
The Journal of China Universities of Posts and Telecommunications
October 2012, 19(Suppl. 2): 52–56
www.sciencedirect.com/science/journal/10058885 http://jcupt.xsw.bupt.cn

The detection and defence of DoS attack for wireless sensor network
ZHANG Yi-ying¹,², LI Xiang-zhen³, LIU Yuan-an¹

1. Beijing University of Posts and Telecommunications, Beijing 100876, China
2. State Grid Information & Telecommunication Company Ltd., Beijing 100761, China
3. State Grid Electric Power Research Institute, Nanjing 210003, China

Abstract
Wireless sensor networks (WSNs) have been widely deployed in many applications, but because sensors are limited in energy, computation and storage, it is a critical challenge to provide an effective and lightweight security protocol that prevents the various attacks on WSNs, especially the denial of service (DoS) attack. Normally, the adversaries compromise sensors and launch the DoS attack by replaying redundant messages or generating an excess of fake messages. In this paper, we design a novel message observation mechanism (MoM) to detect and defend against the DoS attack. Based on the spatiotemporal correlation, MoM utilizes the similarity function to identify the content attack as well as the frequency attack. The MoM then adopts rekey and reroute countermeasures to isolate the malicious node. The security analysis shows that our solution can not only detect and defend against the DoS attack but also reduce the energy consumption.

Keywords DoS attack, wireless multimedia sensor network, security, attack

Received date: 29-06-2012
Corresponding author: ZHANG Yi-ying, E-mail: winzyy@163.com
DOI: 10.1016/S1005-8885(11)60444-5

1 Introduction

Sensors are limited in energy, computation and storage, so although WSNs have been widely deployed in many applications, it is a huge challenge to provide an effective and lightweight security protocol that prevents the various attacks on WSNs, especially the DoS attack [1–5]. Normally, in WSNs, many kinds of sensors are distributed to monitor temperature, vibration, sound, video, etc.

However, the adversaries can compromise some sensors and launch the DoS attack by replaying redundant messages or generating an excess of fake messages. Under this situation, the DoS attack breaks off the wireless communication channel, possibly unintentionally, in the form of interference, noise or collision between the senders and the receivers, which can lead to a high-transmission-power signal in a certain area and then overwhelm sensors by flooding bogus or relayed packets. The DoS attack can quickly exhaust the limited energy and block the communication bandwidth, so that the network works poorly or even fails.

In this paper, we design a novel MoM for the hierarchical WSN based on spatiotemporal correlation [6]. In MoM, we store several representative normal messages and abnormal messages as reference data sets. The MoM is usually deployed in the cluster head (CH).

As mentioned above, MoM includes two types of lists, the normal message list (NML) and the abnormal message list (AML), which distinguish forged messages and redundant messages (replay attack) based on the lists and on frequency. We also use MoM to judge new events, to avoid the adversary's tampering with packets.

When the CHs identify DoS attacks, they determine the malicious node and adopt the corresponding countermeasures. First, the CH broadcasts the malicious node information to the member nodes. Then, they rekey and isolate the malicious node. We present an avoidance function to ensure that the adversary's node has no chance to obtain the new key. The security analysis shows that our solution can not only detect and defend against the DoS attack but also effectively aggregate the redundant messages, including the bogus messages, and reduce the energy consumption.

Compared with the previous works for DoS detection in WSNs, the proposed MoM has the following scientific research contributions:
1) MoM utilizes the spatiotemporal correlation activities as well as the statistical similarity, which provides a heuristic methodology to detect the malicious sensor.
2) In MoM, there are two types of list for the judgment of messages, which can effectively reduce computation and energy consumption.
3) The CH can authenticate and manage member nodes based on the cluster architecture, which localizes the DoS attack and enhances the security.

The rest of this paper is organized as follows: Sect. 2 discusses previous work. In Sect. 3, we present the system model. Sect. 4 presents the attack model. In Sect. 5, we describe the detection and defence of DoS attack in detail. Sect. 6 analyzes the security of our solution. Finally, in Sect. 7, we conclude our paper.

2 Related work

WSNs are vulnerable to DoS attacks since they are energy-constrained devices without a central powerful monitoring point [1–4]. Meanwhile, there are different types of DoS attack in the protocol layers of a sensor network [2]. Many solutions for different sensor network routing protocols have been designed to enhance the security of sensor networks [7–8].

In Ref. [7], the authors designed a one-way hash chain (OHC) to protect end-to-end communications in WSNs from path-based DoS attacks. The scheme deploys an OHC in each intermediate node of the path to detect a PDoS attack, and puts a new OHC number on every message from the source. Therefore, only the messages that can be authenticated correctly in the chain are transferred. However, OHC did not provide any protection for the data transmission between the member nodes and the CH, which is threatened by the attacks.

In Ref. [8], the authors presented a reputation-based client puzzle mechanism to enhance the security against DoS attacks. The mechanism can control the difficulty level of the puzzle with a reputation value: the malicious nodes get a low reputation and have to solve the harder puzzle. Thus, the adversaries have few chances to launch the DoS attack. However, if the puzzle is not hard enough or the malicious node, the spurious packet or garbage data can reach the base station and affect the result.

3 System model

3.1 Network model

Suppose the WSN is a hierarchical network which consists of many clusters. In each cluster, there is a node named CH which manages the member nodes, for example by collecting information or releasing requirements. Meanwhile, the member nodes gather and submit information to the CH, and the CH then aggregates and forwards the information to the base station. Once the cluster is formed, all member sensors' identities (IDs) are registered in the CH. After the initial phase, a new node is authenticated by the CH and neighbor nodes.

Fig. 1 The considered hierarchical WSN

3.2 Notations

In Table 1, we list some notations used in this paper.

Table 1 Notations

Symbol          Meaning
                The set of normal representative messages
                The set of abnormal messages
$M_{new}$       The set of new messages at a certain time t
$m^{i}_{new}$   The new message
                The mean value of frequency
$F$             The filter function

3.3 Assumptions

In our network, all sensor nodes are deployed in the network uniformly and randomly and are static. Each sensor has a unique ID. If a node is compromised, all of the information in this node will be compromised, including the key materials [9]. The sensors in the network should be in at least one cluster.
4 Attack model

In the attack model, the adversary remotely controls the compromised node, called the malicious node, and then launches a DoS attack inside a cluster. The malicious node tries to inject large numbers of bogus messages or replayed messages to interrupt communication, as shown in Fig. 2.

Fig. 2 DoS attack model

5 Detection and defence protocol

In this section, we design a MoM to detect the DoS attack, and then give the corresponding countermeasure, a defence protocol, in detail.

5.1 MoM mechanism

Usually, the WSN is triggered by events, which means the network only sends messages to the base station when an event happens. According to the sink function in the CH, we deploy the MoM in the CH. The MoM consists of three components: the NML, the AML and the observation mechanism (OM).

Definition 1 (NML). Given  is the NML, and  = {$nm_i$ | $nm_1$, …, $nm_{||}$}, $nm_i$ is a representative message which has been submitted successfully. Before deployment,  = ∅.

The $nm_i$ is a triple <msg, timestamp, counter>, where msg indicates the content of the representative message; timestamp indicates the last time when the msg was submitted, which can be used to determine whether the message has expired; and counter indicates the number of times the message has been transmitted.

Definition 2 (AML). Given  is the AML, and  = {$am_i$ | $am_1$, ..., $am_{||}$}, $am_i$ is a representative message which has been considered a bogus message. Before deployment,  = ∅.

The $am_i$ is a tuple <msg, timestamp>, where msg indicates the content of the abnormal message and timestamp indicates the last time when the msg was considered an abnormal message.

Moreover, the OM is used to analyze the incoming messages and then detect the DoS attack.

5.2 Detection protocol

To detect a DoS attack, we normally consider two aspects: the number of messages and the content of messages. According to the spatio-temporal correlation, in a WSN there should be several nodes (more than 1 node) which can detect the event. When a node catches a phenomenon, it sends messages to the CH to report the event. Therefore, in the same cluster, there should be many nodes reporting the event. The malicious node uses this feature to disperse bogus messages or replayed messages and then launch DoS attacks.

Given that $M_{new} = \{m^{i}_{new} \mid m^{1}_{new}, \ldots, m^{n}_{new}\}$ is the set of messages from member nodes during a certain time t. Similar to $nm_i$, $m^{i}_{new}$ has the format <msg, timestamp, counter, ID>, where ID indicates the node that the message comes from.

$$W = \frac{1}{n}\sum_{i=1}^{n} m^{i}_{new}.counter \qquad (1)$$

Algorithm 1 Malicious node detection

    Input: m_new^i
    for i = 1 to || {        // abnormal message
        if m_new^i \ then
            { end; }         // Bogus messages
    }
    for i = 1 to || {
        if (m_new^i ∈  and m_new^i.counter > W and  > threshold) then
            { end; }         // Replayed messages
    }
    End

Furthermore, if a new event happens, the report is different from any previous messages, that is, the new message belongs to neither  nor , and there should be more than 1 node catching it. Then, we give the new message algorithm as follows.

Algorithm 2 New event detection

    Input: m_new^i, m_new^j
    if (m_new^i.msg = m_new^j.msg and i ≠ j and m_new^i.counter ≤ W) then {
        m_new^i is new message;
        Add m_new^i into ;
    }
    End

5.3 Defence protocol

Once the malicious node is detected, the CH announces the ID of the malicious node and refuses to forward its messages [10].

Step 1 Announce malicious node.
The CH sends the alert message containing the ID of the malicious node to its member nodes. Once the member nodes confirm the alert message, they remove the ID from the neighbor node list and add the ID to the black list, to isolate the malicious node and break off the path.

Step 2 Change key materials.
The adversaries can get key materials from the compromised node. Thus, when we detect the DoS attack, it is necessary to change the key materials, including the cluster key and session key, and even the pairwise key. Because the announcement uses the broadcast model, we adopt the filter function F() to avoid the malicious node as follows.

$$F(ID_{malicious}) = \prod_{i=1} (ID_{malicious} - ID_i) \qquad (2)$$

The node $ID_{malicious}$ cannot recover the new key because $F(ID_{malicious}) = 0$; it therefore has no ability to decrypt the new key and loses the chance to rekey.

Step 3 Build new route to CH.
Due to the multi-hop transmission model in WSN, the malicious node is usually on the path along which other nodes transfer messages to the CH. Therefore, we should build a new route for normal.

6 Performance analysis

In this section, we analyze the performance of MoM in security and energy consumption. To analytically evaluate the performance of MoM in these two aspects, we also give some simulations.

6.1 Security analysis

Compared with previous works, we focus on DoS attack detection in WSN based on the spatiotemporal correlation, and present corresponding countermeasures to defend against the attack.

Firstly, we establish a MoM to filter not only the redundant messages but also the bogus messages. Through the AML, the abnormal messages can be distinguished and then dropped, which erases the forged packets and reduces the energy consumption. Furthermore, according to Algorithm 2, we can identify a new message or exception messages, which avoids misjudgment of new messages. The AML mechanism can effectively defend against the bogus message-based DoS attack.

Secondly, in MoM, the NML mechanism is used to judge the DoS attack by abnormal message frequency. When DoS happens, a notable feature is that the network bandwidth is filled with meaningless repeated messages and the communication channel is blocked. In the NML, the CH employs the spatiotemporal correlation to prevent large numbers of fake messages from malicious nodes. By adjusting the threshold value, the NML can distinguish the messages at different granularities. By comparing with the history messages and the current messages respectively, the NML can avoid new messages being considered exceptional messages, which improves the reliability.

Finally, MoM can locate the DoS attack and then invoke the rekey and reroute mechanisms. To avoid the malicious node, we build a filter function to isolate the source of the DoS attack, which can both localize the attack and enhance the security. MoM can reduce the bogus messages as well as the redundant messages, which gives the network high security and low energy consumption.

6.2 Simulation

We evaluate the performance of MoM via simulations using VC++. In order to set the simulation environment realistically, our simulations are injected in the cases of message loss and replay attack. Under normal circumstances, the simulation results show that MoM performs much better than OHC not only in security but also in energy consumption.

Fig. 3 The number of packets with/without attackers

Fig. 3 shows the situations with/without attackers, which
does not employ MoM. When the number of attackers is over 20%, they can send more than 200% bogus packets or relayed packets in-cluster. For a WSN, this can make the result deviate seriously from the correct conclusion. In spite of the MoM schedule, the attackers can continually send more bogus packets or relayed packets, which affects the loss rate of packets, as shown in Fig. 4.

Fig. 4 The comparison with/without MoM in operation

As shown in Fig. 4, our approach can efficiently detect and defend against the DoS attacks. With the MoM, the network can detect all the malicious nodes, filter out the replayed or fake messages and keep a low packet loss rate. Without considering the inherent loss rate of packets, almost 100% of the malicious nodes can be detected and excluded by using our scheme. However, without MoM, the loss rate of packets increases evidently with the increase in the number of attackers.

7 Conclusions

Compared with previous works, we focus on DoS attack detection and defence and present the corresponding countermeasures. We design a novel MoM to detect and defend against the DoS attack. Based on the spatiotemporal correlation, MoM utilizes the similarity function to identify the content attack as well as the frequency attack. The MoM then adopts rekey and reroute countermeasures to isolate the malicious node. The security analysis shows that our solution can not only detect and defend against the DoS attack but also reduce the energy consumption. In the future, we will integrate the location information with the node, which can help locate the node by position for isolating the malicious node.

Acknowledgements

This work was supported by China Postdoctoral Science Foundation Funded Project (2012M510367) and the National Basic Research Program of China (2011CB302900).

References

1. Raymond D R, Midkiff S F. Denial-of-service in wireless sensor networks: attacks and defenses. IEEE Pervasive Computing, 2008, 7(1): 74–81
2. Li M, Koutsopoulos I, Poovendran R. Optimal jamming attacks and network defense policies in wireless sensor networks. Infocom, May 2007
3. Zhou Y. Securing wireless sensor networks: a survey. IEEE Communications Surveys & Tutorials, 2008: 6–28
4. Han G J, Shen W, Trung Q D, et al. A proposed security scheme against denial of service attacks in cluster-based wireless sensor networks. Security and Communication Networks, 2011
5. Nanda R, Krishna P V. Mitigating denial of service attacks in hierarchical wireless sensor networks. Network Security, 2011: 14–18
6. Bandyopadhyay S, Tian Q J, Coyle E J. Spatio-temporal sampling rates and energy efficiency in wireless sensor networks. IEEE/ACM Transactions on Networking (TON), 2005, 13(6)
7. Deng J, Han R, Mishra S. Defending against path-based DoS attacks in wireless sensor networks. SASN'05, ACM New York, NY, USA, 3rd ACM workshop on Security of Ad Hoc and Sensor Networks, Alexandria, VA, USA, Nov 7, 2005: 89–96
8. Cao Z, Zhou X, Xu M X, et al. Enhancing base station security against DoS attacks in wireless sensor networks. 2006 IEEE Wireless Communications (WiCOM 2006), Networking and Mobile Computing. 2006: 1–4
9. Zhu S, Setia S, Jajodia S. LEAP+: efficient security mechanisms for large-scale distributed sensor networks. ACM Transactions on Sensor Networks, 2006: 500–528
10. Zhang Y Y, Park M S, Chao H C, et al. Outlier detection and countermeasure for hierarchical wireless sensor networks. IET Information Security, 2010: 361–373
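
The detection step of Sect. 5.2 (Eq. (1), Algorithm 1 and Algorithm 2) run over one observation window at the CH, as an added example that is not part of the original paper. Assumptions: the set symbols lost from the text are read as the AML in the first loop and the NML in the second; the quantity compared with the threshold is taken to be content similarity (the similarity function named in the abstract), with Python's difflib as a stand-in; Algorithm 2's i ≠ j is applied as "reported by a different node"; the `unverified` bucket, the names and all sample messages are constructed here.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from statistics import mean

@dataclass(frozen=True)
class NewMsg:                 # m_new^i = <msg, timestamp, counter, ID>
    msg: str
    timestamp: int
    counter: int
    node_id: int

def mean_counter(window):
    """Eq. (1): W is the mean of the counters in the observation window."""
    return mean(m.counter for m in window)

def similarity(a, b):
    # Assumed stand-in for the paper's similarity function.
    return SequenceMatcher(None, a, b).ratio()

def detect(window, nml, aml, threshold=0.85):
    """Classify one window at the CH; returns node IDs and new event contents."""
    w = mean_counter(window)
    out = {"bogus": set(), "replay": set(), "new_events": set(), "unverified": set()}
    for m in window:
        if m.msg in aml:                          # Algorithm 1, first loop (AML)
            out["bogus"].add(m.node_id)
            continue
        best = max((similarity(m.msg, nm) for nm in nml), default=0.0)
        if best > threshold:                      # matches a normal message
            if m.counter > w:                     # Algorithm 1, second loop (NML)
                out["replay"].add(m.node_id)
            continue
        # Algorithm 2: same content from another node and counter <= W
        corroborated = any(o.msg == m.msg and o.node_id != m.node_id for o in window)
        if corroborated and m.counter <= w:
            out["new_events"].add(m.msg)
        else:
            out["unverified"].add(m.node_id)      # assumption: held, not in the paper
    return out

# Constructed sample data (not from the paper).
NML = {"temp=21.5": (100, 3)}     # msg -> (timestamp, counter)
AML = {"temp=999": 90}            # msg -> timestamp
WINDOW = [
    NewMsg("temp=21.5", 201, 1, 1),
    NewMsg("temp=21.6", 201, 1, 2),   # near-duplicate of a normal reading
    NewMsg("temp=21.5", 202, 9, 3),   # normal content, counter far above W
    NewMsg("temp=999", 202, 1, 4),    # content already in the AML
    NewMsg("smoke=1", 203, 1, 1),
    NewMsg("smoke=1", 203, 1, 2),     # second node corroborates the event
    NewMsg("door=open", 204, 1, 5),   # unseen content from a single node
]
if __name__ == "__main__":
    print(detect(WINDOW, NML, AML))
```

Because W is the window mean, a single node with a very high counter raises W for every other node, so the threshold and window length need tuning against the expected number of honest reporters per event.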
