Distributed wormhole attack detection in wireless sensor networks

8/14/2019 Distributed wormhole attack detection in wireless sensor networks

1/21

Distributed Wormhole Attack Detection in Wireless Sensor

Networks

Yurong Xu1 Guanling Chen2 James Ford1,3 Fillia Makedon1,3

1Computer Science Department, Dartmouth College

{yurong, jford, makedon}@cs.dartmouth.edu

2Computer Science Department, UMass Lowell

{glchen}@cs.uml.edu

3Univ. of Texas at Arlington, Dept. of Computer Science and Eng.

{Makedon,jford}@cse.uta.edu

Abstract

This paper proposes a distributed wormhole

detection algorithm for wireless sensor networks,

a potential technology for infrastructures of many

applications. Currently, most sensor networks

assume they will be deployed in a benign envi-

ronment; however, when a sensor network is de-

ployed in some hostile environment, attacks (espe-

cially those like wormhole attacks that dont need

to capture the keys used in the network) may affect

current sensor networks and may even disable

their functions. This paper proposes a distributed

wormhole detection algorithm called Wormhole

Geographic Distributed Detection (WGDD), that


2/21

is based on detecting disorder of the networks

which is caused by the existence of a wormhole

inside the network. Since wormhole attacks are

passive, this algorithm uses a hop-counting tech-

nique as a probe procedure to detect wormhole at-

tacks, then reconstructs local maps in each node,

and after that, uses a feature called diameter to

detect abnormalities caused by wormholes. The

main advantage of using a distributed wormhole

detection algorithm is that such an algorithm can

provide the approximate location of a wormhole,

which may be useful information for further de-

fense mechanisms. Simulations show that the pro-

posed detection method has both a low False Tol-

eration Rate (FTR) and a low False Detection

Rate (FDR) in detecting wormhole attacks.

1. Introduction

Wireless Sensor Networks (WSNs) [1, 15] are

an emerging technology consisting of small, low-

power, and low-cost devices that integrate limited

computation, sensing, and radio communication

capabilities. This technology has the potential

to provide infrastructures for numerous applica-

tions, such as surveillance, healthcare, industry

automation, and military uses.

Currently, most applications in WSNs assume

that they are deployed in a trusted environment,

but it is possible that a WSN is to be deployed

in an untrusted environments, and so dealing with

security issues will become a central requirement.

In this situation, an adversary can disable the

functionality of a WSN by interfering with packet

transmissions inside the networks with different

attacks such as wormhole attacks, sybil attacks

[12], jamming, and packet injection attacks [17].

This paper focuses on wormhole attack detec-

tion [2, 7, 13]. A wormhole attack doesnt re-

quire knowing the cryptographic infrastructure of

the sensor network, and thus it puts an attacker in

a very powerful position relative to other nodes

in the network, compared to other attacks such

as sybil and packet injection attacks, which usu-

ally utilize vulnerabilities in the infrastructure of


3/21

wireless sensor networks. An attacker can per-

form a wormhole attack on a sensor network even

if the network communication infrastructure pro-

vides confidentiality and authenticity, and the at-

tacker does not have any cryptographic keys.

Currently, there are many methods that have

been proposed for detecting wormhole attacks in-

side of ad hoc networks and wireless sensor net-

works, and encouraging results have been ob-

tained. However, these methods usually require

that some nodes in the network be equipped with

special hardware. Solutions such as SECTOR [2]

and Packet Leashes [7] need time synchroniza-

tion or highly accurate clocks to detect worm-

holes; the method of Hu and Evans [5] requires

that a directional antenna is deployed in each

node; and LAD [3], SerLoc [9], and the ap-

proach in [6] concentrate on detecting/defending

against wormholes in localization in WSNs, but

these methods also need the help of anchor nodes

(which are special nodes that already know their

location exactly), which requires manual setup

when a network is deployed.

In comparison with the above methods, in

this paper we describe a distributed method

called Wormhole Geographic Distributed Detec-

tion (WGDD) to detect a wormhole attack with-

out using anchor nodes or any additional hard-

ware. Since a wormhole attack is passive, this

algorithm uses a simple hop-counting technique

as a probe procedure to detect wormhole attack,

then reconstructs local maps by MDS (Multidi-

mensional Scaling) in each node, and after that

uses a feature introduced in this papce called di-

ameter to detect distortions caused by a worm-

hole. The main advantage of using a distributed

wormhole detection algorithm is that such an al-

gorithm can provide the approximate location of a

wormhole, which can assist further defense mech-

anisms. Simulation shows that the proposed de-

tection method has both a low False Toleration

Rate(FTR) and a low False Detection Rate(FDR)

in detecting wormhole attacks.

