networks - amazon s3 · it is certified that phd thesis titled security attacks in wireless sensor...

SECURITY ATTACKS IN WIRELESS SENSOR

NETWORKS

A Thesis submitted to Gujarat Technological University

for the Award of

Doctor of Philosophy

in

Computer Engineering

by

Patel Manishkumar Manilal

[119997107007]

under supervision of

Dr. A. K. Aggarwal

under co-supervision of

Dr. Nirbhay Chaubey

GUJARAT TECHNOLOGICAL UNIVERSITY

AHMEDABAD

December-2018

DECLARATION

I declare that the thesis entitled “Security Attacks in Wireless Sensor Networks” submitted by

me for the degree of Doctor of Philosophy is the record of research work carried out by me

during the period from June 2011 to December 2018 under the supervision of Dr. A. K.

Aggarwal and under the co-supervision of Dr. Nirbhay Chaubey and this has not formed

the basis for the award of any degree, diploma, associateship, fellowship, titles in this or

any other University or other institution of higher learning.

I further declare that the material obtained from other sources has been duly acknowledged in the

thesis. I shall be solely responsible for any plagiarism or other irregularities, if noticed in the thesis.

Signature of the Research Scholar: …………………… Date:….……………… Name of Research Scholar: Patel Manishkumar Manilal Place: Ahmedabad

CERTIFICATE

I certify that the work incorporated in the thesis Security Attacks in Wireless Sensor

Networks submitted by Shri Patel Manishkumar Manilal was carried out by the

candidate under my supervision/guidance. To the best of my knowledge: (i) the

candidate has not submitted the same research work to any other institution for any

degree/diploma, Associateship, Fellowship or other similar titles (ii) the thesis submitted is

a record of original research work done by the Research Scholar during the period of study

under my supervision, and (iii) the thesis represents independent research work on the part of

the Research Scholar.

Signature of Supervisor: ……………………………………… Date: ……………………. Name of Supervisor: Dr. A. K. Aggarwal

Place: Ahmedabad

Course-work Completion Certificate

This is to certify that Mr. Patel Manishkumar Manilal enrollment no. 119997107007 is a PhD

scholar enrolled for PhD program in the branch Computer Engineering of Gujarat Technological

University, Ahmedabad.

(Please tick the relevant option(s))

He has been exempted from the course-work (successfully completed during M.Phil

Course)

He has been exempted from Research Methodology Course only (successfully completed

during M.Phil Course)

He has successfully completed the PhD course work for the partial requirement for the

award of PhD Degree. His performance in the course work is as follows-

Grade Obtained in Research Methodology

(PH001)

Grade Obtained in Self Study Course (Core Subject)

(PH002)

BB BB

Supervisor’s Sign

Dr. A. K. Aggarwal

Originality Report Certificate

It is certified that PhD Thesis titled Security Attacks in Wireless Sensor Networks by

Patel Manishkumar Manilal has been examined by us. We undertake the following:

a. Thesis has significant new work / knowledge as compared already published or are

under consideration to be published elsewhere. No sentence, equation, diagram, table,

paragraph or section has been copied verbatim from previous work unless it is placed

under quotation marks and duly referenced.

b. The work presented is original and own work of the author (i.e. there is no

plagiarism). No ideas, processes, results or wordans of others have been presented

as Author own work.

c. There is no fabrication of data or results which have been compiled / analysed.

d. There is no falsification by manipulating research materials, equipment or

processes, or changing or omitting data or results such that the research is not

accurately represented in the research record.

e. The thesis has been checked using <Turnitin> (copy of originality report attached)

and found within limits as per GTU Plagiarism Policy and instructions issued from

time to time (i.e. permitted similarity index <=25%).

Signature of the Research Scholar: ………………………………… Date: ….………………. Name of Research Scholar: Patel Manishkumar Manilal Place: Ahmedabad

Signature of Supervisor: …………………………………………… Date: …...……………… Name of Supervisor: Dr. A. K. Aggarwal Place: Ahmedabad

Submission author:Assignment t it le:Submission tit le:

File name:File size:

Page count:Word count:

Character count:Submission date:

Submission ID:

Digital ReceiptThis receipt acknowledges that Turnit in received your paper. Below you will f ind the receiptinf ormation regarding your submission.

The f irst page of your submissions is displayed below.

LCIT 029PG Project Report_37Security Attacks in Wireless Senso…thesis.pdf1.63M11328,736157,09620-Nov-2018 11:51AM (UTC+0530)958192960

Copyright 2018 Turnitin. All rights reserved.

6%SIMILARITY INDEX

0%INTERNET SOURCES

7%PUBLICATIONS

0%STUDENT PAPERS

1 3%

2 3%

Exclude quotes On

Exclude bibliography On

Exclude matches < 3%

Security Attacks in Wireless Sensor NetworksORIGINALITY REPORT

PRIMARY SOURCES

Manish Patel, Akshai Aggarwal, Nirbhay K.Chaubey. "Detection of wormhole attacks inmobility-based wireless sensor networks",International Journal of CommunicationNetworks and Distributed Systems, 2018Publicat ion

"Advances in Computer Communication andComputational Sciences", Springer NatureAmerica, Inc, 2019Publicat ion

PhD THESIS Non-Exclusive License to

GUJARAT TECHNOLOGICAL UNIVERSITY

In consideration of being a PhD Research Scholar at GTU and in the interests of the

facilitation of research at GTU and elsewhere, I, Patel Manishkumar Manilal

having Enrollment No. 119997107007 hereby grant a non-exclusive, royalty free and

perpetual license to GTU on the following terms:

a) GTU is permitted to archive, reproduce and distribute my thesis, in whole or in part, and/or

my abstract, in whole or in part (referred to collectively as the “Work”) anywhere in the

world, for non-commercial purposes, in all forms of media;

b) GTU is permitted to authorize, sub-lease, sub-contract or procure any of the acts

mentioned in paragraph (a);

c) GTU is authorized to submit the Work at any National / International Library, under the

authority of their “Thesis Non-Exclusive License”;

d) The Universal Copyright Notice (©) shall appear on all copies made under the authority of

this license;

e) I undertake to submit my thesis, through my University, to any Library and Archives. Any

abstract submitted with the thesis will be considered to form part of the thesis.

f) I represent that my thesis is my original work, does not infringe any rights of others,

including privacy rights, and that I have the right to make the grant conferred by this non-

exclusive license.

g) If third party copyrighted material was included in my thesis for which, under the terms of

the Copyright Act, written permission from the copyright owners is required, I have obtained

such permission from the copyright owners to do the acts mentioned in paragraph (a) above

for the full term of copyright protection.

h) I retain copyright ownership and moral rights in my thesis, and may deal with the

copyright in my thesis, in any way consistent with rights granted by me to my University in

this non-exclusive license.

i) I further promise to inform any person to whom I may hereafter assign or license my

copyright in my thesis of the rights granted by me to my University in this non-exclusive

license.

j) I am aware of and agree to accept the conditions and regulations of PhD including all

policy matters related to authorship and plagiarism.

Signature of the Research Scholar: ________________

Name of Research Scholar: Patel Manishkumar Manilal

Date: ____________________ Place: Ahmedabad

Signature of Supervisor: _________________________________________________ Name of Supervisor: Dr. A. K. Aggarwal

Date: __________________________ Place: Ahmedabad Seal:

Thesis Approval Form

The viva-voce of the PhD Thesis submitted by Shri Patel Manishkumar Manilal Enrollment

No. 119997107007 entitled Security Attacks in Wireless Sensor Networks was conducted on

…………………….………… (day and date) at Gujarat Technological University.

(Please tick any one of the following option)

The performance of the candidate was satisfactory. We recommend that he/she

be awarded the PhD degree.

Any further modifications in research work recommended by the panel after 3 months

from the date of first viva-voce upon request of the Supervisor or request of Independent

Research Scholar after which viva-voce can be re-conducted by the same panel again.

(briefly specify the modifications suggested by the panel)

The performance of the candidate was unsatisfactory. We recommend that he/she

should not be awarded the PhD degree.

(The panel must give justifications for rejecting the research work)

-----------------------------------------------------

Name and Signature of Supervisor with Seal

------------------------------------------------------

1) (External Examiner 1) Name and Signature

------------------------------------------------------- ------------------------------------------------------

2) (External Examiner 2) Name and Signature 3) (External Examiner 3) Name and Signature

ABSTRACT Wireless sensor networks are differing from other ad hoc networks. Sensor nodes are resource

limited devices in terms of energy, bandwidth, storage and computation. It is not desirable to run

the security algorithm which requires more computation and power on sensor nodes. Sensor nodes

are generally deployed in hostile or unattended environment. They are prone to failures. Their

topology often changes. They are remotely managed. An adversary can easily capture the nodes.

Due to this fundamental characteristics security is very crucial for wireless sensor networks.

Wireless sensor network is used in military applications, environment monitoring, forest fire

detection, health applications etc. It has received great attention due to the wide range of

applications.

Sensor nodes are vulnerable to many more attacks such as jamming, selective forwarding, Sybil,

wormhole, sinkhole etc. Wormhole is very dangerous among all attacks because after launching

wormhole an attacker can launch many more attacks. Research related to wormhole in sensor

network has received much interest recently. Launching the wormhole is very easy but detecting it

is very hard. To launch the wormhole, an attacker does not need to know the secret material used in

the network. It uses low latency out of band channel that is not visible to other sensor nodes. Two

far away located malicious nodes create a tunnel and disturb the routing process. A malicious node

attracts traffic from one area and tunnels to another malicious node located in different area.

By gathering the traffic it is possible to break security mechanism used in the network. Thus,

wormhole is a gateway to many more malicious attacks. We have discussed several existing

methods for wormhole detection with merits and demerits. Most of the methods in the literature

require additional hardware which increases the cost of the sensor node. In mobility based sensor

networks, two nodes located far away from each other becomes one hop neighbors. It creates an

illusion that wormhole has created. It is very challenging to differentiate the malicious and the

genuine nodes. We have presented wormhole detection mechanism for both static and mobility

based wireless sensor networks and both the approaches have good detection accuracy. We have

also discussed variants of wormhole attacks and their impact in wireless sensor networks.

Keywords: Wireless sensor network, Security, Wormhole, Mobility, Detection accuracy.

Acknowledgement

I thank the Almighty for showering the grace in completing this work. The eternal gratitude goes

to almighty for enlightening me to pursue this research work. Almighty has blessed me with

astounding persons during the tenure of my research. I would l i k e to thanks my family

members especially my parents, Raseelaben Manilal Patel and Manilal Jivanbhai Patel for

nurturing me, loving me and encouraging me at every step of my life.

I take this opportunity to express deep sense of gratitude to my Honourable guide, Dr. Akshai

Aggarwal, EX-Vice Chancellor, GTU for constant motivation, guidance and heartfelt support in

my quest for knowledge. He nurtured my skills to grow from immature Ph.D. scholar to

matured researcher. He has given me all freedom in doing research while ensuring that I will not

deviate from the core of my research. His insightful suggestions and comments have, I think, given

a commendable shape to my thesis.

I have a great pleasure to acknowledge my co-supervisor Dr. Nirbhay Chaubey for constant

support, inspiration and mentoring. I would also like to thank my foreign co-supervisor Dr.

Gaurav Sharma, University of Rochester, Rochester, N Y , U S A for his valuable insights and

rigorous reviews during research weeks. His guidance at every stage has helped me a lot to achieve

this milestone.

I would also like to thanks my Doctoral Progress Committee members Dr. Haresh Bhatt, IT

Security Officer, SAC, Indian Space Research Organization and Dr. Y. B. Acharya, Scientist,

Physical Research Lab, Ahmedabad for their valuable suggestions and timely constructive

critics on my work which help to complete research work in right direction and right time.

My sincere gratitude goes to Dr. Rajul Gajjar, Dean, Ph.D. programme, Dr. N. M. Bhatt, Dean,

Ph.D. programme, Mr. Bipin J. Bhatt, I/C Registrar along with staff members of my Ph.D.

section, GTU for administrative assistance and support.

Special thanks to a very special person, my wife, P r i ya n k a P a t e l for her continued love

and support. I greatly value her understanding during the entire duration of my Ph.D. program. The

words of appreciation go to my little boy Jainil and sweet daughter Nishka for compromising my

love during the phase of thesis writing.

Last but not the least; I would like to thank all my friends and colleagues who have directly and

indirectly helped me in completion of this study.

Manish Patel

Contents

1 Introduction 11.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2 Wireless Sensor Networks . . . . . . . . . . . . . . . . . . . . . . . . . . 11.3 Characteristics of WSNs . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.4 Architecture of WSNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.5 Applications of WSNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81.6 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91.7 Original Contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91.8 Organization of Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

2 Wireless Sensor Network Security and Attacks 112.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112.2 Threats in WSNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122.3 Generic Security Requirements . . . . . . . . . . . . . . . . . . . . . . . . 132.4 Physical Attacks on Sensor Nodes . . . . . . . . . . . . . . . . . . . . . . 142.5 Security Vulnerabilities in WSNs . . . . . . . . . . . . . . . . . . . . . . . 15

2.5.1 Attacks on Network Availability . . . . . . . . . . . . . . . . . . . 162.5.2 Stealthy Attack Against Service Integrity . . . . . . . . . . . . . . 192.5.3 Attacks on Secrecy and Authentication . . . . . . . . . . . . . . . 19

2.6 Significant of Wormhole Attack . . . . . . . . . . . . . . . . . . . . . . . 202.6.1 Wormhole Against Periodic Routing Protocols . . . . . . . . . . . 202.6.2 Wormhole Against On-Demand Protocols . . . . . . . . . . . . . . 212.6.3 Wormhole Attack Taxonomy . . . . . . . . . . . . . . . . . . . . . 22

3 Wormhole Attacks Countermeasures 243.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243.2 Using Distance and Time Information . . . . . . . . . . . . . . . . . . . . 25

3.2.1 Detection Using Packet Leashes . . . . . . . . . . . . . . . . . . . 253.2.2 Challenge Response Delay Measurement . . . . . . . . . . . . . . 263.2.3 Timing Based Measurement Approach . . . . . . . . . . . . . . . . 273.2.4 Distance Consistency Approach . . . . . . . . . . . . . . . . . . . 27

xvi

3.2.5 Using Rank Information . . . . . . . . . . . . . . . . . . . . . . . 283.2.6 Ranging Based Secure Neighbor Discovery Approach . . . . . . . 283.2.7 Range Free Anchor Free Localization Approach . . . . . . . . . . 293.2.8 Geographic Wormhole Detection in Wireless Sensor Networks . . . 293.2.9 Statistical Analysis and Time Constraint Based Approach . . . . . 303.2.10 Delay Per Hop Indication Detection Mechanism . . . . . . . . . . 313.2.11 RTT Based Approach in Multirate Ad hoc Networks . . . . . . . . 313.2.12 Wormhole Resistant Hybrid Technique . . . . . . . . . . . . . . . 32

3.3 Using Secure Neighbor Discovery . . . . . . . . . . . . . . . . . . . . . . 323.3.1 ACK Message Transmission Approach . . . . . . . . . . . . . . . 323.3.2 Statistical Analysis of Multipath (SAM) Approach . . . . . . . . . 333.3.3 Detection Using SeRWA . . . . . . . . . . . . . . . . . . . . . . . 343.3.4 Using Directional Antenna . . . . . . . . . . . . . . . . . . . . . . 353.3.5 Digital Investigation Based Approach . . . . . . . . . . . . . . . . 353.3.6 Radio Fingerprinting Approach . . . . . . . . . . . . . . . . . . . 36

3.4 Using Connectivity Information . . . . . . . . . . . . . . . . . . . . . . . 373.4.1 Detection Using Local Connectivity Tests . . . . . . . . . . . . . . 373.4.2 Detection Based on Forbidden Substructures . . . . . . . . . . . . 373.4.3 Detection Based on Neighbor Number Test and All Distances Test 383.4.4 Detection Based on Topology Deviations . . . . . . . . . . . . . . 383.4.5 Multi-Dimensional Scaling Visualization Based Approach . . . . . 393.4.6 MDS Based Detection Using Local Topology . . . . . . . . . . . . 403.4.7 Detection Using Ordinal MDS and RTT . . . . . . . . . . . . . . 403.4.8 Passive and Real Time Detection Approach . . . . . . . . . . . . . 413.4.9 Unit Disk Graph Model Based Approach . . . . . . . . . . . . . . 413.4.10 Detection Based on Data Analysis - EyeSim . . . . . . . . . . . . 423.4.11 Using Neighbor Node Monitoring . . . . . . . . . . . . . . . . . . 42

3.5 Using Location Information . . . . . . . . . . . . . . . . . . . . . . . . . 433.5.1 Graph Theoretic Framework Approach . . . . . . . . . . . . . . . 433.5.2 Mobile Beacon Based Detection . . . . . . . . . . . . . . . . . . . 443.5.3 Location Based Compromise Tolerant Security Approach . . . . . 443.5.4 Secure Localization and Key Distribution Approach . . . . . . . . 453.5.5 Secure Range Independent Localization Approach (SeRLoc) . . . . 453.5.6 High Resolution Range Independent Localization Approach (HiRLoc) 46

3.6 Summary of Existing Methods . . . . . . . . . . . . . . . . . . . . . . . . 46

4 Wormhole Detection in Static WSN 504.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504.2 Proposed Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

xvii

4.3 Mathematical Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534.4 Experimental Setup and Network Scenario . . . . . . . . . . . . . . . . . . 554.5 Result and Performance Analysis of Proposed Approach under Wormhole

Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564.5.1 Wormhole Attack in Dense Network . . . . . . . . . . . . . . . . 574.5.2 Wormhole Attack in Sparse Network . . . . . . . . . . . . . . . . 574.5.3 Detection Accuracy . . . . . . . . . . . . . . . . . . . . . . . . . 58

5 Wormhole Detection in Mobility Based WSN 605.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605.2 Problem Formulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605.3 Proposed Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625.4 Experimental Setup and Network Scenario . . . . . . . . . . . . . . . . . . 635.5 Result and Performance Analysis of Proposed Approach under Wormhole

Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

6 Wormhole and its Variants 676.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 676.2 Sinkhole Based Wormhole Attack . . . . . . . . . . . . . . . . . . . . . . 676.3 Denial of Service Based Wormhole Attack . . . . . . . . . . . . . . . . . . 686.4 Blackhole Based Wormhole Attack . . . . . . . . . . . . . . . . . . . . . . 686.5 Countermeasures Against Variants of Wormhole Attacks . . . . . . . . . . 686.6 Impact of Variants of Wormhole . . . . . . . . . . . . . . . . . . . . . . . 73

7 Conclusions and Scope for Future Research 75

xviii

List of Abbreviations

• WSN: Wireless Sensor Network

• MAC: Medium Access Control

• ADC: Analog to Digital Converter

• RREQ: Route Request

• RREP: Route Reply

• AODV: Ad hoc On Demand Distance Vector Routing

• DSR: Dynamic Source Routing

• MLE: Maximum Likelihood Estimation

• RPL: Routing Protocol for Low-Power and Lossy Networks

• RTT: Round Trip Time

• TT: Transmission Time

• PT: Processing Time

• PD: Propagation Delay

• TTL: Time To Live

• NNT: Neighbor Number Test

• ADT: All Distances Test

• GPS: Global Positioning System

• RCN: Rate of Change of Neighborhood

• UT: Upper Threshold

• LT: Lower Threshold

• TN: True Negative

• TP: True Positive

• FP: False Positive

• FN: False Negative

• PDF: Packet Delivery Fraction

xix

List of Figures

1.1 Sensor network communication structure [6, 8] . . . . . . . . . . . . . . . 41.2 Sensor node components [8] . . . . . . . . . . . . . . . . . . . . . . . . . 51.3 Current sensor node hardware: Mica2 [10] and Tmote sky [11] . . . . . . . 61.4 Protocol stack of WSNs [12] . . . . . . . . . . . . . . . . . . . . . . . . . 7

2.1 Wormhole attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202.2 Wormhole attack against distance vector routing protocol . . . . . . . . . . 212.3 Wormhole attack against on demand routing protocol . . . . . . . . . . . . 212.4 Wormhole through packet encapsulation . . . . . . . . . . . . . . . . . . . 232.5 Wormhole through tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.1 Radio fingerprinting process. . . . . . . . . . . . . . . . . . . . . . . . . . 36

4.1 Flow diagram of proposed methodology . . . . . . . . . . . . . . . . . . . 524.2 Alternate path length calculation. . . . . . . . . . . . . . . . . . . . . . . . 524.3 Common area shared by two neighbor nodes . . . . . . . . . . . . . . . . . 534.4 Wormhole attack in dense network . . . . . . . . . . . . . . . . . . . . . . 574.5 Wormhole attack in sparse network. . . . . . . . . . . . . . . . . . . . . . 584.6 False positive with varying threshold value. . . . . . . . . . . . . . . . . . 59

5.1 Relative locations of node i at different time . . . . . . . . . . . . . . . . . 615.2 Wormhole tunnel constructed between nodes M1 and M2 . . . . . . . . . . 615.3 Detection process flow diagram . . . . . . . . . . . . . . . . . . . . . . . . 625.4 User interface of simulation software showing nodes and their respective

neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

xx

List of Tables

1.1 Wireless sensor networks Vs. other ad hoc networks . . . . . . . . . . . . . 21.2 Specification of different types of sensor nodes . . . . . . . . . . . . . . . 6

2.1 Security services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132.2 Different layer attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

3.1 Summary of existing methods . . . . . . . . . . . . . . . . . . . . . . . . 46

4.1 Summary of simulation setup . . . . . . . . . . . . . . . . . . . . . . . . . 564.2 Summary of network scenarios . . . . . . . . . . . . . . . . . . . . . . . 564.3 Accuracy analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

5.1 Summary of simulation setup . . . . . . . . . . . . . . . . . . . . . . . . . 645.2 Speed vs. time interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655.3 Accuracy analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

6.1 PDF and throughput for sinkhole based wormhole attack. . . . . . . . . . . 746.2 PDF and throughput for denial of service based wormhole attack. . . . . . . 746.3 PDF and throughput for black hole based wormhole attack. . . . . . . . . . 74

7.1 RCN value measured without wormhole attack . . . . . . . . . . . . . . . 937.2 RCN value measured in the presence of wormhole attack . . . . . . . . . . 94

xxi

Chapter 1

Introduction

1.1 Introduction

Sensor nodes are distributed in a given area for monitoring real world environmental or phys-ical conditions such as location, pressure,temperature, motion, sound etc. It is widely usedby military applications. Normally the environment is hostile or disaster area. Due to thepresence of malicious nodes in the sensor network, it has to face various security problems.Major research issues in wireless sensor networks include energy, self management, hard-ware and software issues, MAC layer issues, data collection and transmission, deployment,decentralized management, multimedia communication, synchronization and real time oper-ations. Due to the fundamental characteristics of sensor nodes, security is the important andcrucial issue. This study focuses on security attacks in wireless sensor networks.

