A Novel Correlated Attributes Model for Malicious Detection in Wireless Sensor Networks Name: Patrick Zwane University: National Taipei University of Technology Department Class: Electrical Engineering and Computer Science IMEECS Student ID: 104998015 Advisor: Dr. Kai-Wei Ke Date: 5/21/2017

Outline Motivation Research Objectives Proposed Model Malicious Attack Detection Conclusion References

Motivation (1/1)

Motivation (1/4) Task : monitor, sense and send data Uses: military and civilian applications, agriculture, traffic control, environmental monitoring etc. Why: small, low power sensors inexpensive, robustness and high flexibility

Motivation (2/4) Challenges: Resource constrain Lack of central control Deployed in remote and hostile environment Routing protocol also contribute to attacks

Motivation (3/4) Network security fundamentals: Confidentiality: security mechanism must ensure that only intended receiver can correctly intercept a message and unauthorized access and usage can not be done. Integrity: an unauthorized individual is not to be able to destroy the information when a message is transferred from source to destination Availability: an interruption should not occur when a system and its application performs a task.

Motivation (4/4) Security attacks in WSN:

Research Objectives (1/4) Propose a resource constrain free security model for malicious nodes detection: Traditional security mechanism have very high overheads, for this resource constrain WSN’s are not suitable The model focuses on only routing attacks detection mainly: Sybil: Fake multiple identities. A sensor node will behave as if it were a large number of nodes

Research Objectives (2/4) blackhole Attack: A black hole problem means that one malicious node utilizes the routing protocol to claim itself of being the shortest path to the destination node, but drops the routing packets but does not forward packets to its neighbors

Research Objectives (3/4) wormhole attack: create a tunnel to the other end where the packets are replayed. Routing mechanisms which rely on the knowledge about distance between nodes can get confuse because wormhole nodes fake a route that is shorter than the original one within the network.

Research Objectives (4/4) Sinkhole attack: the compromise node try to attract all the traffic from neighbor nodes based on the routing metric that used in routing protocol. An adversary could spoof or replay an advertisement for an extremely high quality route to a BS

Attributes Verification Proposed Model (1/3) Correlated attributes Model Node Registration phase: identity registration is one way of preventing malicious node. In wireless sensor networks, a trusted central authority (TCA) is used to manage the network, and thus knowing deployed nodes. The TCA disseminate that information securely to the network. To prevent the malicious node, any node could check the list of “known-good‟ identities to validate another node as legitimate. Local Data Collection Node Registration Attributes Verification Matching Attributes

Proposed Model (2/3) Local Data Collection Phase: In the local data collection phase, a node identity table is constructed and maintained by each node in the network. Each node evaluates the information of packets to determine whether there is any malicious node Attributes Verification Phase: The initial detection node check packet if the inspection attributes are positive, the questionable node is regarded as a normal or else malicious node Matching attributes phase: The inspected node packet is checked by matching all attributes values. If found positive, a notification is executed and send as a warning message to the whole network about malicious node.

Proposed Model (3/3) Key Attributes Position verification Energy Timestamp Path Cost (PCost)

Malicious Attack Detection (1/9) Proposed Technique Node registration and attributes verification When the nodes are deployed, energy, timestamp, PCost and reference points attributes are used determine the node The base station will send a ‘Hello’ broadcast message to the nodes and the nodes will send ‘Res ID’ with all attributes to update the node determinant table (ND) IF (all parameters are available and correct (ID, Energy, PCost, (location (X, Y) co-ordinates) and Timestamp)) then node is added to legitimate node else discarded

Malicious Attack Detection (2/9) Node registration and attributes verification flow chart

Malicious Attack Detection (3/9) Matching method Step 1: start Step 2: the BS will send a message to each node for their availability and verification Step 3: The node will send a reply message for authenticity with their ID, Energy, PCost, location ((X, Y) co-ordinates) and Timestamp. Step 4: After nodes discovery, the matrix table is updated with the routing cost details to identify eligible routes. Step 5: The node which want to send the message will start the detection of malicious node before sending packet. Step 6: After the node obtain the request to send message to the base station, it send the packets in the form of broadcast message. Then the node will compare the energy values of nodes with different routes.

Malicious Attack Detection (4/9) Matching method Step 7: the energy of the node is compared with residual energy, if energy is greater or equal to, then the node maybe considered as original or else can be malicious. Step 8: Furthermore, the node is checked for its malicious state. The malicious node is detected by matching the ID, PCost, location co- ordinates and timestamp values stored in matrix table. If values of the node does not match it is regarded as malicious else legitimate. Step 9: In addition to that if detected as malicious a new route will be selected to send the packet to the base station. The malicious node will be send to “non-good list”

Malicious Attack Detection (5/9) Matching method flow chart

Malicious Attack Detection (6/9) Blackhole detection Example: node ID1 sends message to base station using route (2-3-4) and node ID 2 drops packets by not forwarding to the neighbor node. ID Timestamp Energy coordinates Hop-count 1 10:30:33 999.980 11.33, 12.45 2 10:30:34 999.979 16.34, 13.02 3 10:30:35 999.968 18.67, 45.02 4 10:30:36 999.785 10.56, 3.67 ID Timestamp Current Timestamp Energy coordinates Hop-count 2 10:30:34 10:33:00 1300 16.34, 13.02 1 3 10:30:35 10:33:01 999.968 18.67, 45.02 4 10:30.36 10:33:02 999.785 10.56, 3.67