In this paper, we make the following contribu-


4/21

tions. (i.) We propose a new feature which can be

used to detect wormholes in a distributed scheme.

(ii.) We propose a distributed wormhole detection

algorithm which needs only local connectivity in-

formation. Since the detection of wormholes is

completed under a distributed scheme, it is pos-

sible that our algorithm can provide the approxi-

mate locations of the ends of wormholes, which

will be helpful in further defense against worm-

hole attacks. (iii) We provide extensive simula-

tion for (i-ii) in NS-2, which shows that our meth-

ods are effective at detecting wormhole attacks on

different network placements.

The remainder of the paper is organized as fol-

lows. Section 2 discusses related work. Sec-

tion 3 describes some basic concepts related to

wormhole attacks. Section 4 discusses the fea-

ture which detects wormholes inside of a network

and the details of the WGDD algorithm. Section

5 evaluates the algorithm in an NS-2 simulation

environment. And finally Section 6 gives our con-

clusions.

2. Related Work

The wormhole attack detection in wireless ad-

hoc networks was introduced in [2, 6, 7]. Both

solutions are referred to as Packet Leashes [7],

and SECTOR [2]. They detect wormhole attacks

based upon the notion of geographical or tempo-

ral leashes. Briefly, suppose every node in the net-

work already knows its exact location and each

node embeds its location and a timestamp into

each packet it sends. If the network is synchro-

nized, then other nodes receiving that packet can

detect a wormhole by detecting the mismatch be-

tween the timestamp difference they calculate and

the location difference they observe. Such a solu-

tion requires a synchronized clock and preknown

location for each node. The method we propose

here does not have these requirements.

In [8], Kong et al. study Denial of Service

(DoS) attacks, including wormhole attacks, in

UWSN (Under Water Sensor Networking). Be-

cause UWSN typically uses acoustical methods

to propagate messages under water, the methods


5/21

in UWSN cant be directly applied into wireless

sensor networks.

In [5], Hu and Evans utilize directional anten-

nas to prevent wormhole links by assuming every

node of the network will be equipped with direc-

tional antennas that all have the same orientation.

Lazos and Poovendran apply a similar idea in de-

signing a secure localization scheme called SeR-

Loc [9] that protects against wormhole attacks in

localization. In SeRLoc, there are about 400 an-

chor nodes (designated as beacon nodes in the

paper) deployed in a 5000-node network. Each

anchor node has a directional antenna and already

knows its physical location. Other nodes in the

network use these anchor nodes to locate them-

selves. When there is a wormhole attack in the

network, since a wormhole will shortcut the net-

work, directional antennas deployed in the an-

chor nodes will help in detecting the attack, and

the nodes can then defend against it by discard-

ing incorrect localization messages. However, if

anchor nodes are compromised, especially those

anchor nodes that are close to a end of a worm-

hole, SeRLoc will still have difficulty in detect-

ing/defending against wormhole attacks.

In more recent papers [3, 10], D. Liu et al. pro-

posed an anchor-based scheme which is resistant

to several attacks, including wormhole attacks.

By using a hop-counting technique, the scheme

estimates the distance between a node and an an-

chor node (or location reference in the authors

terminology). If there is a wormhole inside the

network, then it is possible that the distance from

a node to some anchor node will be changed, and

a simple threshold method is used to determine

whether such a distance difference is caused by

a wormhole attack or by localization error. The

main difference between our method and those of

[3] and [10] is that the latter methods rely on an-

chor nodes, which need manual setup in advance,

while our method does not require any anchor

nodes to detect wormholes.

Additional work by [14] presents a useful graph

theoretic framework for modeling of wormhole


6/21

attacks, but this theoretic framework is based on

the assumption that there are guard nodes know

their locations exactly. Thus, these nodes actu-

ally work as anchor nodes as described in this pa-

per. Since in this work we assume that none of the

nodes in the network knows its physical location,

our proposed solution is for a case not covered by

this framework.