1.2 Wireless Sensor Networks

Each node in the wireless sensor network contains power supply (battery), radio transceiver,analog-to-digital converter and microprocessor. Each node sends data to the neighboringnodes and the neighboring nodes forward it to the next neighboring nodes and at last itreaches to the sink node. Major applications of wireless sensor networks are divided intotwo parts: event detection applications and data collection applications. Sensor nodes aredeployed in the field. When any event occurs, the information is routed to the base station orsink node. User can access base station through internet or satellite.

Wireless sensor network is differing from other traditional networks in the following ways:

1. Traditional networks are used for general purpose design while wireless sensor net-works are used for single purpose design and serve one specific application.

1

CHAPTER 1. INTRODUCTION 2

2. Traditional networks are designed according to plans while wireless sensor networksare designed without planning, the deployment and network structure is ad hoc.

3. For traditional networks energy is not the main concern while energy is the primaryconcern for wireless sensor networks.

4. Traditional networks operate in controlled environment while sensor networks operatein hostile environments.

5. Traditional networks are easy to access while physical access to sensor nodes is diffi-cult.

A comparison of wireless sensor networks and wireless ad hoc networks is shown in Table1.1 [1-3].

Table 1.1: Wireless sensor networks Vs. other ad hoc networks

Wireless Sensor Networks Wireless Ad hoc Networks

Large no. of nodes. Medium no. of nodes.

Nodes are densely deployed. Nodes are scattered.

Nodes are prone to failures. Chances of node failures are very rare.

Topology changes very frequently. Topology changes rarely.

Broadcast communication is used. Point-to-Point communication is used.

Battery is not replaceable and notrechargeable. Battery is replaceable.

Aggregation is possible. Aggregation is not suitable.

Limited memory and computational capacities.Memory and computational capacities is notlimited.

Low data rate. High data rate.

High redundancy. Low redundancy.

There exist four categories of routing protocols for sensor networks [4]:

1. Routing based on flooding

2. Hierarchical routing

3. Routing based on location

4. Probabilistic routing


Some of the commonly used routing protocols include LEACH (Low Energy AdaptiveClustering Hierarchy), direct diffusion, AODV (Ad-hoc On Demand Distance Vector Rout-ing), GBR (Gradient Based Routing) and GPSR (Greedy Perimeter Stateless Routing) [5].

1.3 Characteristics of WSNs

Wireless sensor networks have several benefits including easy deployment, self organization,low cost and high fidelity sensing etc. In wireless sensor networks, hundreds or thousands ofnodes are deployed in a sensor field for monitoring physical environment. The cost of sensornetwork is reduced by reducing the cost of the sensor nodes as low as possible. Sensor nodesare distributed randomly or uniformly. Each sensor node collects the data and processesit. After processing, data are aggregated and send to the sink node. Sensor nodes must becapable of organizing themselves. Wireless sensor networks are application oriented. Theydiffer from conventional networks. Sensor nodes have to be fault tolerant because they aredeployed over a large and hostile environment. If a node needs to communicate with basestation or other node which is beyond its communication range, then it is forwarded by theintermediate node through multi-hop communication. Wireless sensor networks are subjectto various constraints and challenges. The most important design constraints are listed below[6, 7]:

1. Energy.

Energy is very crucial parameter for wireless sensor networks. Sensor nodes are pow-ered through batteries. Nodes will be discarded once their energy is depleted. Batterydetermines the lifetime of the sensor node.

2. Lack of a-priori knowledge of post deployment position.

Sensor nodes are deployed through airplane or vehicles. Therefore, the nodes comeinto communication range of which other nodes is not predefined. Nodes are scattered.

3. Unattended after Deployment.

Sensor nodes are generally deployed in disaster area or for military applications. Theyare not personally monitored. After deployment, the nodes operate without humanintervention.

4. Very limited resources.

• Limited memory

• Limited power


• Limited computation

5. Security.

Sensor nodes are remotely managed and they are unattended. Therefore, security isvery crucial for wireless sensor networks. They are vulnerable to attacks and maliciousintrusions. Wireless communication is also unreliable. The most challenging threatis denial of service attack in which the goal of an attacker is to disrupt the normaloperation of the wireless sensor network. Sensor nodes are resource limited devices.Traditional security algorithms are not applicable. Therefore, new security measuresare needed for wireless sensor networks.

6. Collisions and latency.

Sensor networks are densely deployed. Therefore, chances of collision and increase inlatency are more.

7. Remotely managed.

Sensor nodes are managed offsite. Therefore, it is difficult to detect physical temperingwith the sensor nodes in a network. Redeploying cryptographic keys and replacingbatteries are not possible to do remotely.

1.4 Architecture of WSNs

In wireless sensor networks, many sensor nodes cooperatively monitor large physical envi-ronments. They are differing in their communication capabilities.

Figure 1.1: Sensor network communication structure [6, 8]


Fig. 1.1 shows the sensor network communication structure. Wireless sensor nodes aredeployed in the sensor field. Each node collects the data and transmits to the next node andfinally data reaches to the base station. Base station is the data aggregation point. Throughsatellite or internet, one can monitor the given area. Hundreds to thousands of nodes are de-ployed in the given area. Sensor nodes are not personally monitored. The user can remotelyaccess, process and analyze the data.

Figure 1.2: Sensor node components [8]

Fig. 1.2 shows sensor node components. The main components of a sensor node includesthe following:

1. Sensing unit.

It consists of different types of sensors. Selection of sensors depends on application.The output of the sensor node is an electric signal which is analog. It is converted intodigital form by analog to digital converter and given to the processor.

2. Processing unit.

The processor executes instructions pertaining to sensing, communication and self-organization. It consists of a processor chip, a nonvolatile memory for storing programinstructions, an active memory for temporarily storing the sensed data and an internalclock. Most existing sensor nodes at present use microcontrollers. The functionalityof the processor is to collect the data for processing and store it.

3. Communication unit.

Radio transceiver is used for communication purpose. It consists of a receiver as wellas a transmitter. Depending on the application requirements, an appropriate method isused for communication such as infrared, optical or radio communication.


4. Power unit.

Energy is provided to the sensor nodes by using power unit. The life of the sensor nodedepends on battery. Mobilizer is used for mobility purpose. Location finding systemis used to know the node’s location. Power generator is used for recharging sensornodes.

Sensor node consists of hardware having low power consumption. Each node consists ofsensors, a radio chipset used for wireless communication, a serial port used for node to hostcommunication and a microcontroller. Microcontroller contains RAM and flash memory.RAM is used for program execution and flash memory is used for program storage. Micro-controller is the most interesting part for an attacker. Fig. 1.3 shows the current sensor nodehardware.

Figure 1.3: Current sensor node hardware: Mica2 [10] and Tmote sky [11]

The specification of different types of sensor nodes is given in Table 1.2.

Table 1.2: Specification of different types of sensor nodes

Specifications MICA2 TMote mini

Processor8Mhz, Atmel ATMega128microcontroller MSP430 F1611 microcontroller

RAM 4 Kbytes 10 Kbytes

Max. Data Rate 76.8 Kbps 250 Kbps

Program Flesh Memory 128 Kbytes 48 Kbytes

Transmit Power 87.90mW 57mW

Receive Power 36.81mW 57mW

Sleep Power 0.048mW 0.003mW


Protocol stack of wireless sensor network is shown in Fig. 1.4.

Figure 1.4: Protocol stack of WSNs [12]

Wireless sensor network can be configured as a layered architecture [12]. The five layersare as follows:

1. Physical Layer.

• Modulation.

• Data encryption.

• Frequency selection.

2. Data Link Layer.

• Medium access control.

• Error control.

• Data frame selection.

3. Network Layer.

• Route the data between sensors nodes and the sink using multi-hop wireless rout-ing protocols.

4. Transport Layer.

• Maintaining the data flow.


5. Application Layer.

• Makes the hardware and software transparent to the end user.

1.5 Applications of WSNs

Applications of wireless sensor networks include military, medical, environmental and habi-tat monitoring, industrial and infrastructure protection, disaster detection and recovery, agri-culture etc [9]. Some common applications are listed below:

1. Area/Habitat Monitoring.

A common application of wireless sensor network is an area monitoring. Sensor nodesare deployed in large area to monitor some phenomenon. In military, sensor nodes areused for enemy intrusion detection. Wireless sensor networks are used for monitoringof water, oil and gas pipelines. It requires unobtrusive and continuous monitoring.The possible reasons for Leakages can be internal damage, earthquakes, corrosionetc. When the sensor nodes detect the event (pressure, heat), it is reported to the basestation.

2. Earth/Environmental Monitoring.

Environmental sensor network covers many applications of wireless sensor networksincluding volcano monitoring, human activity monitoring, monitoring temperature andhumidity.

3. Critical Events/Forest Fire Detection.

Wireless sensor network is used to detect fire in the forest. The sensor nodes are usedto measure humidity, gases and temperature produced by the fire.

4. Health Applications.

Use of sensors allow to continuously monitoring health of patients and help in criti-cal situation like calling doctors or staff through sending certain signals or message inemergency. Sensor nodes used for health monitoring include electrocardiogram, sen-sors for monitoring blood flow, blood pressure sensors, sensors for monitoring bodyand skin temperature etc.

5. Precision Agriculture.

It is useful for farmers for managing the farm and for efficient production. It providesa decision support system by encompassing climate change and monitoring of cropand soil. Radar, GPS and aerial images are used for diagnose purpose.


1.6 Motivation

Security is very crucial for resource constrained wireless sensor networks due to their funda-mental nature. Wireless sensor networks are vulnerable to many attacks including sinkhole,wormhole, sybil, selective forwarding, blackhole etc. Wormhole is very dangerous amongall these attacks. It is a gateway of many more attacks. Launching the attack is easy, butdetecting it is very hard. For launching the attack, it is not required to know the crypto-graphic material or protocols used in the network. A malicious node attracts the traffic fromone location and tunnels to another location and disturbs the whole routing process [13-15].Research related to wormhole in sensor network has received much interest recently. Inmobility based sensor networks, two nodes located far away from each other becomes onehop neighbors. Therefore, it creates an illusion that wormhole may be launched. It is verychallenging to differentiate the malicious and the genuine nodes.

1.7 Original Contribution

Our main contribution includes the following:

1. Survey of various security attacks and their countermeasures.

2. Identifying merits and demerits of existing techniques for wormhole detection.

3. Wormhole detection mechanism in static wireless sensor networks with low resourcerequirements and high detection accuracy.

4. Wormhole detection mechanism in mobility based wireless sensor networks with lowresource requirements and high detection accuracy.

5. Impact of variants of wormhole and their countermeasures in WSNs.

To summarize, this thesis attempts to address the security attacks in wireless sensor networkssuch as blackhole, selective forwarding, jamming, sinkhole, wormhole etc. Among all pos-sible attacks, wormhole is a gateway of many more attacks. Therefore, our main focus is ondetection of wormhole attacks in static and mobility based wireless sensor networks.

1.8 Organization of Thesis

The rest of the thesis is organized as follows. Chapter 2 presents sensor network security andattacks.


Chapter 3 presents wormhole attack countermeasures.

Chapter 4 presents wormhole detection methodology in static WSNs.

Chapter 5 presents wormhole detection methodology in mobility based WSNs.

Impact of variants of wormhole is presented in chapter 6.

The thesis concludes with conclusions and further scope of this work in chapter 7, with somekey references listed in bibliography section.

Chapter 2

Wireless Sensor Network Security andAttacks

2.1 Introduction

For applications such as target tracking, battlefield surveillance and assessment, disasterzones assessment, monitoring tunnels and bridges (civil infrastructure), any compromiseof information can have very serious consequences. Providing security in wireless sensornetwork is very difficult task due to several constraints. The nodes are resource limited interms of energy, bandwidth, storage and computation. It is not desirable to run the securityalgorithm which requires more computation and power on senor nodes. Sensor nodes aregenerally deployed in hostile or unattended environment. In such environment, an attackercan easily capture a few nodes. Once the nodes are compromised or captured then the at-tacker can access the secret material stored on sensor nodes and launch variety of attacks[16-21]. Sensor network applications are mostly based on local communication and compu-tation. In comparison to the sensor nodes, adversaries are much more powerful. Public keycryptography requires high power computation and therefore it is not applicable to wirelesssensor nodes.

Section 2.2 presents various threats in WSNs. Generic security requirements are presentedin Section 2.3. Background on physical attacks on sensor nodes is discussed in Section2.4. Section 2.5 presents security vulnerabilities in wireless sensor networks. Significant ofwormhole attack is discussed in Section 2.6.

11

CHAPTER 2. WIRELESS SENSOR NETWORK SECURITY AND ATTACKS 12

2.2 Threats in WSNs

Sensor nodes use broadcast transmission medium. Therefore, wireless sensor networks aremore susceptible to security attacks. Sensor nodes are deployed in hostile environment.Therefore, an attacker can easily attack on the sensor networks [22]. Attacking classes aremainly of two types [23-25]: (1) based on the location of an attacker and (2) based on thestrength of an attacker.

1. Attacks Based on Location of an Attacker.

Attacks can be either internal or external attacks. Internal attack refers to attack createdby any genuine node of the network. External attack refers to attack created by anexternal entity.

• Internal Attacks.

An attack is considered as internal attack if any genuine node of the network actsabnormally. An attacker can compromise any legitimate node. An attacker canphysically capture the node and obtain its secret key material.

• External Attacks.

An attack is considered as external attack if it is performed by an external node.In this case, an attacker does not have any cryptographic information or any in-ternal network information.

• Passive Attacks.

Passive attacks do not disturb the communication between nodes. The goal ofan attacker is to monitor packets exchanged within wireless sensor networks.Eavesdropping is also a kind of passive attack. For draining the receiver’s battery,an attacker can inject useless packets. The goal of an attacker is to run somemalicious code and disturbs the normal functionality of the network.

• Active Attacks.

An active attacker can do traffic monitoring, traffic analysis, information inter-ruption and modification. Active attacks disturb the normal communication be-tween nodes. Example of active attacks include denial of service, jamming, mes-sage replay and impersonating.

2. Attacks Based on Attacker’s Strength.

Devices used by an attacker may have high capabilities in terms of antenna and com-putation power. Karlof and Wagner [26] have identified two categories: (1) laptopclass attacker and (2) mote class attacker.


• Laptop Class.

This type of attacker may have powerful devices such as high power radio trans-mitter, large battery power, faster CPU and bigger memory space. The goal ofan attacker is to run malicious code and disturb the normal functionality of thenetwork. Attacker may tries to steal the secret cryptographic material from thesensor node.

• Mote Class.

Mote class attackers have the same capabilities as the sensor nodes. Attackersobtain access to one or more sensor nodes for launching an attack. The goal ofan attacker is to disturb the network using only the capabilities of a sensor node.Therefore, these types of attacks are limited.

2.3 Generic Security Requirements

Wireless sensor network’s general security goals are confidentiality, authentication, avail-ability, integrity and freshness as described in Table 2.1.

Table 2.1: Security services

Confidentiality Only authorized users can view the information.

IntegrityContents of the message are not modified inbetween transmission.

Device Authentication Device identity justification.

Message Authentication Justification of the information source node.

Access Control Restricting access to resources.

NonrepudiationSender and receiver can not deny its role inthe communication.

AvailabilityService should be available at all times toprevent service disruptions.

Data FreshnessMessages have not been reused and are inproper order.

These security issues are called outside security. It belongs to anti-jamming services [27],access control [28] and query processing [29, 30, 31]. Inside security is based on interactionbetween the internal system components. It includes routing [32, 33], data aggregation [34,35], in-network data storage [36, 37] and query processing [38, 39, 40].


2.4 Physical Attacks on Sensor Nodes

Tampering refers to modification of the internal structure of a single chip. Physical attackrefers to direct physical access to the sensor node. Depending on the effort, physical attacksare categorized into three types:

1. Easy Attacks.

These types of attacks can be mounted quickly and with cheap equipment. It influencessensor readings. The attacker has an access to the memory of the sensor node.

2. Medium Attacks.

These attacks require preparing non-standard laboratory equipment outside the sensorfield. An attacker can access the RAM of the microcontroller and flash memory. Thegoal of an attacker is to access cryptographic keys.

3. Hard Attacks.

These attacks require non-standard laboratory equipment in the field. An attacker hasan access to the microcontroller for read/write. An attacker can analyze the programand change it as per needs.

An attacker can be classified as per three parameters: (1) Goals, (2) Presence, and (3)Intervention.

1. Goals.

Identifying the goals of an attacker is the most difficult aspect of security in WSNs.The attacker tries to violate three classical security requirements:

• Confidentiality.

An attacker try for unauthorized access if the data are privacy relevant and valu-able.

• Integrity.

An attacker try to modify the data if the data are critical.

• Availability.

It indicates that network should be available at all the times. An attacker canviolate availability property by launching the denial of service attack.

2. Presence.

It indicates where the attacker can act in a network. An attacker can be local, global ordistributed. A local attacker has one receiver which can manipulate the closest node.Attacker nodes are distributed over the entire network. The global attacker can analyzethe complete network. It is the most powerful level of an attacker.


3. Intervention.

It indicates what an attacker can do. Different types of attackers are described asbelow:

• Eavesdrop.

An attacker can only listen to network traffic and analyze it, do nothing else.

• Crashing.

An attacker can destroy sensor nodes. An attacker attacks such that the sensornodes completely break down.

• Disturbing.

An attacker can upset sensors by measuring fake data. An attacker can selectivelyjam the network.

• Limited Passive.

An attacker can open the node and use its secret materials.

• Passive.

An attacker can steal the secret material of the node. An attacker can modify thenode’s data.

• Reprogramming.

An attack can reprogram the node to act in arbitrary ways.

2.5 Security Vulnerabilities in WSNs

The attacks on wireless sensor networks can be categorized as follow [42]:

1. Attacks on Network Availability.

The goal of an attacker is to deny the network services. It is referred to as Denial ofService attack. This attack may be created at any layer.

2. Attacks on Secrecy and Authentication.

Secrecy and authentication attacks include packet relay attacks, eavesdropping andspoofing of packets.

3. Stealthy Attack Against Service Integrity.

The goal of an attacker is to inject a false data value after compromising the sensornode.