Malicious Attack Detection (7/9) Sinkhole detection Example: node 1 sends message to base station using route (2-3-4) ID Timestamp Energy coordinates Hop-count 1 10:30:33 999.980 11.33, 12.45 2 10:30:34 999.979 16.34, 13.02 3 10:30:35 999.968 18.67, 45.02 4 10:30:36 999.785 10.56, 3.67 ID Timestamp Current Timestamp Energy coordinates Hop-count 2 10:30:34 10:33:00 999.979 16.34, 13.02 1 3 10:30:35 10:33:01 2000 18.67, 45.02 4 10:30.36 10:33:02 999.785 10.56, 3.67

Malicious Attack Detection (8/9) wormhole detection Example: node 1 sends message to base station using route (2-3-4) ID Timestamp Energy coordinates Hop-count 1 10:30:33 999.980 11.33, 12.45 2 10:30:34 999.979 16.34, 13.02 3 10:30:35 999.968 18.67, 45.02 4 10:30:36 999.785 10.56, 3.67 ID Timestamp Current Timestamp Energy coordinates Hop-count 2 10:30:34 10:33:00 1200 16.34, 13.02 1 3 10:30:35 10:33:01 999.968 18.67, 45.02 4 10:30.36 10:33:02 10.56, 3.67

Malicious Attack Detection (9/9) Sybil detection Example: node ID4 is the Sybil , acting as node ID2 ID Timestamp Energy coordinates Hop-count 1 10:30:33 999.980 11.33, 12.45 2 10:30:34 999.979 16.34, 13.02 3 10:30:35 999.968 18.67, 45.02 4 10:30:36 999.785 10.56, 3.67 ID Timestamp Current Timestamp Energy coordinates Hop-count 1 10:30:33 10:32:59 999.980 11.33, 12.45 4 [2] 10:30:34 10:33:00 999.979 16.34, 13.02 3 10:30:35 10:33:01 999.968 18.67, 45.02 2 4 10:30.36 10:33:02 999.785 10.56, 3.67

Implementation and Evaluation (1/6) Software requirements Ns-2.35 Ubuntu 14.04 (32 bit) Implementation Plan Create 1 sink node , 10-70 wireless nodes ( including malicious nodes) Use Ad Hoc On-Demand Distance Vector (AODV) routing protocol to perform packet data transmission Perform position verification, energy, timestamp and Path cost Detect the malicious nodes from the network Plot the result as graphs for throughput and packet successful rate (PSR)

Implementation and Evaluation (2/6) Simulation parameters setup Parameter Name Value Number of nodes 70 Simulation area 1000 x 1000 Malicious nodes 6 Initializing Energy 1000 Traffic type Constant Bit rate(CBR) TCP Node placement Random way point Packet size 512 bytes Simulation time 100seconds

Implementation and Evaluation (3/6) Example: Node setup Node definition if [expr $i==69] { set xx($i) 1177 set yy($i) 658 $node_(69) set X_ 1177 $node_(69) set Y_ 658 $node_(69) set Z_ 0.0 } Agents Definition #Setup a TCP connection set tcp1 [new Agent/TCP] $ns attach-agent $n0 $tcp1 set sink94 [new Agent/TCPSink] $ns attach-agent $n53 $sink94 $ns connect $tcp1 $sink94 $tcp1 set packetSize_ 512

Implementation and Evaluation (4/6) Network animator after malicious detection Malicious node definition $ns at 9.0 "[$node_(60) set ragent_] malicious" $ns at 9.0 "[$node_(48) set ragent_] malicious" $ns at 9.0 "[$node_(8) set ragent_] malicious" $ns at 9.0 "[$node_(23) set ragent_] malicious" $ns at 9.0 "[$node_(35) set ragent_] malicious" $ns at 9.0 "[$node_(68) set ragent_] malicious"

Implementation and Evaluation (5/6) Throughput graph Results obtained Normal – Without Malicious Nodes WMN - With Malicious Nodes CAM - Correlated Attributes Model Metric Normal WMN CAM Throughput 218.2742 121.491 184.636

Implementation and Evaluation (6/6) Packet delivery ratio (PDR) Results obtained Normal – Without Malicious Nodes WMN - With Malicious Nodes CAM - Correlated Attributes Model Metric Normal WMN CAM Av PDR (%) 97.45 71.2 94.2

Conclusion Based on the Correlated Attributes Model, it is evident that malicious attacks can be detected and verified in WSN. CAM can prevent dangerous routing attacks such as Sybil, blackhole, wormhole and sinkhole attacks Throughput improves when the model is initialized to mitigate the malicious nodes. Packet delivery ration also is achieved with 94% to show how effective and lightweight the model it is

Reference(s) K.S.Sujatha, V.Dharmar and R.S.Bhuvaneswaran (2012), “Design of Genetic Algorithm based IDS for MANET”, International Conference on Recent Trends in Information Technology (ICRTIT), IEEE, pp.28-33 ZolidahKasiran and Juliza Mohamad (2014), “Throughput Performance Analysis of the Wormhole and Sybil Attack in AODV”, Fourth International Conference on Digital Information and Communication Technology and it's Applications (DICTAP), IEEE, pp.81-84 C. Bettstetter, G. Resta, and P. Santi, “The node distribution of the random waypoint mobility model for wireless ad hoc networks,” IEEETrans. Mobile Comput., vol. 2, no. 3, pp. 257–269, Jul.–Sep. 2003.

Thank You!