MDS-VOW [16] allows visualization of a net-

work to allow detection of wormholes by find-

ing bending distortions caused by a wormhole in

computed maps. The main difference between

our approach and MDS-VOW is that MDS-VOW

can only work in a centralized scheme, so MDS-

VOW needs to have a central computer to finish

its computation. In our paper, we extract a new

feature which can efficiently indicate the ends of

a wormhole based only on local bending distor-

tions caused by the ends of the wormhole. The

algorithm described in this paper is computed by

a distributed scheme and requires no centralized

computation. A general limitation of MDS-VOW,

which is identified in [14], is that such a visual-

ization cannot be applied to networks with irreg-

ular shapes, such as a string topology (nodes con-

nected in one line).

3. The Wormhole Attack

Origin end Destinationend

Wormhole tunnel

Figure 1. A Wormhole Attack in a WSN

In a typical wormhole attack, an attacker re-

ceives packets at one point in the network, for-

wards them through a wireless or wired link with

much less latency than the default links used by

the network and relays those packets at another

position in the network. In this paper we as-

sume that a wormhole is bidirectional, and when

considering a wormhole attack, we refer to the

end of that wormhole receiving a message as the

origin end of the wormhole and the end that

transmits the message as the destination end of

that wormhole (thus which end is which is en-


7/21

tirely context dependent). Figure 1 shows a typ-

ical wormhole attack. In this work we assume

wormholes with two endpoints, although in the-

ory multi-end wormholes are possible.

We also assume that each wormhole in a net-

work is (1) passive, and thus does not send out

any message without any inbound message, (2)

static, which means that such wormhole will not

move around.

4 Detecting Wormhole Attacks

In this section, at first, we will describe our al-

gorithm in brief, then, by observing the network

with a wormhole inside it, we discuss a feature

which can be used to detect wormhole attacks in

distributed scheme, at last, based on the previous

feature we propose how to detect wormhole at-

tacks.

4.1 Overview of WGDD Algorithm

Our distributed algorithm called Wormhole Ge-

ographic Distributed Detection (WGDD) uses a

similar hop-counting technique as a probe proce-

dure (Section 4.2) to detect wormhole attack. Af-

ter the running of the probe procedure, each node

will collect the set of hop-count from its neigh-

bor nodes which are in one(k) hop(s) distance to

it, then that node will run Dijkstras algorithm to

get the shortest path for each pair of the nodes,

after that, it will reconstruct a local map by MDS

(Multidimensional Scaling) (Section 4.3). After

we discuss a feature called as diameter to de-

tect distortions caused by a wormhole in local

maps in Section 4.4, we will introduce the detec-

tion procedure in Section 4.5. The overview of

this Wormhole Geographic Distributed Detection

(WGDD) algorithm can be seen in Procedure 1.

Procedure 1 Wormhole Geographic Distributed

Detection (WGDD)

1: Probe Procedure

2: Local Map Computation Procedure

3: Detection Procedure

4.2 Probe Procedure

Since a wormhole attack is passive, which

means that such an attack can only happen when


8/21

there is some message being transmitted near the

wormhole area. In order to detect whether there

is a wormhole attack inside a network, we de-

sign a probe procedure to flood an message from

some bootstrap node to the whole networks to let

all other nodes in the network to count the hop

distance from itself to that bootstrap node. Such

probe procedure is based on hop-coordinates [18]

technique to measure the hop distance from each

node to some bootstrap node, which shares the

same idea as hop-counting, but has more accurate

measurement.

(i)In bootstrap node: A bootstrap node x cre-

ates a probe message with (i = idx) to flood

the network. After that, the bootstrap node will

drop any probe message that was originated by it-

self. The bootstrap node has the hop-coordinate:

hopx = 0 and offsetx = 0.

(ii) In all other nodes in the WSN: Suppose that

a node a is calculating its hop distance, and node

b is one of the neighbors of node a. Then the basic

probe procedure 2 is as same as hop-coordinates

procedure [18] for node a is shown in Procedure

2.

Procedure 2 Probe Procedure in node a1: INPUT: message (hopb) from node b Na2: for message (hopb) from any B Na and not

TIMEOUT do

3: ifhopb < hopa then4: hopa = hopb + 15: forward (message(hopa ) ) to MAC6: else

7: drop (message(hopb ) )

8: end if9: end for

10: if|Na| == 0 then11: offseta = 012: else

13: offseta =

bNa(hop

b(hop

a1))+1

2(|Na|+1)

14: end if

15: return hopa

and offseta

Here, a is a node, hopa

is the minimum num-

ber of hops to reach node a counting from some

bootstrap node (x), the initial value of it will be

the largest positive value in practice. the combi-

nation ofhopa

and offsetais the hop coordinate for

node a, Nais a set of nodes which can be reached

by node a in one hop, and |Na| is the number of

nodes in Na.