Sensor networks are vulnerable to many more attacks including selective forwarding, rush-ing, denial-of-service, sinkhole, wormhole, Sybil, flooding, desynchronization etc. Theseattacks attempt to compromise the data generated by sensor nodes and the network’s oper-ation. Table 2.2 describes layer based attacks [41]. The various categories of an attack aredescribed as follow:

Table 2.2: Different layer attacks

Physical LayerJammingTampering

Data Link Layer

CollisionSpoofingAlteringReplay AttackAttacks on Routing

Network Layer

BlackholeSybilSelective ForwardingWormholeHello Flood

Transport LayerFloodingDesynchronization

Application Layer

False Data InjectionSpoofingAlteringRouting Attacks

2.5.1 Attacks on Network Availability

The goal of an adversary is to disrupt network services or to stop a network from functioning.The different forms of Denial of service attacks in wireless sensor networks are as follow:

1. Attacks on Physical Layer .

This type of attacks can be categorized into two types:


• Jamming.

A malicious entity interferes the frequencies of radio of WSNs for creating jam-ming attack [42, 44]. A single malicious node can disable the entire network.The resistance to jamming attack is to use frequency hopping spread spectrum.As per the hopping sequence, communicating devices frequently hop betweenfrequencies.

• Tempering.

Sensor nodes are unattended after deployment. Therefore, they are susceptibleto physical attacks [46]. An attacker can physically damage or modify the de-vice for gaining access to cryptographic keys [43]. The resistance to tamperingis to use temper proof materials and a device deletes its information once an at-tack is detected. In [45], authors have shown that MICA2 sensor node can becompromised in less than 1 minute.

2. Attacks on Link Layer.

Link layer attacks can be categorized into three types:

• Collisions.

Packets are colliding when two sensor nodes tries to transmit on the same fre-quency simultaneously. Packets need to retransmit after collisions. The goal ofan attacker is to continuously transmit messages to generate collisions.

• Resource Exhaustion.

Repeated collisions may lead to resource exhaustion [44]. An attacker may con-tinuously retransmit the corrupted packets.

• Unfairness

The goal of an attacker is to disrupt the frame transmission and therefore to causedegradation of performance of applications running on the sensor nodes [44].

3. Attacks on Network Layer.

• Selective Forwarding Attack.

An attacker forwards selective packets while dropping the remaining packets. Anattacker can periodically drop certain packets or can drop packets coming fromthe certain node [50].

• Sybil Attack.

A malicious node spoofs the identity of other legitimate nodes [48]. One nodepresents multiple identities simultaneously. Encryption and authentication mech-anism can prevent an attacker for launching a sybil attack. Sybil attack can be


avoided by using public key cryptography but it is too costly for resource con-strained wireless sensor nodes.

• Hello Flooding Attack.

Using high powered transmitter, the attacker node falsely broadcast that it hasshorter path to reach to the base station [50]. When the nodes receive the HELLOpackets, they start to transmit. These nodes are not in the transmission range ofthe malicious node.

• Sinkhole Attack.

The attacker’s goal is to attract traffic from a particular area through compromisednode [44, 47, 50]. The attacker node is equipped with powerful hardware. Acompromised node looks attractive with respect to routing algorithm and it isplaced near to the sink node or placed such that it covers the whole part of thenetwork.

• Blackhole Attack.

An attacker falsely advertise good path. To establish the path from source tothe destination, the source node broadcasts route request packet to the neigh-boring nodes. Every intermediate node broadcasts the route request packet toits neighbors. When the unauthorized node receives the route request packet, itimmediately sends route reply packet. In this way, the path is established fromsource to the malicious node. The goal of an attacker is to drop all the packets.

• Byzantine Attack.

These types of attacks are very difficult to detect. A set of malicious nodes workin collusion to create routing loops, selective dropping packets and forwardingpackets in non optimal routes [49].

• Information Disclosure.

The unauthorized node may access confidential information such as geographiclocation of nodes, secret keys and network topology information by compromis-ing one or more sensor nodes.

• Resource Depletion Attack.

An attacker deplete the resources of other nodes such as bandwidth, batterypower and computational power. An attacker sends unnecessary requests forroutes.

• Acknowledgement Spoofing.

An attacker node overhears packet transmissions and spoofs the acknowledge-ments. Therefore, it provides false information to the nodes [50].


4. Transport Layer Attacks.

Transport layer attacks can be categorized into two types:

• Flooding.

The goal of an attacker is to make new connection requests and thereby exhaust-ing the resources [44]. The attacker sends requests until it reaches to a maximumlimit. Therefore, the genuine requests are ignored.

• Desynchronizaion.

The goal of an attacker is to disrupt the connection [44]. The attacker repeatedlyforges messages to both the end points. The countermeasure to this attack isauthenticates all exchanged packets.

2.5.2 Stealthy Attack Against Service Integrity

The attacker copies the existing node’s identifier and adds that node to the existing wirelesssensor networks [51]. This replicated node can cause several disruptions by corrupting andforwarding the packets to the false routes. It leads to false sensor readings and networkpartitioning. This type of attack is called node replication attack.

2.5.3 Attacks on Secrecy and Authentication

Privacy preservation in a WSNs is a challenging issue. The attacker systematically monitorsthe traffic and derives sensitive information. Following are some attacks on sensor dataprivacy:

1. Eavesdropping and Passive Monitoring.

If cryptographic mechanism is not applied on the messages, an attacker can easilyunderstand it. An adversary can eavesdrops and passively monitors the messages.

2. Traffic Analysis.

Through traffic analysis, an adversary can identify some nodes whose role is special.An adversary can also identify the activities and events in wireless sensor networks[52].


2.6 Significant of Wormhole Attack

Wormhole attack can be launched by placing one malicious node in one part of the networkand other malicious node in another location which is far away in other part of the networkby creating high speed tunnel.

Figure 2.1: Wormhole attack

As shown in Fig. 2.1, location of malicious node M1 is far away from location of themalicious node M2. First malicious node receives traffic from one part and tunnels it to thesecond malicious node which replies the traffic to another part of the network. Therefore,routing process in the network is disturbed. As shown in fig. 2.1, nodes Y and Z become onehop neighbors of node W and vice versa. There is no need to know the cryptographic mech-anism used in the network and protocols or services offered in the network for launching theattack. The packets pass through the wormhole can propagate faster compared to the normalpath.

2.6.1 Wormhole Against Periodic Routing Protocols

In distance vector routing algorithm [53], every node periodically sends its routing table toall its neighbors. Every node receives routing table from all its neighbors and updates its ownrouting table as per the entries in the neighbor’s routing table. The routing table contains theentries of distance from itself to the other nodes in the network.

In Fig. 2.2, node S9 broadcasts its routing table. All the neighbor nodes of node S9 hearit. Node S2 is not a real neighbor, it is connected through wormhole. Therefore, node S2also hears it. Node S2 updates its routing table and makes entry in the routing table that nodeS9 is one hop away and the nodes S8, S10, S11, S12, S13 are two hops away.


Figure 2.2: Wormhole attack against distance vector routing protocol

2.6.2 Wormhole Against On-Demand Protocols

The examples of on demand routing protocols are Dynamic source routing (DSR) [54] andAd hoc on demand distance vector routing (AODV) [55]. In on demand routing protocols,source node broadcasts RREQ (Route Request) packet. The neighboring nodes forward theRREQ packet and finally it reaches to the destination. After receiving the RREQ packet,the destination node sends the RREP on the reverse path. When the source node receivesthe RREP, the path is established from source to the destination and all the data packetstransferred from source to the destination follow the same route.

Figure 2.3: Wormhole attack against on demand routing protocol

Fig. 2.3 shows the wormhole attack against on demand routing protocol. To establish apath to node S2, node S9 broadcasts route request packet. The RREQ is received by nodeS8 and it is forwarded to node S6 and finally it reaches to the destination S2. Before the


RREQ packet reaches to S2 via the normal path S9-S8-S6-S5-S2, it immediately reaches tonode S2 via tunnel. Nodes S2 and S9 are connected through tunnel. Therefore, when S9broadcasts a RREQ packet, it is captured by the unauthorized node located at one end of thetunnel and it passes to the malicious node located at another end of the tunnel. The secondmalicious node replies it to node S2. In this way, path is established between S9 and S2through tunnel. All the traffic passes from S9 to S2 follows this route via malicious nodes.Malicious nodes located at each end of the tunnel can drop the packet, analyze the traffic orselectively forward the packets.

2.6.3 Wormhole Attack Taxonomy

There are two modes to create the wormhole [56-57]:

1. Hidden Mode Attack.

In this mode of an attack, both the malicious nodes are hidden from the rest of thenodes in the networks. Malicious nodes act as simple transceivers without using theiridentities. One malicious node captures the message at one end of the tunnel andsends to the second malicious node at another end of the tunnel. By creating a tunnel,malicious nodes capture traffic from one area and reply it to the other area. For hiddenmode wormhole attack, the attackers do not require any cryptographic keys.

2. Participation Mode Attack.

This mode of attack is more powerful. It can be launched by valid cryptographic keys.The malicious nodes participate in the network as legitimate nodes and deliver packetswith smaller no. of hop counts.

Wormhole attack can be created using encapsulation based method or using out-of-band tunnel.

1. Wormhole Using Encapsulation.

In Fig. 2.4, node S broadcasts a packet which is received by its neighbor node A and itis also captured by malicious node M1. Node S forwards the packet to node A and thepacket reaches to destination node D through the legitimate path S-A-B-C-D. On theother way, malicious node M1 forwards the packet to the next node and it reaches tosecond malicious node M2 which sends the packet to the destination node. Hop countdo not increase in between M1 and M2. The path through the malicious nodes hasshorter hop count compared to the legitimate path and therefore, the path through themalicious nodes is selected for transmission.


Figure 2.4: Wormhole through packet encapsulation

2. Wormhole Using Out-of-Band Channel.

Fig. 2.5 shows wormhole attack using out of band channel. The packet broadcasted bysource node S is captured by the first malicious node M1. Both the malicious nodes areconnected through high speed tunnel. First malicious node M1 tunnels the packet tothe second malicious node M2. Malicious node M2 sends the packet to the destinationD. The legitimate path is S-W-X-Y-Z-D. The time required to reach the packet to thedestination via tunnel is less compared to the genuine path. Therefore, the path throughthe tunnel is selected for transmission. Node M1 attracts the traffic from one part ofthe network, tunnels to the other node and node M2 replies it to another part of thenetwork.

Figure 2.5: Wormhole through tunnel

Chapter 3

Wormhole Attacks Countermeasures

3.1 Introduction

In this chapter, a review of wormhole attack detection approaches proposed in the literaturefor securing WSNs is presented. Existing approaches for wormhole detection are classifiedinto four categories:

1. Using Distance and Time Information.

A path through wormhole contains smaller no. of hop counts. The route in the attackhas greater than average time per hop compared to a normal route.

2. Using Secure Neighbor Discovery.

Some approaches presented in the literature maintain neighbor information to detectwormhole.

3. Using Connectivity Information.

Network connectivity is examined for attack detection and any fundamental topologydeviation indicates the presence of the wormhole.

4. Using Location Information.

Detecting wormhole attack using location information requires GPS or location awareguard nodes.

Section 3.2 presents existing detection approaches using distance and time information. Sec-tion 3.3 presents existing detection approaches using neighbor discovery. Existing detectionapproaches using connectivity information are presented in Section 3.4. Section 3.5 presentsdetection approaches using location information.

24

CHAPTER 3. WORMHOLE ATTACKS COUNTERMEASURES 25

3.2 Using Distance and Time Information

3.2.1 Detection Using Packet Leashes

Authors have proposed packet leashes approach for detection of wormhole attack in [58, 59].A leash is the information that restricts packet’s maximum allowed transmission distance.Authors have discussed geographical and temporal leashes.

1. Geographical Leash Approach.

The requirement for geographical leash approach is that every node must be awareabout its location and every node is equipped with loosely synchronized clock. Itrequires location finding mechanism. While sending the packet, the sender node addsits own location in the packet header. It also adds the time in the packet header whenit has sent the packet. When the receiver node receives the packet, it calculates twoparameters: (1) the distance from the sender to the receiver and (2) the packet traversaltime. These two parameters are used to identify the presence of the wormhole. Thelarge distance with less traversal time indicates that the packet has passed through thewormhole.

• Merits.

Geographical packet leash approach does not require tight clock synchronizationfor calculating packet traversal time.Every node is equipped with loosely synchronized clock.By associating radio propagation model with geographical packet leash approach,wormhole can be detected through obstacles.

• Demerits.

Network overhead is increased due to broadcast authentication mechanism.More bits are required to represent location information.

2. Temporal Leash Approach.

Temporal packet leash approach requires every node is equipped with tight synchro-nized clock. The difference between two node’s clocks is either in the order of mi-croseconds or nanoseconds. When a node sends a packet, it adds authenticated times-tamp to the packet header. When the receiving node receives the packet, it compares itwith the receiving time. The distance between sender and receiver is computed as theproduct of time required for signal propagation and the speed of light. If the distanceis too large, it indicates the presence of the wormhole. Authors have presented an effi-cient authentication protocol called TESLA with Instant Key disclosure. TIK protocolis based on temporal leash approach.


• Merits.

Temporal packet leash approach is highly efficient.

• Demerits.

Physical layer wormhole may not be detected using this approach.

3.2.2 Challenge Response Delay Measurement

The authors have proposed distance based wormhole detection approach called SECureTracking Of node encounteRs (SECTOR) [60]. The detection is based on Merkle hash treesand one way hash chains. The nodes are mobile and the base stations are fixed. Each nodeis equipped with a local clock and the clocks are loosely synchronized. It is assumed thatfor secure communication each node can generate cryptographic keys. All network nodesshare pair wise secret key. At the time of encounter the nodes calculate their mutual distanceusing mutual authenticated distance bounding protocol. Bit exchanges occurs between twonodes. As a challenge, node A sends bit αi to node B. As a response, node B immediatelysends βi to node A. Both the nodes A and B measure the time and compute an upper boundon their distance. Node A measures the time between sending bit αi and the receiving bitβi. Node B measures the time between sending bit βi and receiving bit αi+1. A shared keybetween two nodes is used to generate message authentication code. Message authentica-tion code is used for verifying the authenticity of the message exchanges. For guaranteeingthe freshness of node encounters, the authors have proposed two mechanisms: GEF-Ce andGTE-CeCl. Guaranteeing Encounter Freshness, (GEF-Ce) has the lowest cost but it pro-vides lowest level of security. It provides only freshness guarantees. Guaranteeing the Timeof Encounter, GTE-CeCl has higher cost in comparison with GEF-Ce but it provides exacttime guarantees and highest level of security. Both the mechanisms are used for any to anyverification.

• Merits.

It does not require location information or clock synchronization.

• Demerits.

Due to multiple hash chains, the storage requirement increases as the no. of nodesincreases.


3.2.3 Timing Based Measurement Approach

The approach presented in [61] requires two steps of communication: During the first step,every node sends a signed Hello message and records the message sending time. This mes-sage contains the node’s ID and a nonce. At the end of first step, every node knows about allits neighbors. During the second step, every node sends a signed follow-up message. Thisfollow-up message contains three things: (1) the time when the Hello message was sent dur-ing the first round (2) the IDs of neighboring nodes with their corresponding nonce and (3)the time when the IDs of all neighboring nodes were received. After sending its own Hellomessage node P receives the message of node Q. After receiving follow up packet from nodeQ, node P checks its nonce and verifies Q’s signature. Node P accept node Q as its neighborif, ((TP,Q − TP ) − (TQ − TQ,P ) ∗ C)/2 ≤ Tmax, Where Tmax represents maximum trans-mission range, TP represents the sending time of P’s Hello message which is recorded byP, TP,Q is the receiving time of Q’s Hello message which is recorded by P and (TP,Q − TP )

represents the time required for getting the response. The delay at node Q is (TQ − TQ,P ).Therefore, the node P subtracts it from (TP,Q − TP ).

Suppose after receiving Q’s Hello message, node P sends its own message. Node P considernode Q as neighbor if ((TQ,P − TQ)− (TP − TP,Q) ∗ C)/2 ≤ Tmax.

At the end of the second round, each node has its two hop neighbor list. Maheshwari’salgorithm [62] can be used for detecting presence of wormhole.

• Merits.

It does not require verifying the vicinity of each neighbor one by one.The nodes do not require synchronized clocks.One to one communication is not needed for all the nodes.

• Demerits.

The authors have taken the assumption that a node is able to record time when it sentor received a packet.

3.2.4 Distance Consistency Approach

Authors have proposed a distance consistency based secure localization approach in whichthree different types of nodes, locators, sensors and attackers are deployed [63]. The locatorsknow their own locations. The proposed approach consists of three phases: (1) Wormholeattack detection (2) Valid locators identification and (3) Self localization. Periodically ev-ery locator broadcasts a beacon message. This message contains the ID and location of the


source locator. With the presence of the wormhole, the affected locators will detect by ex-changing message. Some of the abnormal scenarios include the following: (1) if the locatorreceives the same copy of the message sent by its own, (2) if it receives more than one copyof the same message via different paths from different locator and (3) if a locator receives amessage from another locator which is not in the the transmission range. Valid locators areidentified using different identification approaches. Authors have used the RSSI (ReceivedSignal Strength Indicator) method to measure the distances to their neighboring locators.Maximum Likelihood Estimation (MLE) method is used to estimate the sensor’s location.

• Merits.

Simplex and duplex wormhole attack can be distinguished.It achieves good performance even when the malicious locators are more than thenormal ones.

• Demerits.

The authors have taken the assumption that all nodes have the same transmission range.

3.2.5 Using Rank Information

The detection mechanism presented in [64] is based on unreasonable rank value. “Rank”value in RPL (Routing Protocol for Low-Power and Lossy Networks) represents the positionof a node. The root node has rank value zero. The rank value of any node is the number ofhops to the root plus one. The rank value is used to estimate the distance to root node.

In RPL, periodically every node sends DIO (DODAG Information Objects) messages. Oncethe nodes receive the message, they update their routing table. Initially the DIO messages arecollected and the rank value is extracted. Using extracted rank values, the algorithm detectthat the received DIO message is from malicious node or not. Suspicious DIO messagesare found using rank threshold and rank difference value. Rank threshold represents thedifference between the parent node and the node itself. Rank difference value represents therank difference between the source node and the node itself.

3.2.6 Ranging Based Secure Neighbor Discovery Approach

In [65], the authors have proposed secure neighbor verification protocol which consists ofthree phases: (1) Ranging (2) Neighbor table exchange and (3) Link verification. Usingranging protocol, every node computes its distance from all its single hop neighbors. Rang-ing is done simultaneously for all neighbors by broadcasting an ultra sound message. Using


authentication, every node shares the neighbor table including calculated distance. In thelast phase, each link is verified by a number of security tests in order to detect topology dis-tortions. The nodes which successfully pass the tests are considered to be actual neighbors.Every node runs this three steps ranging protocol.

• Merits.

An adversary has very negligible chances to create a tunnel.

• Demerits.

Each node is equipped with a radio frequency interface, microsecond precision clockand a sound interface.

3.2.7 Range Free Anchor Free Localization Approach

The authors have presented range free anchor free wormhole detection approach that is basedon connectivity and hop-counting information [66]. Anchor free techniques do not use ref-erence nodes with known physical coordinates. Range free techniques do not use distancemeasurements. The first step is measurement or probe procedure. In the second step, eachnode will compute a local map for all its neighbors. These neighbors are considered basedon the measurement procedure. After receiving hop coordinate from all its neighbors, eachnode will calculates shortest path between all pair of nodes. In the third step, wormholedetection procedure is introduced. The diameter feature is used to identify the presence of awormhole. If the diameter of the local map is larger than the physical one, then wormholeattack is presence in the network. If the value of diameter is greater than ((1 + λ) ∗ 1.4 ∗R),then wormhole attack is presence in the network. The value of λ is between 0 and 1. Afterdetection of the wormhole, a special message is send to all neighbor nodes to freeze.

• Merits.

This approach has good accuracy and low false toleration rate.

• Demerits.

For improvement of detection method, threshold should be decided automatically.

3.2.8 Geographic Wormhole Detection in Wireless Sensor Networks

Geographic wormhole attack detection approach is presented in [67]. A pair wise key pre-distribution protocol is used for detecting malicious nodes. One way hash function is used to


generate public and private keys. Every node periodically updates its neighborhood table af-ter receiving the beacon packets from the neighboring nodes. After receiving the packet, thedestination node computes the distance between source and destination. If an attack is de-tected, then the source node sends a request to send packet on another path to the destinationnode.

• Merits.

This approach does not require any special guard nodes, additional hardware or net-work synchronization.

• Demerits.

Each node requires a public and a private key for communication.

3.2.9 Statistical Analysis and Time Constraint Based Approach

The proposed algorithm in [68] includes three steps: (1) Statistical routing analysis, (2)Identification of suspicious link and (3) Validating using time constraints. Suspicious link isfound if routing statistics may vary from the normal status. This suspicious link is furthervalidates using time constraints. In sensor networks, nodes can be considered as verticesand set of all links can be considered as edges. The link indicates the wireless connection ofthe node to its neighbor. The base station initiates the statistical analysis process. It collectsrouting information from all nodes. The link which attracts more traffic is investigated first.Those links with routing statistics higher than the normal is added into suspicious set. Dueto wormhole, the transmission delay between two sensor nodes will be increased. Suppose,link Luv is a suspicious link. The base station will ask node u to perform neighbor validation.Sensor node u sends a probe message to sensor node v. Node v makes a reply immediatelywhen it receives the message. The node u measures the round trip time and compares it withstandard time delay T to identify the fake neighbors.

