Dealing with Wormhole Attacks in Wireless Sensor Networks Through Discovering Separate Routes Between Nodes

Rezai and Zahedi: Dealing with Wormhole Attacks in Wireless Sensor Networks Through Discovering …


INTRODUCTION
Today, wireless sensor networks have an increasing application in military, environment, urban services, discoveries and monitoring fields.Since, sensor nodes have very limited computational, memory and radio capabilities, and according to the application of such networks in critical regions especially military, establishing security in such networks is very essential and has attracted the attention of many researchers [1][2][3].One of the most dangerous known attacks against such networks is wormhole attack [4].In this attack, as shown in Figure 1, the enemy deploys two malicious nodes in the network and establishes a high-speed dedicated communication channel between these two nodes.These two nodes receive messages from a part of network from a low latency link and relay them in another part of the network.Thus, this attack greatly affects the routing algorithms [5].
Many algorithms have been provided to cope with this attack in wireless sensor networks until now.In [5], an algorithm is proposed based on probability distribution of the number of neighboring nodes called WAPN to cope with wormhole attacks.This algorithm requires no special hardware and simply attempt to identify the wormhole attack according to the number of neighbors.One of the well-known algorithms benefiting from beacon nodes to detect the wormhole attack is provided in [6].In this algorithm, in addition to the conventional sensors, a number of beacon nodes are released in the network constantly.These beacon nodes are aware of their location and detect the wormhole attack by sending a series of probe messages for each other.Since the wormhole attack causes these probe messages reach other beacon nodes with fewer steps, so beacon nodes use this to detect the wormhole attack.In [7], a general mechanism called packet leashes is proposed to cope with wormhole attack.A leash is in fact any type of information added to a packet to limit the allowed maximum transmission distance of packet.Two types of geographical and temporal leashes are introduced in this study.A geographical leash ensures that the packet receiver is in a determined distance from the transmitter.A temporal leash ensures that the packet has an upper bound on its' lifetime which limits the maximum moving distance, because the packet can move at a maximum speed of light.These two types of leashes ware used in [8] to provide a protocol to cope with wormhole attack.In [9], the impacts of wormhole attack on localization protocols based on DV-Hop have been analyzed.Also, a safe localization protocol based on label has been provided.The main idea of this protocol is to produce a list of quasi-neighbors for each beacon node and use all lists of quasineighbors receiving from neighboring beacon nodes to categorize all attacked nodes in a different group and then label all neighboring nodes (including all sensors and beacons).Based on the labels of neighboring nodes, each node will prevent from communication with its neighbors treated by wormhole attack.In [10], an algorithm based on another beacon called WRL was presented.WRL is a localization algorithm resistant to the wormhole attack benefiting from DV-Hop methods.In [11] a group-based expansion has been provided to cope with wormhole attack.In this method, sensor nodes are spread in the environment in group form and they are aware of the location of their group.During the establishment of the route, the location of group between sensors is exchanged and a link between two sensor nodes is created only when the location distance of the group of these two nodes are close enough.In [12], a clustering-based mechanism is proposed to cope with wormhole attack.In this algorithm, a series of beacon nodes is used between clusters in order to detect the wormhole attack.In [13,14] additional algorithms are provided to deal with wormhole attack which uses the connection information to search for forbidden infrastructures in the connection graph.These algorithms are completely local and require no special hardware.In [15], a lightweight IDS (Intrusion Detection System) framework called LIDeA has been proposed to cope with wormhole attack.In this system, the nodes hear the communication of their neighboring nodes and cooperate with each of them for successful infusion detection [16].In [17], a secure routing protocol called SeRWA has been provided to cope with wormhole attack.This algorithm also requires no specialized hardware such as directional antennas.This protocol takes advantage of discovering single-hop neighbors and also the original route to cope with this attack.In [18] also another algorithm has been presented which benefits from local and neighborhood information to detect the wormhole attack.This algorithm uses the message broadcasting to two-hop neighbors through special single-hop neighbors to detect the wormhole attack.Wormhole attack model In this article, a new distributed algorithm is presented to deal with the wormhole attack in order to solve the disadvantages of previous algorithms desirably.The main idea of the proposed algorithm is to discover separate paths between pairs of nodes.For instance, as shown in Figure 1, the existence of wormhole attack causes the N1 and N2 nodes wrongly think that they are neighbors, while these two nodes are much far from each other and they are real neighbors.In the proposed algorithm, node N1 can realize occurring of a wormhole attack between itself and node N2 which appears to be neighbor by discovering all separate routes with maximum stride length α (e.g. 2 or 3) between them.As there is only one path with maximum stride length 3 between these two nodes.This is while if these two nodes were real neighbors, then there would be more separate routes (depending on the destination of the network) between them.Thus, the proposed algorithm can easily estimate the possibility of wormhole attack and its' occurring location in the network with great accuracy.

II. SYSTEM ASSUMPTIONS
• A sensor network contains n sensor nodes which are randomly distributed in a two-dimensional region.
• The network is homogenous.
• After expansion in the network environment, the nodes remain constant in terms of location status.
• Each node has a unique identifier and not aware of their location status which means they don't need GPS.
• Radio range of nodes is constant and identical.
• Each node is aware of approximate density of the network or the average of the number of single-hop neighbors, d.
• The nodes communicate with each other via wireless radio channel and use broadcasting by Omni-directional method.
• It is also assumed that the sensor network is expanded in a hostile environment.So, the network is insecure and the enemy can start the wormhole attack.
• The two nodes setting up the wormhole attack are called malicious enemy nodes.