9/21

0 20 40 60 80 100 120 1401440

20

40

60

80

100

120

140144

X

(a) The original location of a 2500node

WSN with one wormhole

0 20 40 60 80 100 120 1401440

20

40

60

80

100

120

140144

0

10

20

30

40

50

60

70

80

90

100

0

10

20

30

40

50

60

70

80

90

100

(b) the same 2500-node WSN with one

wormhole siting on the edges of the

WSN

Figure 2. a 2500-node WSN (r = 2m) with one wormhole

4.3 Local Map Computation

In this step, each node will compute a local map

for its neighbors based on the hop-coordinate

computed in the previous step. After the gener-

ation of hop-coordinates with Procedure 2, each

node will send a request to its neighbor nodes that

are within one(k) hop(s) to send back their hop

coordinate from some bootstrap node (x).

After each node receives the hop coordinate

from its neighbors, that node will compute short-

est paths between all pairs of nodes one (k) hop(s)

to that node, using Dijkstras algorithm or other

similar algorithms.

Then, we apply MDS to the

(|Na|+1)(|Na|+1) shortest path matrix (here

|Na| is the number of nodes that can be reached by

node A in one (k) hop(s)) and retain the first two

(or three) largest eigenvalues and eigenvectors to

construct a 2-D (or 3-D) local map.

The total cost for this step is a computational

cost ofO(|Na|3 n) and a memory cost ofO(|Na|

2)

per node, with no communication cost in this step.

4.4 Detection Procedure

Based on the local map from previous step,

here we will try to detect attacks. At first let us

have a look of the affection of wormhole attack

on computed map.


10/21

4.4.1 Observation of a Wormhole in a Recon-

structed Map

In order to observe a wormhole, we implemented

the probe procedure 2 and the local map compu-

tation procedure as routing agents and the boot-

strap node for the probe procedure as a protocol

agent in NS-2 version 2.29 [11] with 802.15.4

MAC layer [19] and CMU wireless extensions

[4]. The configuration parameters used for NS-2

are RF range = 15 meters, propagation = TwoRay-

Ground, and antenna = Omni Antenna.

In our first experiment, we used 2500 nodes in a

uniform placement total 2500 nodes are placed

on a grid with 0.5rrandomized placement error,

where r = 2 m is the width of a small square in

the grid. A wormhole is implemented as a wired

connection.

Fig. 2(a) and 2(b) shows the same sensor net-

work; each x represents a node, and the red cir-

cles indicate the two ends of a wormhole; in Fig.

2(a), the wormhole is siting in the center of the

network, while in Fig. 2(b), the wormhole is sit-

ing on the edges of the network.

4.4.2 New Feature to Detect Wormhole At-

tacks

With the fact that each WSN node has limited re-

sources and has no possibility to store global in-

formation, in order to detect wormholes in a dis-

tributed scheme, each node can only use local in-

formation to detect wormhole attacks.

Consider the two parts of the intruded network

with a wormhole with two ends in Figure 3, by se-

lecting two parts of the network which is close to

the ends of the wormhole in Figure 2(a). We use a

dotted circle to represent the neighbor area where

a particular node can directly reach in transmis-

sion range R, since there are two ends, we shows

two parts of the network. Then, after the cir-

cled node finished local map computation for the

nodes in its local range, it will be getting a lo-

cal map as in Figure 4. From this figure, we can

see that because wormhole shortcuts the two parts

of the network, the circled node can reach more


11/21

range than before (if we measure the longest dis-

tance in this local map, it will equal 49m), though

that computed local map is bended by the effect

of the wormhole.

Figure 3. Two Parts of the Network near

Wormhole Ends.Here, parameters: r = 4,R = 15, red circles represents the wormholeends.

2d =49m

Figure 4. Local Map in the Red Circled Node

in Figure 3.After probe procedure and local

map computation in that node which is red

circled.

From the above observation, we instead fo-

cus on detecting wormholes by using a different

featurethe diameter of the computed local map.

We define diameter d for Node a here:

Diameter: d = max(distance(b, c))/2,

Where b, c Na, here Na is the set of neighbor

nodes of node a, distance(a, b) will be computed

as distancde(a, b) = sqrt((x x)2 + (y y)2)

in 2D case, here (x, y),(x, y) are the coordiantes

for node a, b in the local map computed in the

previous step, respectively.