• Merits.

No requirement for clock synchronization or extra hardware.

• Demerits.

The RTT may be higher due to queuing or processing delay at intermediate node. Itleads to false positive.


3.2.10 Delay Per Hop Indication Detection Mechanism

The approach presented in [69] uses two parameters of disjoint paths for wormhole detection:hop count and delay. This information is used to calculate delay per hop value. The delayper hop value of legitimate path is smaller in comparison with the path through tunnel. Thesender node collects information and performs detection process. Two types of messages areused: DelPHI Request and DelPHI Reply. These two messages are same as AODV requestand reply message. The sender broadcast DelPHI Request message to the receiver. Everyintermediate node adds its timestamp value and hop count field is incremented by 1. Whenthe receiver receives the packet, the packet is unicasted on the reverse path. It adds its nodeID, timestamp and set hop count field to one in the DelPHI Reply message.

• Merits.

Mobile nodes do not require being equipped with any special hardware.No need for clock synchronization or position information.

• Demerits.

The detection approach is based on the time difference per hop between genuine pathand the path connected through the tunnel. Therefore, it is not suitable when all thepaths are under attacks.

3.2.11 RTT Based Approach in Multirate Ad hoc Networks

The approach presented in [70] uses round trip time for wormhole detection. The authorshave focused on multi rate transmission problem. While calculating the round trip time,the authors have also considered queuing delay and processing time at each intermediatenode. Round trip time is calculated as, RTT = TTNi + PTNi + PD where, TT representsthe transmission time, PT represents the processing time and PD represents the propagationdelay. This calculated value is compared with expected value. If the difference betweenactual round trip time and the expected round trip time is greater than threshold, it indicatesthe presence of the wormhole attack.

• Merits.

Multi rate transmission problem is covered.No need of special hardware.It does not require any complex calculations.Processing time and propagation time is considered.


• Demerits.

Additional memory space is required for storing the RTT.

3.2.12 Wormhole Resistant Hybrid Technique

The authors have proposed hybrid technique for wormhole detection in [71], which is basedon Delphi and watchdog mechanism. The limitations of watchdog technique includes un-certain collision, collision of receiver, limitation of power transmission, detection of fakemisbehavior, collusion and partial packets dropping. The limitation of Delphi technique isthat it does not work well when all paths are under attacks. The proposed hybrid approachuses the advantages of both the techniques. It makes use of the packet drop and the delayper hop. Time delay probability and packet loss probability is considered for wormhole at-tack detection. Decision table is prepared from these two parameters and each node is giventhe rank. Ranking 1 indicates that no wormhole attack present in the network. Ranking 2indicates that the node is suspected to be under wormhole attack. Ranking 3 indicates thatthe node is malicious. The source node waits for an acknowledgement from the destinationnode after every 10th packet. If acknowledgement is received, then normal process contin-ues. If no acknowledgement is received, then that will be tested and malicious nodes will beisolated. First, Delphi method is applied for detection of wormhole attack. If Delphi methodis failed to detect the wormhole due to the presence of the wormhole on several paths, thewatchdog technique is applied for monitoring the neighbors’ behavior and observing packetdropping.

• Merits.

No requirement for high computation and additional hardware.Almost all categories of wormhole attacks are detected.The approach has good detection accuracy.

3.3 Using Secure Neighbor Discovery

3.3.1 ACK Message Transmission Approach

The authors have presented acknowledgement message based transmission approach forwormhole detection in [72]. It removes the problems occur with LITEWORP and SEF meth-ods such as false alarms to isolate normal nodes and energy consumption. Using acknowl-edgement message, the proposed approach solves these problems. The proposed approach


consists of three steps. The first step is initialization. This step is performed before nodedeployment. Each node stores k keys randomly from the key pool. After deployment, eachnode sends hello messages to their neighbors. The second step is en-route filtering. Once anevent occurs, surrounding nodes generate reports. After verifying, each intermediate nodedrops the false reports. The node which sends the report waits for an acknowledgement. Ifnode does not receive the message, the next node is a wormhole node. The acknowledgementmessages are used for wormhole attack detection. These messages must be transmitted be-tween two hops separated nodes. They cannot be transmitted on the path where the originalreport is sent. If the acknowledgement message is not delivered to the previous node withinthe time to live hop limit, then it indicates the presence of the wormhole.

• Merits.

It reduces energy consumption and false alarms.

• Demerits.

If TTL (time to live) is not set, then acknowledgement messages would flood in thenetwork and consume network energy.For large TTL value, acknowledgement send by one node is delivered to another nodeeven if the data passes through the wormhole.For small TTL value, the acknowledgement may not be delivered even if the data arenot passed though the wormhole.

3.3.2 Statistical Analysis of Multipath (SAM) Approach

An approach based on statistical analysis of multi-path (SAM) is proposed in [73] for worm-hole detection. The proposed method consists of three steps. During the first step, statisticalanalysis of the routes is done. If any suspicious activity found then second step is executed,otherwise it gives feedback to the source node through several paths. During the secondstep, suspicious path is tested by sending probe packets and wait for acknowledgement. Ifthe presence of an attack is identified, then inform to the source node and neighboring nodesto isolate attackers from the network. For different node transmission range, the proposedapproach can successfully detect wormhole attack.

• Merits.

Route information is collected by route discovery and only the destination node runsthe SAM algorithm. Therefore, overhead required is less.It has good performance for different node transmission range and different networktopologies.


• Demerits.

SAM cannot detect the malicious node if it behaves normally during routing.Low mobility is assumed for each node.

3.3.3 Detection Using SeRWA

The proposed protocol for wormhole detection consists of four steps [74]. The first step is todiscover the one-hop neighbors. After deployment, each node broadcasts hello message forgetting the neighbor list. The node which receives the hello message sends a reply. In thisway, every node builds its own neighbor table. The neighbor list is exchanged between neigh-boring nodes. Every node compares the neighbor information with its neighbor’s neighborinformation to find whether these two nodes are genuine neighbors or two nodes are con-nected through the tunnel. The second step is to discovery the initial route. The base stationinitiates the route discovery mechanism. It broadcasts a routing beacon. The node acceptsfirst routing beacon form the neighbors and record the node as its parent. This steps recur-sively continues for marking the first neighboring node as parent node. The third step isdissemination of data and detection of wormhole. Before sending the packet the node signsit. The sender node then monitors the behavior of its parent to verify whether the parent nodeforwards the packet or not. If the node detects that a packet is dropped then it identify that itis connected to its neighbor through tunnel. The fourth step is to find the secure wormholefree route. After detection of the wormhole, the base station starts to find the route which issame as initial route discovery process. This new route can avoid the presence of the remoteneighbors. This route only considers the real neighbors while establishing the path.

• Merits.

Less false positives occur.Symmetric key cryptography is used which is suitable to resource constrained wirelesssensor nodes.No requirement for any special hardware.

• Demerits.

The sensor nodes are considered static.It is assumed that sensor nodes use reliable channel.


3.3.4 Using Directional Antenna

The authors have presented directional antenna based approach in [75] for detection of worm-hole attack. Each sensor node is equipped with directional antenna. This antenna is used forgetting approximate direction which is based on received signals. The authors have discussedthree different protocols. The first protocol is directional neighbor discovery. This protocoldoes not require any cooperation between nodes. All types of wormhole attacks cannot beprevented. The second protocol is verified neighbor discovery. This protocol shares informa-tion among neighboring nodes. An attacker controls endpoints of the communication. Thethird protocol is strict neighbor discovery. This protocol prevents wormhole when the attackis launched for short distance.

• Merits.

This approach provides not only security, but also provides efficient use of bandwidthand energy.Network connectivity loss is minimum while removing the wormhole.

• Demerits.

Each node is equipped with directional antenna.

3.3.5 Digital Investigation Based Approach

The authors have presented digital investigation based wormhole detection approach in [76].A set of observer nodes are distributed in the network to monitor network activity. Theseobserver nodes form an observation network. The observer nodes are resource rich. Theyhave enhanced transmission, reception and processing capabilities. Observer nodes shouldbe deployed in such a way that network area is fully covered. The main functionality ofobserver nodes include the following: (1) Collecting information of network topology (2)Generate and send evidences to base station and (3) Exchange information and evidenceswith other observer nodes.

The set of evidences collected by observer nodes are executed by the base station for gener-ating decisions. A set of observer nodes and base station forms a virtually separate wirelesssensor network called observation network. Communication of observer nodes with the basestation that is supported by different frequency band and it is unnoticeable by sensor nodes.The observation network is secured so that each observer node can send and receive mes-sages securely.


• Merits.

The network is fully covered by observer nodes, so all forms of wormhole attacks aredetected.

• Demerits.

False positive occurs if(1) The damage sensor node is treated as malicious node;(2) Less battery power nodes can no longer send data and treated as malicious nodes;(3) The unobserved path is treated as a tunnel.

3.3.6 Radio Fingerprinting Approach

The authors have presented radio fingerprinting approach for wormhole detection in [77].The central authority stores all the reference fingerprints of all the nodes in the network. Thecentral authority also knows the keys of all nodes in the network. These keys are used forverifying the integrity of the message.

Figure 3.1: Radio fingerprinting process.

When the fingerprinting device receives the radio signal, it is converted into digital formas shown in figure 3.1. The signal transients are located and features are extracted to formsa fingerprint. This fingerprint can be used for device identification.

• Merits.

The message origin is identified by the receiver even though the device identificationand the contents of the message are hidden.


• Demerits.

The fingerprinting device is not always able to separate the signals from differentnodes.A weak signal transmitted by the malicious node alters the signal characteristics.

3.4 Using Connectivity Information

3.4.1 Detection Using Local Connectivity Tests

Authors have presented wormhole detection based on local connectivity test [78]. It is basedon graph connectivity. It is used to verify that the neighborhoods will result into multipleconnected components. The authors have proposed [α, β] ring connectivity test for wormholedetection. The values of α and β can be varied. Using suitable values of α and β, thedetection is guaranteed. The test starts with small value of α and β. More tests with largervalue will perform only if some suspicious nodes found.

• Merits.

Communication cost is low.The approach is also applicable to large network size.It can detect multiple wormhole attacks occur simultaneously.

• Demerits.

Few false positives occur during detection process.

3.4.2 Detection Based on Forbidden Substructures

The authors have presented wormhole detection approach based on network connectivity[62]. It does not use any location information. Each node X maintains its two hop neighborslist. For each non neighboring node, say node Y, the set of common neighbor nodes betweennode X and node Y is calculated. To do this, the nodes exchange their neighbor lists. NodeX calculates the maximum independent set and if the size of the maximal independent set isgreater or equal to forbidden parameter, then node X declares the presence of a wormholeand all future communication from such blacklisted nodes will be ignored. The detectionapproach is based on finding independent common neighbors between two non-neighboringnodes. Evaluation shows that testing for 1-hop is enough for good detection accuracy. For


irregular or sparse network, testing for 2-hops is required. The time complexity of the al-gorithm depends on forbidden parameter. The algorithm is independent on communicationmodels and node distributions.

• Merits.

The proposed approach does not require node’s location information.With sufficient node density, it gives 100 percentage detection accuracy.

• Demerits.

Detection accuracy decreases for low density networks.

3.4.3 Detection Based on Neighbor Number Test and All Distances Test

The authors have presented wormhole attack detection approach based on neighbor numbertest and all distances test in [79]. Every sensor node sends their neighbor information tothe base station. After receiving the neighbor information from all the nodes, base stationinitiates two types of tests for wormhole detection: (1) Neighbor Number Test (NNT) and(2) All Distances Test (ADT). When the malicious node creates fake links, then the numberof neighbors of the node increased. This refers to the Neighbor Number Test (NNT). Thebase station calculates the genuine neighbor no. histogram and the expected neighbor no.histogram. These two are compared with the χ2–test. If the computed χ2 value is greater thanthe threshold value, then it indicates the presence of a wormhole. Because of the presence ofthe wormhole the path becomes shorter. This refers to the All Distances Test (ADT).

• Merits.

The ADT has good performance compared to NNT when the radius of the wormholeis small. Both NNT and ADT have low false alarms.It does not require any additional hardware.

• Demerits.

Both the tests do not pinpoint the location of wormhole.

3.4.4 Detection Based on Topology Deviations

The authors have presented topological deviations on wormholes in sensor networks in [80].The wormhole is identified by finding the topology deviations. The authors have consideredfour categories of wormholes. The four categories are determined based on the impacts on


topology. In the Class I category wormhole attack, the location of both the end points of thewormhole are inside the surface. In the Class II category wormhole attack, one communica-tion end point is located inside the surface and the other communication end point is on theboundary of the surface. In the Class III category wormhole attack, both the communicationend points are on two different boundaries. In the Class IV category wormhole attack, boththe communication end points are on the same boundary. A complex wormhole is consideredas a finite combination of these different categories. Global properties of wormhole from lo-cal information are identified using homology and homotopy. The attackers are located afterdetection of non-separating pairs.

• Merits.

No additional hardware is required.

• Demerits.

This approach is not able to detect a candidate loop formed by the Class IV categorywormhole.

3.4.5 Multi-Dimensional Scaling Visualization Based Approach

The authors have presented visualization based wormhole detection approach in wirelesssensor networks [81]. Using received signal strength, every sensor node computes the dis-tance to its neighbors. The base station collects distance information from all sensor nodes.

The base station computes the network topology using distance information received fromall the sensor nodes. If the resulting network topology is flat, it indicates that there is nopresence of wormhole attack. If the resulting network topology has some distorted or bentfeatures, it indicates that there is a presence of the wormhole attack. The attack is detectedby visualization. Once the attack is detected, all nodes are informed about the fake links.

• Merits.

No requirement for special hardware.

• Demerits.

The sensor nodes are deployed on a flat plane. In a real scenario, it needs to considercomplex situation.


3.4.6 MDS Based Detection Using Local Topology

The authors have presented multidimensional scaling visualization based wormhole detec-tion in wireless sensor networks [82]. Wormhole creates abnormal structure. An estimationdistance matrix is collected by collecting neighborhood information using local topology.Multidimensional scaling is used to reconstruct the neighborhood graph. The node is sus-pected as a wormhole if the distortion factor is exceeding than the threshold value. Refine-ment process is used to filter out the suspected nodes.

• Merits.

The proposed approach is suitable for wireless sensor networks because of its lowoverhead.It has very few false positives.

• Demerits.

It fails to detect wormhole in case where both ends of two wormhole attacks are veryclose to each other.

3.4.7 Detection Using Ordinal MDS and RTT

The authors have presented wormhole detection approach using range based topology com-parison [83]. For each node pair, round trip time (RTT) is calculated for generating neighborinformation. Using RTT value, distance from a node to all its neighbors is calculated. Shorterdistance matrix between all pairs of node is constructed. Ordinal multidimensional scaling isused to reconstruct the network. Ordinal MDS generates virtual node positions. Wormholeattack can be detected using shorter distance matrix and reconstructed distance matrix.

• Merits.

It can detect both long and short path wormhole links.For both dense and sparse network, false negative is reduced to zero.There are almost no false positives for long path wormhole.

• Demerits.

Some true nodes are suspected as wormholes while detecting short path wormholelinks.


3.4.8 Passive and Real Time Detection Approach

The authors have discussed passive and real time approach for wormhole in [84]. Wormholereduces path length significantly. Once the node marks the packet, it registers its sourceID, sequence no. and hop count. Once the node receives the next packet, it searches in thecache. If source ID and hop count is same and sequence number is consistent, then the nodedon’t mark the packet but it updates the sequence and hop number. The node marking isdone as per neighborhood proximity rule. The sink node receives the packet with emptymark ID field if the entire nodes have marked the packet. If it is filled, then it indicates thepresence of the wormhole. The base station passively collects network path information fordetection process. The base station reconstructs the topological diagram based on markinginformation. The task of the parsing module is to check the message authentication code forthe marked packet. An attacking report is generated if the value of message authenticationcode is modified.

• Merits.

Detection process is performed at the base station not at the sensor nodes.The approach is real time and finds the attackers quickly.

• Demerits.

Attack may not be detected if less traffic is attracted. This method is probabilistic.

3.4.9 Unit Disk Graph Model Based Approach

Authors have proposed unit disk graph model based approach for wormhole avoidance in[85]. Most of the detection approach presented in the existing literature initiates after packetloss occurs. This approach identifies the route requests that traverse through the tunnel andsuch routes are not allowed to be established. The nodes monitor the two hop sub path. Aroute request traversing via tunnel can be detected at the neighboring nodes of the wormhole.For each sub path length 2R, if there exist the alternate route having maximum length 4R,then the path is considered without tunnel. Every node maintains two hop routing informa-tion of the neighborhood. Existing routing entries are compared with the two hop addresspresent in the route request. If any match found, then it is updated with better metric. Ifmatch is not found, then comparison is done with three and four hop address. If no matchfound, then new entry is created.


• Merits.

No cryptography mechanisms or additional hardware is required for wormhole detec-tion.Byzantine and hidden wormholes are prevented.

• Demerits.

It leads to high false positives for node degree equals to 3. For better performance, themin. average node degree required is 3.The amount of false positives is high for lower density value.

3.4.10 Detection Based on Data Analysis - EyeSim

EyeSim is a visual based anomaly detection system for mobile nodes [86]. Based on dynamicrouting, it conducts data analysis. It consists of two main components: (1) WAD (WormholeAnomaly Detection) and (2) Visualization. The input of the algorithm is no. of sensor nodes,the neighbor list of all nodes, the time period, routing path of all nodes and the next hop listof all nodes. The output of the algorithm is the detected malicious nodes. The algorithm runsperiodically and identifies the unconnected nodes by checking the data traffic. It calculatesthe intersection of all the neighbor list of the unconnected nodes. If any common element isfound, then wormhole link is identified and an alarm is triggered. The visualization engineis used to project the outcome of wormhole anomaly detection engine effectively.

• Merits.

In dynamic traffic conditions, it is capable of detecting multiple wormhole attacks.Detection capabilities are maximized when the sensor network becomes dense.

• Demerits.

An unconnected node may trigger a false alarm.

3.4.11 Using Neighbor Node Monitoring

This approach detects neighbors which are not within the transmission range but are remotelyconnected [87]. When node A sends RREQ packet to the next node, that is node B, it promis-cuously monitors the behavior of node B. If node A overhears the packet transmitted by nodeB, then it identifies that RREQ is not affected by wormhole. If node A does not overhear thepacket transmitted by node B, then it identifies that RREQ is affected by wormhole. If the


RREQ is affected by wormhole, the count value is increased by 1. If the count value exceedsthan the threshold, the node is declared as a malicious node.

• Merits.

It does not require any hardware and location based information.It can detect both hidden and exposed wormhole attacks.

• Demerits.

It suffered from false positive problem.

3.5 Using Location Information

3.5.1 Graph Theoretic Framework Approach

The authors have presented graph theoretic framework approach for wormhole link identifi-cation in wireless sensor network [88]. Guard nodes are those nodes that are location awareand help other nodes for establishing neighbor relation. For transmission range r, if the graphcontains at least one edge e(x, y) such that e(x, y) = 1 for ‖x− y‖ > r, then wormhole ispresent in the network.

A communication graph is prepared in such a way that all the links in the graph are not longerthan r. A cryptographic mechanism is also proposed to prevent wormhole. This mechanismis based on local broadcast keys. Centralized method is used when location of all the sensornodes is known.

• Merits.

Time synchronization is not required.Proposed approach uses symmetric cryptographic. Therefore, it is computationally ef-ficient.Each node needs to broadcast small no. of messages. Therefore, communication over-head is very small.

• Demerits.

Special network operations are assigned to guard nodes.


3.5.2 Mobile Beacon Based Detection

The authors have presented mobile beacon based wormhole detection in wireless sensornetworks [89]. Attackers are localized accurately and eliminated. The intersection point ofthe chords’ perpendicular bisector is found when the communication properties are violatedbetween mobile and static beacon. The wormhole attacker is localized as the center of thecommunication disk. For communication with the static beacon, mobile beacon moves inthe network. A request message is broadcasted to the neighboring static beacon when themobile beacon stops. If a mobile beacon receives a reply message more than once from astatic beacon, then it identifies the presence of the wormhole in its transmission range. Ifnot, then it computes the Euclidean distance from all its neighbors. Wormhole is detected ifthe computed distance is greater than the communication range.

• Merits.

Detection probability and accuracy is high.