III. THE PROPOSED ALGORITHM
The main idea of the proposed algorithm is to discover separate paths between each pairs of nodes u and v to detect the wormhole attack.Since the existence of wormhole attack causes the two legal nodes u and v, which are far from each other, to consider to be two-hop neighbors, so there would be only one unique route with stride length of 2 or even 3 between these two legal nodes.Hence, the wormhole attack can be detected by discovering separate routes between these two nodes.The proposed algorithm is made of three phases of 1: discovering single-hop neighbors, 2: discovering two-hop neighbors and 3: discovering separate routes which will be described in continue.

A. Discovering single-hop neighbors
After expansion of nodes in environment, each u node releases a "Hello" message.All nodes located in radio range u will receive its' Hello message and consider the u node as their single-hop neighbor.The first phase is carried out simultaneously by all nodes in the network.

B. Discovering two-hop neighbors
After the phase of discovering one-hop and two-hop neighbors, the third phase is implemented.As mentioned earlier, the wormhole attack in a specific area of the network causes the number of two-hop neighbors of legal nodes located in that region become much more than normal.Thus, in this phase, if each u node find that the number of two-hop neighbors is more than the threshold T 1 , it will doubt to the existence of a wormhole attack in its' neighborhood and consequently, it runs the third phase.The threshold T 1 =β•d is set up.The parameter βis a constant value larger than 1.In this status, the u node send a route discovery message for v destination to its' one-hop neighbors per each v existing in its' two-hop-neighbor so that to discover the possible routes to v node.Figure 2 has indicated the form of discovery packets.In source field, there is the ID of each source or the same node producing the packet of route generation, in destination field, there is the ID of destination node or the same node of two-hop neighbor, in intermediate field, there is the ID of intermediate nodes from source to destination route and the lifetime is in TTL field.
The u node produce and publish a route generation packet with <<u,v,{},2>> value.Each W node receiving this message, first reduce a unit from TTL, add its' ID in intermediate part and then publish the packet.But if TTL is equal to zero, the W node ignores the received packet.The v node returns a confirmation message (containing the ID of intermediate nodes) with TTL=2 per each received route discovery packet to reach the u source node.If the source node receive only one separated confirmation message with completely different intermediate, it will add a unit to its' counter field.The u node repeats this process per all its' two-hop neighbors.After that, if the u node find its' counter value higher than the threshold T 2 , it will realize that a wormhole attack is set up in its' neighborhood.Hence, it will release a warning message in the network and turn off its' radio and stop its' operation.The value of the threshold T 2 =d-a will be calculated; 0≤a<d will be set up.

IV. SIMULATION RESULTS
The proposed algorithm has been implemented by the C ++ language.Then, its efficiency was evaluated by performing several tests in form of true and false detection rates.Also, the efficacy of the proposed method has been compared with the base algorithm [5].
• True detection rate: a percentage of legal nodes is the neighbor of malicious nodes of wormhole attack which have succeed to detect an attack in their neighborhood.
• False detection rate: a percentage of legal nodes that have wrongly detected a wormhole attack in their neighborhood.
In tests implementation, the network contains n nodes distributed randomly in an area of 1000 x 1000 m.The radio range of nodes is set to R=40 m.The proposed algorithm has been implemented by the C ++ language.Then, its' efficiency was evaluated by performing several tests in form of true and false detection rates.Also, the efficacy of the proposed method has been compared with the base algorithm [5].
• True detection rate: a percentage of legal nodes is the neighbor of malicious nodes of wormhole attack which have succeed to detect an attack in their neighborhood.
• False detection rate: a percentage of legal nodes that have wrongly detected a wormhole attack in their neighborhood.
In tests implementation, the network contains n nodes distributed randomly in an area of 1000 x 1000 m.The radio range of nodes is set to R=40 m.The parameter β=2 and α=0~5 are set.Each test has been repeated 500 times and the final results is obtained from the average of the results of this 500 iterations.It is assumed that there is a wormhole attack in the network so that the distance of its' two malicious nodes is 500 m from each other.

A. First test
In this test, we want to evaluate the efficacy of the proposed algorithm per change in the parameter α.In this test, we will have n=2000 in the network and the parameter α=0~5 has changed.The result of this test is given in figure 3 in form of true and false detection rates.The results of this test show that the threshold T2 is reduced.Consequently, if a legal node has less two-hop neighbors and has discovered only one separate route to them, it reports the wormhole attack with lower value for counter.This will increase both criteria.As can be seen from the results of this test, a suitable value for this parameter is α=1 which leads to true detection rate of 95% and false detection rate of 7%.

B. Second test
This test aims to evaluate the parameter n on efficacy of the proposed algorithm and compare the results with algorithm [5].In this test, the parameters α=1 and n=500~3000 have been changed.Figure 4 has indicated the results of this test in form of respectively true and false detection rates.The results of this test show that the true detection rate of both algorithms is increased by increasing the number of nodes in the network.Because, by increasing this parameter, there would be the possibility of increasing the number of legal nodes neighboring malicious nodes.As a result, the detection rate will be increased.However, the false detection rate of the proposed algorithm is a bit higher than the base algorithm, but it is tolerable compared with the improvement rate obtained in true detection rate.