Theoretically, the diameter of the neighbor area

for a node will roughly equal or less its trans-

mission range R, since one node only can hear

from its neighbors within the transmission range

R. But because of the shortcut of wormhole, the

computed map for that neighbor area of that node

will be distorted, and so the diameter of that com-

puted local map will be larger than the physical

one, as shown in 4, we can see 2d = 49m.

In order to verify whether such diameter feature

is working in detecting wormhole in the whole

network, we compute the diameter for each node

in the same 2500-node network with and without

wormhole. The results are shown in Figure 5(a),

if we examine nodes that are very near to a worm-

hole, such as the area near the red circles in Fig-

ure 5(b), the diameters of the local maps for these

nodes will be noticeably increased by proximity


12/21

Diameter

0

20

40

60

80

1000

20

40

60

80

100

13

14

15

16

17

(a) Diameter Measurement in the 2500-node

WSN in Figure 2.(a) without Wormhole

0204060801000204060

80100

12

14

16

18

20

22

24

26

X Y

Diameter

(b) Diameter Measurement in the 2500-node

WSN in Figure 2.(a) with a Wormhole

Figure 5. Diameter Measurement without and with Wormhole in a 2500-node WSN. In Figure 5(b),

the diameter of a local map will roughly be R (from 14 to 18, while R = 15 meters) unless thereis a wormhole attack, in which case the diameter of a local map will become longer as the position

draws closer and closer to the wormhole.

to the wormhole, comparing the diameters in the

same nodes in the network without wormhole in

Figure 5(a). But if the nodes are a little farther

away, or in a distant part of the network, such as

the middle area in Figure 5(b), the diameters of

the local maps for these nodes, will be almost as

normal as these in the same area in Figure 5(a),

which is without wormhole.

In Figure 5(b), the diameter of a local map will

roughly be R (from 14 to 18, while R = 15 me-

ters) unless there is a wormhole attack, in which

case the diameter of a local map will become

longer as the position draws closer and closer to

the wormhole. The diameter reaches the highest

(about 25 m) at the nodes at about 7 m to the ends

of wormhole, then the diameter is decreased, be-

cause the nodes are approaching to the edges of

the network, but still above 22 m.

The diameter feature is also good at de-

tect wormhole attack in networks with irregular

shapes, and in networks with multiple wormholes

inside them. We did some experiments of diam-

eter in a network with string topology, and a net-

work with two wormholes inside it.


13/21

0 20 40 60 80 100

15.2

15.4

15.6

15.8

16

16.2

16.4

16.6

16.8

X

diameter

(a) Diameter Measurement in the 50-

node WSN in String Placement with-

out a Wormhole

0 20 40 60 80 100

12

14

16

18

20

22

24

26

X

Diameter

(b) Diameter Measurement in the 50-

node WSN in String Placement with a

Wormhole

Figure 6. Diameter Measurement in the 50-node WSN in String Placement without/with a Wormhole

In a string topology experiment, we tested a

50-node network, inside of which, each node are

uniformally distributed in a 100 meter string in

one dimension. First we measure the diameter for

each node without any wormhole in the network,

the result is in Figure 6(a). The diameter is at most

16.8 m in Figure 6(a). Then, we add a wormhole

into the network with the two ends of that worm-

hole at the two ends of the string. We can see that

right now, the diameters of nodes which are close

to the ends of the wormhole are larger than 22 m,

shown in Figure 6(b).

In order to test the feature of diameter in de-

tecting multiple wormholes in a network, we de-

ployed two wormholes in the network of Figure

2.a. The measurement of diameter for all nodes

as shown in Figure 7. The locations of the ends

of these two wormholes are represented as red

circles in the same figure. From the figure, we

can see that even two wormholes are very close

to each other, the peaks of diameter are still ap-

peared in the nodes which are close to the ends of

the wormholes, from our measurement, four peak

values are 24.8, 25.2, 22.2, 22.6 m respectively.

So, by computing the diameter d for local map,

such detection algorithm can runs independently

in each node, in conjunction with the computation

of a local map for the neighboring area. Since

all nodes in this area are within one(k) hop(s) of

the calculating node, the detection algorithm can


14/21

Figure 7. Diameter Measurement in the 2500-

node WSN in Figure 2.(a) with Two Worm-

holes.Here, red cycles are the ends of worm-holes, the dashed lines are the tunnels of the

wormholes. A X is represented as a node.