• Demerits.

The positioning scheme consumes more energy.

3.5.3 Location Based Compromise Tolerant Security Approach

The authors have presented location based compromise tolerant security approach whichuses location based keys for wormhole detection [90]. Each node has a unique private keywhich is bound to both location and ID of the node. A node to node authentication protocolis presented in [90]. It is based on location based keys. It is an efficient countermeasure forwormhole. If the node is within the communication range and has the location based keys,then it is accepted as a real neighbor. If the node is outside the communication range, thenthe authentication process is denied. In this way, the wormhole is prevented.

• Merits.

Communication and computation overhead is very low.This approach requires low memory.

• Demerits.

This method assumes that the sink node is unassailable and trustworthy.Range based localization approach needs group of mobile robots equipped with GPS.


3.5.4 Secure Localization and Key Distribution Approach

The authors have proposed mitigation of wormhole in mobile multi hop wireless networksusing secure localization and key distribution approach [91]. Communication keys are loadedin every sensor node. If two sensor nodes are within the communication range of each other,then they can share a communication key. If the nodes are not within the communicationrange, then they cannot share a communication key. A node does not process the messagereceived from the neighbor connected through tunnel because the node does not have theshared key used for decryption. If the nodes are connected through wormhole, then theycannot have the shared key. Therefore, communication through wormhole can be prevented.

• Merits.

This approach requires minimal human interaction during deployment. It requires lowcost and is practical.This approach is scalable for large scale sensor network.

• Demerits.

The assumption taken is that the master node cannot be compromised.

3.5.5 Secure Range Independent Localization Approach (SeRLoc)

The authors have presented secure range independent localization approach for wormholedetection in [92]. The locators transmit the beacon information. Based on the beacon in-formation, each sensor node computes its location. This method is range independent anddistributed. Wormhole is detected if the transmission range violation property and the sec-tor uniqueness property are satisfied. Directional antenna is used for this purpose. For thecommunication range R, a wormhole is detected either one of two conditions is satisfied:(1) the node receives two messages authenticated with the same hash value and (2) the nodereceives messages from two locators more than 2R apart.

• Merits.

Low communication cost.Higher accuracy.Require fewer reference points.

• Demerits.

Wormhole is not detected when anchor nodes are compromised.Simplex and duplex wormhole attacks are not distinguished.


3.5.6 High Resolution Range Independent Localization Approach (HiRLoc)

The authors have proposed high resolution robust localization approach for wireless sensornetwork [93]. It provides efficient performance by utilizing antenna rotations. It also usesmultiple transmit power levels. For increasing accuracy of localization, this approach givesmore information. Multiple reference points transmit beacons. Each sensor node calculatesits location. This location depends on the intersection of the areas covered by the beacons.For calculating the sensor’s location, range measurements are not required. Without increas-ing the no. of reference points, every sensor node can determine its location.

• Merits.

Fewer locators are required. Therefore, communication cost is low.Even in the presence of security threats, robust location computation is possible.

• Demerits.

This approach is vulnerable to jamming attack.

3.6 Summary of Existing Methods

The summary of existing methods is shown in Table 3.1.

Table 3.1: Summary of existing methods

Methods Requirements Comments

GeographicalLeashes [58,59]

Loosely synchronizedclocks

Location information mayrequire more bits to

represent and therebyincreasing the network

overhead.

TemporalLeashes [58,59]

Tightly synchronizedclocks.

Required timesynchronization leveland may not detect

physical layer wormholes.

Challenge ResponseDelay Measurement [60]

A Symmetric keyis shared by

each pair of nodes.

It uses distance boundingtechniques and one way

hash chains.


Timing BasedMeasurement [61]

Does not requiresynchronized

clocks.

The assumption is whennode sends or receives

packets, it records the time.

Distance ConsistencyApproach [63]

Locators, sensors,and attackersare deployed

in the network.

Even when the maliciouslocators are more thanthe normal, it has good

performance.

Using RankInformation [64]

Easy to implement,Does not

need complex computing

Malicious nodes aredetected when

unreasonable rankvalues are found.

Ranging BasedNeighbor

Discovery [65]

Each node requiresa microsecond

precision clock.

Very negligible chancesof creating wormhole by

the adversary.

Range FreeAnchor Free

Localization [66]

No reference nodesare needed.

No distance measurement.

Diameter feature is usedto detect wormhole.

GeographicWormhole

Detection [67]

A pair of public andprivate keys is requiredby each sensor node.

A pair wise key predistribution protocolis used for detection.

Statistical Analysisand Time Constraintbased Approach [68]

Does not requireadditional hardware

or synchronized clock.

Round trip time maybe longer due to

processing or queuingdelay at any intermediate

node without presenceof tunnel.

Delay per HopIndicator [69]

Position informationand clock synchronization

is not required.

Path suffers fromwormhole attack ifper hop delay value

is high.

RTT BasedApproach [70]

To store RTT, additionalmemory is required.

The approach is basedon RTT and covers themulti rate transmission

problem.

Wormhole ResistantHybrid Technique [71]

No requirement forhigh computation

and additional hardware.

It is based on Delphi andwatchdog mechanism.


ACK MessageTransmission

Approach [72]

It does not requireany special hardware.

It reduces both falsealarms and energy

consumption.

Statistical Analysisof Multipath

Approach [73]

The overhead requiredis very limited.

The nodes are assumedto have low mobility.

Detection usingSeRWA [74]

Symmetric key cryptographyis used which is suitable

to WSNs.

Less false positives.

DirectionalAntenna [75]

Nodes use specific sectorsof their antennas to

communicate with each other.

It gives efficient use ofbandwidth and energy.

Using DigitalInvestigation [76]

Observer nodes aredeployed for

monitoring the network.

All forms of wormholeattacks are detected

because whole networkis covered.

Radio FingerprintingApproach [77]

It requires radiofingerprinting device.

The assumption that thefingerprinting device is

able to separate thesignals from the

different nodes willnot always true.

Local ConnectivityTests [78]

It does not requirespecial hardware

and synchronization.

The communication costfor the test is low. Ifthere is a wormhole,the connectivity test

always detects it.

Using ForbiddenSubstructures [62]

It does not requireany hardware or node’slocation information.

For low density network,detection probability

does decrease.

NNT and ADT [79]Additional hardware

is not required.

ADT performs betterthan NNT when the

wormhole radius is small.

Using TopologyDeviations [80]

It does not require anyspecial hardware devices.

It is based on networkconnectivity information.


MDS Visualizationbased Approach [81]

No requirement forspecial hardware.

The sensor nodes aredeployed on a flat plane.

In a real scenario, itneeds to considercomplex situation.

MDS Using LocalTopology [82]

Additional hardware isnot required,

Low overhead.

When both ends of twowormholes are very

close, the approach failsto detect the attack.

Detection basedon Ordinal MDSusing RTT [83]

It does not require anydeterministic thresholdfor wormhole detection.

Some true nodes aresuspected as wormholes

while detecting shortpath wormhole links.

Passive and RealTime Detection

[84]

Network overhead andcomputation is minimal.

If the attackers attract lesstraffic, attack may not be

detected.

Unit Disk Graphbased

Approach [85]

It does not require anyextra hardware or any

computational cryptographicmechanisms.

Minimum average nodedegree required is 3. Fora node degree of 3, the

percentage of falsepositives is high.

Detection UsingEyeSim [86]

Detection capabilities aremaximized when the

sensor network becomes dense.

An unconnected node maytrigger a false alarm.

Using NeighborNode

Monitoring [87]

It does not require anyhardware and location

based information.

It suffered from false positiveproblem.

Chapter 4

Wormhole Detection in Static WSN

4.1 Introduction

Some of the wormhole detection approaches presented in the literature require extra hard-ware such as GPS, directional antenna, synchronized clock and fingerprinting device. Someapproaches are based on cryptography mechanism in which sensor node requires public andprivate keys for secure communication. For some approaches, a set of investigator nodesare distributed over the network to monitor network topology. Existing detection approachesare resource hungry. Sensor nodes are resource limited devices. There is a need to developlightweight algorithm with high detection accuracy and low overhead. In this chapter, wehave proposed wormhole detection mechanism for static WSNs using neighborhood infor-mation.

The proposed approach is presented in Section 4.2. In Section 4.3, we have shown thattwo genuine neighbor nodes always share common one hop neighbors. Section 4.4 presentsexperimental setup and network scenario. Result and performance analysis of proposed ap-proach under wormhole attack is presented in Section 4.5.

4.2 Proposed Approach

All sensor nodes are assumed to be static. It is also assumed that for some initial intervalmalicious nodes are not present and every node safely establishes neighbor information.Two malicious nodes create high speed tunnel. One malicious node is located in one areaand second malicious node is located in different area. One malicious node attracts trafficfrom one part and tunnels the traffic to another malicious node located in different area.The goal of an adversary is to disturb routing. After creating the tunnel, malicious nodes

50

CHAPTER 4. WORMHOLE DETECTION IN STATIC WSN 51

can drop the packets and also modify the packets. Malicious nodes can analyze the traffic.During some initial interval malicious nodes do not participate in the network. Each nodesends hello message to all its neighbors. When any node receives the hello message, itimmediately sends reply message. In this way, every node forms its neighborhood list. Eachnode sends its 1-hop neighborhood list to all its neighbors. In this way, every node formsits 2-hop neighborhood list (neighbor’s neighbor list). At some point of time, suppose nodeA overhear packets from the new node, say node B. Every node maintains two lists: trueneighbor list and suspected neighbor list. Node B is added into suspicious list of node A andnode A executes the procedure shown in Fig. 4.1.

Node A first verifies that one of its neighbors is included in the neighbor list of nodeB. To do this, node A finds the intersection of neighbors of its own with the neighbors ofnode B. If any common neighbor is found, then attack is not present. If not found, thennode A verifies that one of its one hop neighbors is directly connected to one of the one hopneighbors of node B. To do this, node A finds the intersection of its one hop neighbor listwith the one hop neighbor list of node B. If any common neighbor is found, then no attackis present in the network. If not found, then node A asks all its one hop trusted neighbors tofind shortest path to node B. This path can not be direct path and does not pass through nodeA and report the number of hop count. If for any path, no of hop count is less than or equalto the threshold value then attack is not present in the network.

The steps of the proposed protocol are as follow:

• Step 1.

Node A verifies that whether node A and node B share any one hop common neighbor.Two fake neighbor nodes can not share a common one hop neighbor node. Two gen-uine neighbor nodes generally share a common one hop neighbor node among them.If found then go to step (4), otherwise go to the next step.

• Step 2.

Node A verifies that any neighbor of A is directly connected to any neighbor of node B.Node A visits its entire neighbor’s neighbor table to verify that if any of B’s neighboris present. If found then go to step (4), otherwise go to the next step.

• Step 3.

Node A’s trusted neighbors computes the shortest path to the suspicious node B. Thispath can not be direct. Also, it does not pass through node A. If any of the computedpath length is less than or equal to the threshold value then go to next step, otherwisego to step (6).


Figure 4.1: Flow diagram of proposed methodology

Figure 4.2: Alternate path length calculation.


• Step 4.

Delete node B from suspicious entry and add it to the list of trusted entry. The routefrom A to B is identified as safe route. No wormhole attack is present in the network.

• Step 5.

Stop.

• Step 6.

The route from A to B is identified as fake route and presence of wormhole attack isfound.

• Step 7.

Stop.

4.3 Mathematical Analysis

Mathematically we have shown that two genuine neighbor nodes always share common onehop neighbors.

Figure 4.3: Common area shared by two neighbor nodes

In Fig. 4.3, the distance between nodes P and Q is D and the radius is R. We havecalculated the probability of occurrence of the other node in the overlapped transmissionregion.


SectorArea(PASB) = (1/2) ∗R ∗ S = (θ/2) ∗R2......(1)

cos(θ/2) = (D/2)/R = D/2R

(θ/2) = cos−1(D/2R).......(2)

From (1) and (2),PASB = R2 ∗ cos−1(D/2R).......(3)

Areaoftriangle(PAB) = (1/2) ∗ AB ∗ PO = (1/2) ∗OA ∗D/2.......(4)

R2 = PO2 +OA2 = D2/4 +OA2

OA2 = R2 − (D2/4)

OA =√R2 − (D2/4).......(5)

From (4) and (5),

PAB =√R2 − (D2/4) ∗ (D/2).......(6)

OverlappingAreaA(D) = 2(PASB − PAB)

A(D) = 2 ∗ ((R2cos−1(D/2R))− (√R2 − (D2/4) ∗ (D/2))).......(7)

The probability that there is a node in the overlapping area is:

= e−δ.A(d).......(8)

The maximum distance between nodes P and Q is R,

P (D) = (1/R2) ∗ (∂D2

∂D) = 2D/R2.......(9)


From (8) and (9), the probability that none of the nodes exists in the common area is,

P =

∫ R

0

(2D/R2) ∗ e−δ.A(d) ∗ dD = e−1.18∗δ∗R2

If we take density = 100 nodes per km2 and R = 250m, then P < 0.1.

4.4 Experimental Setup and Network Scenario

This section explains the complete evaluation methodology along with simulation environ-ment and network scenario in detail. Simulation has proved to be a valuable tool in manyresearch areas where analytical methods are not applicable and experimentation is not feasi-ble. To conduct performance analysis of our proposed solutions presented in this thesis, thepopular NS2 simulator [129] chosen primarily because it is a proven simulation tool utilisedin many previous research studies and obtained results have been validated and verified in[130, 131]. Dense and sparse networks are considered in the area of 1000m x 1000m, CBRtraffic model, packet size 512 byte, network size of 14, 25, 50, 100 (at first instance we cre-ated network having arbitrary number of 14 nodes and then network size is increased double25, 50, 100 nodes). Simulation was performed using Network Simulator (NS-2) for 500sto measure the performance of proposed approach and to be able to compare it with that ofPworm [84] and RTT Based MDS [83].

The performance of AODV protocol with other routing protocols is analyzed with respectto Average End-to-End Delay, Normalized Routing Load (NRL), Packet Delivery Fraction(PDF) and Throughput as in [132-133]. Simulation results verify that AODV gives betterperformance as compared to other protocols. AODV is widely used by the research com-munity for real time implementations [134]. Wormhole attack can be more dangerous innetworks which use on demand protocol AODV [135-136].

For simulation we have taken limited no. of nodes. In 4.3, mathematically we haveshown that two genuine neighbor nodes always share common one hop neighbors for 100nodes deployment. Our proposed approach is based on finding at least one common onehop neighbor. Applications of this type of networks include traffic monitoring, environmentmonitoring, track movement of an animal and military operations etc. One can deploy moreno. of nodes (200, 300 etc). But if more no. of nodes are considered for deployment thenno. of neighbors of all nodes increase. It will increase the size of neighborhood table andincrease the storage cost and also creates an overhead. If no. of neighbors of all nodesincreases, then it will also consume more energy for route request packet broadcasting.


Table 4.1: Summary of simulation setup

Simulator NS-2(ver. 2.35)

No. of Nodes 14, 25, 50, 100

Simulation Time 500s

Area 1000 *1000 m2

Routing Protocol AODV

Mobility Model None (Static)

Attacker 1 pair

Traffic Model CBR(UDP)

Channel Type Wireless

Packet Size 512 bytes

MAC Protocol IEEE 802.11

Antenna Type Omni Antenna

Table 4.2: Summary of network scenarios

Sr. No. Network Scenario Description

1. Attack in dense network 1 pair of an attacker

2. Attack in sparse network 1 pair of an attacker

4.5 Result and Performance Analysis of Proposed Approachunder Wormhole Attack

The average number of neighbors is represented by NAV . The total number of nodes isrepresented by NT . The size of ID is represented by SID. The storage cost required forstoring the neighbor information is SIDNAV . To store the neighbors’ neighbor list, the stor-age cost required is SIDNAV . For each node, the total storage cost required is (SIDNAV +

SIDNAVNAV ).

If the ID size is 4 bytes and avg. no. of neighbors of a node are 10, then the storagecost is 440 bytes for each node. Proposed protocol uses very less memory and therefore it isapplicable to resource constrained wireless sensor networks.

The simulation results of the proposed approach according to the network scenario de-scribed in Table 4.2 are presented below. To test and compare the performance of proposedapproach against Pworm [84] and RTT Based MDS [83], we used NS-2 and AWK programs


to post-process the output trace files.

4.5.1 Wormhole Attack in Dense Network

Figure 4.4: Wormhole attack in dense network

Figure 4.4 represents the wormhole attack in dense network. PDF (in percentage) andthroughput (in KBPS) is measured for dense network. For dense network, PDF count is99.78 (without attack), 56 (in the presence of an attack) and 98.10 (after applying proposedapproach). Throughput count is 86 KBPS (without attack), 54 KBPS (in the presence of anattack) and 84.70 KBPS (after applying proposed approach).

4.5.2 Wormhole Attack in Sparse Network

Figure 4.5 represents the wormhole attack in sparse network. PDF (in percentage) andthroughput (in KBPS) is measured. For sparse network, PDF count is 98.50 (without at-tack), 54.60 (in the presence of an attack) and 96.30 (after applying proposed approach).Throughput count is 83.40 KBPS (without attack), 52.70 KBPS (in the presence of an attack)and 82.10 KBPS (after applying proposed approach). Packet delivery ratio and throughputsharply decreases in the presence of an attack. After applying the proposed protocol bothpacket delivery ratio and throughput have significant improvement.


Figure 4.5: Wormhole attack in sparse network.

4.5.3 Detection Accuracy

Detection accuracy of Pworm [84], RTT Based MDS [83] and our proposed approach for1 pair of an attacker node is presented in Table 4.3. Detection accuracy of our proposedapproach is consistently maintained between 0.97 to 0.99 whereas that of Pworm falls downto 0.80 to 0.91 and RTT Based MDS to 0.93 to 0.98.

Table 4.3: Accuracy analysis

No. of Nodes Pworm [84] RTT Based MDS [83] Proposed Approach

14 0.80 0.93 0.97

25 0.82 0.95 0.98

50 0.86 0.96 0.99

100 0.91 0.98 0.99

The proposed algorithm has 99 percentage detection accuracy in dense network. Falsepositives are totally reduced. False negatives occur when wormhole launched for short dis-tance. We have not found any formula based calculation for computing threshold. Herethreshold represents hop count. The suitable value is decided based on trade-off between thefalse positives and detection rate. We can detect short wormholes with λ =1 or λ =2, but itwill increase false positives. Wormhole attack is created between two far away located nodesto disturb the routing process. The false positives are reduced with λ =4 or λ =5 but shortwormholes are not detected. Therefore, to reduce false positives and to increase detection


accuracy, the threshold value λ taken is 3. Fig. 4.6 shows that λ = 3 is the best suitable valuefor trade-off between the false positives and detection rate.

Figure 4.6: False positive with varying threshold value.

Chapter 5

Wormhole Detection in Mobility BasedWSN

5.1 Introduction

Detecting wormhole attack in a mobility based wireless sensor network is a challenging task.In mobile wireless sensor networks, it is possible that two far away located nodes become onehop neighbors after some time. Therefore, it creates an illusion that wormhole attack may belaunched. Differentiating these genuine nodes from the unauthorized nodes is a challengingresearch issue. In this chapter, we have presented wormhole detection mechanism usingneighbors changing rate in mobility based wireless sensor networks.

Section 5.2 presents the problem formulation. Proposed detection methodology is presentedin Section 5.3. Section 5.4 presents experimental setup and network scenario. Section 5.5presents result and performance analysis of proposed approach under wormhole attack.

5.2 Problem Formulation

The problem is defined as shown in Fig. 5.1. At time t, the location of node i is denoted asLi(t) and the velocity is denoted as Vi(t). At time (t + ∆t), the future location of node iis Li(t + ∆t) = Li(t) + Vi(t).∆(t). The connectivity of two nodes depends on the relativemobility of the two nodes such as the relative locationL(i,j)(t) = Li(t)−Lj(t) and V(i,j)(t) =

Vi(t)− Vj(t).

Hence, the estimated distance between nodes i and j at time ∆t can be, D(i,j)(t + ∆t) =

|Li(t+ ∆t)− Lj(t+ ∆t)| =∣∣L(i,j)(t) + V(i,j)(t).∆t

∣∣.Only if the distance between the two nodes is less than or equal to their transmission range is

60

CHAPTER 5. WORMHOLE DETECTION IN MOBILITY BASED WSN 61

Figure 5.1: Relative locations of node i at different time

the link between the two nodes connected. Hence, the estimated link duration while the linkbetween nodes i and j is connected is denoted as, LDTi,j and is defined by, LDTi,j = min∆t

subject to D′(i,j)(t+ ∆t) ≤ r, where r is the transmission range.

The mean expected link duration is (1/j)∑min∆t.

