
ISSN : 0256-4602


The Institution of Electronics and Telecommunication Engineers


IETE

Technical Review
Volume 28 No. 2 Mar-Apr 2011

www.ietejournals.org

A Survey of Wormhole-based Attacks and their Countermeasures in Wireless Sensor Networks


Majid Meghdadi, Suat Ozdemir¹ and Inan Güler²

Department of Computer Engineering, Zanjan University, Zanjan, Iran, ¹Department of Computer Engineering and ²Electronic & Computer Technology, Gazi University, Ankara, Turkey

Abstract
In wormhole attacks, attackers create a low-latency link between two points in the network. This can be achieved by either compromising two or more sensor nodes of the network or adding a new set of malicious nodes to the network. Once the link is established, the attacker collects data packets on one end of the link, sends the data packets using the low-latency link and replays them at the other end. Wormhole attacks result in alterations in network data flow thereby deceiving the base station. Although implementing a wormhole attack is relatively simple, detecting it is not a trivial task as the replayed information is usually valid. This paper focuses on wormhole attacks and presents the state-of-the-art in wormhole attack detection in wireless sensor networks. The existing wormhole detection protocols are presented in detail and, based on the existing research, the open research areas and future research directions in wormhole attack detection are provided.

Keywords: Ad-Hoc networks, Intrusion detection, MANET, Security, Sensor node, Wireless sensor networks, Wormhole attacks.

1. Introduction

Wireless Sensor Networks (WSNs) consist of spatially distributed autonomous small devices that cooperatively monitor environmental or physical conditions in remote and often hostile environments. Although WSNs, as a special case of Mobile Ad-Hoc Networks (MANETs), were originally motivated by military applications such as border surveillance and battlefield monitoring, today WSNs can be used in many civilian applications, including home automation, healthcare, traffic control and habitat/environment monitoring [1-4]. Wireless Sensor Networks have several unique characteristics that make them distinguishable from traditional wireless networks. First of all, WSNs generally operate in unattended areas and contain a large number of sensor nodes, which can be in the order of thousands. These nodes have strictly limited resources in terms of energy, memory, communication and computation. Due to such resource constraints, the reliability and precision of a single sensor node is significantly low, thereby requiring collaborative data collecting and processing. In addition, because of the simple and unreliable hardware, sensor nodes may die earlier than their expected lifetime. Hence, the number of sensor nodes may change during the network lifetime, giving a dynamic topology. In order to use WSNs in real world applications, these unique characteristics must be carefully addressed during the protocol design [5,6].

Security is another unique characteristic of WSNs and it is a fundamental concern in order to provide protected and authenticated communication between sensor nodes in mission critical applications, such as military or healthcare. As in any other wireless network (e.g. cognitive radio networks [7] or radio frequency identification networks [8,9]), basic security services of WSNs include authentication, confidentiality, integrity, anonymity and availability. However, in contrast to traditional wireless networks, in WSNs the physical security of sensor nodes is not guaranteed as they are usually deployed in remote and hostile environments. Therefore, attackers can easily compromise sensor nodes and use them to degrade the network's performance. Due to the lack of physical security, the existing security solutions that are developed for traditional wireless networks cannot be directly employed in WSNs. In addition, because of the unique properties of WSNs, their security mechanisms must be developed during the system design process [10-13].

This paper focuses on wormhole attacks and their countermeasures in WSNs. Our contributions in this paper are threefold: (i) Security attacks in WSNs are classified according to the OSI stack model. For each layer, attacks that exploit the characteristics of that layer are discussed. (ii) To the best of our knowledge,
IETE TECHNICAL REVIEW | VOL 28 | ISSUE 2 | MAR-APR 2011

Meghdadi M, et al.: A Survey of Wormhole-based Attacks and their Countermeasures in Wireless Sensor Networks

this is the first paper that gives a broad overview of wormhole-based attacks and their countermeasures in WSNs. Wormhole-based attacks and their detection mechanisms are analyzed and each wormhole detection protocol is presented in detail. (iii) By reviewing the existing research, open research issues in wormhole detection are provided. The rest of the paper is organized as follows. Section 2 presents the significance of wormhole and other related security attacks. Section 3 provides a classification of the wormhole attacks, whereas in Section 4, we discuss different wormhole attack detection mechanisms and give the taxonomy of these mechanisms. The results and open research areas are discussed in Section 5. Finally, concluding remarks are made in Section 6.

2. Wormhole-based Attacks

The rest of this paper concentrates on wormhole-based attacks in WSNs. A typical wormhole attack requires two or more attackers (malicious nodes) that have better communication resources than regular sensor nodes. The attacker creates a low-latency link (i.e. high-bandwidth tunnel) between two or more attackers in the network. Attackers promote these tunnels as high-quality routes to the base station. Hence, neighboring sensor nodes adopt these tunnels into their communication paths, rendering their data under the scrutiny of the adversaries [14-19]. Once the tunnel is established, the attackers collect data packets on one end of the tunnel, send them using the tunnel (wired or wireless link) and replay them at the other end. A typical wormhole attack is shown in Figure 1. Wormhole attacks may result in serious damages in WSNs by interrupting or altering the information flow towards the base station. In addition, if the attackers do not modify or fabricate data packets, cryptographic solutions alone cannot detect wormhole attacks.

Figure 1: Example of wormhole attack in WSNs with two adversaries.

2.1 Classification of Security Attacks on WSNs

Due to their unattended nature and wireless communication, WSNs are open to a variety of security attacks, which can be categorized in many ways. Classification of attacks helps researchers to better understand WSN security and design more optimistic security countermeasures for WSNs. In [20], authors determine several types of attacks that have been classified as active, passive, or hybrid. 'Active attacks' intend to impede the operation, disable services, modify message content or cut off the communication of other sensor nodes in the network. On the other hand, 'passive attacks' aim to steal or eavesdrop on the communicated information without being caught [20]. To execute 'active attacks', the attacker must be able to inject packets into the network.

Another classification of attacks is the distinction between 'internal' and 'external' attacks. As discussed in [11], 'external attacks' are committed by parties that are not legally part of the network whereas 'internal attacks' are sourced from inside the network. In an internal attack, a malicious sensor node that can communicate with all other sensor nodes within its range poses a threat to the functional efficiency of the data collected in the network. Detection of 'internal attacks' is much harder compared to 'external attacks' and 'insider attacks' can result in significant damages to the network [11]. Authors of [21] evaluate the efficiency of connection characteristics to classify different attack families; however, this work is not applicable in WSNs.

In this section, we classify the attacks based on network protocol layers, namely physical, link, network/routing and transport. Based on the classification in [22-24], Table 1 summarizes the attacks in each layer and their possible countermeasures. Common attacks that target the 'physical layer' of a WSN destroy the hardware of a certain node or tamper with the transmission medium [22,23].

Medium access control (MAC) protocols operate at the 'link layer'. The link layer usually coordinates access to the physical communication medium among sensor nodes. In a WSN, the MAC protocol dictates to sensor nodes when to transmit data frames or listen to the radio channel. In addition, WSN MAC protocols employ various techniques to save battery power by placing the radio in 'low-power modes' (sleep mode) when the radio is not actively sending or receiving data packets. The attacks against the link layer include collision, exhaustion, unfairness, identity spoofing and traffic manipulation [23,24]. Packet replaying, spoofing, traffic altering and wormhole are the most common attacks on the 'network layer' (especially on routing protocols). There is also the 'flow-correlation attack' [25] that occurs in traditional networks rather than WSNs.

Generally, link layer authentication is an effective way of preventing these attacks. At the 'transport layer', de-synchronization, packet injection attack [26], flooding [27], and even multi-hop flooding [28] attacks aim to consume sensor nodes' resources such as bandwidth and energy [23]. In the de-synchronization attack, an attacker interrupts the active connection between two sensor nodes by transmitting forged packets with bogus sequence numbers or control flags that desynchronize endpoints so that they retransmit the data packets. Header or full packet authentication is shown to be effective against de-synchronization attacks. In a flooding attack, an adversary sends multiple connection requests without ever completing the connection, thus overwhelming the target's half-open connection buffer. Connectionless transport protocols are immune to this type of attack.

In addition to the above classification that puts wormhole attacks into the network layer category, in [14], the term wormhole attack is used to describe an external attack. In [29,30], wormhole attacks are divided into two categories, namely 'hidden' and 'exposed' attacks, depending on whether malicious nodes put their identity into packet headers when tunneling and replaying packets. Moreover, authors of [31] and [32] proposed to call the external attacks hidden wormhole, and use the term exposed wormhole for the internal version of this attack.

2.2 Variants of Wormhole Attacks

Several attacks that are similar or related to wormhole attacks exist in WSNs. In what follows, we briefly explain these variants of wormhole attacks. In spoofing (or impersonation) attacks, the attacker takes the identity of another node in the network and hence, all the messages directed to that victimized node are received by the attacker [33]. There are several types of spoofing attacks, such as Sybil [34], stolen identity [35] and invisible node attacks [36]. Spoofing attacks are similar in effect to hidden wormhole attacks, and can be detected by the same mechanisms such as a multifactor authentication scheme [37] or radio fingerprint [38].

There are also other variants of wormhole attacks, namely blackhole, grayhole and sinkhole attacks. All of these attacks aim either to prevent the base station from obtaining complete data by misdirecting data flow or to deceive the base station by falsifying the collected data. In a blackhole attack, a malicious node makes itself a part of many routes and drops all data packets transmitted over those routes. In order to reduce the probability of detection, the malicious node can mount a more intelligent attack, called grayhole, in which it selectively drops the data packets. In sinkhole attacks, malicious nodes either change or do not relay the received data to its destination so that the performance of the network is reduced. If the sinkhole attack targets a specific source node, it may affect the availability of the victim node.

In a sinkhole attack, the intruder usually attracts the network traffic by advertising itself as having the shortest path to the base station. For example, as shown in Figure 2, an intruder creates a high-quality single-hop link to the sink. Then, it advertises imitated routing messages about the high-quality route, spoofing the surrounding nodes to create a sinkhole. Note that in order to create the single-hop link, the intruder must be equipped with much higher computation and communication power than regular sensor nodes.

Figure 2: Example of sinkhole attack in a WSN using an artificial high-quality route.

Table 1: Attacks on WSNs and their countermeasures (revised form of classification in [24])

Layer: Physical layer
Attack: Tampering, Eavesdropping, Jamming
Countermeasure: Tamper-proofing, Hiding access restriction, Encryption spread-spectrum, Priority messages, Lower duty cycle, Region mapping, Mode change

Layer: Link/mac-layer
Attack: Collision, Exhaustion, Unfairness, Identity Spoofing, Traffic manipulation
Countermeasure: Error correcting code, Rate limitation, Small frames, Identity protection, Misbehavior detection

Layer: Network/routing layer
Attack: Spoofing, False routing, Packet replaying, Selective forwarding, Neglect and greed, Homing, Misdirection Blackhole, Grayhole, Wormhole, Sinkhole
Countermeasure: Authorization, Redundancy, False routing Information detection, Routing access, Redundancy, Probing, encryption, Egress filtering, Authorization, monitoring

Layer: Transport layer
Attack: De-synchronization/ Forwarding, Clock Skewing, Data aggregation, Distortion, Selective message, Flooding
Countermeasure: Data Integrity Protection, Data Confidentiality Protection, Anti-replay protection, Client puzzles, Authentication


A sinkhole attack can also be achieved using a wormhole tunnel. In this case, one malicious node collects data in one part of the network and then relays the data to the other malicious node, which is close to the base station. Again, the adversaries should have better communication resources (e.g. transmission range, power and bandwidth) than regular sensor nodes so that they can establish high-quality long distance 'communication channels' (tunnels) between each other. These adversaries record the data packets they overhear, forward these data packets to each other over the tunnel and replay the packets at the other end of the network. By replaying valid network messages at improper places, attackers can make far apart nodes believe they are immediate neighbors. The adversaries can also force their neighboring nodes to send their data over the wormhole tunnels by broadcasting false routing information.

In general, wireless routing protocols fall into two categories: 'proactive' routing protocols and 'on-demand' routing protocols. Proactive routing protocols rely on periodic transmission of routing updates, whereas on-demand routing protocols search for routing updates only when necessary. Studies show that wormhole attacks are successful in both proactive and on-demand routing protocols [39]. It is also shown that, when there are at least two wormholes in the network, more than 50% of the packets will be directed to the malicious nodes [40,41].

A wormhole attack is considered immune to cryptographic techniques as it is independent of MAC-layer protocols. The attacker does not need to understand the MAC protocol or be able to decode encrypted packets to be able to replay them. In its most sophisticated form, the wormhole can be launched at the bit level or at the physical layer [18,42]. At the bit level, as in cut-through routing [43], the replay is done bit by bit even before the entire packet is received. At the physical layer, similar to a physical layer relay [44], the actual physical layer signal is replayed. These attacks are even harder to detect because such replays can happen quite fast and thus cannot be detected easily by timing analysis. To distinguish these attacks from the simpler form of the wormhole attack, where the malicious nodes copy the entire packet before transmittal through the wormhole link, we refer to the simpler form of attack as store-and-forward attack following the terminology used in [45].
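The two claims above, that a replayed frame passes cryptographic checks and that only the store-and-forward form stands out under timing analysis, can be checked with a small model. This is an added sketch, not code from the paper: the HMAC frame layout, bit rate, radio range, turnaround time, tunnel length and the one-byte buffering of the bit-level relay are all constructed assumptions.

```python
import hashlib
import hmac

C = 299_792_458.0        # signal propagation speed, m/s
BITRATE = 250_000        # assumed radio bit rate, bits/s
RADIO_RANGE_M = 30.0     # assumed maximum one-hop radio range
TURNAROUND_S = 192e-6    # assumed nominal receive-to-transmit turnaround
KEY = b"constructed-pairwise-key"  # constructed key shared by nodes A and B


def make_frame(seq: int, payload: bytes) -> bytes:
    """Frame = 4-byte sequence number + payload + HMAC-SHA256 tag."""
    body = seq.to_bytes(4, "big") + payload
    return body + hmac.new(KEY, body, hashlib.sha256).digest()


def authentic(frame: bytes) -> bool:
    """Link-layer authentication: recompute the tag and compare."""
    body, tag = frame[:-32], frame[-32:]
    expected = hmac.new(KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def airtime(frame: bytes) -> float:
    """Time needed to put the whole frame on the air."""
    return 8 * len(frame) / BITRATE


def relay_delay(mode: str, frame: bytes, tunnel_m: float) -> float:
    """Extra one-way latency a relay adds compared with a direct link."""
    prop = tunnel_m / C
    if mode == "direct":
        return 0.0
    if mode == "store-and-forward":
        return airtime(frame) + prop   # whole frame copied, then resent
    if mode == "bit-level":
        return 8 / BITRATE + prop      # assumed: one byte buffered
    if mode == "physical-layer":
        return prop                    # signal relayed as it arrives
    raise ValueError(mode)


def measured_rtt(mode, challenge, reply, local_m, tunnel_m):
    """RTT seen by A: challenge out, B turns around, reply back."""
    rtt = airtime(challenge) + airtime(reply) + TURNAROUND_S
    rtt += 2 * local_m / C
    rtt += relay_delay(mode, challenge, tunnel_m)
    rtt += relay_delay(mode, reply, tunnel_m)
    return rtt


def rtt_bound(challenge, reply, tolerance_s):
    """Largest RTT a real neighbour within radio range can produce."""
    return (airtime(challenge) + airtime(reply) + TURNAROUND_S
            + 2 * RADIO_RANGE_M / C + tolerance_s)


def flagged_modes(tolerance_s, tunnel_m=1000.0, local_m=20.0):
    """Which link types exceed the RTT bound for a given timing tolerance."""
    challenge = make_frame(1, b"neighbour-probe")
    reply = make_frame(2, b"ack")
    bound = rtt_bound(challenge, reply, tolerance_s)
    modes = ("direct", "store-and-forward", "bit-level", "physical-layer")
    return {m: measured_rtt(m, challenge, reply, local_m, tunnel_m) > bound
            for m in modes}


if __name__ == "__main__":
    frame = make_frame(7, b"reading=21.5C")
    replayed = bytes(frame)            # byte-identical copy sent elsewhere
    print("replayed frame authenticates:", authentic(replayed))
    print("1 ms tolerance (software timestamps):", flagged_modes(1e-3))
    print("1 us tolerance (hardware timestamps):", flagged_modes(1e-6))
```

With a millisecond-scale tolerance only the store-and-forward relay exceeds the bound; the bit-level and physical-layer relays are flagged only once the timing tolerance drops to about a microsecond.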

3. Wormhole Attack Taxonomy

Wormhole attacks can be achieved with the help of several techniques such as packet encapsulation, high transmission power, high-quality communication links, packet relaying and protocol distortion [46,47]. In what follows, wormhole attacks are classified based on their implementation technique and each method is explained with an example.

3.1 Wormhole Using Encapsulation

In encapsulation-based wormhole attacks, several nodes exist between two malicious nodes and the data packets are encapsulated between the malicious nodes. Since encapsulated data packets are sent between the malicious nodes, the actual hop count does not increase during the traversal [47]. Hence, routing protocols that use hop count for path selection are particularly susceptible to encapsulation-based wormhole attacks. For example, the ad-hoc on-demand distance vector (AODV) routing protocol, a source-initiated on-demand routing protocol, is one of the most popular routing protocols in WSNs. In the AODV protocol, in order to limit the amount of flooding, each node broadcasts only the first route request (RREQ) message it receives and drops any further copies of the same request. However, the AODV protocol fails under encapsulation-based wormhole attacks. When a malicious node at one part of the network hears the RREQ, it transmits this RREQ to the other malicious node at a distant location near the destination. The second malicious node then rebroadcasts the RREQ. The neighbors of the second malicious node receive the RREQ and drop any further legitimate RREQs that are coming from legitimate multi-hop paths. As a result, the route between the source and the destination includes the malicious nodes that form the wormhole. This prevents sensor nodes from discovering legitimate paths that are more than two hops away.

Figure 3 presents an example of an encapsulation-based attack. Consider that nodes S (source) and Sink (destination) try to discover the shortest path between each other, in the presence of the two malicious nodes M1 and M2. Node S broadcasts an RREQ, M1 gets the RREQ and encapsulates it in a packet destined to M2 through the path that exists between M1 and M2 (E-F-G). Node M2 turns the packet into its previous state, and rebroadcasts it again. Due to the encapsulation of the data packet, the hop count does not increase when the RREQ travels between M1 and M2 (E-F-G). At the same time, another copy of the RREQ travels from S to Sink over the path that includes nodes A-B-C. Now, there are two routes from S to Sink: the first one is four hops long (S-A-B-C-Sink), and the second one appears to be three hops long (S-M1-M2-Sink), while in reality it is six hops long (M1-E-F-G-M2-Sink). The sink chooses the second route since it appears to be the shortest path. This mode of the wormhole attack is not difficult to launch since the two ends of the wormhole do not need to have any cryptographic information, or any special capabilities, such as a high-speed wire line link or a high-power source. One of the possible solutions to this mode of wormhole attack is presented by Hu et al. [15], in which sensor nodes choose the fastest route reply rather than the one which claims to have the smallest number of hops.

Figure 3: Wormhole attack with use of packet encapsulation.

3.2 Wormhole Using High-quality/Out-of-band Channel

In this mode, the wormhole attack is launched by having a high-quality, single-hop, out-of-band link (called tunnel) between the malicious nodes. This tunnel can be achieved, for example, by using a direct wired link or a long-range directional wireless link. This mode of attack is more difficult to launch than the packet encapsulation method since it needs specialized hardware capability [47]. Consider the scenario presented in Figure 4. Sensor nodes M1 and M2 are malicious nodes and they have an out-of-band channel between themselves. Let us assume that source node (S) sends an RREQ to the sink node and nodes A and M1 are neighbors of S. Node M1 tunnels the RREQ to M2 and M2 broadcasts the packet to its neighbors, including the sink node. The sink node gets two RREQs: (S-M1-M2-Sink) and (S-A-B-C-Sink). The first route is both shorter and faster than the second one, thus it is chosen by the sink node. As we explain in Section 5, Khalil et al. [47] present a method for detecting packet encapsulation and out-of-band modes of wormhole attack.

3.3 Wormhole Using High-power Transmission Capability

In this type of wormhole attack, only one malicious node with high-power transmission capability exists in the network and this node can communicate with other normal nodes from a long distance.
When a malicious node receives an RREQ, it broadcasts the request at a high-power level. Any node that hears the high-power broadcast rebroadcasts the RREQ towards the destination. By this method, the malicious node increases its chance to be in the routes established between the source and the destination even without the participation of another malicious node. This attack can be mitigated if each sensor node is able to accurately measure the received signal strength. Khalil et al. [47] propose a local monitoring approach that detects this kind of wormhole attack.

Figure 5 presents an example of a wormhole attack using high-power transmission. Consider that sensor nodes S (source) and Sink (destination) try to discover the shortest path between them in the presence of the one malicious node M with high-power transmission capability. Node S broadcasts an RREQ, A and M1 receive the RREQ and rebroadcast it again. Node A can send the RREQ message to the sink in five hops (S-A-B-C-D-Sink), while the malicious node M is able to send it in four hops (S-M-C-D-Sink). Hence, the sink chooses the second route since it appears to be the shortest path. This kind of attack is also called a blackhole attack in the literature.

3.4 Wormhole Using Packet Relay

Packet-relay-based wormhole attacks can be launched by one or more malicious nodes. In this attack type, a malicious node relays data packets of two distant sensor nodes to convince them that they are neighbors [47]. This kind of attack is also called a replay-based attack in the literature [48]. For example, in Figure 6a, sensor node A and sensor node B are two non-neighboring nodes with a malicious neighbor node M1. Node M1 can relay packets between sensor nodes A and B to make them believe that they are neighbors. As shown in Figure 6b, if there are several cooperating malicious sensor nodes, sensor nodes that are multiple hops away from each other can be victims of this attack.

3.5 Wormhole Using Protocol Distortion

In this mode of wormhole attack, one malicious node tries to attract network traffic by distorting the routing protocol. Routing protocols that are based on the 'shortest delay' instead of the 'smallest hop count' are at risk of wormhole attacks that use protocol distortion. In hop-count-based routing protocols, in order to reduce the number of MAC-layer collisions, sensor nodes typically wait for a random time before RREQ forwarding. In this wormhole mode, a malicious node can create a wormhole by forwarding RREQs without this back-off. The purpose is to let the RREQ packet arrive first at the destination so that the malicious node is included in the path to the destination. This kind of wormhole by itself is harmless and it is also called a rushing attack in the literature [49]. However, in many circumstances, attackers use this attack as an initial step to perform denial-of-service attacks, which can compromise the security of the entire network [31,50].

Figure 4: Wormhole attack with use of tunnel between two nodes.

Figure 5: Malicious node increases its chance to be in the routes established by using high-power transmission.

Figure 6: Replay based attack with using (a) one malicious node or (b) two malicious nodes.

4. Wormhole Attack Detection Mechanisms

Wormhole attacks are difficult to detect as the malicious nodes replay valid data packets into the network. Moreover, the majority of wireless sensor network routing protocols employ lightweight cryptographic solutions to prevent unauthorized nodes from injecting false data packets into the network. Hence, in wormhole attacks, the replayed data packets pass all cryptographic checks. Since wormhole attacks are easy to implement but hard to detect, wormhole prevention and detection has been an attractive research problem. Most proposed protocols to defend against wormhole attacks use positioning devices, synchronized clocks or directional antennas. In the rest of this section, important wormhole attack detection mechanisms are summarized.

4.1 Distance-bounding/Consistency-based Approaches

The majority of researchers try to prevent wormholes using distance-bounding techniques, which allow two communicating sensor nodes to estimate the actual distance between them. Distance-bounding techniques can be based on message traveling time information, directional antennas or geographical information. These techniques generally require specialized hardware and therefore they may be considered impractical for certain networks.

4.1.1 Message Traveling Time Information Solutions

Message travelling time information is usually expressed in terms of round trip time (RTT). One way to prevent wormhole attacks, as used by Hu et al. [15], Tun and Maw [41], Chiu et al. [29], Tran et al. [30], Capkun et al. [51], Korkmaz [48] and Hong et al. [52], is to measure the RTT of a message and its acknowledgement, estimate the distance between the nodes based on this travel time and determine whether the calculated distance is within the maximum possible communication range. Chiu et al. [29] measured the delay per hop while Tran et al. [30] measured the RTT for each successive node in the whole path. If the RTT of any sensor node on the path is higher than a certain threshold value, then the alarm is raised. The 'Packet leashes' [15] and 'Neighbor number test' [53] methods are only used for detecting hidden attacks. The 'Statistical analysis of multi-path' [54] method can only detect exposed attacks whereas Tran et al.'s [30] technique is able to detect both hidden and exposed wormhole attacks. However, this technique requires the cooperation of all nodes on the path but does not properly work with dynamic source routing (DSR) and destination-sequenced distance-vector routing (DSDV) protocols [55,56].

In [41], Tun and Maw propose a wormhole detection algorithm that is based on both the neighbor-number-based mechanism and the RTT mechanism. The first consideration is based on the fact that by introducing new links into the network, the adversary increases the number of neighbors of the nodes within its radius. The second consideration is that the transmission time between two affected nodes is considerably higher than that between two normal neighboring nodes. This system does not require any specific hardware.

Authors of [57] propose a transmission-time-based mechanism (TTM) to detect wormhole attacks during the route setup procedure by computing the transmission time between every two consecutive sensor nodes along the established path. A wormhole is identified based on the fact that the transmission time between two fake neighbors created by the wormhole is considerably higher than that between two real neighbors, which are within radio range of each other. Similar to [41], there is no special hardware requirement for the TTM mechanism.

4.1.2 Special Hardware-based Solutions

Directional antennas are employed for access restriction [58-61] and neighbor discovery (ND) [40] in WSNs. In [40], neighboring nodes are identified by zones where each zone is defined by directional antennas. The zones around each sensor are numbered 1 to N clockwise starting with zone 1 facing east. When a sensor node receives a signal from a sensor node for the first time, the sensor node can get the approximate direction of the signal and identify the unknown sensor node by its zone. After that the sensor node cooperates with its neighboring nodes to verify the legitimacy of the unknown node, for example, by checking whether the unknown node is known by the neighboring nodes.

Capkun et al. [51] proposed a protocol, called SECTOR, which relies on special hardware. The main idea of the proposed protocol is that the distance between two sensor nodes can be measured accurately based on the speed of data transmitted between them. SECTOR does not require any clock synchronization and location information by using the mutual authentication with distance bounding (MADB) protocol. The MADB protocol enables the nodes to determine their mutual distance at the time of encounter. The notion of distance-bounding protocols was first introduced by Brands and Chaum [62]. They proposed a technique that enables a party to determine a practical upper-bound on its physical distance to another party. By measuring the time between sending out the challenges and receiving the responses, the first party can compute an upper-bound on the distance to the other party. Capkun et al. modified the distance-bounding protocol proposed by Brands and Chaum. The protocol allows both parties to measure the distance to the other party simultaneously. At the same time, it is assumed that each pair of parties shares a symmetric key, which the nodes establish before running the distance-bounding protocol between them. In Capkun et al.'s protocol, sensor node A estimates the distance to sensor node B (which is in A's transmission range) by sending a one-bit challenge that B responds to instantaneously. By using the time of flight, A detects whether or not B is a neighbor. However, this approach uses special hardware that can respond to a one-bit challenge without any delay.

4.1.3 Geographical Information-based Solutions

In [14] and [15], the authors proposed a wormhole detection protocol that restricts the maximum transmission distance of data packets. It is assumed that a node can obtain a key for any other node. Authentication is applied to each data packet to introduce the concept of geographical and temporal packet leashes for detecting wormholes. In the geographic packet leash, when node A sends a packet to another node B, the node must include its location information and sending time in the packet. Node B can estimate the distance between them. The geographic leash computes an upper-bound on the distance. In the temporal leashes, all nodes must have tight time synchronization. The temporal leash ensures that a packet has an upper-bound on its lifetime. The maximum difference between any two nodes' clocks is bounded by a predetermined threshold and this threshold value must be known to all the nodes. By using the threshold value, sensor nodes are able to check the expiration time of data packets and determine whether there is a wormhole attack in place. If the receiving time of a packet exceeds the packet expiration time, the packet is discarded.

4.2 Synchronized Clock-based Solutions

Synchronized clock-based solutions assume that all sensor nodes in the network are tightly synchronized and each data packet includes the time at which it is sent out. The main idea behind these solutions is that when a data packet is received, the receiver node compares the receiving time with the time at which the packet is sent out. As the receiver node has the knowledge of transmission distance and consumed time, it is able to detect if the packet has traveled too far. If the transmission distance is far beyond the maximum allowed travel distance, the network is probably under a wormhole attack. In order to avoid the problem of using special hardware for time synchronization, an RTT mechanism is proposed by Zhen and Srinivas [63]. The RTT is the time that extends from the RREQ sending time of a node A to the route-reply message (RREP) receiving time from a node B by node A. When node B receives an RREQ, it will check the RTT. If the RTT exceeds a threshold, the RREQ will be dropped. However, it implies that the routing messages cannot be altered and all nodes are time synchronized, and a key pair exists between any node pair. A will calculate the RTT between A and all its neighbors.
Because the RTT between two fake neighbors is higher than two real neighbors, node A can identify both the fake and real neighbors. In this mechanism, each node calculates the RTT between itself and all its neighbors. This mechanism does not require any special hardware and it is easy to implement; however, it cannot detect exposed attacks because fake neighbors are created in exposed attacks. 4.3 Multi-dimensional Scaling-Visualization-based Solutions Multi-dimensional scaling-visualization of wormhole (MDS-VOW) is adopted in Wang and Bhargava [64] to detect wormhole attacks in WSNs. The approach is based on the observation that the network with malicious nodes has different visualization from that with normal nodes. In this method, the authors first
95

Meghdadi M, et al.: A Survey of Wormhole-based Attacks and their Countermeasures in Wireless Sensor Networks

construct the layout of the sensor nodes using MDS. Then the layout of the network can be reconstructed and visualized. In their approach, wormhole attack can be detected by visualizing the anomalies introduced by the attack. In this method, each sensor node estimates the distance to its neighbors using the received signal strength. All sensor nodes send this distance information to the base station (sink), which calculates the networks physical topology based on individual sensor distance measurements. Otherwise it requires that the distance for all node pairs can be obtained by base station (with more power and capacity). If wormhole attackers exist, the shape of the constructed network layout will show some bent/distorted features and detects the wormhole by visualizing the anomalies introduced by the attack [Figure 7a]. With no wormholes present, the network topology should be more or less flat [Figure 7b], while a wormhole would be seen as a string pulling different ends of the network together. To compensate the distortions caused by distance measurement errors, a surface smoothing scheme is adopted. MDS-VOW then detects the wormhole by visualizing the anomalies introduced by the attack. 4.4 Trust-based Solutions Wormhole attacks can be detected using the trust information among the sensor nodes [65]. Sensor nodes can monitor the behavior of their neighboring nodes and rate them. In trust-based systems, each source node uses its trust information to compute the most trustworthy path to a particular destination by circumventing intermediary malicious nodes. Assuming that a wormhole drops all the packets, a wormhole in such a system should have the least trust level and can be easily eliminated. Similarly, a neighboring node of a source node will have the highest trust level if all the packets sent reach the destination. Ozdemir et al. [65] proposed a time and trust-based

wormhole detection mechanism. The proposed technique combines a time-based module with a trustbased module to detect compromised nodes that send false information. These two systems run in parallel. Time-based module acts in three steps: in the first step, neighboring nodes are specified for each node. In the second step each node finds the most appropriate path to the base station. Finally, in the third step, the algorithm investigates whether there is wormhole in the network. Malicious nodes on the path can mislead the time-based module by providing incorrect information. To prevent this problem, trust-based module constantly observes the first module and calculates trust values of neighbor nodes. These values are used to modify the path next time. Overall system structure is shown in Figure 8. Pirzada and Mcdonald [66] deviate from the customary strategy of using cryptography and instead use a trustbased scheme that is influenced by the human behavioral model. They applied a trust scheme to the DSR protocol [55] to detect sinkhole and wormhole attacks in a sensor network. This system requires the nodes to operate in a promiscuous mode. They use inherent features of DSR protocol to compute trust level in neighbor nodes. In this system, each node must execute the trust model, measures the sincerity of its neighbor nodes by monitoring their participation in the packet forwarding mechanism. The source node verifies the different fields in the forwarded IP packet for requisite modifications through a sequence of integrity checks. If the forwarding node does not transmit the packet at all, its trust measure is decremented. Similarly, if the integrity checks succeed, it confirms that its direct trust counter is incremented. 4.5 Localization-based Solutions Most of the localization-based systems are vulnerable to wormhole attacks as they can disturb the localization procedure. Chen et al. [67] proposed secure localization schemes against wormhole attacks in WSNs. 
To prevent

Figure 7: Visualization of wormhole in a network [64] (a) A wormhole between nodes B and C (b) Network without wormhole.

96

IETE TECHNICAL REVIEW | VOL 28 | ISSUE 2 | MAR-APR 2011

Meghdadi M, et al.: A Survey of Wormhole-based Attacks and their Countermeasures in Wireless Sensor Networks

the effect of wormhole, they propose a 'distanceconsistency-based secure location' scheme including: wormhole attack detection, valid location identification and self-localization. Moreover, to achieve secure localization in a WSN and defend against wormhole attack, Chen et al. [68] make a 'conflicting-set' for each node so that the node can use all conflicting sets of its neighboring locators to filter out incorrect distance measurements of its neighboring locators. The limitation of this method is that it only works properly when the system has no packet loss. As the attackers may drop the packets purposely, the packet loss is inevitable when the system is under a wormhole attack. Lazos and Poovendran [69] developed a graphtheoretical approach to wormhole attack prevention in WSNs. The proposed protocol is based on the use of limited location-aware guard nodes (LAGNs) which are nodes with known location and origination and can be acquired through GPS receivers. LAGNs use local broadcast keys that are valid only between immediate one hop neighbors. In the proposed protocol, in order to defy wormhole attackers, a message encrypted with a local key encrypted with the pair-wise key at one end of the network cannot be decrypted at another end. The authors propose it to use hashed messages from LAGNs to detect wormholes during the key establishment. A node can detect certain inconsistencies in messages from different LAGNs if a wormhole is present. Without a wormhole, a node should not be able to hear two LAGNs that are far from each other, and should not be able to hear the same message from one guard twice. 4.6 Secure Neighbor Discovery Approaches Securely discovering ones neighbors is an effective technique for countering wormhole attacks. Khalil et al. [36] have presented detection and isolation protocol against wormhole attacks. They present a method

that can be applied for detecting each mode of the wormhole attack except the protocol deviation. Proposed algorithm has two steps. In the first step, neighboring list of each node is being built. In the second step, a collaborative detection strategy for wormholes is used, where a node monitors the traffic going in and out of its neighbors. The fundamental mechanism used is local monitoring. A sensor node monitors the traffic in and out of its neighboring nodes and uses a data structure for the first and second hop neighbors. This protocol isolates the malicious node and removes its ability to cause future damage. Shokri et al. [70] proposed a secure and practical protocol for wormhole detection on WSNs. The main idea of the algorithm is the use of consistency tests. This algorithm acts in three stages: ranging, exchanging the neighbor tables and neighbor verification. Khalil et al. [71] use a secure central authority for global tracking of node positions, local monitoring to detect and isolate malicious nodes locally and a global isolation to isolate the malicious node from the whole network. In [40], Hu and Evans use a method for secure ND using the directionality of the antennas on each node with precise alignment of the nodes. However, most of the existing work on secure ND has limitations in accuracy, resource requirements and applicability to ad-hoc and sensor networks. Papadimitratos et al. [72] provide secure ND literature survey and also secure ND protocols properties; also, specification of a basic variant of the ND problems is presented by Poturalski et al. [73]. 4.7 Connectivity-based Approaches As connectivity is not expected to change frequently in static sensor networks, making connectivity (or topology)-based approaches seems quite practical in this kind of networks. But authors in [74] show that it is impossible for these approaches to detect some worm-

Figure 8: Time and trust based wormhole detection mechanism [65].

Figure 9: Some wormhole attacks are not detected by connectivity based wormhole detection approaches. These two network topology one contains a wormhole and the other does not [74].

IETE TECHNICAL REVIEW | VOL 28 | ISSUE 2 | MAR-APR 2011

97

Meghdadi M, et al.: A Survey of Wormhole-based Attacks and their Countermeasures in Wireless Sensor Networks

hole attacks. For example, in Figure 9 one network topology contains a wormhole and the other does not; however, it is indistinguishable. Additionally, a wormhole that can decode packets can choose to tunnel only traffic between two select nodes over a short distance; such wormholes have a minimal impact on network topology and may not be easily detected by such approaches. In [18] and [74], the authors proposed a wormhole detection protocols that use only connectivity information in the connectivity graph. In [18], the proposed approaches are localized and do not use any special hardware or location information for attack detection. The detection algorithm looks for 'forbidden substructures' in the connectivity graph that should not be present in a legal connectivity graph. They use unit desk graph (UDG) model that have long been used to create an idealized model of multi-hop wireless networks. They run an extra search procedure to determine a critical parameter for the detection algorithm. However, these topology-based approaches alone cannot detect all wormhole attacks in the network. 4.8 Radio Fingerprinting Approaches The most important aim of these approaches is the detection of device (or signal) characteristics that form a valid device fingerprint, based on which associations between observed messages and their senders can be organized. In 2007, Rasmussen and Capkun [38] have explored device fingerprinting for the identification of nodes in a sensor network. In this research, the radio signal first is received by the fingerprinting device and then converted to its digital format. The signal transient is then located and its features are extracted. A set of features form a fingerprint that can later be used for device identification. Researchers in [38] demonstrate that device fingerprinting can be successfully performed on sensor nodes, which use Chipcon 1000, 433 MHz radios even if message contents and device identifiers were hidden. 
They only scratched the surface of radio fingerprinting and its implications on WSNs. A number of issues are still left open in this investigation, from the formations of better fingerprints to the impact of noise and mobility on the fingerprinting process.
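The temporal-leash expiry check and the send-time comparison of Section 4.2 can be written as follows; this is an added example, not code from the surveyed papers. It assumes an HMAC-SHA256 tag under a pairwise key protects the timestamps (the authentication requirement raised in Section 5), and the function names, the 60 m leash and the 10 ns clock-error bound are constructed for illustration.

```python
import hashlib
import hmac
import struct

C_M_PER_NS = 0.299792458        # radio propagation speed in metres per nanosecond
HEADER = struct.Struct(">QQ")   # send time and expiry time, both in nanoseconds
TAG_LEN = 32                    # length of an HMAC-SHA256 tag


def make_packet(key, payload, t_send_ns, max_range_m, clock_err_ns):
    """Sender: attach send time and leash expiry, then authenticate both.

    Expiry = send time + time needed to cross max_range_m - clock error bound,
    so a receiver whose clock differs by up to clock_err_ns never accepts a
    packet that travelled farther than max_range_m.
    """
    max_flight_ns = int(max_range_m / C_M_PER_NS)
    if max_flight_ns <= clock_err_ns:
        raise ValueError("clock error bound is larger than the leash itself")
    header = HEADER.pack(t_send_ns, t_send_ns + max_flight_ns - clock_err_ns)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def check_leash(key, packet, t_recv_ns):
    """Receiver: returns 'accept', 'bad_mac' or 'expired'."""
    if len(packet) < HEADER.size + TAG_LEN:
        return "bad_mac"
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad_mac"        # timestamps or payload were altered in transit
    _t_send_ns, t_expire_ns = HEADER.unpack(body[:HEADER.size])
    if t_recv_ns > t_expire_ns:
        return "expired"        # receiving time exceeds expiry: discard
    return "accept"


def distance_slack_m(clock_err_ns):
    """Travel distance that a clock error of clock_err_ns can hide."""
    return clock_err_ns * C_M_PER_NS


def run_scenarios():
    """Constructed values: 60 m leash, clocks within 10 ns of each other."""
    key = b"constructed pairwise key"
    t_send = 1_000_000
    pkt = make_packet(key, b"reading=21.5C", t_send, max_range_m=60, clock_err_ns=10)
    # A relay that rewrites the expiry field cannot recompute the tag.
    forged = HEADER.pack(t_send, t_send + 10**9) + pkt[HEADER.size:]
    return {
        # 30 m away: about 100 ns of flight, receiver clock 5 ns ahead
        "neighbour_30m": check_leash(key, pkt, t_send + 100 + 5),
        # replayed after a 2 km tunnel: at least about 6.7 us of flight
        "replayed_via_2km_tunnel": check_leash(key, pkt, t_send + 6700),
        "expiry_rewritten": check_leash(key, forged, t_send + 6700),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
    print(f"1 ms of clock error hides {distance_slack_m(1_000_000):.0f} m")
```

`make_packet` refuses a 60 m leash under a 1 ms clock-error bound, because that error alone hides about 300 km of travel.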
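The direct trust counters of Section 4.4 and the choice of the most trustworthy path, as an added example (not the code of [65] or [66]). Assumptions: trust values for all nodes on the candidate routes are available to the source, a forwarded packet that fails the integrity checks also counts against the node, and path trust is the product of smoothed per-node success ratios; all names and the seven-link topology are constructed.

```python
import heapq
import math
from collections import defaultdict


class DirectTrust:
    """Per-node record built from overheard (promiscuous-mode) forwarding."""

    def __init__(self):
        self.good = defaultdict(int)
        self.bad = defaultdict(int)

    def observe(self, node, forwarded, integrity_ok=True):
        # Up when the packet is forwarded and passes the integrity checks,
        # down when it is not transmitted at all (or, assumed here, altered).
        if forwarded and integrity_ok:
            self.good[node] += 1
        else:
            self.bad[node] += 1

    def counter(self, node):
        return self.good[node] - self.bad[node]

    def level(self, node):
        # Smoothed success ratio in (0, 1); 0.5 for a node never observed.
        return (self.good[node] + 1) / (self.good[node] + self.bad[node] + 2)


def most_trusted_path(links, trust, src, dst):
    """Path that maximises the product of the intermediate nodes' trust levels.

    Dijkstra over costs -log(level): the smallest sum is the largest product.
    """
    adj = defaultdict(set)
    for u, v in links:
        adj[u].add(v)
        adj[v].add(u)
    best = {src: 0.0}
    heap = [(0.0, [src])]
    while heap:
        cost, path = heapq.heappop(heap)
        node = path[-1]
        if node == dst:
            return path
        if cost > best.get(node, math.inf):
            continue
        for nxt in sorted(adj[node]):
            step = 0.0 if nxt == dst else -math.log(trust.level(nxt))
            if cost + step < best.get(nxt, math.inf):
                best[nxt] = cost + step
                heapq.heappush(heap, (cost + step, path + [nxt]))
    return None


# Constructed topology: an honest four-hop route and a shorter route whose
# middle link W1-W2 is the wormhole tunnel.
LINKS = [
    ("S", "A"), ("A", "B"), ("B", "C"), ("C", "D"),
    ("S", "W1"), ("W1", "W2"), ("W2", "D"),
]


def route_after(observations):
    """Replay constructed (node, forwarded, integrity_ok, count) observations."""
    trust = DirectTrust()
    for node, forwarded, integrity_ok, count in observations:
        for _ in range(count):
            trust.observe(node, forwarded, integrity_ok)
    return most_trusted_path(LINKS, trust, "S", "D"), trust


if __name__ == "__main__":
    honest = [(n, True, True, 10) for n in ("A", "B", "C")]
    print("no history:       ", route_after([])[0])
    print("wormhole drops:   ", route_after(honest + [("W1", False, True, 10)])[0])
    print("wormhole forwards:", route_after(
        honest + [("W1", True, True, 10), ("W2", True, True, 10)])[0])
```

The third scenario shows the limit the text states: a wormhole that forwards every packet keeps a high trust level and is still chosen.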
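The 'forbidden substructure' test of Section 4.7, as an added example rather than the protocol of [18]. It assumes an ideal unit disk graph, in which geometry allows two non-neighboring nodes at most two mutually non-neighboring common neighbors, so three is treated as forbidden; the node names, coordinates and wormhole endpoints are constructed.

```python
from itertools import combinations
from math import dist


def unit_disk_graph(positions, radius=1.0):
    """Connectivity graph: nodes are linked iff they are within radio range."""
    adj = {name: set() for name in positions}
    for a, b in combinations(positions, 2):
        if dist(positions[a], positions[b]) <= radius:
            adj[a].add(b)
            adj[b].add(a)
    return adj


def add_wormhole(adj, positions, end_x, end_y, radius=1.0):
    """Graph as the nodes see it when a tunnel relays traffic between two points.

    Every node within range of one endpoint appears to be a neighbour of every
    node within range of the other endpoint.
    """
    near_x = [n for n, p in positions.items() if dist(p, end_x) <= radius]
    near_y = [n for n, p in positions.items() if dist(p, end_y) <= radius]
    seen = {n: set(nbrs) for n, nbrs in adj.items()}
    for a in near_x:
        for b in near_y:
            if a != b:
                seen[a].add(b)
                seen[b].add(a)
    return seen


def forbidden_pairs(adj, f=3):
    """Non-neighbouring pairs that share f mutually non-neighbouring neighbours.

    f=3 is the bound assumed here for an ideal unit disk graph; other radio
    models need a different value.
    """
    hits = []
    for a, b in combinations(sorted(adj), 2):
        if b in adj[a]:
            continue
        common = sorted(adj[a] & adj[b])
        for group in combinations(common, f):
            if all(v not in adj[u] for u, v in combinations(group, 2)):
                hits.append((a, b, group))
                break
    return hits


def constructed_deployment():
    """Constructed layout (radio range 1): two clusters joined by a 9-node chain."""
    positions = {
        "a": (-0.8, 0.0), "m": (0.0, 0.0), "b": (0.8, 0.0),
        "n": (10.0, 0.0), "c1": (10.0, 0.9),
        "c2": (10.78, -0.45), "c3": (9.22, -0.45),
    }
    positions.update({f"r{i}": (0.8 + 0.9 * i, 0.0) for i in range(1, 10)})
    return positions


if __name__ == "__main__":
    pos = constructed_deployment()
    clean = unit_disk_graph(pos)
    wide = add_wormhole(clean, pos, (0.0, 0.0), (10.0, 0.0))
    narrow = add_wormhole(clean, pos, (-0.8, -0.9), (10.78, -1.35))
    print("no wormhole:    ", forbidden_pairs(clean))
    print("wide wormhole:  ", forbidden_pairs(wide))
    print("narrow wormhole:", forbidden_pairs(narrow))
```

The second wormhole links only one node at each end and leaves no forbidden substructure, matching the text's remark that such wormholes have a minimal impact on topology.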

5. Discussion and Open Research Issues

In previous sections, we presented several wormhole attack types and their countermeasures in WSNs. This section summarizes the wormhole detection techniques and identifies the open research issues in this area. In Table 2, the most important works in combating wormhole attacks are enumerated chronologically. As seen from Table 2, early wormhole detection techniques were based on the employment of additional hardware. However, because additional hardware increases the manufacturing cost per sensor node, researchers have lately focused on software-based wormhole detection techniques. However, the majority of the proposed software-based solutions have some special requirements or assumptions to detect wormhole attacks and hence may have feasibility problems in real-world applications [40,51,58-62].

Among software-based solutions, distance-bounding techniques and time-based techniques are widely accepted, as they are promising in terms of detecting wormhole attacks without requiring additional hardware. These techniques generally assume that the time or distance data used for wormhole detection cannot be changed. However, since malicious nodes are able to change any type of data they receive, distance-bounding and time-based wormhole detection techniques must be supported by cryptographic authentication mechanisms so that the authenticity of the information can be verified over the path. On the other hand, cryptographic authentication mechanisms require the existence of shared keys among non-neighboring sensor nodes, which may not be possible all the time [75-79].

Another possible technique that can be combined with distance-bounding and time-based wormhole detection solutions is to use reputation and trust-based systems [65]. The efficiency of reputation and trust-based systems in detecting abnormal activities in WSNs is proven [80]. By employing a trust establishment mechanism among sensor nodes, malicious nodes that change the time or distance information to perform a wormhole attack can be detected [65]. Although the integration of trust-based systems and time or distance-bounding wormhole detection techniques is a promising research area, there is limited research [65]. Hence, it is a good research direction for wormhole detection.

The exploration of authentication mechanisms that can be integrated with time or distance-bounding wormhole detection techniques is another promising research direction. Data and source authentication protocols may prevent malicious nodes from changing the time or distance information of data packets, thereby mitigating the deficiencies of time or distance-bounding wormhole detection techniques.

Wormhole attacks are strictly related to routing protocols. As new routing protocols are proposed for WSNs, it is important to identify possible vulnerabilities of these new routing protocols, and to investigate the effectiveness of the existing wormhole detection techniques on these protocols. Hence, there is scope for further research in terms of validating existing wormhole detection techniques on new routing protocols.

Table 2: Chronological summary of some important wormhole attack detection mechanisms


Researchers Hu et al. [15] Year 2003 Method Geographic and temporal leashes Packet leashes, end-to-end Network visualization Localization LISP Directional antennas Requirements/Commentary GPS coordination of every node; Loosely synchronized clocks (ms); Robust, straightforward solution; Inheritance of general limitations of GPS technology GPS coordination of every node; Loosely synchronized clocks (ms); Inheritance of limitations of GPS technology Centralized Controller; Works best on dense networks; Mobility is not studied; Varied terrains are not studied Location-aware; use of guard Nodes; Not readily applicable to mobile networks Applicable only to static stationary networks; Impractical Directional antennas on all nodes; Good solutions for networks relying on directional antennas, but not directly applicable to other networks Several nodes equipped with both GPS and directional antennas Hardware enabling one-bit message and immediate replies without CPU involvement; Impractical; Likely to require MAC-layer modifications Works only with multi-path on-demand protocols Static topology for network; Pre-distribution pair-wise key management protocol; not applicable for protocol deviation mode Require connectivity information; Tightly synchronized clocks (ns); Impractical (required time synchronization level not currently achievable in sensor networks) Requires knowledge of location information; Loosely synchronized clocks; The mechanism uses geographic information and authentication to detect anomalies in neighbor relation Authentication mechanism; Time-based mechanism; Works only with standard IEEE 802.11 hardware with a minor backwards compatible firmware update Cooperation of all nodes in the path; Transmission time-based mechanism Require fingerprinting device; Chipcon 1000, 433 MHz radio was used Connectivity information is required; To be independent to wireless communication models Time- and trust-based mechanism Loosely synchronized clocks (ms); maximum 
limit on the number of nodes that an attacker can capture Secure neighbor discovery Suitable for proactive protocols; Adjacency matrix of network and graph-based mechanism; impractical Local geometric consistency tests; Secure neighbor discovery No packet loss in the System; Conflicting-set-based resistant localization system Conflicting-set-based resistant localization Distributed detection system

Capkun et al. [51] Wang and Bhargava [64] Lazos and Poovendran [69] Park and Shin [75] Hu and Evans [40] Lazos et al. [17] Baruch et al. [76]

2003 2004 2004 2004 2004 2005 2005

Time of flight

Song et al. [54] Khalil et al. [47] Hu et al. [74]

2005 2005 2006

Statistical analysis LITEWORP Connectivity-based approaches End-to-end mechanism

Weichao et al. [77]

2006

Eriksson et al. [42]

2006

True-link

Tran et al. [30], Phuong et al. [57] Rasmussen and Capkun [38] Maheshwari et al. [18] Özdemir et al. [65] Khalil et al. [71] Papadimitratos et al. [72] and Poturalski et al. [73] Venkataraman et al. [31] Shokri et al. [70] Chen et al. [68] Chen et al. [67] Graaf 2010 [78]

2007 2007 2007 2008 2008 2008 2009 2009 2009 2010 2010 2010

TTM Radio fingerprinting Connectivity graph TTBM MOBIWORP Secure neighbor discovery GTA Neighbor verification protocol CSB Secure localization

In addition, current wormhole detection research usually considers static WSNs. Hence, wormhole detection in a dynamic WSN setting is an open research area. In a dynamic WSN, any two legitimate sensor nodes that were previously many hops away from each other may become one-hop neighbors, and the base station may then think that a wormhole attack has been launched. Hence, it is a challenging problem to distinguish such legitimate nodes from malicious nodes while detecting wormhole attacks.

6. Conclusion

Wormhole attacks in WSNs can significantly degrade network performance and threaten network security. In wormhole attacks, as adversaries usually replay the legitimate data packets, detection of these attacks is quite complicated. In this paper, we presented the existing wormhole attack types and their countermeasures. After describing wormhole attack types, we analyzed the state-of-the-art in wormhole detection and provided a classification of these techniques. It is shown that, while a number of wormhole detection techniques have been proposed, each technique has its own weakness and there is no wormhole detection technique that can detect wormhole attacks completely. Finally, by analyzing pros and cons of the existing techniques, we presented the open research issues in the wormhole detection area.


References
1. A. Akyildiz, I.F. Su, W. Sankarasubramaniam, and E. Cayirci. A survey on sensor networks, IEEE Communications Magazine, vol. 40, no. 8, pp. 102114, Aug. 2002.
2. S. Hadim and S.N. Mohamed. Middleware challenges and approaches for wireless sensor networks, IEEE Distributed Systems, vol. 7, no. 3, pp. 123, Mar. 2006.
3. T. Haenselmann. Sensor networks. Published under the Free Documentation License (GND FDL). Available from: http://www.pi4.informatik.uni-mannheim.de/~haensel/sn_book/ [last cited in 2006].
4. H. Mohammadi, E.N. Oskoee, M. Afsharchi, N. Yazdani, and M. Sahimi. A percolation model of mobile ad-hoc networks, International Journal of Modern Physics C (IJMPC), vol. 20, no. 12, pp. 1871902, 2009.
5. K. Xing, S. Srinivasan, M. Rivera, J. Li, and X. Cheng. Attacks and countermeasures in sensor networks: A survey, The George Washington University Technical Report GWU-CS-TR-010-05, 2005.
6. Y. Xiao, V.K. Rayi, B. Sun, X. Du, F. Hu, and M. Galloway. A Survey of key management schemes in wireless sensor networks, Computer Communications Journal, Special issue on security on wireless ad-hoc and sensor networks, vol. 30, no. 1112, pp. 231441, Sep. 2007.
7. F. Hu, D. Dong, and Y. Xiao. Attacks and countermeasures in multi-hop cognitive radio networks, International Journal of Security and Networks, vol. 4, no. 4, pp. 26371, 2009.
8. G.C. Dalton II, K.S. Edge, R.F. Mills, and R.A. Raines. Analysing security risks in computer and radio frequency identification (RFID) networks using attack and protection trees, International Journal of Security and Networks, vol. 5, no. 2/3, pp. 8795, 2010.
9. M. Hutter, T. Plos, and M. Feldhofer. On the security of RFID devices against implementation attacks, International Journal of Security and Networks, vol. 5, no. 2/3, pp. 10618, 2010.
10. V. Karyotis, S. Papavassiliou, M. Grammatikou, and V. Maglaris. A novel framework for mobile attack strategy modeling and vulnerability analysis in wireless ad-hoc networks, International Journal of Security and Networks, vol. 1, no. 3/4, pp. 25565, 2006.
11. M. Meghdadi, S. Özdemir, and İ. Güler. Security wireless sensor networks: Problems and solutions (manuscript in Turkish), Journal of HInformatics Technologies, Gazi University, Ankara, Turkey, vol. 1, no. 1, pp. 3542, Jan. 2008.
12. M. Meghdadi, S. Özdemir, and İ. Güler. An algorithm for defending blackhole attacks in wireless sensor networks (manuscript in Turkish), Proc. of HABTEKUS 08, pp. 716, Oct. 2008.
13. H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang. Security in mobile ad-hoc networks: Challenges and solution, IEEE Wireless Communications, vol. 11, no. 1, pp. 3847, Feb. 2004.
14. Y.C. Hu, A. Perrig, and D.B. Johnson. Wormhole detection in wireless ad-hoc networks, Department of Computer Science, Rice University, Technical Report TR01-384, Jun. 2002.
15. Y.C. Hu, A. Perrig, and D.B. Johnson. Packet leashes: A defense against wormhole attacks in wireless ad-hoc networks, Proceedings of 22nd IEEE INFOCOM, pp. 197686, Apr. 2003.
16. R. Poovendran and L. Lazos. A graph theoretic framework for preventing the wormhole attack in wireless ad-hoc networks, Wireless Networks, vol. 13, no. 1, pp. 2759, Jan. 2007.
17. L. Lazos, R. Poovendran, C. Meadows, P. Syverson, and L.W. Chang. Preventing wormhole attacks on wireless ad-hoc networks: A graph theoretic approach, in Proceedings of Wireless Communications and Networking Conference, vol. 2, pp. 11939, Mar. 2005.
18. R. Maheshwari, J. Gao, and S.R. Das. Detecting wormhole attacks in wireless networks using connectivity information, Proceeding of IEEE International Conference on Computer Communication, pp. 10715, May 2007.
19. M. Khabbazian, H. Mercier, and V.K. Bhargava. Severity analysis and countermeasure for the wormhole attack in wireless ad-hoc networks, IEEE Transactions on Wireless Communications, vol. 8, no. 2, pp. 73645, Feb. 2009.
20. A. Burg. Ad-hoc network specific attacks, Seminar in Ad-hoc Networking: Concepts, Applications, and Security, Technische University München, 2003.
21. R. Berthier and M. Cukier. An evaluation of connection characteristics for separating network attacks, International Journal of Security and Networks, vol. 4, no. 1/2, pp. 11024, Feb. 2009.
22. J.P. Walters, Z. Liang, W. Shi, and V. Chaudhary. Wireless sensor network security: A survey, Security in Distributed, Grid, and Pervasive Computing, in Y. Xiao, editor, London, pp. 350, Auerbach Publications, 2006.
23. D.R. Raymond and S.F. Midkiff. Denial-of-service in wireless sensor networks: Attacks and defenses, IEEE Pervasive Computing, vol. 7, no. 1, pp. 7481, 2008.
24. A.D. Wood and J.A. Stankovic. Denial-of-service in sensor networks, IEEE Computer Society Press, vol. 35, no. 10, pp. 5462, Oct. 2002.
25. Y. Zhu, X. Fu, R. Bettati, and W. Zhao. Analysis of flow-correlation attacks in anonymity network, International Journal of Security and Networks, vol. 2, no. 1/2, pp. 13753, 2007.
26. H.Y. Hsu, S. Zhu, and A.R. Hurson. LIP: A lightweight interlayer protocol for preventing packet injection attacks in mobile ad-hoc network, International Journal of Security and Networks, vol. 2, no. 3/4, pp. 20215, 2007.
27. S. Ehlert, Y. Rebahi, and T. Magedanz. Intrusion detection system for denial-of-service flooding attacks in SIP communication networks, International Journal of Security and Networks, vol. 4, no. 3, pp. 189200, 2009.
28. J. Deng, R. Han, and S. Mishra. Limiting DoS attacks during multi-hop data delivery in wireless sensor networks, International Journal of Security and Networks, vol. 1, no. 3/4, pp. 16778, 2006.
29. H.S. Chiu and K.S. Lui. DelPHI: Wormhole detection mechanism for ad-hoc wireless networks, 1st International Symposium on Wireless Pervasive Computing, 6 pp. 16, Jan. 2006.
30. P.V. Tran, L.X. Hung, Y.K. Lee, S. Lee, and H. Lee. TTM: An efficient mechanism to detect wormhole attacks in wireless ad-hoc networks, 4th IEEE Consumer Communication and Networking Conference (CCNC07), pp. 5938, May 2007.
31. R. Venkataraman, M. Pushpalatha, T.R. Rao, and R. Khemka. A graph-theoretic algorithm for detection of multiple wormhole attacks in mobile ad-hoc networks, International Journal of Recent Trends in Engineering, vol. 1, no. 2, May 2009.
32. P. Papadimitratos and Z.J. Haas. Secure routing for mobile ad hoc networks, SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), pp. 2731, Jan. 2002.
33. S. Pal, A.K. Mukhopadhyay, and P.P. Bhattacharya. Defending mechanisms against sybil attack in next generation mobile ad-hoc networks, ITEE Technical Review Journal, vol. 25, no. 4, pp. 20914, Jul-Aug. 2008.
34. J.R. Douceur. The sybil attack, Proceedings of the International Workshop on Peer-to-Peer Systems, pp. 25160, Mar. 2002.
35. D. Glynos, P. Kotzanikolaou, and C. Douligeris. Preventing impersonation attacks in MANET with multi-factor authentication, Proceedings of the Third International Symposium on Modeling and Optimization in Mobile, Ad Hoc and Wireless Networks, pp. 5964, Apr. 2005.
36. T.R. Andel and A. Yasinsac. The invisible node attack revisited, Proceeding of IEEE, pp. 68691, Mar. 2007.
37. S. Pal, A.K. Mukhopadhyay, and P.P. Bhattacharya. Defending mechanisms against sybil attack in next generation mobile ad-hoc networks, IETE Technical Review, vol. 25, no. 4, pp. 20914, Jul-Aug. 2008.
38. K.B. Rasmussen and S. Capkun. Implications of radio fingerprinting on the security of sensor networks, Third International Conference on Security and Privacy in Communication Networks and the Workshops, pp. 33140, Sep. 2007.
39. Y.C. Hu and A. Perrig. A survey of secure wireless ad-hoc routing, Security and Privacy Magazine, IEEE, vol. 2, no. 3, pp. 2839, May 2004.
40. L. Hu and D. Evans. Using directional antennas to prevent wormhole attacks, Proceedings of Network and Distributed System Security Symposium, pp. 13141, Feb. 2004.
41. Z. Tun and A.H. Maw. Wormhole attack detection in wireless sensor networks, Proceedings of World Academy of Science Engineering and Technology, vol. 46, pp. 54550, Dec. 2008.
42. J. Eriksson, S. Krishnamurthy, and M. Faloutsos. Truelink: A practical countermeasure to the wormhole attack, International Conference on Network Protocols, pp. 7584, Nov. 2006.
43. L.M. Ni and P.K. McKinley. A survey of wormhole routing techniques in direct networks, IEEE Computer, vol. 26, no. 2, pp. 6276, Feb. 1993.
44. A. Scaglione and Y.W. Hong. Opportunistic large arrays: Cooperative transmission in wireless multi-hop ad-hoc networks to reach far distances, IEEE Transactions on Signal Processing, vol. 51, no. 8, pp. 208292, Aug. 2003.
45. K. Sanzgiri, B. Dahill, B. Levine, and E. Belding-Royer. A secure routing protocol for ad-hoc networks, Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP 02), pp. 7887, Nov. 2002.
46. S. Han, E. Chang, L. Gao, and T. Dillon. Taxonomy of attacks on wireless sensor networks, Proceeding of the First European Conference on Computer Network Defense School of Computing, pp. 97105, Dec. 2005.
47. I. Khalil, S. Bagchi, and N.B. Shroff. LITEWORP: A lightweight countermeasure for the wormhole attack in multi-hop wireless networks, Proceedings of the International Conference on Dependable Systems and Networks, pp. 61241, 2005.
48. T. Korkmaz. Verifying physical presence of neighbors against replay-based attacks in wireless ad-hoc networks, International Conference On Information Technology: Coding and Computing 2005 (ITCC 2005), pp. 7049, 2005.
49. Y.C. Hu, A. Perrig, and D. Johnson. Rushing attacks and defense in wireless ad-hoc network routing protocols, ACM Workshop on Wireless Security, pp. 3040, 2003.
50. L. Buttyan and J.P. Hubaux. Security and cooperation in wireless networks, Cambridge University Press Textbook, Draft Ver.1.5.1, 2007.
51. S. Capkun, L. Buttyan, and J.P. Hubaux. SECTOR: Secure tracking of node encounters in multi-hop wireless networks, Proceedings of the 1st ACM workshop on Security of ad-hoc and sensor networks (SASN 03), pp. 2132, Oct. 2003.
52. F. Hong, L. Hong, and C. Fu. Secure OLSR, 19th International Conference On Advanced Information Networking and Applications (AINA 2005), vol. 1, 25-30, pp. 7138, Mar. 2005.
53. L. Buttyan, L. Dora, and I. Vajda. Statistical wormhole detection in sensor networks, Second European Workshop on Security and Privacy in ad-hoc and Sensor Networks (ESAS 2005), pp. 12841, Jul. 2005.
54. N. Song, L. Qian, and X. Li. Wormhole attack detection in wireless ad-hoc networks: A statistical analysis approach, Parallel and Distributed Processing Symposium, Proceedings of 19th IEEE, Apr. 2005.
55. D.B. Johnson, D.A. Maltz, and Y. Hu. The dynamic source routing protocol for mobile ad-hoc networks, IETF MANET, Internet Draft. Available from: http://www.cs.cmu.edu/~dmaltz/internetdrafts/draft-ietf-manet-dsr-09.txt [last cited in 2003].
56. K.U. Khan, A.V. Reddy, R.U. Zaman, K.A. Reddy, and T.S. Harsha. An efficient DSDV routing protocol for wireless mobile ad-hoc networks and its performance comparison, Second UKSIM European Symposium on Computer Modeling and Simulation, pp. 50611, Sep. 2008.
57. T.V. Phuong, N.T. Canh, Y.K. Lee, S. Lee, and H. Lee. Transmission time-based mechanism to detect wormhole attacks, IEEE Asia-Pacific Services Computing Conference, pp. 1728, 2007.
58. R.R. Choudhury, X. Yang, N.H. Vaidya, and R. Ramanathan. Using directional antennas for medium access control in ad-hoc networks, MobiCom02: Proceedings of the 8th annual international conference on Mobile computing and networking, pp. 5970, 2002.
59. S. Yi, Y. Pei, and S. Kalyanaraman. On the capacity improvement of ad-hoc wireless networks using directional antennas, MobiHoc 2003, Proceedings of the 4th ACM international symposium on Mobile ad-hoc networking and computing. New York, NY, USA: ACM Press; pp. 10816, 2003.
60. M. Takai, J. Martin, R. Bagrodia, and A. Ren. Directional virtual carrier sensing for directional antennas in mobile ad-hoc networks, MobiHoc02, Proceedings of the 3rd ACM international symposium on Mobile ad-hoc networking and computing, pp. 18393, 2002.
61. R. Ramanathan. On the performance of ad hoc networks with beam forming antennas, MobiHoc01: Proceedings of the 2nd ACM international symposium on Mobile ad-hoc networking and computing: ACM Press, pp. 95105, 2001.
62. S. Brands and D. Chaum. Distance-bounding protocols, In Theory and Application of Cryptographic Techniques, pp. 34459, 1993.
63. J. Zhen and S. Srinivas. Preventing replay attacks for secure routing in ad-hoc networks, Proc. of 2nd Ad Hoc Networks and Wireless, pp. 14050, 2003.
64. W. Wang and B. Bhargava. Visualization of wormholes in sensor networks, WiSe 04, Proceedings of the 2004 ACM workshop on Wireless security. ACM Press, pp. 5160, 2004.
65. S. Özdemir, M. Meghdadi, and İ. Güler. A time and trust based wormhole detection algorithm for wireless sensor networks (manuscript in Turkish), in 3rd Information Security and Cryptology Conference (ISC08), pp. 1394, 2008.
66. A.A. Pirzada and C.S. McDonald. Circumventing sinkholes and wormholes in ad-hoc wireless networks, Proceedings of International Workshop on Wireless Ad-hoc Networks, London, England, Kings College, London, 2005.
67. H. Chen, W. Lou, X. Sun, and Z. Wang. A secure localization approach against wormhole attacks using distance consistency, EURASIP Journal on Wireless Communication and Networking, Special Issue on Wireless Network Algorithms, Systems, and Applications, pp. 2232, 2010.
68. H. Chen, W. Lou, and Z. Wang. Conflicting-set-based wormhole attack resistant localization in wireless sensor networks, Book Chapter Lecture Notes in Computer Science Ubiquitous Intelligence and Computing, vol. 5585/2009, pp. 296309, 2009.
69. L. Lazos and R. Poovendran. Serloc: Secure range-independent localization for wireless sensor networks, Proceedings of the ACM Workshop on Wireless Security, pp. 2130, Oct. 2004.
70. R. Shokri, M. Poturalski, G. Ravot, P. Papadimitratos, and J.P. Hubaux. A practical secure neighbor verification protocol for wireless sensor networks, ACM WiSec, 2009.
71. I. Khalil, S. Bagchi, and N.B. Shroff. MOBIWORP: Mitigation of the wormhole attack in mobile multi-hop wireless networks, Elsevier Ad Hoc Networks, vol. 6, no. 3, pp. 34462, 2008.
72. P. Papadimitratos, M. Poturalski, P. Schaller, P. Lafourcade, D. Basin, S. Capkun, and J.P. Hubaux. Secure neighborhood discovery: A fundamental element for mobile ad-hoc networking, IEEE Communications Magazine, Feb. 2008.
73. M. Poturalski, P. Papadimitratos, and J.P. Hubaux. Secure neighbor discovery in wireless networks: Formal investigation of possibility, ACM ASIACCS2008, pp. 189200, 2008.
74. Y.C. Hu, A. Perrig, and D.B. Johnson. Wormhole attacks in wireless networks, IEEE Journal on Selected Areas of Communications, vol. 24, no. 2, pp. 37080, 2006.
75. T. Park and K. Shin. LISP: A lightweight security protocol for wireless sensor networks, Proceedings of ACM transaction on Embedded Computing systems, vol. 3, no. 3, pp. 63460, 2004.
76. A. Baruch, R. Curmola, C. Nita-Rotaru, D. Holmer, and H. Rubens.

101

Meghdadi M, et al.: A Survey of Wormhole-based Attacks and their Countermeasures in Wireless Sensor Networks On the survivability of routing protocols in ad-hoc wireless networks, First International Conference on Security and Privacy for Emerging Areas Communications, pp. 32738, 2005. W. Weichao, B. Bharat, Y. Lu, and X. Wu. Defending against wormhole attacks in mobile ad-hoc networks, Wireless Communication and Mobile Computing, vol. 6, no. 4, pp 483503, 2006. R. Graaf, I. Hegazy, J. Horton, and R. Safavi-Naini. Distributed Detection of wormhole attacks in wireless sensor networks, Springer book chapter Ad Hoc Networks, vol. 28, pp. 20822, 2010. D. Liu, P Ning, and R. Li. Establishing pair-wise keys in distributed . sensor networks, ACM Transactions on Information and System Security, vol. 8, no.1, pp. 4177, 2005. S. Ozdemir, "Functional reputation based reliable data aggregation and transmission for wireless sensor networks, Computer Communications, Elsevier, vol. 31, no. 17, pp. 394153, 2008.

77. 78.

79.

80.

AUTHORS
Majid Meghdadi was born in Zanjan, Iran in 1965. He received the B.S. degree in Mathematics and Applied Computer from the University of Tehran, Iran in 1991, the M.S. degree in Computer Engineering from the University of Sharif, Iran in 1994 and the PhD degree in Electronic and Computer Education in 2010 from Gazi University, Turkey. His current research interests include security in wireless sensor networks. E-mail: meghdadi@znu.ac.ir

Suat Ozdemir has been with the Computer Engineering Department at Gazi University, Ankara, Turkey since 2007. He received his MSc degree from Syracuse University and his PhD degree from Arizona State University, both in Computer Science. Dr. Ozdemir's research areas mainly include sensor networks, wireless networks, network security, and data mining. He is a member of IEEE and is currently serving as editor/TPC member/reviewer for various leading IEEE and ACM journals and conferences. E-mail: suatozdemir@gazi.edu.tr

Inan Güler was born in Duzce, Turkey in 1956. He graduated from Erciyes University in 1981. He received the M.S. degree from Middle East Technical University in 1985 and the Ph.D. degree from Istanbul Technical University in 1990, both in electronic engineering. He is a Professor at Gazi University and also a head of department. His areas of interest include biomedical instrumentation, biomedical signal processing, electronic instrumentation, neural networks, and artificial intelligence. He has written more than 150 articles related to his areas of interest. E-mail: iguler@gazi.edu.tr

DOI: 10.4103/0256-4602.78089; Paper No TR 116_10; Copyright 2011 by the IETE