The 50X50 mesh is only for visualization

purpose. Color bar represents the value of

diameter.

compute the diameter of each local map after de-

termining each neighbor nodes location.

4.4.3 Detection Procedure

Thus, we propose to use the diameter to deter-

mine whether there is a wormhole attack present

or not. From the experiment in Figure 5(a) and

5(b), we can see that usually the diameters for lo-

cal maps will be around R, but if there is a worm-

hole in the network, then the diameters of the lo-

cal maps which are computed by the nodes close

to the ends of the wormhole will be higher to over

22m. So, we can define a threshold for the diame-

ter to detect wormholes in the network. Since, the

lower the value we assign to such threshold, the

higher possibility it is that nodes send the error

alarms of wormhole. So, based on the above ex-

periments, we define a threshold as 1.4R (in our

configuration 1.4R = 1.4 15 = 21 m) to deter-

mine whether there is a wormhole attack present

or not. In order to adjust the sensitivity of detec-

tion procedure we introduce a constant parameter

:

Suppose the diameter of a local relative map is

d; ifd > (1+)1.4R (here is a constant parame-

ter which is less than 1 and larger than 0), then we

can say there is a wormhole in the network, and

if not, we can say that the error probably comes

from localization error. The details of the detec-

tion algorithm follow.

Suppose node a is an arbitrary node in the

WSN. At first, we propose a distributed detec-

tion Procedure 3, which is used to compute the


15/21

diameter after running the probe procedure 2 and

local map computation in Section 4.3, and detect

whether there is a wormhole in the network.

Procedure 3 Wormhole Detection Procedure in

node a1: INPUT: local map G in node a for Na {a}2: diameter d = 03: for each b Na {a} do4: for each node c Na {a} {b} do5: if 2d < distance(b, c) in local map G

then

6: 2d = distance(a, b) in local map G7: end if

8: end for9: end for

10: ifd > (1 + ) 1.4R then11: return FOUND WORMHOLE to sink

node.

12: end if

The total cost for this step is a computational

cost ofO(|Na|2

n) and a memory cost ofO(|Na|)

per node, with no communication cost in this

step.

5. Simulations Results

5.1 Simulation Environment Setup

Same as to the experiment setup in the previous

section, we implemented our whole detection al-

gorithm as a routing agent in NS-2 version 2.29

[11] with 802.15.4 MAC layer [19] and CMU

wireless [4] extensions. The configuration used

for NS-2 is RF range = 15 meters, propagation =

TwoRayGround, antenna = Omni Antenna. We

implemented a wormhole as a wired connection

with smaller latency that forwards packets from

one node to another node.

0 20 40 60 80 100 1200

20

40

60

80

100

120

Figure 8. A typical placement for simulation

(Constructed with n = 400, r = 4. greendashed ovals are holes and small blue circles

are islands.)

In our all experiments, we used uniform

placementn nodes are placed on a grid with

0.5r randomized placement error. Here r is the

width of a small square in the grid. We con-

structed a total of 60 placements with n = 400,

900, 1600 and 2500, and with r = 2, 4,6, 8, 10

and 12 meters, respectively. The reason we use


16/21

uniform placement with 0.5r error is that usu-

ally such placement produces both node holes and

islands in one placement, as demonstrated in Fig-

ure 8. The place of the wormhole is totally ran-

domized inside of the network.

5.2 Detection Simulation Result

5.2.1 Metrics

As we decrease the value of , we can increase

the accuracy of detecting wormhole attack, but

the possibility of fault alarm will be increased. In

order to evaluate the accuracy of our wormhole

attack detection under different values, we in-

troduce the following concepts:

False Detection Rate (FDR): the frequency

with which the detection system falsely recog-

nizes identical characteristics as being different,

thus failing to tolerate, for example, a normal lo-

calization error.

FDR = (number of normal localization errors

flagged as detected wormholes) / (total number of

trials).

In practice, we count the number of the nodes,

which send out FOUND WORMHOLE mes-

sages but are far away from the ends of a worm-

hole (We define that if a node is R = 15m away

from all ends of a wormhole, then this node ob-

viously has few impact of wormhole, and so we

say that such node is far away from the worm-

hole.), into the number of normal localization er-

rors flagged as detected wormholes. When FDR

= 0, it means that there is no wrong alarm in de-

tecting wormholes.

False Toleration Rate (FTR): the frequency

with which the detection system falsely recog-

nizes different characteristics as identical, thus

failing to detect a wormhole attack.

FTR = (number of wormhole attacks not de-

tected) / (total number of trials).