Figure 5.2: Wormhole tunnel constructed between nodes M1 and M2

If two nodes are within transmission range of each other, they are considered neighbors.In Fig. 5.2, nodes W and Y are not genuine neighbors. They are one-hop neighbors con-nected through the tunnel.


5.3 Proposed Approach

In a WSN consisting of n sensor nodes, the distance between two neighboring sensor nodes iswithin the transmission range R. Our model assumes that the nodes are mobile. The modelalso assumes that the malicious entity can launch a high-speed tunnel. A malicious nodeattracts traffic from one part of the network and tunnels it to the malicious node located indifferent area. The unauthorized nodes can drop the packet without forwarding as well asmodify the data packets.

Figure 5.3: Detection process flow diagram

The detection process flow diagram is shown in Fig. 5.3. At specific time intervals,every node computes the changing rate of its neighbors. The RCN (Rate of Change ofNeighborhood) of a node X at time t is computed as follow:

RCN(t) = 1− (N(t2)− P (t2, t1))/max(N(t2), N(t1))

where N(t2) is the no. of neighbor nodes of X at time t2, N(t1) is the no. of neighbornodes of X at a previous time t1, and P(t2,t1) represents the no. of new neighbor nodes at


time t2 in comparison to time t1. For example, node X had five neighboring nodes at timet1. Suppose at time t2, it had ten neighboring nodes and six of them were not present at timet1.

RCN(t) = 1− (10− 6)/10 = 0.60.

If the value of RCN is greater than the upper threshold value, then it indicates the pres-ence of a wormhole attack. Conversely, if RCN is less than the value of the lower threshold,then attack is not present in the network. If the value of the RCN lies in between upper andlower thresholds, then all the new neighbors of node X are added to the suspicious list.

All the trusted neighbors of node X find the shortest indirect path to suspected node Yand avoid the 1-hop neighbors of node X. Here, the direct route from X to Y is not included.The length of all paths is recorded. For all paths if length is greater than the threshold value,then the link X to Y is declared as wormhole link.

5.4 Experimental Setup and Network Scenario

This section explains the complete evaluation methodology along with simulation environ-ment and network scenario in detail. Various scenarios are considered under standard net-work in the area of 1000m x 1000m, packet size 512 byte, network size of 50, 100,150,200nodes with varying speed 1m/s, 5m/s and 10m/s. Simulation was performed using NetworkSimulator (NS-2) [132] for 500s to measure the performance of proposed approach and to beable to compare it with that of EyeSim [86], WADP [87] and WRHT [71]. The simulationsetup is summarized in Table 5.1. User interface of simulation software showing nodes andtheir respective neighbors is shown in fig. 5.4.


Table 5.1: Summary of simulation setup

Simulator NS-2(ver. 2.35)

No. of Nodes 50, 100, 150, 200

Simulation Time 500s

Area 1000 *1000 m2

Routing Protocol AODV

Mobility Model Random Way Point

Attacker 1 pair

Speed 1,5,10 [m/s]

Traffic Model CBR(UDP)

Channel Type Wireless

Packet Size 512 bytes

MAC Protocol IEEE 802.11

Figure 5.4: User interface of simulation software showing nodes and their respective neigh-bors


5.5 Result and Performance Analysis of Proposed Approachunder Wormhole Attack

A node may possibly have very few neighbors, in which case the value of RCN would behigh without the presence of a wormhole attack. If the time interval is longer, then theRCN value is higher for highly dynamic networks. Hence, the value of the time intervalshould be optimal. An optimal time interval value results in the value of RCN lying between0.40 and 0.50. Using RCN=0.46, we fixed the time interval for mobile nodes moving atdifferent speeds. If the speed of the nodes increases, then the value of time interval shouldbe decreased.

Table 5.2: Speed vs. time interval

Speed [m/s] 1 5 10

Time Interval [s] 52 27 11

The value of upper threshold (UT) is set to 1.50 × RCN . The value of lower threshold(LT) is set to 0.46. We then define

DetectionAccuracy = (TP + TN)/(TP + FP + TN + FN)

Here TP represents the actual wormhole nodes that are correctly detected as attackers,FP represents the legitimate nodes that are detected as wormhole nodes, TN represents thelegitimate nodes that are successfully evaluated, and FN represents the legitimate nodes thatare detected as attackers’ nodes.

For path length, we have fixed the threshold value λ = 3. For λ = 1, short wormholescan be detected, but it will increase number of false positive. Using λ = 5, false positive willreduced but short wormhole may not be detected. Detection accuracy of EyeSim [86], WADP[87], WRHT [71] and our proposed approach for 1 pair of an attacker node is presented inTable 5.2. Detection accuracy of our proposed approach is consistently maintained between0.97 to 0.99 whereas that of EyeSim falls down to 0.87 to 0.90, WADP to 0.87 to 0.93 andWRHT to 0.95 to 0.99.

Our proposed wormhole attack detection technique is based on the rate of change ofneighboring nodes and the length of an alternative path. The simulation results show that thedetection accuracy of our method is high in dense network. A node may possibly have veryfew neighbor nodes then false positive increase.


Table 5.3: Accuracy analysis

No. of Nodes EyeSim [86] WADP [87] WRHT [71] Proposed Approach

50 0.87 0.87 0.95 0.97100 0.88 0.89 0.97 0.98150 0.88 0.91 0.98 0.99200 0.90 0.93 0.99 0.99

Chapter 6

Wormhole and its Variants

6.1 Introduction

Wormhole is very dangerous attack because it is a gateway of many more attacks. Aftercreating the wormhole tunnel, an attacker can attract the traffic, analyze it, drop the packetsand modify the contents of the packet.

This chapter provides analysis of variants of wormhole and their impact in wireless sensornetworks. It also provides summary of existing countermeasures against variants of worm-hole such as sink-hole, denial of service, blackhole etc. Section 6.1 discusses sinkhole basedwormhole attack. Section 6.2 discusses denial of service based wormhole attack. Section6.3 discusses blackhole based wormhole attack. In section 6.4, we have discussed existingcountermeasures against variants of wormhole attacks. The impact of variants of wormholeattack is presented in section 6.5.

6.2 Sinkhole Based Wormhole Attack

In sinkhole based wormhole attack, an attacker attracts the traffic towards it and then se-lectively forwards the packets. One malicious node is located nearer to the destination andsecond malicious node is located nearer to the source. The route reply packet sent by the des-tination node is captured by one malicious node and tunnels to the another malicious node.In this way, path is established through malicious nodes.

67

CHAPTER 6. WORMHOLE AND ITS VARIANTS 68

6.3 Denial of Service Based Wormhole Attack

A malicious node M1 tunnels route request packet to another malicious node M2. The ma-licious node M2 broadcasts to its neighboring nodes and through the neighboring nodes, itreaches to the destination. The neighboring nodes also receive the route request through thelegitimate path. It is a duplicate packet received by neighboring nodes and will be dropped.Therefore, it can not reach to the destination. When the neighboring nodes receive the routereply packet sent by the destination, the neighboring nodes can not forward the route replypacket because they will not have the reverse route.

6.4 Blackhole Based Wormhole Attack

Source node broadcast route request packet to establish the path to the destination. Thispacket is immediately captured by the malicious node M1and through the tunnel; it is for-warded to the malicious node M2. Malicious node M2 sends it to the destination. Thedestination node sends route reply packet. Source node receives this route reply packet viathe tunnel and path is established between source and destination through the tunnel. Datapackets sent by the source node will be dropped without forwarding to the destination by themalicious node. It forms a black hole attack.

In indirect black hole attack, malicious node captures route reply packet and forwards to thetarget node T. The target node forwards it to the source node. The source and other neighbor-ing node consider the target node as the one hop neighbor. The target node has not completeroute towards the destination. Therefore, packet dropping occurs.

6.5 Countermeasures Against Variants of Wormhole At-tacks

The authors have proposed unmanned aerial vehicles (UAVs) based blackhole attack detec-tion method in [94]. Sequential Probability Ratio Test method is used to decide whether anode is blackhole or not. UAV visits each node during network traversing. When messagesare not received from a node, it is considered as a blackhole node. If threshold is set to low,then genuine nodes are treated as blackhole nodes. If threshold is set to high, then blackholenodes are treated as genuine nodes.

Authors have reviewed several existing blackhole detection methods in [95]. In [96], eachnode observes the behavior of its neighbors. Every node overhears packets transmitted by


its neighbors and identifies the suspicious nodes based on the behavior. The node detectsmisbehavior of its neighbor. If the misbehavior entries exceeds than the threshold, then thenode is considered as a malicious node. All the suspicious nodes are verified during the nextstage. The verification messages are sent to the root via an alternative path.

In [97], authors have presented blackhole attack detection in cluster based wireless sensornetworks. Cluster head stores all node’s ID in its table. It starts timer and sensor nodes mustsend the data within that time. The malicious node will not forward the packets. Therefore,it is detected by the cluster head. If the cluster head becomes malicious, then it is detectedby the base station.

In [98], authors have simulated black hole and selective forwarding attack. For detecting theattack, the base station monitors all the sensor nodes as it has high resources compared toother sensor nodes. The detection method is also energy efficient as there is no extra burdenon sensor nodes to detect the attack.

Authors have proposed black hole attack detection method based on data mining [99]. Datasetof the network is extracted. The ability of every node in terms of receive, send, forward anddrop is analyzed as high and low by keeping the threshold value. The main idea is to exam-ine the behavior of every node. If a node is receiving maximum no. of packets but it doesnot forward them, then it will be treated as a blackhole node. Nodes with maximum packetreceiving ratio and zero forwarding ratio are treated as black hole nodes.

Authors have proposed an authentication mechanism for detecting black hole attack in wire-less sensor networks [100]. After cluster formation, cluster head node is elected. The respon-sibility of the cluster head is to detect the malicious node in its cluster. Cluster head maintainsa table to include IDs of sensor nodes. Cluster head sends the authentication packet to eachof the sensor nodes. The legitimate nodes only send the reply message.

Authors have proposed a lightweight security scheme for detection of selective forwardingattack in [101]. After obtaining responses from intermediate nodes, it uses multi-hop ac-knowledgement for launching alarms. Any packet loss is detected by an intermediate nodewith low communication overhead and good detection accuracy. In case of poor radio con-dition, detection accuracy is guaranteed.

In [102], authors have proposed support vector machines based centralized detection method.It is a part of machine learning algorithms. A one class support vector machine is used fordata pattern classification. The problems of curse of dimensionality and over fitting areavoided by SVMs. Without depleting the node’s energy, high detection accuracy is achieved.

The authors have proposed checkpoint based multi hop acknowledgement scheme for de-tecting selective forwarding attack [103]. The checkpoint nodes are used to find the areawhere selective forwarding attack is launched. A fuzzy rule based system is used to selectcheckpoint nodes. It considers the number of suspect nodes, the estimated distance from thebase station to each node and the remaining energy of each path.


The authors have proposed lightweight detection method based on neighbor information[104]. Each node maintains two hop neighbor lists. Each node maintains malicious counter.The node monitors the behavior of its neighbors. It monitors that the neighbor node for-wards the packet towards the sink node. If not, then counter value is incremented. When thecounter value exceeds than the threshold, the node is declared as a malicious node. Over-hearing mechanism is used to reduce the transmission of alert packets and thereby consumesless energy.

In [105], an intrusion detection system is proposed for detecting selective forwarding attackin mobile wireless sensor networks in which Routing Protocol for Low Power and LossyNetworks (RPL) is used. Each node collects information from its neighbors and stores theno. of packets sent and received into the table. During the data analysis step, sink nodecalculates the no. of dropped packets and the probability of dropped packet. SequentialProbability Radio Test is used during decision step. Finally, a compromised node is elimi-nated.

A fog computing based system is proposed for detection of selective forwarding attack inmobile wireless sensor networks [106]. The intrusion detection system in a fog server col-lects the information regarding received and forwarded packets of mobile monitor nodes.Watchdog is used to receive the information and maintains a monitoring table for all nodes.The received information is analyzed and malicious node is detected using voting.

The authors have proposed network area monitoring based approach for attack detection in[107]. An Intrusion Detection System (IDS) is installed in each sensor node. It continuouslymonitors the sent packets and the overheard packets. A time attribute is assigned to eachpacket for detecting delay attack.

In [108], authors have proposed adaptive and channel aware detection approach for selectiveforwarding attack. The adaptive detection threshold channel aware reputation system evalu-ates the behaviors of sensor nodes and accurately detects the compromised node. The authorshave also proposed an attack tolerant data forwarding approach. Using this approach, datadelivery ratio is significantly improved.

For detecting the forwarding misbehavior, the authors have proposed a hop-by-hop cooper-ative detection approach in [109]. Here, each node overhears the packets and make recordsof forwarding operations. If the node has overheard a packet, the flag value is 1.If the nodehas not overheard a packet, the flag value is 0. If any forwarding misbehavior is detected,then the node decreases the forwarding probability of malicious node. If a malicious node ismultiple times detected, then forwarding probability is quickly reduces.

Authors have proposed multipath routing scheme for defense against selective forwardingattack in [110]. If packet drops occur, then source resends the packets on the different alter-nate route. The proposed algorithm consists of two phases: (1) Network construction and (2)Multipath routing. There exist many paths from source node to the sink. Using minimum


no. of hops, packets are transmitted between source and the sink node. If the sender nodecannot overhear the transmission of packet from the destination, then the sender node selectsdifferent alternate route.

In [111], the authors have proposed selective forwarding attack detection method using wa-termark in wireless sensor networks. A trust value of each node is calculated for selectingthe path for message forwarding. Watermark technology is applied for detection of mali-cious nodes. Watermarking technique is used to calculate the packet lost rate. If the detectedpacket lost rate is bigger than the normal rate, then the base station detects the maliciousnode hop by hop.

For detecting selective forwarding attack, the authors have proposed game theory model in[112]. Malicious nodes are detected using Zero-Sum game approach and selective node ac-knowledgement. The existing system is treated as a game. Two players, intruder and thedetection system are involved in the game theory model. Multi-hop acknowledgement baseddetection method is used for attack detection. One or more intermediate nodes are selectedon the forwarding path to detect malicious nodes.

Authors have presented intrusion detection method for detecting black hole and selectiveforwarding attacks using local information [113]. For detecting malicious behavior, nodemonitor’s their neighbors. Watch dogs are used to analyze the communication links. Foreach packet that a node send to its neighbors, watchdog temporarily buffer the packet andwait to see that the neighbor node forwards the packet or not. If neighbor node is not for-warding the packet, then the counter value is incremented. If the probability of a node beingmalicious is greater than 50 percentage, then the node is considered as a malicious node andall the nodes are informed about the malicious node.

In [114], authors have presented selective forwarding attack detection method in wirelesssensor networks using binary search. When the no. of dropped packets is more than thethreshold value, then cluster head raises an alarm message. For detecting the compromisednode, hello packets and control packets are exchanged on a suspicious path. Multiple com-promised nodes are also detected.

In [115], authors have proposed selective forwarding attack detection method in heteroge-neous sensor networks using sequential probability ratio test. Two types of sensor nodes aredeployed in networks: H-sensors and L-sensors. Authors have proposed a method that canreport successful forwarding packets and drop packets to an H-sensor node. After receivingthe report, H-sensor will run a test to determine whether L-sensor is compromised or not.

In [116], authors have proposed cumulative acknowledgement based detection method to de-tect selective forwarding attack. The proposed approach consists of three phases: (1) Topol-ogy construction and route selection (2) Data transmission and (3) Detection process. The at-tack is detected using multi hop acknowledgements. Some nodes are selected as checkpointnodes along the forwarding route to send acknowledgements after receiving each packet.


Malicious nodes are detected after receiving the acknowledgements.

The authors have proposed selective forwarding attack detection method based on sequentialmesh test [117]. After receiving the packet drop report, the cluster head node detects thepacket dropping node using sequential mesh test. This test extracts a small quantity of sam-ples for running the test. It requires less computation and communication power with shorterdetection time.

Authors have proposed a novel message observation mechanism (MoM) for detecting theDoS attack in [118]. For isolating malicious nodes, it uses rekey and reroute countermea-sures. Energy consumption is also reduced. Message observation mechanism consists oftwo types of lists: normal message list (NML) and abnormal message list (AML). MoM isdeployed in cluster head.

In [119], authors have proposed an approach for preventing denial of service attacks. It isoperated in two phases: (1) Control node election and (2) Detection and blocking of ma-licious node. Every cluster head node monitors traffic in its cluster. If any node transmitsno. of messages higher than the threshold, then it is considered as a malicious node. Afterdetecting malicious node, all messages transmitted by the malicious node will be blocked.

The authors have proposed a localized clustering scheme to detect attacks with the use oftraffic monitoring proxies on some nodes in wireless sensor network in [120]. The methodconsists of two modules: (1) Cluster formation and the cluster head selection and (2) Sessionkey establishment. The security is achieved using session key establishment.

The authors have proposed a hybrid approach using table and swarm-based protection fordenial of service attacks in WSNs [121]. Cluster head periodically checks that each node hassufficient trust value. If yes, then routing path is formed. If no, then new routing path is cal-culated based on swarm-based defense. The variation in channel behavior is also identified.The faulty channel is mitigated using swarm-based approach.

For identifying compromised nodes, authors have use recursive clustering based approach in[122]. The recursive clustering process is done till the desired granularity is obtained. Thisapproach is called k-clustering. The detection approach is based on building multicast tree.

In [123], the authors have explored the flooding based denial of service attack and assessthe lifetime of the network under attacking scenario. The authors have presented multilevelanalysis of the distributed denial of service attack. The role of the attacker is to generate aflood command. Authors have used protection modeling language.

Authors have presented DDoS attack prevention mechanism using Hidden Semi-MarkovModel [124]. The system collects packets every second. For captured packets, selected fea-tures are calculated. These features are used to classify the incoming attack packets. Packetclassification algorithm is applied and is estimated using Hidden Semi-Markov Model.

In [125], the authors have proposed Received Signal Strength Indicator (RSSI) based ap-proach for detection of sinkhole and selective forwarding attack. Some extra monitor nodes


are added and the RSSI value from the extra monitor nodes is used to determine the positionof the sensor nodes. The extra monitor nodes are used to monitor the traffic. Sinkhole attackis detected using RSSI value and selective forwarding attack is detected by monitoring thetraffic.

In [126], the authors have proposed sinkhole attack detection method by analyzing the con-sistency of data. Using data consistency, a list of suspected nodes is found and then anintruder is identified by analyzing network flow information. It can effectively deal withmultiple malicious nodes.

The authors have presented the vulnerabilities of Mintroute protocol and the detection methodfor sinkhole attack in [127]. The nodes send their local decision regarding attack to the sinknode. Every node listen promiscuously the route update messages broadcasted by neigh-bors. If any rule is violated, then send the suspected node list to the sink node. The sinknode makes the decision based on the received alarms from the sensor nodes. The sink nodechecks the common suspected nodes in the lists sent by the sensor nodes.

Algorithm proposed in [128] is based on network flow graph. Initially, the suspected nodesare found and then the intruder is located from the attacked area. The base station obtainsmore than one tree for network flow information. Using depth-first search method, authorshave calculated no. of nodes in different trees. The intruder attracts more traffic; therefore itis located as the root of the biggest tree.

6.6 Impact of Variants of Wormhole

The variants of wormhole are simulated in NS2. The measured parameters are PDF andthroughput. Both the parameters are measured for two situations: without attack and in thepresence of attack. Packet delivery fraction is the ratio of the number of packets delivered tothe destination to the number of packets delivered from the source. Throughput refers to thenumber of data packets delivered from source node to the destination node per unit of time.

Table 6.1, 6.2 and 6.3 show the results of PDF and throughput for variants of wormholeattack.


Table 6.1: PDF and throughput for sinkhole based wormhole attack.

No. of NodesThroughput (KBPS) PDF (Percentage)

Without Attack With Attack Without Attack With Attack

60 84 72.15 99.70 85.14

80 84.75 72.90 99.76 85.90

100 85.10 73.20 99.78 86.10

Table 6.2: PDF and throughput for denial of service based wormhole attack.



60 84 57.10 99.70 46.10

80 84.75 58.05 99.76 46.85

100 85.10 58.30 99.78 47.05

Table 6.3: PDF and throughput for black hole based wormhole attack.



60 84 62.30 99.70 59.40

80 84.75 62.65 99.76 59.85

100 85.10 62.75 99.78 60.10

Chapter 7

Conclusions and Scope for FutureResearch

This Chapter summarizes and concludes our research work. Security is very crucial forWSNs due to its applications in military, environmental observation, habitat monitoring etc.Securing wireless sensor networks include various issues such as secure data aggregation,intrusion detection, key management schemes, secure routing etc. Sensor networks poseunique challenges. Therefore, traditional security algorithms cannot be applied to wirelesssensor networks. There is enormous research potential in the field of security in wirelesssensor networks. Our work is mainly focused in the area of security attacks in wireless sensornetworks. We have surveyed major security attacks in wireless sensor networks. Researchrelated to wormhole attack in sensor network has received much interest recently.

