Elsevier

Computer Communications

Volume 34, Issue 3, 15 March 2011, Pages 468-484
Pattern recognition for detecting distributed node exhaustion attacks in wireless sensor networks

https://doi.org/10.1016/j.comcom.2010.04.008

Abstract

Malicious attacks, when launched by the adversary-class against sensor nodes of a wireless sensor network, can disrupt routine operations of the network. The mission-critical nature of these networks signifies the need to protect sensory resources against all such attacks. Distributed node exhaustion attacks are attacks that may be launched by the adversarial class from multiple ends of a wireless sensor network against a set of target sensor nodes. The intention of such attacks is the exhaustion of the victim’s limited energy resources. As a result of the attack, the incapacitated data-generating legitimate sensor nodes are replaced with malicious nodes that will engage in further malicious activity against sensory resources. One such activity is the generation of fictitious sensory data to misguide emergency response systems to mobilize unwanted contingency activity. In this paper, a model is proposed for such an attack based on network traffic flow. In addition, a distributed mechanism for detecting such attacks is also defined. Specific network topology-based patterns are defined to model normal network traffic flow, and to facilitate differentiation between legitimate traffic packets and anomalous attack traffic packets. The performance of the proposed attack detection scheme is evaluated through simulation experiments, in terms of the size of the sensor resource set required for participation in the detection process for achieving a desired level of attack detection accuracy. The results signify the need for distributed pattern recognition for detecting distributed node exhaustion attacks in a timely and accurate manner.

Introduction

Wireless sensor networks have emerged as a significant source of data collection based on sensing of the immediate environment of the sensor nodes. Sensor networks are deployed in harsh and inaccessible environments with the purpose of monitoring their respective surroundings, and generating observed readings, for delivery to a centralized entity, for further data analysis. Sensor nodes are tiny devices with limited available resources (power, processing and memory) with which to perform all their sensory operations and sustain themselves for their entire lifetime. Applications of wireless sensor networks, such as battlefield monitoring, bushfire monitoring and surveillance, are mission-critical in nature. The timeliness and accuracy in the delivery of the sensory data affect several contingency efforts that may be launched upon successful detection of a particular event in the environment. Therefore, it is essential to protect such networks from malicious attacks that may be launched by the adversary-class with the intent of causing loss to such networks.

The limited on-board memory resources of the sensor nodes restrict the size of applications, program codes and actual data that can be stored in their memory. The on-chip processing capability of the Berkeley Mica sensor [1], operating at 4 MHz, is several orders of magnitude less than that of a standard desktop processor. Sensor nodes are generally supplied with power from batteries (8 mW for a Mica sensor node). Program codes and applications that demand large numbers of CPU cycles for execution may exhaust the limited energy of the sensor node much earlier than the anticipated lifetime of the node. It is thus evident that most applications and programs designed for high-performance computing devices cannot be accommodated unaltered into the small memory space of sensor nodes. All applications and programs designed for such resource-constrained devices must be lightweight and compact in nature.

Sensor nodes are prone to a plethora of possible malicious attacks that may be launched by the adversary-class from either within or outside the network. Deployment of sensor nodes over a larger geographical area makes them even more vulnerable to any of these attacks [2]. Distributed node exhaustion attacks are launched from multiple ends of a network towards a set of victim nodes, with the intent of exhausting their limited resources, exploiting the disparity that exists between the network bandwidth and the target’s limited resource availability. As a result, the victims are incapacitated from further participation in crucial network operations such as provisioning of service to legitimate clients [3], [4], [5].

In this paper, distributed node exhaustion attacks are defined as attacks launched by the adversary-class from multiple ends of the network with the intent of exhausting the limited energy resources of the victim nodes. As a result of the attack, access to sensory readings by the base station is denied. Due to their distributed nature, these attacks are analogous to Distributed Denial of Service attacks [3] in high performance computer networks. As a result of the attack, target nodes are overwhelmed with higher than normal intensities of traffic inflow, which will lead to the rapid exhaustion of their limited energy resources, incapacitating them from further participation in crucial network operations [2], [6]. It is postulated that for timely and accurate detection of such attacks, predefined patterns of normal network traffic flow must be programmed in a conglomerate of collaborating sensors with attack detection capabilities.

In [7], we proposed a simple attack detection scheme to detect a class of distributed attacks, namely distributed denial of service, in wireless sensor networks. The scheme did not address the issue of the presence of adversaries with varying capabilities, and lacked the flexibility to detect attacks under varying network conditions. In contrast to the work done earlier, in this paper a robust adversary model for a distributed node exhaustion attack is formulated. In addition, a distributed pattern recognition scheme is defined to efficiently detect such an attack.

The contributions of this paper are listed as follows:

  • An adversary (attack) model is proposed to define capability-based malicious nodes.

  • An adversary node energy usage model is defined to signify the potential strength of the attack.

  • A network model is defined to classify wireless sensor networks into three distinct data delivery models.

  • A distributed, pattern recognition scheme for distributed node exhaustion attack detection in wireless sensor networks is defined.

  • A detailed simulation analysis to test the effectiveness and performance of the proposed scheme is performed.

Throughout the rest of the article, the term attack has been used for referring to a distributed node exhaustion attack.

The paper is organized as follows: the background is given in Section 2. Section 3 defines the attack model for a distributed node exhaustion attack. The network model for a wireless sensor network is defined in Section 4. A pattern-based model for normal and anomalous network traffic is defined in Section 5. The attack detection scheme is given in Section 6. Section 7 describes the method used for generating optimal time frames, as a parameter, necessary for accuracy in the attack detection process. In Section 8, the algorithm for the selection of decision-making nodes for the attack detection scheme is defined. In Section 9, a qualitative analysis of the efficiency of the attack detection scheme is given. The results and analysis of the simulations are elaborated upon in Section 10. The concluding remarks are given in Section 11.

Section snippets

Background

Although several pattern recognition schemes for network intrusion detection have been proposed in the literature, their centralized nature and intensive resource demands make them infeasible for deployment on sensor networks. It may be noted that schemes proposed for detecting distributed denial of service attacks can be modified to detect node exhaustion attacks in sensor networks. However, a detection scheme to explicitly detect such attacks in sensor networks does not exist. In [8], the

Adversary model

The adversary-class is defined as a set of malicious entities, intending to inflict loss either directly, or through other entities, on the network. It is responsible for defining and, if need be, introducing malicious nodes into the network, with the purpose of launching a distributed node exhaustion attack. The set of malicious nodes intending to launch such an attack can be classified into the following categories:

  1. Injected sensor nodes consist of either sensor nodes with normal sensor

Network model

The wireless sensor network model consists of a finite set of sensor nodes given by: $N = \{N_1, \ldots, N_n\}$, where $|N| = n$. The network also consists of a centralized base station in addition to the sensor nodes. The n sensor nodes of the network consist of sensors with added capabilities and/or administrative and control tasks of the network (cluster heads and data aggregation points). The frequency of communication of messages by the nodes to the base station is referred to as the network taxonomy [21].

Threshold pattern modeling

The analytical model of a sensor network undergoing an attack consists of two types of network traffic, namely, normal and attack. It is assumed that each adversarial node generates a single flow of traffic towards a victim node r. Each node in the network is considered to bear a single queue, with average time for packet processing and transmission at node i being si (actual value is computed in Section 7). The intensity of the arriving traffic at node r is thus given byρr=sii=1fIr,ii+j=1kIr,

The attack detection scheme

The attack detection scheme consists of five phases of operation. Apart from the initialization phase, all other phases of the proposed scheme need to be executed within each interval of time, of fixed duration: Δopt. The notations used by the scheme are given in Table 2. Attack detector nodes are defined as sensor nodes that are designated the additional responsibility of participating in the attack detection process. These nodes are also referred to as GN nodes [19]. For purposes of attack

Computation of the optimal time epoch length (Δopt)

The length of Δopt has a significant impact on several other factors, such as the effect of attack detection, false alarm rate and the energy consumption rate associated with the attack detection scheme. In this section, I formulate an equation to trade off frequent attack detection against detector/mGN node energy resource consumption. Higher frequency of detection scheme convergence will lead to higher energy consumption rates in the detector and mGN nodes. However, such an approach will

Selection of the Decision-Making (mGN) Nodes

Several algorithms for neighbor-based topology control have been proposed in the literature. The k-Neigh protocol [25], [26], [27], is a topology control protocol for Wireless and AdHoc networks, for generation of the k-closest neighbor lists within each participating mobile or sensor node, based on node transmission ranges and inter-node distances. In [28], a communication link quality-based topology control algorithm is proposed, for generation of closest neighbor lists within the wireless

Efficiency analysis

In this section, I analyze the overhead incurred on a sensor node participating in the attack detection process. On average, each GN node stores 1 Byte of subpatterns for each of the r target nodes. For a network with 1024 nodes, with 50% of nodes being targets, each GN node GNn will have to store approximately 500 Bytes of subpatterns, which is less than 6% of a typical Mica’s memory [1]. Each GNn will exchange exactly 2 packets with its adjacent GN nodes nsuccn and npredn, and a single packet

Simulation results

In this section, a study on the performance of the distributed pattern recognition scheme is given. The performance is evaluated using simulation carried out on a C-based discrete event simulator. The simulator was run for different key system parameters, with results averaged over 100 independent runs. The traffic interarrival delays for all inter-node communication are assumed to be exponentially distributed. Wireless sensor networks are deployed for specific sensing and reporting applications.
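The following is an added illustration, not code from the paper or its simulator: it simulates a victim node receiving f normal and k attack flows with exponentially distributed interarrival delays, and shows how the epoch length changes detection and false alarm rates for a per-epoch packet-count threshold. The flow rates, service time, mean-plus-three-sigma threshold and all function names are assumptions, and intensity is taken as service time multiplied by total arrival rate.

```python
import random
import statistics

def epoch_counts(rates, epoch_len, n_epochs, rng):
    """Packets reaching the victim in each epoch. Independent flows with
    exponential interarrival delays merge into one flow of rate sum(rates)."""
    total_rate = sum(rates)
    counts = []
    for _ in range(n_epochs):
        t, n = rng.expovariate(total_rate), 0
        while t < epoch_len:
            n += 1
            t += rng.expovariate(total_rate)
        counts.append(n)
    return counts

def intensity(rates, service_time):
    """Offered load at the victim: service time * total arrival rate (assumed)."""
    return service_time * sum(rates)

def learn_threshold(normal_counts, k_sigma=3.0):
    """Normal-traffic threshold from attack-free epochs (assumed rule)."""
    return statistics.mean(normal_counts) + k_sigma * statistics.pstdev(normal_counts)

def evaluate(epoch_len, normal_rates, attack_rates, seed=1, n_epochs=400):
    """Return (threshold, false alarm rate, detection rate) for one epoch length."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    thr = learn_threshold(epoch_counts(normal_rates, epoch_len, n_epochs, rng))
    clean = epoch_counts(normal_rates, epoch_len, n_epochs, rng)
    attacked = epoch_counts(normal_rates + attack_rates, epoch_len, n_epochs, rng)
    false_alarm = sum(c > thr for c in clean) / n_epochs
    detection = sum(c > thr for c in attacked) / n_epochs
    return thr, false_alarm, detection

# Constructed sample parameters, not values from the paper.
NORMAL = [0.5] * 8   # f = 8 legitimate flows, packets per second each
ATTACK = [0.5] * 4   # k = 4 adversarial flows, packets per second each
SERVICE = 0.1        # mean processing + transmission time per packet, seconds

if __name__ == "__main__":
    print("intensity, normal:", intensity(NORMAL, SERVICE))
    print("intensity, attack:", intensity(NORMAL + ATTACK, SERVICE))
    for delta in (2.0, 10.0, 40.0):
        thr, fa, det = evaluate(delta, NORMAL, ATTACK)
        print(f"epoch={delta:5.1f}s threshold={thr:6.1f} "
              f"false_alarm={fa:.3f} detection={det:.3f}")
```

Short epochs evaluate the threshold more often but miss most attacked epochs at these rates, while long epochs separate the two traffic levels cleanly at the cost of a later decision.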

Conclusions

The availability of sensor nodes is under constant threat from distributed node exhaustion attacks. As part of the contributions of this paper, an attack model was proposed to accurately define such an attack. The purpose of attack modeling was to ascertain that appropriate attack detection approaches are subsequently proposed for detecting such attacks in a timely and energy-efficient manner. Moreover, the detection of such attacks is the first step towards any counter-measures, including

References (33)

  • A. Perrig et al., Secure Broadcast Communication in Wired and Wireless Networks (2002)
  • H. Chan, A. Perrig, D. Song, Random key predistribution schemes for sensor networks, in: IEEE Symp. on Security and...
  • R. Chang, Defending against flooding-based distributed denial of service attacks: a tutorial, IEEE Communications Magazine (2004)
  • J. Elliot, Distributed denial of service attacks and the zombie ant effect, IT Pro (2000)
  • V.D. Gligor, Guaranteeing access in spite of service-flooding attacks, in: Proc. of the International Workshop on...
  • A. Wood et al., Denial of service in sensor networks, IEEE Computer Magazine (2002)
  • Z.A. Baig, M. Baqer, A.I. Khan, A pattern recognition scheme for distributed denial of service (ddos) attacks in...
  • R. Jalili, F. Imani-Mehr, M. Amini, H. Shahriari, Detection of distributed denial of service attacks using statistical...
  • J. Zheng et al., An anomaly intrusion detection system based on vector quantization, IEICE Transactions on Information and Systems (2006)
  • L. Fang, W. Du, P. Ning, A beacon-less location discovery scheme for wireless sensor networks, in: Proc. of IEEE...
  • M. Ramadas, S. Ostermann, B. Tjaden, Detecting anomalous network traffic with self-organizing maps, in: Proc. of Recent...
  • G. Zhang, M. Parashar, Cooperative defense against ddos attacks, Journal of Research & Practice in Information...
  • W. Du, L. Fang, P. Ning, Lad: localization anomaly detection for wireless sensor networks, in: Proc. of the 19th...
  • F. Stajano, R. Anderson, The resurrecting duckling: security issues for adhoc wireless networks, in: Proc. of the 7th...
  • J. McCune, E. Shi, A. Perrig, M. Reiter, Detection of denial-of-message attacks on sensor network broadcasts, in: Proc....
  • F. Anjum, D. Subhadrabandhu, S. Sarkar, R. Shetty, On optimal placement of intrusion detection modules in sensor...