If there is a wormhole in a experiment, but there

is no node to send out FOUND WORMHOLE

messages, we will count this as wormhole at-

tacks not detects. So, if FTR = 0, it means that

our detection algorithm is successful in detecting


17/21

0

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

0.09

0.1

0 2 4 6 8 10 12 15r(m)

FDR

(%)

0

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

0.09

0.1

FTR

(%)

FDR

FTR

0

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

0.09

0.1

0 2 4 6 8 10 12 15r(m)

FDR

(%)

0

0.01

0.02

0.03

0.04

0.05

0.06

0.07

0.08

0.09

0.1

FTR

(%)

FDR

FTR

(a) when = 0 (b) when = 0.1

Figure 9. False Detection Rate (FDR) and False Toleration Rate (FTR) for various node spacings.

wormholes in all experiments.

5.2.2 Simulation Result

We use the same experimental setup as in section

5.1, with one wormhole in each placement, again

implemented in NS-2 as a wired connection with

a latency far less than the latency of the wireless

connections. Results in terms of FTR and FDR

are shown in Figure 9. Our detection algorithm

has a low FTR with FDR=0 when = 0.0as in

Figure 9.a; when = 0.1as in Figure 9.b, our

detection algorithm can achieve a low FDR with

FTR=0.

In order to consider about the performance of

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

2 7 12 17 22 27 32 37Hop Distance Between Two Ends of a

Wormhole

FDR(%)

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

FTR(%)

FDRFTR

Figure 10. FTR/FDR vs Hop Distance Be-

tween Two Ends of a Wormhole ( = 0)

our algorithm to detect smaller wormholes (such

as two to three hops long), we plot the all FTR and

FDR experiment data( when = 0) on Figure 10

based on the number of hops between two ends of

a wormhole in one experiment. We can see that

if it is a long wormhole such as 3 hops long,


18/21

our detection algorithm archives almost 100% de-

tection rate (shown as FTR = 0). Even when fac-

ing shorter wormhols which are less than 3 hops

long, our algorithm can still make more than 80%

detection rate (shown as FTR < 20%).

6. Summary and Discussion

In this paper, we discuss how to detect worm-

hole attacks in distributed scheme. By assuming

that wormhole attacks are passive, we provide a

probe procedure to let some bootstrap node flood

a probe message to detect some possible worm-

holes in the network, the probe procedure pro-

duces a hop-coordinates to each node which rep-

resents the hop distance from that node to the

bootstrap node. Then each node will compute a

local map for its neighbors and itself with the hop-

coordinates collected in the previous step. Since

if there is a wormhole in the network, it causes

some distortions in some local maps of the nodes

which are close to the ends of the wormhole, so

we find a feature called diameter to detect such

distortion in distributed scheme, with the help of

that feature diameter, we propose a wormhole

detection procedure.

We test our Wormhole Geographic Distributed

Detection (WGDD) algorithm in simulation envi-

ronment under different placements of networks.

The extensive simulation result shows that our de-

tection algorithm can archive almost 100% over-

all detection rate (shown as FTR is around zero,

when = 0 in Figure 10.a). Even consider-

ing about the cases of shorter wormholes which

are less than 3 hops long, our algorithm can still

make more than 80% detection rate (shown as

FTR < 20% in Figure 10). We can run our de-

tection algorithm in stricter model by setuping

= 0.1, it this case, we can archive almost zero

wrong alarm rate (shown as FDR = 0 in Figure

10.b).

Since our algorithm is running under dis-

tributed scheme, it means that if there is a worm-

hole, then some nodes close to the wormhole will

detect the wormhole attacks, so such advantage


19/21

of our algorithm may help in defending against

wormholes. We may propose the idea of freez-

ing nodes that have detected wormhole attacks in

their vicinity, along with their neighbor nodes, in

order to isolate and negate the effect of a worm-

hole.

Suppose that the wireless range for a wormhole

attack equals k times the transmission range R of

a normal node; if this is the case, then it is possi-

ble that we can stop the transmission of a worm-

hole attack by freezing the nodes within k times

transmission range R of one detecting location.

Procedure 4 Defending against wormhole attacks

Require: triggered by DetectionProcedure

1: send message(freezing)to all neighbor nodes

in 1(k) hop(s)2: Broadcast message(relocalization) to the

bootstrap node and other nodes.