To begin with, we have classified existing wormhole detection techniques into four cate-gories: (1) Using Distance and Time Information (2) Using Secure Neighbor Discovery (3)Using Connectivity Information and (4) Using Location Information. We have presentedexisting methods for wormhole detection with merits and demerits. Some of the wormholedetection approaches presented in the literature require extra hardware such as GPS, direc-tional antenna, synchronized clock and fingerprinting device. Some approaches are based oncryptography mechanism in which sensor node requires public and private keys for securecommunication. For some approaches, a set of investigator nodes are distributed over thenetwork to monitor network topology. Existing detection approaches are resource hungry.Sensor nodes are resource limited devices. There is a need to develop lightweight algorithmwith high detection accuracy and low overhead. In our research work, we have proposed, de-veloped and analyzed three new mechanisms. These approaches are summarized as follow:

75

CHAPTER 7. CONCLUSIONS AND SCOPE FOR FUTURE RESEARCH 76

• Wormhole Detection in Static Wireless Sensor Networks.

Detecting wormhole is very hard in WSNs. A malicious node attracts traffic from onepart of the network and tunnels to another malicious node located in different area. Bygathering the traffic it is possible to break security mechanism used in the network.We have proposed a lightweight algorithm for wormhole detection in static wirelesssensor network. The proposed methodology is based on neighborhood information.With mathematical analysis, we have shown that two genuine neighbor nodes sharecommon one hop neighbors. Proposed protocol uses very less memory and thereforeit is applicable to resource constrained wireless sensor networks. Table 4.3 shows thatthe proposed approach has high detection accuracy. False positives are reduced. Falsenegatives occur for wormhole with short distance.

• Wormhole Detection in Mobility Based Wireless Sensor Networks.

Detecting wormhole in mobility based wireless sensor network is very challenging is-sue because the nodes which are far away in one session can become one hop neighborsin the next session due to mobility. It creates an illusion that wormhole is launched.Differentiating these genuine nodes from the malicious nodes is a challenging issue.We have proposed wormhole detection methodology for mobility based wireless sen-sor networks. It is based on the rate of change of neighboring nodes and the lengthof an alternative path. The simulation results show that the detection accuracy in thedense network is high. A node may possibly have very few neighbor nodes then falsepositive increase.

• Wormhole and its Variants.

After launching the wormhole, an attacker can create many other attacks. It is a gate-way of many attacks. Therefore, wormhole is very dangerous for WSNs. We havepresented three variants of wormhole namely sinkhole based wormhole attack, denialof service based wormhole attack and blackhole based wormhole attack. We have pre-sented various countermeasures against them. The variants of wormhole are simulatedin NS2. The measured parameters are PDF and throughput. Both the parameters aremeasured for two scenarios: without attack and in the presence of an attack. Table 6.1,6.2 and 6.3 show the results of PDF and throughput for variants of wormhole attack.Simulation results show that PDF and throughput sharply decrease in the presence ofan attack.

CHAPTER 7. CONCLUSIONS AND SCOPE FOR FUTURE RESEARCH 77

The possible future directions of our research can be outlined as follows:

1. We have presented variants of wormhole attack and their impact in wireless sensornetwork. We have not presented the detection methodology for variants of wormhole.One can develop lightweight intrusion detection system against variants of wormhole.

2. For wormhole attack detection in mobility based wireless sensor networks, we haveconsidered that all mobile nodes are moving with same speed. It may possible that allnodes are moving with different speed.

3. Our approach can be applied to different topologies such as grid topology, clusterhierarchical configuration etc.

4. Other crucial security issues in wireless sensor networks include secure localization,key management, secure data aggregation, secure routing and cryptography techniquesetc.

5. Many solutions have been proposed for wormhole detection but still it is an activeresearch area.

Bibliography

[1] A. Boukerche; “Performance Evaluation of Routing Protocols for Ad Hoc Wireless Net-works”, Mobile Networks and Applications, vol. 9, no. 4, pp. 333–342, Aug. 2004.

[2] L. Ertaul and N. Chavan; “Security of ad hoc networks and threshold cryptography”, In-ternational Conference on Wireless Networks, Communications and Mobile Computing,2005, vol. 1, pp. 69–74.

[3] I. Mansour, G. Chalhoub, and A. Quilliot; “Security architecture for wireless sensornetworks using frequency hopping and public key management”, in IEEE InternationalConference on Networking, Sensing and Control (ICNSC), 2011, pp. 526–531.

[4] O. Erdene-Ochir, M. Minier, F. Valois, and A. Kountouris; “Resiliency of wireless sensornetworks: Definitions and analyses”, in IEEE 17th International Conference on Telecom-munications (ICT), 2010, pp. 828 –835.

[5] Z. Manap, B. M. Ali, C. K. Ng, N. K. Noordin, and A. Sali; “A Review on HierarchicalRouting Protocols for Wireless Sensor Networks”, Wireless PersCommun, vol. 72, no. 2,pp. 1077–1104, Sep. 2013.

[6] M. Ahmed, X. Huang, D. Sharma, and H. Cui; “Wireless Sensor Network: Character-istics and Architectures”, in World Academy of Science, Engineering and Technology,Penang, Malaysia, 2012, vol. 72, pp. 660–663.

[7] C. Buratti, A. Conti, D. Dardari, and R. Verdone; “An Overview on Wireless SensorNetworks Technology and Evolution”, Sensors, vol. 9, pp. 6869–6896, Aug. 2009.

[8] I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci; “A survey on sensornetworks”, IEEE Communications Magazine, vol. 40, no. 8, pp. 102–114, Aug. 2002.

[9] S. R. Jino Ramson, D. Jackuline Moni; ”Applications of wireless sensor networks - Asurvey”, IEEE International Conference on Advanced Systems and Electric Technologies,14-17 Jan 2017, Tunisia.

[10] Geoff Martin, An evaluation of ad-hoc routing protocols for wireless sensor networks,Master’s thesis, University of Newcastle upon Tyne, May 2004.

78

BIBLIOGRAPHY 79

[11] moteiv Corp. Tmote Sky datasheet. Available athttp://www.moteiv.com/products/docs/tmote-sky-datasheet.pdf.

[12] Wang, Q., Balasingham, I.; Wireless Sensor Networks - An Introduction. In Y. K. Tan,Wireless Sensor Networks: Application-Centric Design, pp. 1–13, InTech, 2010.

[13] Y. C. Hu, A. Perrig, and D. B. Johnson; “Packet leashes: a defense against wormholeattacks in wireless networks”, IEEE Computer and Communications Societies, IEEE, vol.3, pp. 1976–1986, 2003.

[14] Y.-C. Hu, A. Perrig, and D. B. Johnson; “Wormhole attacks in wireless networks”,IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 370–380, 2006.

[15] J. Eriksson, S. Krishnamurthy, and M. Faloutsos; “Truelink: A practical countermea-sure to the wormhole attack”, in ICNP, pp. 75-84, 2006.

[16] Qiuwei Yang, Xiaogang Zhu, Hongjuan Fu, Xiqiang Che; “Survey of Security Tech-nologies on Wireless Sensor Networks”, Journal of Sensors, volume 2015, Article ID842392, 9 pages.

[17] Murat Dener; “Security Analysis in Wireless Sensor Networks”, International Journalof Distributed Sensor Networks, volume 2014, Article ID 303501, 9 pages

[18] Sergio Saponara, Agusti Solanas, Gildas Avoine and Bruno Neri; “Privacy and Securityin Wireless Sensor Networks: Protocols, Algorithms and Efficient Architectures”, Journalof Computer Networks and Communications, volume 2013, Article ID 528750, 3 pages.

[19] Wang,Yong, Attebury, Garhan and Ramamurthy, Byrav; “A Survey of security issuesin wireless sensor networks”, IEEE Communications Surveys and Tutorials, 2006.

[20] Chen, Xiangqian, et al.; “Sensor network security: A survey”, IEEE Communicationssurveys and tutorials, vol. 11, pp. 52-73, 2009.

[21] C. Karlof and D. Wagner; “Secure routing in wireless sensor networks: attacks andcountermeasures”; Journal of Ad Hoc Networks, vol. 1, no. 2-3, pp.293–315, 2003.

[22] S. K. Singh, M. P. Singh, and D. K. Singh; “A Survey on Network Security and AttackDefense Mechanism for Wireless Sensor Networks”, International Journal of ComputerTrends and Technology, vol. 1, no. 2, pp. 1–9, Jun. 2011.

[23] D. G. Padmavathi and M. D. Shanmugapriya; “A Survey of Attacks, Security Mecha-nisms and Challenges in Wireless Sensor Networks”, arXiv e-print 0909.0576, Sep. 2009.

[24] C. Karlof and D. Wagner; “Secure routing in wireless sensor networks: attacks andcountermeasures”, in Sensor Network Protocols and Applications, Berkeley, CA, USA,2003, pp. 113 – 127.

BIBLIOGRAPHY 80

[25] R. Di Pietro, L. V. Mancini, and A. Mei; “Random key-assignment for secure WirelessSensor Networks”, in Proceedings of the 1st ACM workshop on security of ad hoc andsensor networks, New York, NY, USA, 2003, pp. 62–71.

[26] C. Karlof and D. Wagner; “Secure routing in wireless sensor networks: attacks andcountermeasures”, in Sensor Network Protocols and Applications, Berkeley, CA, USA,pp. 113 – 127, 2003.

[27] A. Wood, J. Stankovic, and S. Son; “JAM: A mapping service for jammed regions insensor networks”, in Proceedings of the IEEE Real-Time Systems Symposium, December2003.

[28] Zinaida Benenson, Felix C. Gartner, and Dogan Kesdogan; “An algorithmic frameworkfor robust access control in wireless sensor networks”, in Second European Workshop onWireless Sensor Networks (EWSN), January 2005.

[29] Lingxuan Hu and David Evans; “Secure aggregation for wireless networks”, in SAINT-W ’03: Proceedings of the Symposium on Applications and the Internet Workshops(SAINT’03 Workshops), IEEE Computer Society, 2003.

[30] Bartosz Przydatek, Dawn Song, and Adrian Perrig; “SIA: Secure information aggrega-tion in sensor networks”, in ACM SenSys, Nov 2003.

[31] David Wagner; “Resilient aggregation in sensor networks”, in SASN ’04: Proceedingsof the 2nd ACM workshop on Security of ad hoc and sensor networks, pages 78–87, ACMPress, 2004.

[32] J. Deng, R. Han, and S. Mishra; “A performance evaluation of intrusion-tolerant rout-ing in wireless sensor networks”, in 2nd IEEE International Workshop on InformationProcessing in Sensor Networks (IPSN 2003), April 2003.

[33] Chris Karlof and David Wagner; “Secure routing in wireless sensor networks: Attacksand countermeasures”, Elsevier’s Ad Hoc Network Journal, Special Issue on Sensor Net-work Applications and Protocols, September 2003.

[34] Erik-Oliver Blass, Joachim Wilke, and Martina Zitterbart; “A Security–Energy Trade-Off for Authentic Aggregation in Sensor Networks”, in IEEE Conference on Sensor,Mesh and Ad Hoc Communications and Networks (SECON), Extended Abstract, pages135–137, Washington D.C., USA, September 2006. ISBN: 1-4244-0732-X.

[35] Martina Zitterbart and Erik-Oliver Blaß; “An Efficient Key Establishment Scheme forSecure Aggregating Sensor Networks”, in ACM Symposium on Information, Computerand Communications Security, pages 303–310, Taipei, Taiwan, March 2006. ISBN 1-59593-272-0.

BIBLIOGRAPHY 81

[36] Zinaida Benenson, Peter M. Cholewinski, and Felix C. Freiling; “Simple evasive datastorage in sensor networks”, in IASTED PDCS, pages 779–784, 2005.

[37] Abhishek Ghose, Jens Grossklags, and John Chuang; “Resilient data-centric storagein wireless ad-hoc sensor networks”, in MDM ’03: Proceedings of the 4th InternationalConference on Mobile Data Management, pages 45–62, Springer-Verlag, 2003.

[38] Lingxuan Hu and David Evans; “Secure aggregation for wireless networks”, in SAINT-W’03: Proceedings of the 2003 Symposium on Applications and the Internet Workshops(SAINT’03 Workshops), page 384. IEEE Computer Society, 2003.

[39] Bartosz Przydatek, Dawn Song, and Adrian Perrig; “SIA: Secure information aggrega-tion in sensor networks”, in ACM SenSys 2003, Nov 2003.

[40] David Wagner; “Resilient aggregation in sensor networks”, in SASN ’04: Proceedingsof the 2nd ACM workshop on security of ad hoc and sensor networks, pages 78–87, ACMPress, 2004.

[41] H. K. D. Sharma, A. Kar; “Security Threats in Wireless Sensor Networks”, CarnahanConferences Security Technology, Proceedings 2006, 40th Annual IEEE International.

[42] Shi, E., and A. Perrig; “Designing Secure Sensor Networks”, Wireless CommunicationMagazine 11 (6): 38–43, December 2004.

[43] Wang, X., W. Gu, S. Chellappan, D. Xuan and T. H. Laii; “Search-Based PhysicalAttacks in Sensor Networks: Modeling and Defense”, Technical Report, Department ofComputer Science and Engineering, Ohio State University, February 2005.

[44] Wood, A. D., and J. A. Stankovic; “Denial of Service in Sensor Networks”, IEEEComputer 35(10): 54–62, 2002.

[45] Hartung, C., J. Balasalle, and R. Han; “Node Compromise in Sensor Networks: TheNeed for Secure Systems”, Technical Report CU-CS-988-04, Department of ComputerScience, University of Colorado at Boulder, 2004.

[46] Wang, X., W. Gu, K. Schosek, S. Chellappan, and D. Xuan; “Sensor Network Configu-ration Under Physical Attacks”, Technical report (OSU-CISRC-7/04-TR45), Departmentof Computer Science and Engineering, Ohio State University, July 2004.

[47] Newsome, J., E. Shi, D. Song, and A. Perrig; “The Sybil Attack in Sensor Networks:Analysis and Defenses”, in Proceedings of the 3rd International Symposium on Informa-tion Processing in Sensor Networks, 259–68, ACM Press, 2004.

BIBLIOGRAPHY 82

[48] Douceur, J; “The Sybil Attack”, in Proceedings of the 1st International Workshopon Peer to Peer Systems (IPTPS’02), vol. 2429, 251–60, Cambridge, Massachusetts:Springer LNCS, March 2002.

[49] Awerbuch, B., D. Holmer, C. Nita-Rotaru, and H. Rubens; “An On-Demand SecureRouting Protocol Resilient to Byzantine Failures”, in Proceedings of the 1st ACM Work-shop on Wireless Security (WiSe’02), 21–30. Atlanta, Georgia: ACM Press, September2002.

[50] Anderson, R., and M. Kuhn; “Low Cost Attacks on Tamper Resistant Devices”, inProceedings of the 5th International Workshop on Security Protocols (IWSP), LNCS vol.1361, 125–36, 1997.

[51] Parno, B., A. Perrig, and V. Gligor; “Distributed Detection of Node Replication Attacksin Sensor Networks”, in Proceedings of the IEEE Symposium on Security and Privacy (Sand P’05), 49–63. Oakland, California: IEEE Computer Society, May 2005.

[52] Deng, J., R. Han, and S. Mishra; “Countermeasures Against Traffic Analysis in Wire-less Sensor Networks”, Technical Report CU-CS-987-04, University of Colorado at Boul-der,2004.

[53] Yang Xiao, Xuemin Shen and Ding Zhu Du; “Wireless Network Security”, Signal andCommunication Technology, Springer, 2007, ISBN: 978-0-387-28040-0.

[54] D.B. Johnson, D.A. Maltz and J. Broch; “The dynamic source routing protocol formultihop wireless ad hoc networks”, in: Ad Hoc Networking, (Addison-Wesley, 2001),ch. 5, pp. 139–172.

[55] C.E. Perkins and E.M. Royer, “Ad-hoc on-demand distance vector routing”, Proceed-ings of WMCSA (Feb. 1999) pp. 90–100.

[56] Khabbazian, Mercier, Bhargava; “Wormhole attacks in wireless Adhoc networks:Analysis and Countermeasures”, Global Telecommunications Conference, 2006, IEEEGLOBECOM’06.

[57] S. Han, E. Chang, L. Gao, and T. Dillon; “Taxonomy of attacks on wireless sensornetworks”, Proceeding of the First European Conference on Computer Network DefenseSchool of Computing, pp. 97-105, Dec. 2005.

[58] Y. C. Hu, A. Perrig, and D. B. Johnson; “Packet leashes: a defense against wormholeattacks in wireless networks”, IEEE Computer and Communications Societies, IEEE, vol.3, pp. 1976–1986, 2003.

[59] Y.-C. Hu, A. Perrig, and D. B. Johnson; “Wormhole attacks in wireless networks”,IEEE Journal on Selected Areas in Communications, vol. 24, no. 2, pp. 370–380, 2006.

BIBLIOGRAPHY 83

[60] S. Capkun, L. Buttyan and J.P. Hubaux; “SECTOR: Secure tracking of node encountersin multi-hop wireless networks”, Proceedings of the 1st ACM workshop on Security ofad-hoc and sensor networks (SASN 03), pp. 21-32, Oct. 2003.

[61] Majid Khabbazian, Hugues Mercier and Vijay K. Bhargava; “Severity Analysis andCountermeasure for the Wormhole Attack in Wireless Ad Hoc Networks”, IEEE Trans-actions on Wireless Communications, Vol. 8, and Issue: 2, 2009, pp. 736-745.

[62] R. Maheshwari, J. Gao, and S. R. Das; “Detecting wormhole attacks in wireless net-works using connectivity information”, in Proc. INFOCOM, 2007.

[63] Honglong Chen,Wei Lou, Xice Sun and ZhiWang; “A Secure localization approachagainst wormhole attacks using distance consistency”, EURASIP Journal on WirelessCommunications and Networking, Volume 2010, 11 pages.

[64] Gu-Hsin Lai; “Detection of wormhole attacks on IPv6 mobility-based wireless sensornetwork”, EURASIP Journal on Wireless Communications and Networking, 2016.

[65] Reza Shokri, Marcin Poturalski; “A Practical Secure Neighbor Verification Protocol forWireless Sensor Networks”, ACM, WiSec’09, March 16-18, 2009, Zurich, Switzerland.

[66] Yurong Xu, Yi Ouyang, Zhengyi Le, James Ford, Fillia Makedon; “Analysis ofRange-Free Anchor-Free Localization in a WSN under Wormhole Attack”, ACM,MSWiM’07,October 22-26, 2007, Chaina, Greece.

[67] Mehdi Sookhak, Adnan Akhundzada, Alireza Sookhak, Mohammadreza Eslamine-jad, Abdullah Gani, Muhammad Khurram Khan, Xiong Li, Xiaomin Wang; “GeographicWormhole Detection in Wireless Sensor Networks”, Journal of PLOS ONE, January 20,2015, DOI: 10.1371/journal.pone.0115324.

[68] Zhibin Zhao, Bo Wei, Xiaomei Dong, Lan Yao, Fuxiang Gao; “Detecting wormholeattacks in wireless sensor networks with statistical analysis”, International Conference onInformation Engineering(ICIE), 2010, pp. 251-254.

[69] Hon Sun Chiu, King –Shan Lui; “DelPHI: Wormhole Detection Mechanism for Ad HocWireless Networks”, 1st IEEE International Symposium on Wireless Pervasive Comput-ing, 2006.

[70] Shams Qazi, Raad Raad, Yi Mu, Willy Susilo; “Securing DSR against wormhole at-tacks in multirate ad hoc networks”, Journal of Network and Computer Applications, pp582-593, 2013.

BIBLIOGRAPHY 84

[71] Rupinder Singh, Jatinder Singh, and Ravinder Singh; “WRHT: A Hybrid Techniquefor Detection of Wormhole Attack in Wireless Sensor Networks”, Journal of Mobile In-formation Systems, Hindawi Publishing Corporation, Volume 2016, Article ID 8354930,13 pages.

[72] Hyeon Myeong Choi, Su Man Nam, Tae Ho Cho; “A Secure routing method for detect-ing false reports and wormhole attacks in wireless sensor networks”, Scientific Researchon Wireless Sensor Network, March 2013, vol. 5,pp. 33-40.

[73] Lijun Qian, Ning Song, Xiangfang Li; “Detection of wormhole attacks in multi-pathrouted wireless ad hoc networks: A statistical analysis approach”, Journal of Network andComputer Applications, 2005.

[74] Sanjay Madria, Jian Yin; “SeRWA : A secure routing protocol against wormhole attacksin sensor networks”, Journal of Ad Hoc Networks, September 2008.

