to check non-neighbor nodes in 2-
hop neighborhoodhop neighborhood to find maximal independent setto find maximal independent set dd is the average degree of nodes is the average degree of nodes
kk = 2 for fairly low density cases = 2 for fairly low density cases
kf
2d
d
3d
Node distributionNode distribution
is theoretical worst caseis theoretical worst case With known distribution, can be With known distribution, can be
much smallermuch smaller Smaller , higher detection rateSmaller , higher detection rate
But… too small will have false positivesBut… too small will have false positives
Unless node density is very highUnless node density is very high It’s unlikely to find that many common It’s unlikely to find that many common
independent 2-hop neighborsindependent 2-hop neighbors
1kf
kf
kf
191181,2,12 Lpf
Communication modelsCommunication models
UDG is overly simplifiedUDG is overly simplified Packet reception range is not prefect Packet reception range is not prefect
diskdisk For other communication modelsFor other communication models
Same algorithm appliedSame algorithm applied But finding by Mathematical or But finding by Mathematical or
Geometrical waysGeometrical ways
kf
Known modelsKnown models
Quasi-UDGQuasi-UDG Distance within Distance within αα≦≦11 -- linklink Distance larger than 1Distance larger than 1 -- no linkno link
Run simulation with target distributioRun simulation with target distribution to obtain connectivity graphn to obtain connectivity graph
Then estimate forbidden parameterThen estimate forbidden parameter
1,, kLpfk
Known models cont.Known models cont.
For any pair of non-neighboring nodesFor any pair of non-neighboring nodes Find the maximal independent set among Find the maximal independent set among
their common their common kk-hop neighbors-hop neighbors Take the maximum asTake the maximum as Used in simulation result to obtain tight Used in simulation result to obtain tight
boundbound If model is probabilisticIf model is probabilistic
is also probabilisticis also probabilistic Notice that false positives still possibleNotice that false positives still possible
1kf
1kf
Unknown modelUnknown model
Parametric search for unknownParametric search for unknown Use large initial value to run the Use large initial value to run the
algorithmalgorithm If no detection, half the value, re runIf no detection, half the value, re run Until vary small fraction of nodes report Until vary small fraction of nodes report
wormholewormhole Or minimum number of tolerable false Or minimum number of tolerable false
positivespositives Run this search in safe part of Run this search in safe part of
networknetwork
kf
Unknown model cont.Unknown model cont.
If there is no safe placeIf there is no safe place Assume a “threat level”Assume a “threat level”
Guidance for what fraction of nodes Guidance for what fraction of nodes must report wormholemust report wormhole
So will not reduced any furtherSo will not reduced any furtherkf
Wormhole removalWormhole removal
Manually isolate links effectedManually isolate links effected Process for 1-hop, UDGProcess for 1-hop, UDG
Corrupted nodes verify its neighbor list Corrupted nodes verify its neighbor list with uncorrupted nodeswith uncorrupted nodes
Ignore transmission from suspicious Ignore transmission from suspicious nodesnodes
Simulation environmentSimulation environment
ModelsModels UDGUDG Quasi-UDGQuasi-UDG Model used in TOSSIM simulatorModel used in TOSSIM simulator
DistributionsDistributions Perturbed grid (a planed sensor Perturbed grid (a planed sensor
deployment)deployment) RandomRandom
144 nodes, single wormhole, 144 nodes, single wormhole, kk ≤ 2, ≤ 2, repeat 10,000 timesrepeat 10,000 times
Quasi-UDGQuasi-UDG
Transmission radiusTransmission radius -- RR Quasi-UDG factorQuasi-UDG factor -- 0 ≤0 ≤αα ≤ 1≤ 1 LinkLink -- distance distance dd within withinααRR No linkNo link -- dd > > RR dd in [ in [αα RR, , RR] ] -- link with probabilitylink with probability UseUseαα= 0.75 in simulation= 0.75 in simulation
TOSSIM modelTOSSIM model -- link probabilitylink probability -- bit error probabilitybit error probability
RR
d
bP1
bP
DistributionsDistributions
Perturbed 12×12 gridPerturbed 12×12 grid [[x-pxx-px, , x+pxx+px], [], [y-pyy-py, , y+pyy+py]] Perturbation parameterPerturbation parameter -- 0.0 0.0 ≤ ≤ pp ≤ 0.5 ≤ 0.5
Randomly chosen Randomly chosen xx, , yy coordinates coordinates Node densityNode density
Change Change RR for (Quasi-)UDG for (Quasi-)UDG Change geographic area for TOSSIMChange geographic area for TOSSIM
ExperimentsExperiments
Create topologyCreate topology Check connectivityCheck connectivity
Disconnected if any two node do not Disconnected if any two node do not have routehave route
Run algorithm to see false positiveRun algorithm to see false positive Apply wormhole, run algorithm to Apply wormhole, run algorithm to
detectdetect
ResultsResults
Perturbed grid Perturbed grid pp = 0.2 = 0.2
UDG
Quasi-UDG
TOSSIM
RandomRandom
TOSSIM
UDG
Quasi-UDG
100% detecting and no false alarms 100% detecting and no false alarms when network is connectedwhen network is connected
90% detection when 50% chance 90% detection when 50% chance disconnecteddisconnected
Detection drop for low density cases, Detection drop for low density cases, but network disconnected also but network disconnected also increaseincrease
Detection performance get worse as Detection performance get worse as the randomnessthe randomness Estimation of is more accurate if Estimation of is more accurate if
less randomnessless randomness
kf
11-hop dose not perform well in non--hop dose not perform well in non-UDG casesUDG cases
Quasi-UDG, random distributionQuasi-UDG, random distribution 1-hop detection rate when 1-hop detection rate when
increaseincrease1f
Parametric search forParametric search for kk = = 11, quasi-UDG, Perturbed grid with , quasi-UDG, Perturbed grid with pp
= = 0.20.2, average degree = , average degree = 66 Suitable can be estimated by Suitable can be estimated by
observing false positive probabilityobserving false positive probability Detection show first before false Detection show first before false
positivepositive Critical value of is Critical value of is 44
kf
1f
1f
ConclusionConclusion
ProsPros Simple and localizedSimple and localized Universal to node distribution and Universal to node distribution and
communication modelcommunication model ConsCons
Not suitable for frequent connectivity Not suitable for frequent connectivity change (VANET, MANET)change (VANET, MANET)
Can not detect short wormhole linkCan not detect short wormhole link
ReferencesReferences
R. Maheshwari, J. Gao and S. R. Das,“DetecR. Maheshwari, J. Gao and S. R. Das,“Detecting Wormhole Attacks in Wireless Networkting Wormhole Attacks in Wireless Networks Using Connectivity Information,” in s Using Connectivity Information,” in INFOINFOCOM 2007. 26th IEEE International ConferenCOM 2007. 26th IEEE International Conference on Computer Communications. IEEEce on Computer Communications. IEEE , 20 , 2007, pp. 107-11507, pp. 107-115
Wikipedia Wikipedia ((http://http://en.wikipedia.orgen.wikipedia.org//))
Wormhole Attack Detection in Wireless NetWormhole Attack Detection in Wireless Network work ((http://http://www.wings.cs.sunysb.edu/~ritesh/wormhole.htmlwww.wings.cs.sunysb.edu/~ritesh/wormhole.html))
Any Any Questions ?Questions ?
and Thanks !!and Thanks !!