From a node (or nodes), which detects worm-

hole attack, a special message will flood out

to freeze neighboring nodes. If the bootstrap

node (x) receives this message, it will restart the

wormhole detection algorithm again, while other

nodes receive such message will clean the hop-

coordinate inside itself. Such process will be

ended until there is no node detects any wormhole

attack.

Right now, we are basing experiment to decide

the threshold and in deciding whether a diame-

ter measurement triggers an alarm for wormhole.

One future work may need to improve our algo-

rithm is how to decide such threshold and auto-

matically.

References

[1] I. Akyildiz, W. Su, Y. Sankarasubramaniam, and

E. Cayirci. A survey on sensor networks. Com-

munications Magazine, IEEE, 40(8):102114,

2002.

[2] S. Capkun, L. Buttyan, and J. Hubaux. SEC-

TOR: secure tracking of node encounters in

multi-hop wireless networks. Proceedings of the

1st ACM workshop on Security of ad hoc and

sensor networks, pages 2132, 2003.

[3] W. Du, L. Fang, and N. Peng. LAD: Localization

anomaly detection for wireless sensor networks.


20/21

Journal of Parallel and Distributed Computing,

66(7):874886, 2006.

[4] T. C. M. Group. Wireless and Mo-

bility Extensions to ns-2. obtain from

http://www.monarch.cs.cmu.edu/cmu-ns.html.

[5] L. Hu and D. Evans. Using Directional Anten-

nas to Prevent Wormhole Attacks. Proceedings

of the 11th Network and Distributed System Se-

curity Symposium, pages 131141, 2004.

[6] Y. Hu, A. Perrig, and D. Johnson. Wormhole de-

tection in wireless ad hoc networks. Department

of Computer Science, Rice University, Tech. Rep.

TR01-384, June, 2002.

[7] Y. Hu, A. Perrig, and D. Johnson. Packet

Leashes: A Defense against Wormhole Attacks

in Wireless Ad Hoc Networks. Proceedings of

INFOCOM, 2003, 2003.

[8] J. Kong, Z. Ji, W. Wang, M. Gerla, R. Bagro-

dia, and B. Bhargava. Low-cost attacks against

packet delivery, localization and time synchro-

nization services in under-water sensor net-

works. Proceedings of the 4th ACM workshop

on Wireless security, pages 8796, 2005.

[9] L. Lazos and R. Poovendran. SeRLoc: secure

range-independent localization for wireless sen-

sor networks. Proceedings of the 2004 ACM

workshop on Wireless security, pages 2130,

2004.

[10] D. Liu, P. Ning, and W. Du. Attack-resistant lo-

cation estimation in sensor networks. Informa-

tion Processing in Sensor Networks, 2005. IPSN

2005. Fourth International Symposium on, pages

99106, 2005.

[11] S. McCanne and S. Floyd. ns-2 Network Simu-

lator. Obtain via: http://www. isi. edu/nsnam/ns.

[12] J. Newsome, E. Shi, D. Song, and A. Perrig. The

sybil attack in sensor networks: analysis & de-

fenses. Proceedings of the third international

symposium on Information processing in sensor

networks, pages 259268, 2004.

[13] P. Papadimitratos and Z. Haas. Secure routing

for mobile ad hoc networks. SCS Communica-

tion Networks and Distributed Systems Model-

ing and Simulation Conference (CNDS 2002),

2002.

[14] R. Poovendran and L. Lazos. A Graph Theoretic

Framework for Preventing the Wormhole Attack


21/21

in Wireless Ad Hoc Networks. ACM Wireless

Networks (WINET).

[15] M. Vieira, C. Coelho Jr, D. da Silva Jr, and

J. da Mata. Survey on wireless sensor network

devices. IEEE Emerging Technologies and Fac-

tory Automation, pages 537544, 2003.

[16] W. Wang and B. Bhargava. Visualization of

wormholes in sensor networks. Proceedings of

the 2004 ACM workshop on Wireless security,

pages 5160, 2004.

[17] A. Wood and J. Stankovic. Denial of service

in sensor networks. Computer, 35(10):5462,

2002.

[18] Y. Xu, J. Ford, and F. S. Makedon. A Varia-

tion on Hop-counting for Geographic Routing.

Embedded Networked Sensors, 2006. EmNetS-

III. The third IEEE Workshop on, 2006.

[19] J. Zheng and et.al. 802.15.4 exten-

sion to NS-2. Obtain via: http://www-

ee.ccny.cuny.edu/zheng/pub.

Distributed wormhole attack detection in wireless sensor networks

Documents