[75] L. Hu and D. Evans; “Using directional antennas to prevent wormhole attacks”, inNetwork and Distributed System Security Symposium (NDSS), pp. 131–141, 2004.

[76] Bayrem Triki, Slim Rekhis, and Noureddine Boudriga; “Digital investigation of worm-hole attacks in wireless sensor networks”, Eighth IEEE International Symposium on Net-work Computing and Applications, pp. 179-186, 2009.

[77] K.B. Rasmussen and S. Capkun; “Implications of radio fingerprinting on the securityof sensor networks”, Third International Conference on Security and Privacy in Commu-nication Networks and the Workshops, pp. 331-340, Sep. 2007.

[78] Xiaomeng Ban, Rik Sarkar, Jie Gao; “Local Connectivity Tests to Identify Wormholesin Wireless Networks”, ACM, MobiHoc’11, May 16-20, 2011, Paris, France.

[79] Levente Buttyan, Laszlo Dora, and Istvan Vajda; “Statistical wormhole detection insensor networks”, SAS 2005, Springer, pp. 128–141.

[80] Dong D, Liu Y, yang Li X, Liao X, Li M; “Topological detection on wormholes inwireless ad hoc and sensor networks”, 17th IEEE International Conference on NetworkProtocols, 2009, pp. 314-323.

[81] W. Wang and B. Bhargava; “Visualization of wormholes in sensor networks”, WiSe’04,Proceeding of the 2004 ACM workshop on Wireless Security, ACM Press, pp. 51-60,2004.

[82] Xiaopei Lu, Dezun Dong and Xiangke Liao; “MDS-Based Wormhole Detection usingLocal Topology in Wireless Sensor networks”, International Journal of Distributed Sensornetworks, Volume 2012, Article ID 145702, 9 pages.

BIBLIOGRAPHY 85

[83] Saswati Mukherjee, Matangini Chattopadhyay, Samiran Chattopadhyay, Pragma Kar;“Wormhole Detection Based on Ordinal MDS Using RTT in Wireless Sensor Network”,Journal of Computer Networks and Communications, Volume 2016, Article ID 3405264,15 pages.

[84] Li Lu, Muhammad Jawad Hussain, Guoxing Luo, Zhigang Han; “Pworm: passive andReal-Time Wormhole Detection Scheme for WSNs”, International Journal of DistributedSensor networks, Volume 2015, Article ID 356382, 16 pages.

[85] Rakesh Matam, Somanath Tripathy; “WRSR: wormhole-resistant secure routing forwireless mesh networks”, Springer, EURASIP Journal on Wireless Communications andNetworking 2013.

[86] N. Tsitsiroudi, P. Sarigiannidis, E. Karapistoli, and A. Economides; “EyeSim : A mo-bile application for visual-assisted wormhole attack detection in IoT-enabled WSNs”,Proceedings of the 9th IFIPWireless and Mobile Networking Conference (2016), pp.103–109.

[87] J. Biswas, A. Gupta, and D. Singh; “WADP: a wormhole attack detection and pre-vention technique in MANET using modified AODV routing protocol”, Proceedings ofthe 9th IEEE International Conference on Industrial and Information Systems (2014), pp.1–6.

[88] Radha Poovendran, Loukas Lazos; “A graph theoretic framework for preventing thewormhole attack in wireless ad hoc networks”, Springer, Wireless Netw (2007) 13:27–59.

[89] Honglong Chen, Wendong Chen, Zhibo Wang, Yanjun Li; “Mobile Beacon BasedWormhole Attackers Detection and Positioning in Wireless Sensor Networks”, Interna-tional Journal on Distributed Sensor Networks, Vol. 2014, 10 pages.

[90] Yanchao Zhang, Wei Liu, Wenjing Lou, Yuguang Fang; “Location-Based Compromise– Tolerant Security Mechanisms for Wireless Sensor Networks”, IEEE Journal on Se-lected Areas in Communications, Vol. 24, No. 2, February 2006.

[91] Issa Khalil, Saurabh Bagchi, Ness B. Shroff; “MOBIWORP: Mitigation of the worm-hole attack in mobile multihop wireless networks”, Elsevier, Journal of Ad Hoc Networks6 (2008), 344-362.

[92] L. Lazos and R. Poovendran; “SeRLoc: Robust Localization for Wireless Sensor Net-works”, ACM Transactions on Sensor Networks, pp. 73–100, 2005.

[93] L. Lazos and R. Poovendran; “HiRLoc: High-Resolution Robust Localization for Wire-less Sensor Networks”, IEEE Journal on Selected Areas in Communications, vol. 24, no.2, pp. 233–246, 2006.

BIBLIOGRAPHY 86

[94] Maryam Motamedi, Nasser Yazdani; “Detection of Black Hole Attack in Wireless Sen-sor Network Using UAV”, 7th IEEE International Conference on Information and Knowl-edge Technology, 2015.

[95] Binod Kumar Mishra, Mohan C. Nikam, Prashant Lakkadwala; “Security AgainstBlack Hole Attack In Wireless Sensor Network–A Review”, 4th IEEE International Con-ference on Communication Systems and Network Technologies, 2014.

[96] Firoz Ahmed and Young-Bae Ko; “Mitigation of black hole attacks in Routing Protocolfor Low Power and Lossy Networks”, Journal of security and communications networks,John Wiley and Sons, Ltd, 2016.

[97] Prachi Dewal, Gagandeep Singh Narula, Vishal Jain; “Detection and Prevention ofBlack Hole Attacks in Cluster Based Wireless Sensor Networks”, 3rd IEEE InternationalConference on Computing for Sustainable Global Development, 2016.

[98] Meenakshi Tripathi, M. S. Gaur, V. Laxmi, and P. Sharma; “Detection and Counter-measure of Node Misbehaviour in Clustered Wireless Sensor Network”, ISRN SensorNetworks, Volume 2013, Article ID 843626, 9 pages.

[99] Gursheen Kaur, Mandeep Singh; “Detection of Black Hole in Wireless Sensor Net-work based on Data Mining”, 5th IEEE International Conference - Confluence The NextGeneration Information Technology Summit, 2014.

[100] Mohammad Wazid, Avita Katal, Roshan Singh; “Detection and Prevention Mech-anism for Blackhole Attack in Wireless Sensor Network”, International conference onCommunication and Signal Processing, April 3-5, 2013, India.

[101] Bo Yu, Bin Xiao; “Detecting Selective Forwarding Attacks in Wireless Sensor Net-works”, Proceedings 20th IEEE International Parallel and Distributed Processing Sympo-sium, 2006.

[102] Sophia Kaplantzis, Alistair Shilton, Nallasamy Mani, Y. Ahmet Sekercioglu; “De-tecting Selective Forwarding Attacks in Wireless Sensor Networks using Support VectorMachines”, 3rd International Conference on Intelligent Sensors, Sensor Networks andInformation, 2007, Pages: 335 – 340.

[103] Sang Jin Lee, In Geol Chun, Won Tae Kim, Seung Min Park; “Control method for thenumber of checkpoint nodes for detecting selective forwarding attacks in wireless sen-sor networks”, International Conference on Information and Communication TechnologyConvergence (ICTC), 2010, Pages: 537 – 538.

BIBLIOGRAPHY 87

[104] Tran Hoang Hai, Eui-Nam Huh; “Detecting Selective Forwarding Attacks in WirelessSensor Networks Using Two-hops Neighbor Knowledge”, Seventh IEEE InternationalSymposium on Network Computing and Applications, 2008, Pages: 325 – 331.

[105] Fatma Gara, Leila Ben Saad, Rahma Ben Ayed; “An intrusion detection system forselective forwarding attack in IPv6-based mobile WSNs”, 13th International WirelessCommunications and Mobile Computing Conference (IWCMC), 2017, Pages: 276 – 281.

[106] Qussai Yaseen, Firas AlBalas, Yaser Jararweh, Mahmoud Al-Ayyoub; “A Fog Com-puting Based System for Selective Forwarding Detection in Mobile Wireless Sensor Net-works”, IEEE 1st International Workshops on Foundations and Applications of Self Sys-tems, 2016, Pages: 256 – 262.

[107] Martin Stehlik, Vashek Matyas, Andriy Stetsko; “Towards better selective forwardingand delay attacks detection in wireless sensor networks”, IEEE 13th International Con-ference on Networking, Sensing, and Control (ICNSC), 2016, Pages: 1 – 6.

[108] Ju Ren, Yaoxue Zhang, Kuan Zhang, Xuemin Shen; “Adaptive and Channel-AwareDetection of Selective Forwarding Attacks in Wireless Sensor Networks”, IEEE Transac-tions on Wireless Communications, 2016, Volume: 15, Issue: 5, Pages: 3718 – 3731.

[109] Sunho Lim, Lauren Huie; “Hop-by-Hop cooperative detection of selective forward-ing attacks in energy harvesting wireless sensor networks”, International Conference onComputing, Networking and Communications (ICNC), 2015, Pages: 315 – 319.

[110] P C Geethu, A Rameez Mohammed; “Defense mechanism against selective forward-ing attack in wireless sensor networks”, Fourth International Conference on Computing,Communications and Networking Technologies, 2013, Pages: 1 – 4.

[111] Deng-yin Zhang; Chao Xu; Lin Siyuan; “Detecting selective forwarding attacks inWSNs using watermark”, International Conference on Wireless Communications and Sig-nal Processing, 2011, Pages: 1 – 4.

[112] Yenumula B. Reddy, S. Srivathsan; “Game theory model for selective forward attacksin wireless sensor networks”, 17th Mediterranean Conference on Control and Automa-tion, 2009, Pages: 458 – 463.

[113] Mukesh Tiwari, Karm Veer Arya, Rahul Choudhari, Kumar Sidharth Choudhary; “De-signing Intrusion Detection to Detect Black Hole and Selective Forwarding Attack inWSN Based on Local Information”, Fourth International Conference on Computer Sci-ences and Convergence Information Technology, 2009, Pages: 824 – 828.

[114] Saswati Mukherjee, Matangini Chattopadhyay, Samiran Chattopadhyay, Prince Bose,Agniswar Bakshi; “Detection of selective forwarding attack in wireless ad hoc networks

BIBLIOGRAPHY 88

using binary search”, Third International Conference on Emerging Applications of Infor-mation Technology, 2012, Pages: 382 – 386.

[115] J. Brown; X. Du; “Detection of Selective Forwarding Attacks in Heterogeneous Sen-sor Networks”, IEEE International Conference on Communications, 2008, Pages: 1583 –1587.

[116] Young Ki Kim, Hwaseong Lee, Kwantae Cho, Dong Hoon Lee; “CADE: CumulativeAcknowledgement Based Detection of Selective Forwarding Attacks in Wireless Sen-sor Networks”, Third International Conference on Convergence and Hybrid InformationTechnology, Volume 2, Pages: 416 – 422, 2008.

[117] Guorui Li, Xiangdong Liu, Cuirong Wang; “A sequential mesh test based selectiveforwarding attack detection scheme in wireless sensor networks”, International Confer-ence on Networking, Sensing and Control, 2010, Pages: 554 – 558.

[118] ZHANG Yi-ying, LI Xiang-zhen, LIU Yuan-an; “The detection and defence of DoSattack for wireless sensor network”, Journal of China Universities of Posts and Telecom-munications, Elsevier, October 2012, 19: 52–56.

[119] Djamel Mansouri, Lynda Mokddad, Jalel Ben-othman, Malika Ioualalen; “Prevent-ing Denial of Service Attacks in Wireless Sensor Networks”, IEEE Mobile and WirelessNetworking Symposium, 2015.

[120] P.P. Joby, P. Sengottuvelan; “A localised clustering scheme to detect attacks in wirelesssensor network”, Int. J. Electronic Security and Digital Forensics, Vol. 7, No. 3, 2015.

[121] Mahalakshmi Gunasekaran, Subathra Periakaruppan; “A hybrid protection ap-proaches for denial of service (DoS) attacks in wireless sensor networks”, InternationalJournal of Electronics, Taylor and Francis, 2017, ISSN: 0020-7217 (Print) 1362-3060.

[122] S. Fouchal, D. Mansouri, L. Mokdad and M. Iouallalen; “Recursive-clustering-basedapproach for denial of service (DoS) attacks in wireless sensors networks”, Int. J. Com-mun. Syst. 2015; 28: 309–324.

[123] KatarzynaMazur, Bogdan Ksiezopolski and Radoslaw Nielek; “Multilevel Modelingof Distributed Denial of Service Attacks in Wireless Sensor Networks”, Journal of Sen-sors, Volume 2016, Article ID 5017248, 13 pages.

[124] Ko Ko Oo, Kyaw Zaw Ye, Hein Tun, Kyaw Zin Lin and E.M. Portnov; “Enhancementof Preventing Application Layer Based on DDOS Attacks by Using Hidden Semi-MarkovModel”, 9th International Conference on Genetic and Evolutionary Computing, August26-28, 2015.

BIBLIOGRAPHY 89

[125] Chanatip Tumrongwittayapak, Ruttikorn Varakulsiripunth; “Detecting sinkhole attackand selective forwarding attack in wireless sensor networks”, 7th International Conferenceon Information, Communications and Signal Processing (ICICS), 2009, Pages: 1 – 5.

[126] S. Ahmad Salehi, M. A. Razzaque, Parisa Naraei, Ali Farrokhtala; “Detection of sink-hole attack in wireless sensor networks”, IEEE International Conference on Space Scienceand Communication, 2013, Pages: 361 - 365.

[127] Murad A. Rassam, Anazida Zainal, Mohd. Aizaini Maarof, Mohammed Al-Shaboti;“A sinkhole attack detection scheme in Mintroute Wireless Sensor Networks”, Interna-tional Symposium on Telecommunication Technologies, 2012, Pages: 71 – 75.

[128] Edith C. H. Ngai, Jiangchuan Liu, Michael R. Lyu; “On the Intruder Detection forSinkhole Attack in Wireless Sensor Networks”, IEEE International Conference on Com-munications, 2006, Volume: 8, Pages: 3383 – 3389.

[129] The Network Simulator -ns-2. http://www.isi.edu/nsnam/ns/

[130] D.B.Johnson, ”Validation of Wireless And Mobile Network Models And Simulation”,Proceedings of the DARPA/NIST Workshop on Validation of Large Scale Network Mod-els and Simulation, Fairfax, Virginia, May 1999.

[131] I. Svilen, H. Andre and L. Georg, “Experimental Validation of the NS-2 WirelessModel using Simulation, Emulation and Real Network”, Proceedings of Kommunikationin Verteilten Systemen 15, ITG/GI Fachtagung, Bern, Schweiz, (KIVS’2007) February,2007.

[132] Rajinder Kaur, Amit Grover; “Performance Analysis of AODV, DSR and OLSR Rout-ing Protocols in WSN”, International Journal of Computer Applications (0975 – 8887),Vol. 170, No. 1, July 2017.

[133] Akshai Aggarwal, Savita Gandhi, Nirbhay Chaubey; “Performance Analysis ofAODV,DSDV and DSR in MANETS” International Journal of Distributed and ParallelSystems (IJDPS) Vol. 2, No. 6, November 2011.

[134] Nitiket N Mhala, and N K Choudhari; “An Implementation Possibilities for AODVRouting Protocols in Real World,” International Journal of Distributed and Parallel Sys-tems (IJDPS) Vol. 1, No. 2, November 2010.

[135] Parag Kumar, Guha Thakurta, Rajeswar Guin, Subhansu Bandyopadhyay; “An Effi-cient Approach for Detecting Wormhole Attacks in AODV Routing Protocol” Advancesin Intelligent Systems and Computing, Springer, pp. 217-227, 2018.

BIBLIOGRAPHY 90

[136] Parmar Amish, V.B. Vaghela, “Detection and Prevention of Wormhole Attack in Wire-less Sensor Network using AOMDV protocol”, Procedia Computer Science 79 ( 2016 )700 – 707.

BIBLIOGRAPHY 91

Publications

1. Manish M Patel et al; “Security Attacks in Wireless Sensor Networks: A Survey”,IEEE International Conference on Intelligent System and Signal Processing, 1-2 March,2013, Gujarat, INDIA. (IEEE Xplore)

2. Manish M Patel et al; “Two Phase Wormhole Attack Detection in Dynamic WirelessSensor Networks”, IEEE International Conference on Wireless Communications, Sig-nal Processing and Networking, 23-25 March, 2016, Chennai, INDIA. (IEEE Xplore)

3. Manish M Patel et al; “Wormhole Attack and Countermeasures in Wireless SensorNetworks: A Survey”, International Journal of Engineering and Technology, Vol. 9,No 2, May-2017. (Scopus)

4. Manish M Patel et al; “Analysis of Wormhole Attack in Wireless Sensor Networks”,5th International Conference on Advanced Computing, Networking and Informatics,01-03 June, 2017, NIT Goa, Advances in Intelligent Systems and Computing Series.(Springer)

5. Manish M Patel et al; “Detection of Wormhole Attack in Static Wireless Sensor Net-works”, 2nd International Conference on Computer Communication and Computa-tional Sciences, October 11-12, 2017, Phuket, Thailand, Advances in Intelligent Sys-tems and Computing Series. (Springer) (Best Paper Award)

6. Manish M Patel et al; “Performance Evaluation of Wireless Sensor Network in Pres-ence of Wormhole Attack”, 2nd International Conference on Advanced Computingand Intelligent Engineering, 23-25 November, 2017, Ajmer, India. Advances in Intel-ligent Systems and Computing Series. (Springer)

7. Manish M Patel et al; “Variants of Wormhole Attacks and their Impact in WirelessSensor Networks”, International Conference on Computing Analytics and Network-ing, 15–16 December, 2017, Bhubaneswar, India, Progress in Computing, Analyticsand Networking, pp. 637-642. (Springer)

8. Manish M Patel et al; “Detection of Wormhole Attacks in Mobility Based WirelessSensor Networks”, International Journal of Communication Networks and DistributedSystems, Vol. 21, No. 2, pp. 147-156, 2018. (INDERSCIENCE)

9. Manish M Patel et al; “Experimental Analysis of Measuring Neighborhood Change inthe Presence of Wormhole in Mobile Wireless Sensor Networks” Security and Privacy@ John Wiley and Sons Ltd, ISSN : 2475-6725. (Under Review)

BIBLIOGRAPHY 92

10. Manish M Patel et al; “Countermeasures against Variants of Wormhole in WirelessSensor Networks: A Review”, IEEE Communications Surveys and Tutorials. (UnderReview)

11. Manish M Patel et al; “Analysis of Wormhole Detection Features in Wireless SensorNetworks”, Journal of Engineering Science and Technology Review. (Under Review)

BIBLIOGRAPHY 93

Appendix

RCN value measured without wormhole attack

Table 7.1 shows the rate of change of neighborhood value measured at different time withdifferent speed without wormhole attack.

Table 7.1: RCN value measured without wormhole attack

Speed = 1 m/s Speed = 5 m/s Speed = 10 m/s

Time(Seconds) RCN

Time(Seconds) RCN

Time(Seconds) RCN

42 0.39 18 0.37 4 0.34

43 0.39 19 0.37 5 0.34

44 0.39 20 0.40 6 0.37

45 0.46 21 0.40 7 0.39

46 0.46 22 0.40 8 0.39

47 0.46 23 0.46 9 0.46

48 0.46 24 0.46 10 0.46

49 0.46 25 0.46 11 0.46

50 0.46 26 0.46 12 0.52

51 0.46 27 0.46 13 0.59

52 0.46 28 0.51 14 0.59

53 0.51 29 0.51 15 0.70

54 0.51 30 0.51 16 0.70

55 0.51 31 0.58 17 0.82

BIBLIOGRAPHY 94

RCN value measured in the presence of wormhole attack

Table 7.2 shows the rate of change of neighborhood value measured at different time withdifferent speed without in the presence of wormhole attack.

Table 7.2: RCN value measured in the presence of wormhole attack

Speed = 1 m/s Speed = 5 m/s Speed = 10 m/s

Time(Seconds) RCN

Time(Seconds) RCN

Time(Seconds) RCN

42 0.67 18 0.65 4 0.62

43 0.67 19 0.65 5 0.62

44 0.67 20 0.65 6 0.65

45 0.74 21 0.72 7 0.70

46 0.74 22 0.72 8 0.70

47 0.74 23 0.72 9 0.78

48 0.79 24 0.76 10 0.78

49 0.79 25 0.76 11 0.78

50 0.79 26 0.76 12 0.82

51 0.79 27 0.76 13 0.82

52 0.79 28 0.80 14 0.87

53 0.83 29 0.80 15 0.87

54 0.83 30 0.80 16 0.94

55 0.83 31 0.86 17 0.94

networks - amazon s3 · it is certified that phd thesis titled security attacks in wireless sensor...

Documents