The Journal of China Universities of Posts and Telecommunications October 2012, 19(Suppl. 2): 52–56 www.sciencedirect.com/science/journal/10058885
http://jcupt.xsw.bupt.cn
The detection and defence of DoS attack for wireless sensor network
ZHANG Yi-ying1,2, LI Xiang-zhen3, LIU Yuan-an1
1. Beijing University of Posts and Telecommunications, Beijing 100876, China
2. State Grid Information & Telecommunication Company Ltd., Beijing 100761, China
3. State Grid Electric Power Research Institute, Nanjing 210003, China
Abstract Although wireless sensor networks (WSNs) have been widely deployed in many applications, the limited energy, computation and storage of sensors make it a critical challenge to provide an effective and lightweight security protocol that prevents various attacks on WSNs, especially the denial of service (DoS) attack. Normally, the adversaries compromise sensors and launch the DoS attack by replaying redundant messages or producing an excess of fake messages. In this paper, we design a novel message observation mechanism (MoM) to detect and defend against the DoS attack. Based on the spatiotemporal correlation, MoM utilizes the similarity function to identify the content attack as well as the frequency attack. The MoM then adopts rekey and reroute countermeasures to isolate the malicious node. The security analysis shows that our solution can not only detect and defend against the DoS attack but also reduce the energy consumption.
Keywords DoS attack, wireless multimedia sensor network, security, attack
1 Introduction
Although WSNs have been widely deployed in many applications, the limited energy, computation and storage of sensors make it a huge challenge to provide an effective and lightweight security protocol that prevents various attacks on WSNs, especially the DoS attack [1–5]. Normally, in WSNs, many kinds of sensors are distributed to monitor temperature, vibration, sound, video, etc. However, the adversaries can compromise some sensors and launch the DoS attack by replaying redundant messages or producing an excess of fake messages. Under this situation, DoS attack breaks off the wireless communication channel and causes either unintentionally in the form of interference, noise or collision between the senders and the receivers, which can lead to a high transmission power signal in a certain area and then overwhelm sensors by flooding bogus or relayed packets. The DoS attack can quickly exhaust the limited energy and block the communication bandwidth, which makes the network work poorly or even fail.
In this paper, we design a novel MoM in the hierarchical WSN based on spatiotemporal correlation [6]. In MoM, we store several representative normal messages and abnormal messages as referential data sets. The MoM is usually deployed in the cluster head (CH). As mentioned above, MoM includes two types of lists, the normal message list (NML) and the abnormal message list (AML), which distinguish forged messages and redundant messages (replay attack) based on the lists and frequency; the MoM also judges the new event to avoid the adversary's tampering with packets. When the CHs identify DoS attacks, they determine the malicious node and adopt the corresponding countermeasures. Firstly, the CH broadcasts the malicious node information to the member nodes. Then, they rekey and insulate the malicious node. We present an avoidance function so that the adversary's node has no chance to obtain the new key. The security analysis shows that our solution can not only detect and defend against the DoS attack but also effectively aggregate the redundant messages, including the bogus messages, and reduce the energy consumption.
Compared with the previous works for DoS detection in WSNs, the proposed MoM has the following scientific research contributions:
1) MoM utilizes the spatiotemporal correlation activities as well as the statistical similarity, which provides a heuristic methodology to detect the malicious sensor.
2) In MoM, there are two types of list for the judgment of messages, which can effectively reduce computation and energy consumption.
3) The CH can authenticate and manage member nodes based on the cluster architecture, which localizes the DoS attack and enhances the security.
The rest of this paper is organized as follows: Sect. 2 discusses previous work. In Sect. 3, we present the system model. Sect. 4 presents the attack model. In Sect. 5, we describe the detection and defence of DoS attack in detail. Sect. 6 analyzes the security of our solution. Finally, in Sect. 7, we conclude our paper.
Received date: 29-06-2012. Corresponding author: ZHANG Yi-ying, E-mail: [email protected]. DOI: 10.1016/S1005-8885(11)60444-5
2 Related work
WSNs are vulnerable to the DoS attacks since they are energy-constrained devices without a central powerful monitoring point [1–4]. Meanwhile, there are different types of DoS attack in the protocol layers of a sensor network [2]. Many solutions for different sensor network routing protocols are designed to enhance the security of sensor networks [7–8]. In Ref. [7], the authors designed a one-way hash chain (OHC) to protect end-to-end communications in WSNs from path-based DoS (PDoS) attacks. The scheme deploys an OHC in each intermediate node of a path to detect a PDoS attack, and puts a new OHC number in every message from the source. Therefore, only the messages that can be authenticated correctly in the chain are transferred. However, OHC did not provide any protection for the data transmission between the member nodes and the CH, which is threatened by the attacks. In Ref. [8], the authors presented a reputation-based client puzzle mechanism to enhance the security against DoS attacks. The mechanism can control the difficulty level of the puzzle with a reputation value, and the malicious nodes will get low reputation and have to solve a harder puzzle. Thus, the adversaries have few chances to launch the DoS attack. However, if the puzzle is not hard enough or the malicious node, the spurious packet or garbage data can reach the base station and affect the result.
3 System model
3.1 Network model
Suppose the WSN is a hierarchical network which consists of many clusters. In each cluster, there is a node named CH which manages member nodes, such as collecting information or releasing requirements. Meanwhile, the member nodes gather and submit information to the CH, and then the CH aggregates and forwards the information to the base station. Once the cluster is formed, all member sensors' identities (IDs) are registered in the CH. After the initial phase, a new node will be authenticated by the CH and neighbor nodes.
Fig. 1 The considered hierarchical WSN
3.2 Notations
In Table 1, we list some notations used in this paper.
Table 1 Notations
Symbol | Description
 | The set of normal representative messages
 | The set of abnormal messages
$M_{new}$ | The set of new messages during a certain time t
$m_{new}^{i}$ | The new message
 | The mean value of frequency
F | The filter function
3.3 Assumptions
In our network, all sensor nodes are deployed in the network uniformly and randomly and are static. Each sensor has a unique ID. If a node is compromised, all of the information in this node will be compromised, including the key materials [9]. The sensors in the network should be in at least one cluster.
4 Attack model
In the attack model, the adversary remotely controls the compromised node, called the malicious node, and then launches the DoS attack inside a cluster. The malicious node tries to inject large numbers of bogus messages or replayed messages to interrupt communication, as shown in Fig. 2.
Fig. 2 DoS attack model
5 Detection and defence protocol
In this section, we design a MoM to detect the DoS attack, and then give the corresponding countermeasure, a defence protocol, in detail.
5.1 MoM mechanism
Usually, the WSN is triggered by events, which means the network only sends messages to the base station when an event happens. According to the sink-function in CH, we deploy the MoM in CH. The MoM consists of three components: NML, AML and observation mechanism (OM).
Definition 1 NML given is NML, and = {$nm_i$ | $nm_1$, …, $nm_{||}$}, $nm_i$ is a representative message which has been submitted successfully. Before deployment, = ∅. The $nm_i$ is a triple, where msg indicates the content of the representative message; timestamp indicates the last time when the msg was submitted, which can be used to determine whether the message has expired; counter indicates the number of times the message has been transmitted.
Definition 2 AML given is AML, and = {$am_i$ | $am_1$, …, $am_{||}$}, $am_i$ is a representative message which has been considered as a bogus message. Before deployment, = ∅. The $am_i$ is a tuple, where msg indicates the content of the abnormal message; timestamp indicates the last time when the msg was considered as an abnormal message.
Moreover, the OM is used to analyze the incoming messages and then detect the DoS attack.
5.2 Detection protocol
To detect DoS attack, we normally consider two aspects: the number of messages and the content of messages. According to the spatio-temporal correlation, in WSN, there should be several nodes (more than 1 node) which can detect the event. When a node catches a phenomenon, it sends messages to the CH to report the event. Therefore, in the same cluster, there should be many nodes reporting the event. The malicious node uses this feature to disperse bogus messages or replayed messages and then launch DoS attacks.
Given $M_{new} = \{m_{new}^{i} \mid m_{new}^{1}, \ldots, m_{new}^{n}\}$ is the set of messages from member nodes during a certain time t. Similar to $nm_i$, $m_{new}^{i}$ has a format in which ID indicates the node where the message comes from.
$$W = \frac{1}{n} \sum m_{new}^{i}.counter \qquad (1)$$
Algorithm 1 malicious node detection
Input: $m_{new}^{i}$
for i = 1 to || {
    if $m_{new}^{i}$ \ then    // abnormal message
        {end;}    // Bogus messages
}
for i = 1 to || {
    if ($m_{new}^{i}$ and $m_{new}^{i}$.counter > W and > threshold) then
        {end;}    // Replayed messages
}
End
Furthermore, if a new event happens, the report is different from any pre-messages, that is, the new message belongs to neither nor , and there should be more than 1 node catching it. Then, we give the new message algorithm as follows.
Algorithm 2 new event detection
Input: $m_{new}^{i}$, $m_{new}^{j}$
if ($m_{new}^{i}$.msg $m_{new}^{j}$.msg and i ≠ j and $m_{new}^{i}$.counter ≤ W) then {
    $m_{new}^{i}$ is new message;
    Add $m_{new}^{i}$ into ;
}
End
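The following added example (not the authors' code) runs Algorithm 1, Algorithm 2 and Eq. (1) at a cluster head over a constructed message window. The similarity function, the 0.98 threshold, scalar message content, the "unconfirmed" label and storing confirmed new events in the NML are assumptions, since the page does not specify them.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Msg:
    node_id: int   # ID: member node the message came from
    msg: float     # content; a scalar reading in this example (assumption)
    counter: int   # times the message was transmitted in the window

def similarity(a, b):
    """Assumed similarity function; the page names one but does not define it."""
    return 1.0 - abs(a - b) / max(abs(a), abs(b), 1e-9)

def matches(value, refs, threshold):
    return any(similarity(value, r) > threshold for r in refs)

def classify(window, nml, aml, threshold=0.98):
    """Label every message of M_new at the CH; returns (labels, suspect IDs)."""
    w = mean(m.counter for m in window)               # Eq. (1): mean frequency W
    labels, suspects = [], set()
    for m in window:
        peers = [o.msg for o in window if o.node_id != m.node_id]
        if matches(m.msg, aml, threshold):            # Algorithm 1, AML loop
            label = "bogus"
        elif matches(m.msg, nml, threshold):          # Algorithm 1, NML loop
            label = "replayed" if m.counter > w else "normal"
        elif m.counter <= w and matches(m.msg, peers, threshold):
            label = "new_event"                       # Algorithm 2: i != j agree
        else:
            label = "unconfirmed"                     # assumption: held, not forwarded
        if label in ("bogus", "replayed"):
            suspects.add(m.node_id)
        labels.append(label)
    # Assumption: a confirmed new event becomes one NML reference entry.
    for m, label in zip(window, labels):
        if label == "new_event" and not matches(m.msg, nml, threshold):
            nml.append(m.msg)
    return labels, suspects

# Constructed sample window: temperature-like readings from seven member nodes.
NML = [25.0]      # representative normal content
AML = [999.0]     # representative abnormal content
WINDOW = [
    Msg(1, 25.1, 1), Msg(2, 24.9, 1),   # ordinary reports
    Msg(7, 25.0, 30),                   # same content, far above the mean count
    Msg(9, 999.0, 2),                   # matches a stored abnormal message
    Msg(3, 61.0, 1), Msg(4, 60.5, 1),   # two nodes agree on an unseen value
    Msg(5, 80.0, 1),                    # unseen value, no second reporter
]

if __name__ == "__main__":
    for m, label in zip(WINDOW, classify(WINDOW, list(NML), list(AML))[0]):
        print(m.node_id, m.msg, m.counter, label)
```

Because W is the mean of the window, a single flooding node raises it; node 7 is still flagged here because its count of 30 stays far above the resulting mean of about 5.3.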
5.3 Defence protocol
Once the malicious node is detected, the CH announces the ID of the malicious node and refuses to forward its messages [10].
Step 1 Announce malicious node. The CH sends the alert message containing the ID of the malicious node to its member nodes. Once the member nodes confirm the alert message, they remove the ID from the neighbor node list and add the ID to the black list to insulate the malicious node and break off the path.
Step 2 Change key materials. The adversaries can get key materials from the compromised node. Thus, when we detect the DoS attack, it is necessary to change the key materials, including the cluster key and session key, and even the pairwise key. Because the announcement uses the broadcast model, we adopt the filter function F() to avoid the malicious node as follows.
$$F(ID_{malicious}) = \prod_{i=1} (ID_{malicious} - ID_i) \qquad (2)$$
The node $ID_{malicious}$ cannot recover the new key because $F(ID_{malicious}) = 0$, and then it has no ability to decrypt the new key and loses the chance to rekey.
Step 3 Build new route to CH. Due to the multi-hop transmission model in WSN, the malicious node is usually on the path along which other nodes transfer messages to the CH. Therefore, we should build a new route for normal.
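One way the property F(ID_malicious) = 0 can keep a broadcast rekey away from the announced node, as an added example that is not the paper's code. The paper gives only F and that property, so the masking w(x) = K·F(x) + p(x), the prime field Q, the preloaded shares p(ID) and all function names are assumptions.

```python
import secrets

Q = 2**61 - 1   # prime field modulus (assumption of this example)

def filter_poly(revoked):
    """Coefficients, low order first, of F(x) = prod (x - ID_r) mod Q."""
    coeffs = [1]
    for r in revoked:
        nxt = [0] * (len(coeffs) + 1)
        for k, c in enumerate(coeffs):
            nxt[k] = (nxt[k] - r * c) % Q       # constant part of (x - r)
            nxt[k + 1] = (nxt[k + 1] + c) % Q   # x part of (x - r)
        coeffs = nxt
    return coeffs

def evaluate(coeffs, x):
    acc = 0
    for c in reversed(coeffs):                  # Horner's rule
        acc = (acc * x + c) % Q
    return acc

def ch_broadcast(new_key, revoked, secret_poly):
    """CH side: publish w(x) = new_key * F(x) + p(x); p(x) never leaves the CH."""
    f = filter_poly(revoked)
    n = max(len(f), len(secret_poly))
    f = f + [0] * (n - len(f))
    p = secret_poly + [0] * (n - len(secret_poly))
    return [(new_key * fc + pc) % Q for fc, pc in zip(f, p)]

def node_recover(node_id, share, broadcast, revoked):
    """Member side; share = p(node_id) was preloaded. Returns the key or None."""
    f_id = evaluate(filter_poly(revoked), node_id)
    if f_id == 0:                               # F(ID_malicious) = 0
        return None                             # w(ID) - p(ID) is 0 for every key
    masked = (evaluate(broadcast, node_id) - share) % Q   # new_key * F(ID)
    return masked * pow(f_id, -1, Q) % Q

def demo(ids=(11, 12, 13, 14), revoked=(13,)):
    """Constructed cluster: node 13 has been announced as malicious."""
    p = [secrets.randbelow(Q) for _ in range(3)]          # CH secret polynomial
    shares = {i: evaluate(p, i) for i in ids}             # preloaded per node
    key = secrets.randbelow(Q)
    w = ch_broadcast(key, revoked, p)
    return key, {i: node_recover(i, shares[i], w, revoked) for i in ids}

if __name__ == "__main__":
    key, got = demo()
    print({i: (k == key) for i, k in got.items()})
```

Reusing the same p(x) for a second rekey with the same F would expose the difference of the two keys, so this shows only the exclusion property of F, not a complete rekey scheme.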
6 Performance analysis
In this section, we analyze the performance of MoM in security and energy consumption. To analytically evaluate the performance of MoM in these two aspects, we also give some simulations.
6.1 Security analysis
Comparing with previous works, we focus on the DoS attack detection in WSN based on the spatio-temporal correlation, and present corresponding countermeasures to defend against the attack.
Firstly, we establish a MoM to filter not only the redundant messages but also the bogus messages. Through the AML, the abnormal messages can be distinguished and then dropped, which erases the forged packets and reduces the energy consumption. Furthermore, according to Algorithm 2, we can identify a new message or exception messages, which avoids misjudgment of new messages. The AML mechanism can effectively defend against the bogus message-based DoS attack.
Secondly, in MoM, the NML mechanism is used to judge the DoS attack by abnormal message frequency. When DoS happens, a notable feature is that the network bandwidth is filled with meaningless repeated messages and the communication channel is blocked. In NML, CH employs the spatiotemporal correlation to prevent lots of fake messages from malicious nodes. By adjusting the threshold value, NML can distinguish the messages at different granularities. By comparing with the history messages and current messages respectively, NML can avoid new messages being considered as exceptional messages, which improves the reliability.
Finally, MoM can locate the DoS attack and then invoke the rekey and reroute mechanisms. To avoid the malicious node, we build a filter function to isolate the source of DoS attack, which can both localize the attack and enhance the security. MoM can reduce the bogus messages as well as redundant messages, which gives the network high security and low energy consumption.
6.2 Simulation
We evaluate the performance of MoM via simulations by using VC++. In order to set the simulation environment realistically, we inject message loss and replay attacks into our simulations. Under normal circumstances, MoM performs much better not only in security but also in energy consumption than OHC from simulation results.
Fig. 3 shows the situations with/without attackers, which does not employ MoM. When the number of attackers is over 20%, they can send more than 200% bogus packets or relayed packets in-cluster. For WSN, it can make the result deviate seriously from the correct conclusion. In spite of the MoM schedule, the attackers can send more bogus packets or relayed packets continually, which affects the loss rate of packets as shown in Fig. 4.
Fig. 3 The number of packets with/without attackers
Fig. 4 The comparison with/without MoM in operation
As shown in Fig. 4, our approach can efficiently detect and defend against the DoS attacks. With the MoM, the network can detect all the malicious nodes, filter out the replayed or fake messages and keep a low packet loss rate. Without considering the inherent loss rate of packets, almost 100% of the malicious nodes can be detected and excluded by using our scheme. However, without MoM, the loss rate of packets increases evidently with the increase of the number of attackers.
7 Conclusions
Comparing with previous works, we focus on the DoS attack detection and defense and present the corresponding countermeasures. We design a novel MoM to detect and defend against the DoS attack. Based on the spatiotemporal correlation, MoM utilizes the similarity function to identify the content attack as well as the frequency attack. Then the MoM adopts rekey and reroute countermeasures to isolate the malicious node. The security analysis shows that our solution can not only detect and defend against the DoS attack but also reduce the energy consumption. In the future, we will integrate the location information with the node, which can help locate the node by position for isolating the malicious node.
Acknowledgements This work was supported by China Postdoctoral Science Foundation Funded Project (2012M510367) and the National Basic Research Program of China (2011CB302900).
References
1. Raymond D R, Midkiff S F. Denial-of-service in wireless sensor networks: attacks and defenses. IEEE Pervasive Computing, 2008, 7(1): 74–81
2. Li M, Koutsopoulos I, Poovendran R. Optimal jamming attacks and network defense policies in wireless sensor networks. Infocom, May 2007
3. Zhou Y. Securing wireless sensor networks: a survey. IEEE Communications Surveys & Tutorials, 2008: 6–28
4. Han G J, Shen W, Trung Q D, et al. A proposed security scheme against denial of service attacks in cluster-based wireless sensor networks. Security and Communication Networks, 2011
5. Nanda R, Krishna P V. Mitigating denial of service attacks in hierarchical wireless sensor networks. Network Security, 2011: 14–18
6. Bandyopadhyay S, Tian Q J, Coyle E J. Spatio-temporal sampling rates and energy efficiency in wireless sensor networks. IEEE/ACM Transactions on Networking (TON), 2005, 13(6)
7. Deng J, Han R, Mishra S. Defending against path-based DoS attacks in wireless sensor networks. SASN'05, 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks, Alexandria, VA, USA, Nov 7, 2005. ACM, New York, NY, USA: 89–96
8. Cao Z, Zhou X, Xu M X, et al. Enhancing base station security against DoS attacks in wireless sensor networks. 2006 IEEE Wireless Communications (WiCOM 2006), Networking and Mobile Computing. 2006: 1–4
9. Zhu S, Setia S, Jajodia S. LEAP+: efficient security mechanisms for large-scale distributed sensor networks. ACM Transactions on Sensor Networks, 2006: 500–528
10. Zhang Y Y, Park M S, Chao H C, et al. Outlier detection and countermeasure for hierarchical wireless sensor networks. IET Information Security, 2010: 361–373