The detection and defence of DoS attack for wireless sensor network
ZHANG Yi-ying1,2, LI Xiang-zhen3, LIU Yuan-an1
Abstract
Although wireless sensor networks (WSNs) have been widely deployed in many applications, the limited energy,
computation and storage of sensors make it a critical challenge to provide an effective and lightweight security
protocol that prevents the various attacks on WSNs, especially the denial of service (DoS) attack. Normally, the adversaries
compromise sensors and launch the DoS attack by replaying redundant messages or generating an excess of fake messages. In
this paper, we design a novel message observation mechanism (MoM) to detect and defend against the DoS attack. Based on the
spatiotemporal correlation, MoM uses a similarity function to identify the content attack as well as the frequency
attack. MoM then adopts rekey and reroute countermeasures to isolate the malicious node. The security analysis
shows that our solution can not only detect and defend against the DoS attack but also reduce the energy consumption.
messages including the bogus messages and reduce the energy consumption.
Compared with the previous works for DoS detection in WSNs, the proposed MoM has the following scientific research contributions: 1) MoM utilizes the spatiotemporal correlation activities as well as the statistical similarity, which provides a heuristic methodology to detect the malicious sensor. 2) In MoM, there are two types of list for the judgment of messages, which can effectively reduce computation and energy consumption. 3) The CH can authenticate and manage member nodes based on the cluster architecture, which localizes the DoS attack and enhances the security.
The rest of this paper is organized as follows: Sect. 2 discusses previous work. In Sect. 3, we present the system model. Sect. 4 presents the attack model. In Sect. 5, we describe the detection and defence of DoS attack in detail. Sect. 6 analyzes the security of our solution. Finally, in Sect. 7, we conclude our paper.
2 Related work
garbage data can reach the base station and affect the result.
3 System model
3.1 Network model
Suppose the WSN is a hierarchical network which consists of many clusters. In each cluster, there is a node named CH which manages member nodes, such as collecting information or releasing requirements etc. Meanwhile, the member nodes gather and submit information to the CH, and then the CH aggregates and forwards the information to the base station. Once the cluster is formed, all member sensors’ identities (IDs) are registered in the CH. After the initial phase, a new node will be authenticated by the CH and neighbor nodes.
4 Attack model
In the attack model, the adversary remotely controls the compromised node, called the malicious node, and then launches a DoS attack inside a cluster. The malicious node tries to inject large numbers of bogus messages or replayed messages to interrupt communication, as shown in Fig. 2.
Fig. 2 DoS attack model
5 Detection and defence protocol
In this section, we design a MoM to detect the DoS attack, and then give the corresponding countermeasure, a defence protocol, in detail.
5.1 MoM mechanism
Usually, the WSN is triggered by events, which means the network only sends messages to the base station when an event happens. According to the sink-function in CH, we deploy the MoM in CH. The MoM consists of three components: NML, AML, observation mechanism (OM).
Definition 1 NML given is NML, and = {nmi|nm1,…,nm||}, nmi is a representative message which has been submitted successfully. Before deployment, =˻.
The nmi is a triple <msg, timestamp, counter>, where msg indicates the content of the representative message; timestamp indicates the last time when the msg has been submitted, which can be used to determine whether the expired; counter indicates the number of times the message is transmitted.
Definition 2 AML given is AML, and = {ami|am1,...,am||}, ami is a representative message which has been considered as bogus messages. Before
indicates the last time when the msg has been considered as abnormal message.
Moreover, the OM is used to analyse the incoming messages and then detect the DoS attack.
5.2 Detection protocol
To detect a DoS attack, we normally consider two aspects: the number of messages and the content of messages. According to the spatio-temporal correlation, in a WSN there should be several nodes (more than 1 node) which can detect the event. When a node catches a phenomenon, it sends messages to the CH to report the event. Therefore, in the same cluster, there should be many nodes reporting the event. The malicious node uses this feature to disperse bogus messages or replayed messages and then launch DoS attacks.
Given $M_{new} = \{m_{new}^{i} \mid m_{new}^{1}, \ldots, m_{new}^{n}\}$ is the set of messages from member nodes during a certain time t. Similar to nmi, $m_{new}^{i}$ has the format <msg, timestamp, counter, ID>, where ID indicates the node which the message is from.
$W = \frac{1}{n} \sum m_{new}^{i}.counter$ (1)
Algorithm 1 malicious node detection
Input $m_{new}^{i}$
for i = 1 to || { //abnormal message
  if $m_{new}^{i}$ \ then
  {end; } // Bogus messages
}
for i = 1 to || {
  if ( $m_{new}^{i}$ and $m_{new}^{i}$.counter > W and > threshold) then
  {end; } //Replayed messages
}
End
Furthermore, if a new event happens, the report is different from any pre-messages, that is, the new message belongs to neither nor , and there should be more than 1 node catching it. Then, we give the new message algorithm as follows.
Algorithm 2 new event detection
Input $m_{new}^{i}$, $m_{new}^{j}$
if ( $m_{new}^{i}$.msg $m_{new}^{j}$.msg and i ≠ j and $m_{new}^{i}$.counter ≤ W )
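The checks of Algorithms 1 and 2, as an added Python example that is not the paper's own code, run over a constructed message window at the cluster head (CH). Assumptions: messages match by exact equality of msg (the similarity function is not given on this page), the quantity compared with the threshold in Algorithm 1 is missing from the page and is left out, and the verdict names, `nodes_to_isolate` and the sample values are illustrative.

```python
from collections import namedtuple
from statistics import mean

# Message format used on the page: <msg, timestamp, counter, ID>.
Msg = namedtuple("Msg", "msg timestamp counter node_id")

def classify(batch, nml, aml):
    """Classify one observation window of messages at the cluster head (CH).
    nml / aml hold the contents of the normal and abnormal message lists.
    Returns (W, {(node_id, msg): verdict}); verdict names are illustrative.
    """
    w = mean(m.counter for m in batch)       # Eq. (1): average counter
    reporters = {}                           # content -> set of reporting node IDs
    for m in batch:
        reporters.setdefault(m.msg, set()).add(m.node_id)
    verdicts = {}
    for m in batch:
        if m.msg in aml:                     # Algorithm 1, first loop
            verdict = "bogus"
        elif m.msg in nml:                   # Algorithm 1, second loop
            verdict = "replayed" if m.counter > w else "normal"
        elif len(reporters[m.msg]) > 1 and m.counter <= w:
            verdict = "new_event"            # Algorithm 2: same msg, i != j
        else:
            verdict = "unconfirmed"          # assumption: nothing corroborates it
        verdicts[(m.node_id, m.msg)] = verdict
    return w, verdicts

def nodes_to_isolate(verdicts):
    """Node IDs with a bogus or replayed message (candidates for rekey/reroute)."""
    return {node for (node, _), v in verdicts.items() if v in ("bogus", "replayed")}

def sample_window():
    """Constructed sample: n7 plays the malicious node."""
    nml, aml = {"temp=21"}, {"fire=1"}
    batch = [
        Msg("temp=21", 100, 2, "n1"),
        Msg("temp=21", 101, 3, "n2"),
        Msg("temp=21", 102, 40, "n7"),       # known content, sent 40 times
        Msg("fire=1", 103, 5, "n7"),         # content already on the AML
        Msg("smoke=1", 104, 1, "n3"),        # unseen content from two nodes
        Msg("smoke=1", 105, 1, "n4"),
        Msg("door=open", 106, 1, "n5"),      # unseen content from one node
    ]
    return classify(batch, nml, aml)

if __name__ == "__main__":
    w, verdicts = sample_window()
    print(f"W = {w:.2f}", verdicts, nodes_to_isolate(verdicts))
```

W is averaged over the whole window, so the counter of the flooding node itself raises the value it is compared against.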
does not employ MoM. When the number of attackers is over 20%, they can send more than 200% bogus packets or relayed packets in-cluster. For WSN, it can make the result deviate from correct conclusion seriously. In spite of the MoM schedule, the attackers can send more bogus packets or relayed packets continually, which affects the loss rate of packets as shown in Fig. 4.
And then the MoM adopts rekey and reroute countermeasures to isolate the malicious node. The security analysis shows that our solution can not only detect and defend against the DoS attack but also reduce the energy consumption. In the future, we will integrate the location information with the node, which can help locate the node by position for isolating the malicious node.